FTC RED FLAG RULE WHAT YOU SHOULD KNOW

Presenter:

Scott George

B.S., BC-HIS

CEO

Mid America Hearing Center.com

photo

What is the purpose of the FTC Red Flags Rule?

Define a “creditor” under Red Flags Rule

Determine if you are likely exempt

Identify three potential Red Flags

Can you refuse service to someone who does not

present a valid Photo ID?

LEARNING OBJECTIVES

KEY ISSUE

FTC Red Flag Rule enforced eff. Jan ’11

Wait – Audiologists and Hearing Instrument Specialists

are exempt. Right?

Not so Fast. It depends.

WHAT WE ARE ABOUT

Discuss FTC Red Flag Rule

Who is exempted by Dec 2010 bill?

Implementing an FTC Red Flag Program

FTC “Red Flag” is any event, document, information,

or attempted transaction that signals a person is not

who they claim to be.

These are NOT the FDA Red Flags.

WHAT I AM NOT

I am not an attorney nor am I giving you legal

advice. Consult your legal advisor to be sure.

Not acting as a licensing board, state or national

representative.

Just a poor, dumb, country boy from SW MO.

FTC “RED FLAGS” RULE ORIGINAL EFFECTIVE MAY 1, 2009

Original impetus was financial institutions.

Legislation included the word “creditors”

Fair and Accurate Credit Transaction Act of 2003

(FACTA) defines “creditor” broadly

Examples of creditors include:

Send a bill to a patient for services rendered;

Agree with patient on installment payment plan;

Arrange credit via a credit card or a medical

financing company such as CareCredit®;

Accept assignment of insurance.

Nearly every business/profession was a creditor

RULE

28 Associations formed coalition

Included ASHA, ABA, AMA, ADA,

Lobbied Congress – delaying start 5 times

Dec 2010 - S.3987 redefined “creditor”

Enforcement began January1, 2010

Some Associations told members they are exempt

by profession

RESPONSE TO OVERREACH

S.3987 does not exempt any professions

Exempts individuals or entities that advance “funds

on behalf of a person for expenses incidental to a

service provided by the creditor to that person”

Redefines “creditor” to carve-out those who arrange

payment through insurance

The exemption is based on type of billing, not

provider.

NOT SO FAST

‘‘a creditor, as defined in section 702 of the Equal

Credit Opportunity Act (15 U.S.C. 1691a), that

regularly and in the ordinary course of business

(i) obtains or uses consumer reports, directly or indirectly,

in connection with a credit transaction;

(ii) furnishes information to consumer reporting agencies,

…, in connection with a credit transaction;

Or, (iii) advances funds to or on behalf of a person,

based on an obligation of the person to repay the funds

or repayable from specific property pledged by or on

behalf of the person;”

YOU MAY BE COVERED

Check with your Attorney before declaring yourself

Exempt.

Write letter to a permanent file stating your

reasoning.

Direct your staff to report any discrepancy in an

individual’s identification to your HIPAA Privacy

officer.

THINK YOU ARE EXEMPT?

Review the Rule at www.ftc.gov/redflagsrule

Set Up a Red Flag Program

Train Staff and Log Training

Corporate Resolution to Adopt Program

THE PROGRAM

The purpose of the Program is to assist in detecting,

preventing, and mitigating instances of possible

identity theft in connection with patients in our practice.

It does so by:

(a) requires verification of the identity of all patients,

(b) establishes certain “Red Flags” that could

indicate possible identity theft, and

(c) requires follow up on any incident that triggers a

Red Flag.

POLICY

The Program is to be observed by all employees of this

practice, including the professional, administrative, and

clerical staff.

All patients, either new or established, will be required

to present a government issued photo ID at the time of

check in. A photocopy should be taken and placed in

the patient’s folder.

Once a copy has been taken, subsequent visits only

necessitate verifying identity.

POLICY CONT…

Alerts, notifications, and warnings from a credit

reporting company.

TYPES OF RED FLAGS:

Suspicious documents

Suspicious documents that appear to have been

altered or that contain information that does not

match the person presenting them.

Examples include photo ID and insurance cards.

TYPES OF RED FLAGS:

Suspicious personal information

An individual falsely claiming to be someone already

known to the office staff.

An unrecognized individual with no personal

identification or who refuses to provide information

about their identity or provide contact information.

TYPES OF RED FLAGS:

Suspicious account activity

Repeated undeliverable mail or returned checks

while the patient continues to return for services.

Suspicious attempts to use credit card or insurance

information as payment for services.

Disputes about bills by a patient claiming to be a

victim of identity theft.

TYPES OF RED FLAGS:

Notice from other sources

The victim of identify theft, a law enforcement

authority, or someone else.

Examples include any form of notice stating that a

patient’s information or identity has been stolen.

TYPES OF RED FLAGS:

WHAT IF YOU FIND A RED FLAG?

Once a Red Flag has been raised, the company has

several options to resolve the issue:

Contact the patient to verify the information received is correct.

Verify the patient’s identity.

Photocopy of patient’s government issued photo ID.

Photo of patient at initial treatment and stored in Dental Vision.

Contact the local authorities to report activity.

When mail is returned, the patient should be called to verify that

we have the proper address.

Keeping a log describing and documenting responses and

activity. This log is to be reviewed annually to determine if

problems are being properly addressed.

DETECTING AND ADDRESSING THE RED FLAGS:

Any employee of this practice, who encounters a Red Flag

situation, or any other activity that may indicate identity theft,

should make every reasonable effort to resolve the Red Flag issue

with the patient. Simply state the company’s policy that we follow

the FTC’s guidelines.

If the issue cannot be resolved, or if the patient refuses to comply with these policies, an incident report should be written and

placed in the patient file. A copy should be sent to the

Designated Security Officer. This person will follow up as

appropriate, refer the incident to proper authorities, and maintain

the Red Flags Log.

RESPONDING TO RED FLAGS

Patient notification

The practice may notify the patient if a Red Flag is

encountered that involves that patient’s identity. Notification may

be provided by mail, by telephone, or in-person – as the practice

deems appropriate. The notification may include verification that

the patient has not been victimized by identity theft in connection

with any visits to the practice.

In some instances, additional specific action will be required:

If notice of an actual identity theft is received, we will immediately

cease any collection efforts that are related to the identity theft.

If a consumer credit report contains an address different from the

address provided by the patient, the correct address will be verified with the patient. If the verified address is different from the

address in the credit report, we may report the verified address to

the credit reporting agency.

POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:

Notification of Legal Authorities

If the practice obtains specific information pertaining

to possible identity theft, we may provide that

information to law enforcement personnel.

POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:

Refusing Service

In the case of reasonable suspicion, or unable to

properly identify themselves.

Service can be refused to the patient

POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:

Give every employee a copy of Policy

Train them on the procedures

Each employee signs an acknowledgement receipt

and understanding.

Evaluate & update Program annually

Questions to Designated Security Officer

PLAN ADMINISTRATION AND UPDATES

Whereas, ___________________________ is aware of the traumatic and

undesirable impact that identity theft could have on its patients and employees and

Whereas, the Corporation wishes to avoid the unauthorized dissemination of any

nonpublic, personal identifiable, information of its patients or employees;

Now, therefore, be it resolved that we the Board of Directors of the

___________________________ do hereby adopt the ___________________________,

Identity Theft Prevention Program and declare that it be effective on this date.

Be it further resolved that the Corporation will designate a senior level employee

to administer the program, evaluate it and make changes as needed on no less than an

annual basis and report such changes and evaluation to the board.

The undersigned hereby certifies that he/she is the duly elected and qualified Secretary

and the custodian of the books and records and seal of ___________________________,

a corporation duly formed pursuant to the laws of the state of Missouri and that the

foregoing is a true record of a resolution adopted at a meeting of the

___________________________ and that said meeting was held in accordance with

state law and the Bylaws of the above named Corporation on _______________, 20____

and that said resolution is now in full force and effect.

In witness whereof, I have executed my name as Secretary and have hereunto affixed the

corporate seal of the above named Corporation this _____ day of __________ of 20____.

_______________________________________

Secretary seal

SAMPLE CORPORATE RESOLUTION TO ADOPT IDENTITY THEFT PROTECTION PLAN

SAMPLE LOGS

EMPLOYEE NAME SIGNATURE POSITION

Alissa Parady, IHS Gov. Affairs Manager

Major help in researching this issue

go to www.ihsinfo.org for IHS Advisory Stmt.

Or, www.ftc.gov/redflagsrule

FACTA http://frwebgate.access.gpo.gov/cgi-

bin/getdoc.cgi?dbname=108_cong_public_laws&do

cid=f:publ159.108

RED FLAG RULE – MORE INFO

POP QUIZ

What is the purpose of the FTC Red Flags Rule?

Define a “creditor” under Red Flags Rule

Determine if you are likely exempt

Identify three potential Red Flags

Can you refuse service to someone who does

not present a valid Photo ID?

QUESTIONS

THANK YOU FOR ATTENDING!

Contact Scott George at

sgeorge@sofnet.com

Visit MidAmericaHearingCenter.com

These presentations slides will be

available at ihsinfo.org

To be eligible for CE credit

Be sure to get your CE page from your directory

hole-punched as you exit!