Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule
William P. Dillon, Esq.
Messer, Caparello & Self, P.A.
2618 Centennial Place
Tallahassee, Florida 32308
Tel: 850-222-0720
Fax: 850-224-4359
Wdillon@lawfla.com
Board Certified in Health Law
Medical Identity Theft
• New York Times article – June 13, 2009: Brandon Sharp, a 37-year-old from Houston with no real health problems who has never set foot in an emergency room, is surprised to learn he owes thousands of dollars for emergency medical services.
• U.S. Attorney’s Office – Southern District of Florida – April 1, 2008 press release: a former employee of the Cleveland Clinic was indicted for stealing the information of approximately 1,500 patients and selling it to a cousin who owned a DME company, which in turn submitted over one million dollars in fraudulent claims to Medicare.
What is the Red Flag Rule?
• Everyone knows that the term “Red Flag” is used to warn of a potential danger. In this case the Red Flag Rules refer to the regulations found at 16 CFR Part 681, which require covered businesses to take actions to:
• Identify;
• Detect;
• Prevent; and
• Mitigate Identity Theft
Do the Red Flag Rules Apply to Community Health Centers?
• In almost every case the answer is “Yes”.
• To determine if your CHC is required to comply, ask the following questions:
• 1. Is my CHC considered a “Creditor”? If yes, go to question 2.
• 2. Does my CHC maintain “Covered Accounts”? If the answer is also yes, then the Red Flag Rules apply.
Who is Considered a “Creditor” and What is Considered a “Covered Account”?
• The definition of a “creditor” can be found at 16 CFR Part 681.2; generally, any person who regularly extends, renews or continues credit will be considered a creditor.
• If a CHC is extending credit, for example via outstanding patient accounts, then it maintains covered accounts.
• The Red Flag Rules apply to all accounts, not just those in which credit has been extended.
Identification of Covered Accounts
• A Covered Account is an account that is offered or maintained by a creditor primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Accounts related to the provision of medical services would be considered accounts related to a personal, family or household purpose.
• The purpose of identifying covered accounts is to ensure all such accounts are subject to the Identity Theft Prevention and Detection Program.
How Do CHCs Comply?
• Similar to your “Corporate Compliance Program” or your “HIPAA Privacy and Security Program”, your CHC should have “buy in” from the Governing Board and Senior Management.
• The Governing Board should authorize the implementation of a program that:
• 1. Identifies relevant indicators (Red Flags) of Identity Theft
• 2. Detects Red Flags
• 3. Prevents and/or Mitigates Identity Theft
• 4. Is Periodically Updated
Components of an Identity Theft Prevention and Detection Program
• 1. Program Management and Oversight
• 2. Identification of Covered Accounts
• 3. Identification of Red Flags
• 4. Detection of Red Flags
• 5. Prevention and Mitigation of Identity Theft
• 6. Training
• 7. Updates
• 8. Oversight of Service Providers (Business Associates)
Program Management and Oversight
• Identify Program Manager or Committee
• Identify Covered Accounts
• Identify Red Flags relevant to the CHC
• Develop and Update Policies and Procedures
• Respond to Red Flags
• Training
• Service Provider Compliance
Identification of Red Flags
• The risk of identity theft exists both from persons accessing services and from employees/contractors of a health care provider.
• Covered entities should seek to prevent both external and internal identity theft.
Identification of Red Flags
• Suspicious Documents
• Documents that appear to have been forged
• Photograph or physical description on identification not consistent with the appearance of the patient
• Other inconsistent information
Identification of Red Flags
• Suspicious Personal Identifying Information
• Address does not match
• Social Security Number not valid
• Address is known to be a mail drop, prison or other undeliverable address
• Invalid/suspicious telephone number
• Same Social Security Number for multiple patients
• Same Group Health Insurance Information for multiple patients
• Patient fails/refuses to provide all required personal information
Identification of Red Flags
• Unusual/Suspicious Activity
• Patient mail repeatedly returned as undeliverable
• Notices from patients, victims of identity theft, law enforcement or others regarding possible identity theft
• Others
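The "suspicious personal identifying information" and "unusual activity" red flags on the two slides above are mechanical enough to screen for at intake or in a nightly batch. The following is an added example written for this page, not code from the presentation or from any CHC's program: it runs a batch of constructed patient intake records through those checks and reports which red flags each record trips. The field names, the required-field list, the undeliverable-address list and the returned-mail threshold are assumptions; the SSN check uses only the structural ranges the Social Security Administration never issues and does not confirm that a number belongs to the patient.

```python
import re
from collections import defaultdict

# Fields a CHC requires at intake (assumed for this example; a real program
# sets its own list). A patient who fails/refuses to provide them is a red flag.
REQUIRED_FIELDS = ("name", "dob", "ssn", "address", "phone")

# Addresses the CHC has learned are mail drops, prisons or otherwise
# undeliverable. Constructed for this example; stored upper-cased for matching.
KNOWN_UNDELIVERABLE = {"100 MAILBOX PLAZA STE 4"}

# Number of returned mailings at which "repeatedly returned" is flagged (assumed).
RETURNED_MAIL_THRESHOLD = 2

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_is_valid(ssn: str) -> bool:
    """Structural check only, using the ranges the SSA never issues: area 000,
    666 or 900-999, group 00, serial 0000. It says nothing about whether the
    number actually belongs to this patient; that needs identity verification."""
    m = SSN_RE.match(ssn or "")
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def phone_is_plausible(phone: str) -> bool:
    """Ten digits (optionally a leading 1) whose area code and exchange do not
    start with 0 or 1; anything else is treated as an invalid/suspicious number."""
    digits = re.sub(r"\D", "", phone or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return len(digits) == 10 and digits[0] not in "01" and digits[3] not in "01"


def screen_records(records):
    """Return {patient_id: sorted list of red-flag labels} for a batch of intake
    records. Labels reference other patient IDs, never the shared SSN or
    insurance identifier, so the screening output itself does not leak PII."""
    flags = defaultdict(set)
    by_ssn = defaultdict(list)       # SSN -> patient IDs using it
    by_member = defaultdict(list)    # insurance member ID -> patient IDs using it

    for r in records:
        pid = r["id"]
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            flags[pid].add("missing_required_info:" + ",".join(missing))
        if r.get("ssn"):
            if not ssn_is_valid(r["ssn"]):
                flags[pid].add("invalid_ssn")
            by_ssn[r["ssn"]].append(pid)
        if r.get("phone") and not phone_is_plausible(r["phone"]):
            flags[pid].add("suspicious_phone")
        if r.get("address", "").strip().upper() in KNOWN_UNDELIVERABLE:
            flags[pid].add("undeliverable_address")
        if r.get("returned_mail", 0) >= RETURNED_MAIL_THRESHOLD:
            flags[pid].add("repeated_returned_mail")
        if r.get("member_id"):
            by_member[r["member_id"]].append(pid)

    # Cross-record red flags: the same SSN or the same insurance identifier on
    # more than one patient. Dependents can legitimately share a subscriber's
    # plan, so the member-ID flag is a prompt to confirm coverage, not proof of theft.
    for index, label in ((by_ssn, "ssn_shared_with:"), (by_member, "member_id_shared_with:")):
        for pids in index.values():
            if len(pids) > 1:
                for pid in pids:
                    others = ",".join(p for p in sorted(pids) if p != pid)
                    flags[pid].add(label + others)

    return {pid: sorted(labels) for pid, labels in flags.items()}


# Constructed intake records (fictional people, 555-01xx phone numbers).
SAMPLE_RECORDS = [
    {"id": "P001", "name": "A. Alvarez", "dob": "1980-02-11", "ssn": "123-45-6789",
     "address": "12 Oak St", "phone": "850-555-0142", "member_id": "MBR-7781", "returned_mail": 0},
    {"id": "P002", "name": "B. Brooks", "dob": "1975-07-30", "ssn": "000-12-3456",  # area 000 is never issued
     "address": "44 Pine Ave", "phone": "850-555-0199", "member_id": "MBR-7782", "returned_mail": 0},
    {"id": "P003", "name": "C. Chen", "dob": "1990-12-01", "ssn": "123-45-6789",  # same SSN as P001
     "address": "100 Mailbox Plaza Ste 4", "phone": "123-456", "member_id": "MBR-7781", "returned_mail": 3},
    {"id": "P004", "name": "D. Diaz", "dob": "1966-05-19", "ssn": "",  # refused to provide an SSN
     "address": "9 Elm Ct", "phone": "850-555-0100", "member_id": "MBR-7784", "returned_mail": 0},
]

if __name__ == "__main__":
    for pid, labels in sorted(screen_records(SAMPLE_RECORDS).items()):
        print(pid, labels)
```

Each flag is a prompt for the steps on the detection slides (verify identity, confirm coverage with the plan or Medicaid/Medicare), not a determination of theft; the output deliberately names the other patient IDs rather than the shared SSN so that the screening report can be circulated to the program manager without itself becoming a source of exposed identifiers.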
Detection of Identity Theft
• New Patient Accounts
• Verify New Patient Identity
• Require certain demographic information
• Confirm demographic information
• Group Health Plan/Medicaid/Medicare confirmation
Detection of Identity Theft
• Existing Patient Accounts
• Verify Identity
• Group Health Plan/Medicaid/Medicare confirmation
Detection of Identity Theft
• Another method that some organizations are using to detect identity theft is taking digital scans of patient IDs and/or collecting biometric patient information. This should be done with caution: while it may be very helpful in preventing external identity theft, it creates new internal identity theft concerns, because the scans and biometric data themselves become sensitive records that must be protected from misuse by employees and contractors.
Detection of Identity Theft – Internally
• HIPAA Security Policies and Procedures
• Regularly monitoring employee/contractor activity
• Unsecured/unencrypted patient information on portable devices (laptops, thumb drives, etc.)
Prevention/Mitigation of Identity Theft
• Appropriate Responses
• Monitoring of patient account
• Contacting the patient
• Change internal information systems (security breach)
• Close patient account
• Reopen new patient account
• Appropriate modification of “false” records
• Notify law enforcement
Training
• Employee Training
• All employees that access or have access to patient accounts
• Program Manager should organize training and ensure that it is applicable to the CHC
• Provide employees access to policies and procedures
Periodic Updates
Service Provider Compliance
• CHCs should ensure that their service providers (vendors) take reasonable steps to prevent or detect identity theft.
• Existing Business Associate Agreements may address many of these issues.