The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.” You need to implement a written program only if you have covered accounts.
It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.
There are at least some eCommerce sites that would qualify as "creditors," but most, like almost all non-profits, do not think of themselves as such. For more information and guidance regarding the Rule, click here. If you are still confused, you are best advised to contact a Privacy & Data Security Lawyer.
Looking for a best of breed HIPAA Compliance Tracking System?
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
If you need tools that will help with your compliance initiatives then check out the HSG Store.