In essence, we have been deemed creditors and must have policies in place to prevent identity theft. You must identify risk areas, address them, then develop policies to minimize the risk. Failure to do so can result in thousands of dollars in fines.
While HIPAA may not have had teeth, my understanding is that Red Flag will, since it is the FTC that enforces it.
Feel free to contact me if you have any questions.