Raising a “Red Flag”: Understanding the Fair and Accurate Credit Transactions Act, the “Red Flag” Regulations, and Their Impact on Physicians
February 11, 2009
Presented by: Patricia A. Markus
Smith Moore Leatherwood LLP, Post Office Box 27525, T: (919) 755-8850, F: (919) 755-8800
© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED.
Introduction
• In 2008, 656 reported data breaches (47% increase over 2007)
– 37% of breaches in business
– 20% in education
– 17% in government/military
– 15% in health care
– 12% in financial/credit
• Insider theft accounts for almost 16% of breaches; data on the move and accidental exposure account for 35%
• Electronic breaches account for 82% of data breaches
Introduction
• What are the “Red Flag Rules,” and What is a Red Flag?
• What do the Rules Require, and Who Must Comply?
• The Two-Part Test
• Consequences of Failure to Comply
• Creation of an Identity Theft Detection Program
• Health Care Specific Examples
• Intersection with NC Identity Theft Protection Act
• Questions
What Are the “Red Flag Rules”?
• Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft
• Six agencies published the final regulations under FACTA effective January 1, 2008
• The good news: the deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009
What Is a “Red Flag”?
• Any pattern, practice, or specific activity that indicates the possibility of identity theft
What Do the Red Flag Rules Require?
• Covered Entities must create written programs to detect, prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts
• Consumer reporting agencies must follow certain rules related to address discrepancies**
• Debit and credit card issuers must put procedures into place to assess the validity of address changes**
• **NOTE: the deadline for enforcement of these rules remains November 1, 2008
Who is Required to Comply?
• A financial entity, i.e., a State or national bank, a State or Federal savings and loan association, OR
• A “creditor” who maintains “covered accounts”
– The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”
Question 1: Are You a Creditor?
• What is a creditor?
• Specifically, a “creditor” is:
– “any person who regularly extends, renews, or continues credit;
– any person who regularly arranges for the extension, renewal, or continuation of credit; or
– any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
• A creditor is any entity that allows its customers to pay their fees or balances on a delayed-payment basis
Are Health Care Providers Creditors?
• Yes, they can be.
• Health care providers may be creditors if they “regularly** extend, renew or continue credit”
• “Credit” simply means any deferral of payment
• **NOTE: the FTC takes the position that “regular” probably includes “a few times a year”
Special Problem for Health Care Providers: Medical Identity Theft
• Medical identity theft occurs when
– someone uses a person’s name and sometimes other parts of their identity, including insurance info or SSN
– without the victim’s knowledge or consent
– to obtain medical goods or services
– or to obtain money by falsifying claims for medical services and falsifying medical records to support claims
• FTC: MIT accounts for 3% of identity theft crimes
Medical Identity Theft
• Victims’ info is stolen so that the thief can fraudulently obtain benefits for which he otherwise would not qualify
• Physicians’ identities are stolen to fraudulently bill insurers for services not provided
• Health care “insiders,” the fastest growing group involved in MIT, sell info to criminals for $5 to $50/name
• Many providers are now asking patients to provide photo ID to authenticate that patients are who they say they are
Question 2: Do You Maintain Covered Accounts?
• What is a “covered account”?
• Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions”
• And “any other account…for which there is a reasonably foreseeable risk to customers…from identity theft.”
• THUS, any account that permits multiple payments (or an entity’s practice of permitting such payments)
Examples of Covered Accounts for Health Care Providers
• Patient Account
– Serves a “personal, family, or household” purpose, and the information contained therein poses a foreseeable identity theft risk
• BUT ALSO
• Credit to Physicians or Other Employees
– Income guarantees
– Recruitment loans
– Educational loans
Does the Address Discrepancy Rule Apply to Your Entity?
• Do you use consumer reports to make employment decisions in performing background checks?
• Do you use consumer reports to make credit decisions about your patients or customers?
• If so, your entity must comply with the rules applied to users of consumer reports who receive notice of an “address discrepancy” from a consumer reporting agency
What Happens if You Fail to Comply?
• The Federal Trade Commission oversees creditors who are not financial institutions, such as health care providers.
• Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction
• Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation.
What About Private Lawsuits?
• Like HIPAA, the Red Flag Rules do not provide for a private right of action, but the Rules may provide the basis for state law claims
• Ultimately—also like HIPAA—the Red Flag Rules could set a national standard of care for handling confidential financial information
• In addition to liability under state identity theft acts, state law claims under tort or contract theories (negligence, breach of warranty) are possible
Four Essentials for a Red Flag Program
• Identify Red Flags
• Detect Red Flags
• Respond appropriately to Red Flags detected
• Update program to reflect changes in risks from identity theft to customers
Identify Red Flags
• Medical practices should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:
– Alerts, notifications or warnings from a consumer reporting agency
– Suspicious documents
– Suspicious personal identifying information
– Unusual use of, or suspicious activity related to, the covered account
– Notice from a customer, theft victim, law enforcement or other business
Detect Red Flags
• Implement procedures to detect the identified red flags:
– Obtain information and verify identity of person opening a covered account
– Authenticate customers (patients), monitor transactions
– Verify change of address requests for existing covered accounts
– Look at all areas where patients’ info is provided/accessed: intake, check-out, medical records, billing/collections
Respond to Detected Red Flags
• Develop appropriate policies to respond to detected Red Flags:
– Monitor a covered account for evidence of identity theft
– Contact a customer (patient)
– Change any passwords or security codes that permit access to covered accounts
– Remove or modify incorrect medical records
– Reopen covered account with a new account number
– Do not attempt to collect on a covered account
– Notify law enforcement
Update the Program
• Periodic updating is required to reflect changes to the identity theft risks to patients
• Document a procedure for adopting additional prevention or detection methods
• In updating the program, practices should consider:
– Tracking identity theft trend data
– Identifying who will be responsible for tracking the data
– Developing a procedure to adopt new policies to adapt to new risk calculations
Action Items
• Establish and approve a program
• Provide ongoing oversight and training
• Follow reporting requirements
Step One: Establish and Approve a Program
Establishment and Approval
• Program must
– be written
– be appropriate to the size and complexity of the organization
– be appropriate to the nature and scope of the organization’s activities
– consider and include in the program the “Guidelines” to the Rules
• If a practice excludes a Red Flag from its program, a written rationale for the exclusion must be provided
• Once established, the program must be approved by the Board of Directors or an appropriate subcommittee
Step Two: Provide Ongoing Oversight and Training
Oversight and Training
• Oversight and implementation of the program must involve senior staff or designees
• Assign specific responsibilities
• Train staff
• Educate patients about risks and prevention
• Review compliance reports
• Policies to respond to the following, among others:
– Patient claims fraud has occurred or services not received
– Provider has altered patient records
– Police reports and victim requests for investigation
Ongoing Oversight
• Approve material changes to the program as necessary to address changing risks
• There must be oversight of service provider arrangements (e.g., a third-party billing service) to guarantee that the service provider is acting in accordance with the approved program
Step Three: Follow Reporting Requirements
Program Reporting Requirements
• The oversight staff must report to the designated oversight authority at least annually
• The staff report should include
– Effectiveness of the program
– Significant incidents involving identity theft and the response to them
– Recommendations for material changes to the program
HIPAA and the Red Flags Rule
• For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flags Rule
• However—unlike HIPAA—the Red Flags Rule’s requirement to mitigate may require notification of patients
• It will be important for physician practices to review their existing HIPAA compliance efforts
– Some policies will need to be updated based on the circumstances and situations that are unique to health care providers
Examples of Red Flags in Health Care: How Patients Find Out
• Patient receives EOB for services not received
• Patient receives bill from facility which patient never visited
• Patient receives bill for another person
• Physician mentions inaccurate treatment history during patient’s office visit
• Accounting of disclosures
• Insurance company denies treatment for condition patient doesn’t have
Examples of Red Flags in Health Care: How Providers Find Out
• Patient’s records show treatment inconsistent with patient’s medical history or physical exam (age, blood type)
• Patient complains about receiving collection notice for services not received
• Patient provides insurance number but cannot produce insurance card
• Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account
• ID appears to have been altered or forged
• Picture or signature on file does not match that of person presenting for treatment
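Several of the provider-side indicators above, and the "monitor transactions" step of the Detect Red Flags slide, can be checked automatically by a billing system. The following is an added example, not code from the presentation or from Smith Moore Leatherwood; the Account layout, the returned-mail threshold and the sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed, simplified account record holding only the fields the three checks need.
@dataclass
class Account:
    account_id: str
    blood_type_on_file: Optional[str]
    insurance_number: Optional[str]
    has_insurance_card: bool
    returned_mail_dates: List[date] = field(default_factory=list)
    transaction_dates: List[date] = field(default_factory=list)
    encounter_blood_types: List[str] = field(default_factory=list)

def red_flags(acct: Account, returned_mail_threshold: int = 2) -> List[str]:
    """Return the Red Flags raised by one account (empty list if none)."""
    flags: List[str] = []
    # Mail returned repeatedly, yet transactions keep occurring on the account.
    if len(acct.returned_mail_dates) >= returned_mail_threshold:
        first_return = min(acct.returned_mail_dates)
        if any(t > first_return for t in acct.transaction_dates):
            flags.append("returned-mail-with-activity")
    # Insurance number supplied but no insurance card produced at intake.
    if acct.insurance_number and not acct.has_insurance_card:
        flags.append("insurance-number-without-card")
    # Encounter data inconsistent with the history on file (blood type).
    if acct.blood_type_on_file and any(
        bt != acct.blood_type_on_file for bt in acct.encounter_blood_types
    ):
        flags.append("blood-type-mismatch")
    return flags

def review(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each flagged account id to its Red Flags, for staff follow-up."""
    result = {a.account_id: red_flags(a) for a in accounts}
    return {k: v for k, v in result.items() if v}

# Constructed sample records (not real patient data).
SAMPLE_ACCOUNTS = [
    Account("A-100", "O+", "INS-1", True, [], [date(2009, 1, 3)], ["O+"]),
    Account("A-200", "A-", "INS-2", True,
            [date(2009, 1, 5), date(2009, 1, 20)],
            [date(2009, 1, 10), date(2009, 2, 1)], ["A-"]),
    Account("A-300", "B+", "INS-3", False, [], [date(2009, 1, 15)], ["AB+"]),
]

if __name__ == "__main__":
    for acct_id, flags in review(SAMPLE_ACCOUNTS).items():
        print(acct_id, flags)
```

Flags raised this way are a prompt for the response policies on the next slides (contact the patient, hold collections), not a conclusion that identity theft occurred.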
The Good News
• Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA
• The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft
• Providers now have three more months to augment their compliance program to safeguard patient financial information
What About N.C. Identity Theft Law?
• Applies to all entities doing business in NC
• Like the Red Flag Rules, requires a policy and training
• Encrypted and redacted data provide safe harbors
• ITPA regulates the collection and destruction of personal identifying information, especially social security numbers
• Must notify individuals of possible security breaches “without unreasonable delay”
NC Identity Theft Law Cont’d
• If more than 1,000 persons are affected by the breach, the business must notify the Attorney General’s office and consumer reporting agencies
• Violation of the Act may result in private lawsuits, damages of up to $5,000, and treble damages.
Common Misconceptions
• Under the NC law, you may copy a driver’s license for identification purposes
• Under NC law, you may maintain SSNs on file for accounting purposes
• But these items should be closely guarded as part of the practice’s privacy, security, and Red Flag efforts!
Additional Resources
• www.worldprivacyforum.org
• http://www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf
• http://www.ncga.state.nc.us/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf
QUESTIONS??
For more information, please contact:
Patricia A. Markus [email protected]
919.755.8850
Smith Moore Leatherwood LLP