Raising a “Red Flag”: Understanding the Fair and Accurate Credit Transactions Act, the “Red Flag” Regulations, and Their Impact on Health Care Providers
October 23, 2008
Presented by: Denise S. Cline and Patricia A. Markus
Smith Moore Leatherwood LLP
Post Office Box 27525
T: (919) 755-8700 F: (919) 755-8800
Introduction
• What are the “Red Flag Rules,” and what is a Red Flag?
• What do the Rules require, and who must comply?
• The two-part test
• Consequences of failure to comply
• Creation of an identity theft detection program
• Health care specific examples
• Questions
What Are the “Red Flag Rules”?
• The Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft
• Six agencies published the final regulations under FACTA, effective January 1, 2008
• The good news: the deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009
What Is a “Red Flag”?
• A pattern, practice, or specific activity that indicates the possibility of identity theft
What Do the Red Flag Rules Require?
• Covered entities must create written programs to detect, prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts
• Consumer reporting agencies must follow certain rules related to address discrepancies**
• Debit and credit card issuers must put procedures into place to assess the validity of address changes**
• **NOTE: the deadline for enforcement of these two rules remains November 1, 2008
Who Is Required to Comply?
• A financial entity
  • i.e., a State or national bank, a State or Federal savings and loan association
• OR a “creditor” who maintains “covered accounts”
  • The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”
Question 1: Are You a Creditor?
• What is a creditor? Specifically, a “creditor” is:
  • “any person who regularly extends, renews, or continues credit;
  • any person who regularly arranges for the extension, renewal, or continuation of credit; or
  • any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
• In practice, a creditor is any entity that allows its customers to pay their fees or balances on a delayed-payment basis
Are Health Care Providers Creditors?
• Yes, they can be.
• Health care providers may be creditors if they “regularly** extend, renew or continue credit”
• “Credit” simply means any deferral of payment
• **NOTE: the FTC takes the position that “regularly” probably includes “a few times a year”
Special Problem for Health Care Providers: Medical Identity Theft
• Medical identity theft occurs when:
  • someone uses a person’s name and sometimes other parts of their identity, including insurance information or SSN
  • without the victim’s knowledge or consent
  • to obtain medical goods or services
  • or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims
Question 2: Do You Maintain Covered Accounts?
• What is a “covered account”?
  • Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions”
  • And “any other account…for which there is a reasonably foreseeable risk to customers…from identity theft.”
• THUS, any account that permits multiple payments (or an entity’s practice of permitting such payments)
Examples of Covered Accounts for Health Care Providers
• Patient accounts
  • A patient account serves a “personal, family, or household” purpose, and the information contained therein poses a foreseeable identity theft risk
• BUT ALSO credit extended to physicians or other employees:
  • Income guarantees
  • Recruitment loans
  • Educational loans
Does the Address Discrepancy Rule Apply to Your Entity?
• Do you use consumer reports to make employment decisions when performing background checks?
• Do you use consumer reports to make credit decisions about your patients or customers?
• If so, your entity must comply with the rules applied to users of consumer reports who receive notice of an “address discrepancy” from a consumer reporting agency
What Happens if You Fail to Comply?
• The Federal Trade Commission oversees creditors who are not financial institutions, such as health care providers
• Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction
• Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation
What About Private Lawsuits?
• Like HIPAA, the Red Flags Rule does not provide for a private right of action, but the Rule may provide the basis for state law claims
• Ultimately—also like HIPAA—the Red Flags Rule could set a national standard of care for handling confidential financial information
Four Essentials for a Red Flags Program
• Identify Red Flags
• Detect Red Flags
• Respond appropriately to Red Flags detected
• Update the program to reflect changes in the risks of identity theft to customers
Identify Red Flags
• Health care providers should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:
  • Alerts, notifications or warnings from a consumer reporting agency
  • Suspicious documents
  • Suspicious personal identifying information
  • Unusual use of, or suspicious activity related to, the covered account
  • Notice from a customer, theft victim, law enforcement or another business
Detect Red Flags
• Implement procedures to detect the identified red flags:
  • Obtain information and verify the identity of the person opening a covered account
  • Authenticate customers (patients) and monitor transactions
  • Verify change-of-address requests for existing covered accounts
Respond to Detected Red Flags
• Develop appropriate policies to respond to detected Red Flags:
  • Monitor a covered account for evidence of identity theft
  • Contact the customer (patient)
  • Change any passwords or security codes that permit access to the covered account
  • Remove or modify incorrect medical records
  • Reopen the covered account with a new account number
  • Do not attempt to collect on the covered account
  • Notify law enforcement
Update the Program
• Periodic updating is required to reflect changes to the identity theft risks to patients
• Document a procedure for adopting additional prevention or detection methods
• In updating the program, health care providers should consider:
  • Tracking identity theft trend data
  • Identifying who will be responsible for tracking the data
  • Developing a procedure to adopt new policies that adapt to new risk calculations
Action Items
• Establish and approve a program
• Provide ongoing oversight and training
• Follow reporting requirements
Step One: Establish and Approve a Program
Establishment and Approval
• The program must:
  • be written
  • be appropriate to the size and complexity of the organization
  • be appropriate to the nature and scope of the organization’s activities
  • consider and include the “Guidelines” to the Rules
• If a health care provider excludes a Red Flag from its program, a written rationale for the exclusion must be provided
• Once established, the program must be approved by the Board of Directors or an appropriate subcommittee
Step Two: Provide Ongoing Oversight and Training
Oversight and Training
• Oversight and implementation of the program must involve senior staff or their designees:
  • Assign specific responsibilities
  • Train staff
  • Educate patients about risks and prevention
  • Review compliance reports
• Adopt policies to respond to the following, among others:
  • A patient claims fraud has occurred or that billed services were not received
  • A provider has altered patient records
  • Police reports and victim requests for investigation
Ongoing Oversight
• Approve material changes to the program as necessary to address changing risks
• There must be oversight of service provider arrangements (e.g., a third-party billing service) to ensure that the service provider is acting in accordance with the approved program
Step Three: Follow Reporting Requirements
Program Reporting Requirements
• The oversight staff must report to the designated oversight authority at least annually
• The staff report should include:
  • The effectiveness of the program
  • Significant incidents involving identity theft and the response to them
  • Recommendations for material changes to the program
HIPAA and the Red Flags Rule
• For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flags Rule
• However—unlike HIPAA—the Red Flags Rule’s requirement to mitigate may require notification of patients
• It will be important for health care providers to review their existing HIPAA compliance efforts
• Some policies will need to be updated based on the circumstances and situations that are unique to health care providers
Examples of Red Flags in Health Care: How Patients Find Out
• Patient receives an EOB for services not received
• Patient receives a bill from a facility the patient never visited
• Patient receives a bill for another person
• Physician mentions an inaccurate treatment history during the patient’s office visit
• An accounting of disclosures reveals activity the patient does not recognize
• Insurance company denies treatment for a condition the patient doesn’t have
Examples of Red Flags in Health Care: How Providers Find Out
• Patient’s records show treatment inconsistent with the patient’s medical history or physical exam (age, blood type)
• Patient complains about receiving a collection notice for services not received
• Patient provides an insurance number but cannot produce an insurance card
• Mail sent to the patient is returned repeatedly, but transactions continue to occur on the patient’s account
• ID appears to have been altered or forged
• Picture or signature on file does not match that of the person presenting for treatment
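The “Detect Red Flags” step and the provider-side indicators on the slide above can be turned into routine screening of account records rather than left to chance discovery. The following is an added illustration written for this page, not code from the presentation or its authors: it encodes five of the listed indicators (treatment inconsistent with age or blood type, a disputed collection notice, an insurance number presented without a card, repeatedly returned mail with continuing activity, and altered ID or a mismatched photo) as checks over constructed patient-account records. The record layout, field names and the returned-mail threshold are assumptions made for the example.

```python
"""Red-flag screening over constructed patient-account records.

Added example for the "How Providers Find Out" indicators. Every field
name, threshold and sample record below is an assumption constructed
for illustration, not a real billing-system schema.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Encounter:
    """One visit or billed service on a covered account (assumed layout)."""
    when: date
    procedure: str
    recorded_blood_type: Optional[str] = None  # blood type noted at this encounter
    min_plausible_age: Optional[int] = None    # youngest age at which the procedure is plausible
    insurance_number_given: bool = False
    insurance_card_seen: bool = True
    id_looks_altered: bool = False
    photo_or_signature_matches: bool = True


@dataclass
class PatientAccount:
    """A patient account as a covered account (assumed layout)."""
    account_id: str
    birth_date: date
    blood_type: str                 # blood type from the patient's established record
    returned_mail_count: int        # statements returned as undeliverable
    encounters: List[Encounter] = field(default_factory=list)
    collection_dispute: bool = False  # patient disputes a collection notice


def age_on(born: date, when: date) -> int:
    """Whole years between a birth date and a given date."""
    return when.year - born.year - ((when.month, when.day) < (born.month, born.day))


def screen_account(acct: PatientAccount, returned_mail_threshold: int = 3) -> List[str]:
    """Return the red flags raised by one account (empty list if none)."""
    flags: List[str] = []
    # Mail returned repeatedly while transactions continue on the account.
    if acct.returned_mail_count >= returned_mail_threshold and acct.encounters:
        flags.append("returned mail but activity continues")
    # Patient complains about a collection notice for services not received.
    if acct.collection_dispute:
        flags.append("collection notice disputed for services not received")
    for e in acct.encounters:
        # Blood type never changes, so a mismatch is inconsistent with the medical history.
        if e.recorded_blood_type and e.recorded_blood_type != acct.blood_type:
            flags.append(f"{e.when}: blood type {e.recorded_blood_type} "
                         f"inconsistent with record {acct.blood_type}")
        # Procedure implausible for the patient's age at the time of the encounter.
        if e.min_plausible_age is not None and age_on(acct.birth_date, e.when) < e.min_plausible_age:
            flags.append(f"{e.when}: {e.procedure} inconsistent with patient age")
        if e.insurance_number_given and not e.insurance_card_seen:
            flags.append(f"{e.when}: insurance number given without card")
        if e.id_looks_altered:
            flags.append(f"{e.when}: ID appears altered or forged")
        if not e.photo_or_signature_matches:
            flags.append(f"{e.when}: photo or signature on file does not match")
    return flags


def screen_all(accounts: List[PatientAccount]) -> dict:
    """Map each account id to its list of red flags."""
    return {a.account_id: screen_account(a) for a in accounts}


# Constructed sample accounts: one clean, two with several indicators each.
SAMPLE_ACCOUNTS = [
    PatientAccount("ACCT-0001", date(1980, 5, 2), "O+", returned_mail_count=0,
                   encounters=[Encounter(date(2008, 9, 1), "office visit", recorded_blood_type="O+")]),
    PatientAccount("ACCT-0002", date(1995, 1, 15), "A-", returned_mail_count=4,
                   encounters=[Encounter(date(2008, 8, 3), "knee replacement", recorded_blood_type="B+",
                                         min_plausible_age=40, insurance_number_given=True,
                                         insurance_card_seen=False)]),
    PatientAccount("ACCT-0003", date(1970, 3, 9), "AB+", returned_mail_count=0, collection_dispute=True,
                   encounters=[Encounter(date(2008, 10, 1), "MRI", id_looks_altered=True,
                                         photo_or_signature_matches=False)]),
]

if __name__ == "__main__":
    for account_id, flags in screen_all(SAMPLE_ACCOUNTS).items():
        print(account_id, "->", flags or "no red flags")
```

Each flag is a reason to start the response steps on the “Respond to Detected Red Flags” slide (contact the patient, hold collection, review the records), not a finding of identity theft on its own; a clean result likewise only means none of these particular indicators fired.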
The Good News
• Many health care providers already have extensive compliance programs in place to safeguard protected health information under HIPAA
• The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft
• Providers now have six months to augment their compliance programs to safeguard patient financial information
What About N.C. Identity Theft Law?
• Applies to all entities doing business in N.C.
• Like the Red Flag Rules, requires a policy and training
• The Identity Theft Protection Act (ITPA) regulates the collection and destruction of personal identifying information, especially social security numbers
• Includes a specific notification requirement for possible security breaches
N.C. Identity Theft Law (cont’d)
• The notification requirement includes a possible obligation to notify the Attorney General
• Violation of the Act may result in private lawsuits and treble damages
Additional Resources
• www.worldprivacyforum.org
• http://www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf
• http://www.ncga.state.nc.us/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf
For more information, please contact:
Denise Smith Cline, Denise.cline@smithmoorelaw.com, 919.755.8734
Patricia A. Markus, Trish.markus@smithmoorelaw.com, 919.755.8850
Smith Moore Leatherwood LLP