FTC RED FLAG RULE WHAT YOU SHOULD KNOW
Presenter:
Scott George
B.S., BC-HIS
CEO
Mid America Hearing Center.com
What is the purpose of the FTC Red Flags Rule?
Define a “creditor” under Red Flags Rule
Determine if you are likely exempt
Identify three potential Red Flags
Can you refuse service to someone who does not
present a valid Photo ID?
LEARNING OBJECTIVES
KEY ISSUE
FTC Red Flag Rule enforced eff. Jan ’11
Wait – Audiologists and Hearing Instrument Specialists
are exempt. Right?
Not so Fast. It depends.
WHAT WE ARE ABOUT
Discuss FTC Red Flag Rule
Who is exempted by Dec 2010 bill?
Implementing an FTC Red Flag Program
FTC “Red Flag” is any event, document, information,
or attempted transaction that signals a person is not
who they claim to be.
These are NOT the FDA Red Flags.
WHAT I AM NOT
I am not an attorney nor am I giving you legal
advice. Consult your legal advisor to be sure.
Not acting as a licensing board, state or national
representative.
Just a poor, dumb, country boy from SW MO.
FTC “RED FLAGS” RULE ORIGINAL EFFECTIVE MAY 1, 2009
Original impetus was financial institutions.
Legislation included the word “creditors”
Fair and Accurate Credit Transaction Act of 2003
(FACTA) defines “creditor” broadly
Examples of creditors include:
Send a bill to a patient for services rendered;
Agree with patient on installment payment plan;
Arrange credit via a credit card or a medical
financing company such as CareCredit®;
Accept assignment of insurance.
Nearly every business/profession was a creditor
RULE
28 Associations formed coalition
Included ASHA, ABA, AMA, ADA,
Lobbied Congress – delaying start 5 times
Dec 2010 - S.3987 redefined “creditor”
Enforcement began January 1, 2010
Some Associations told members they are exempt
by profession
RESPONSE TO OVERREACH
S.3987 does not exempt any professions
Exempts individuals or entities that advance “funds
on behalf of a person for expenses incidental to a
service provided by the creditor to that person”
Redefines “creditor” to carve-out those who arrange
payment through insurance
The exemption is based on type of billing, not
provider.
NOT SO FAST
“a creditor, as defined in section 702 of the Equal
Credit Opportunity Act (15 U.S.C. 1691a), that
regularly and in the ordinary course of business
(i) obtains or uses consumer reports, directly or indirectly,
in connection with a credit transaction;
(ii) furnishes information to consumer reporting agencies,
…, in connection with a credit transaction;
Or, (iii) advances funds to or on behalf of a person,
based on an obligation of the person to repay the funds
or repayable from specific property pledged by or on
behalf of the person;”
YOU MAY BE COVERED
Check with your Attorney before declaring yourself
Exempt.
Write letter to a permanent file stating your
reasoning.
Direct your staff to report any discrepancy in an
individual’s identification to your HIPAA Privacy
officer.
THINK YOU ARE EXEMPT?
Review the Rule at www.ftc.gov/redflagsrule
Set Up a Red Flag Program
Train Staff and Log Training
Corporate Resolution to Adopt Program
THE PROGRAM
The purpose of the Program is to assist in detecting,
preventing, and mitigating instances of possible
identity theft in connection with patients in our practice.
It does so by:
(a) requiring verification of the identity of all patients,
(b) establishing certain “Red Flags” that could
indicate possible identity theft, and
(c) requiring follow up on any incident that triggers a
Red Flag.
POLICY
The Program is to be observed by all employees of this
practice, including the professional, administrative, and
clerical staff.
All patients, either new or established, will be required
to present a government issued photo ID at the time of
check in. A photocopy should be taken and placed in
the patient’s folder.
Once a copy has been taken, subsequent visits only
necessitate verifying identity.
POLICY CONT…
Alerts, notifications, and warnings from a credit
reporting company.
TYPES OF RED FLAGS:
Suspicious documents
Suspicious documents that appear to have been
altered or that contain information that does not
match the person presenting them.
Examples include photo ID and insurance cards.
TYPES OF RED FLAGS:
Suspicious personal information
An individual falsely claiming to be someone already
known to the office staff.
An unrecognized individual with no personal
identification or who refuses to provide information
about their identity or provide contact information.
TYPES OF RED FLAGS:
Suspicious account activity
Repeated undeliverable mail or returned checks
while the patient continues to return for services.
Suspicious attempts to use credit card or insurance
information as payment for services.
Disputes about bills by a patient claiming to be a
victim of identity theft.
TYPES OF RED FLAGS:
Notice from other sources
The victim of identity theft, a law enforcement
authority, or someone else.
Examples include any form of notice stating that a
patient’s information or identity has been stolen.
TYPES OF RED FLAGS:
WHAT IF YOU FIND A RED FLAG?
Once a Red Flag has been raised, the company has
several options to resolve the issue:
Contact the patient to verify the information received is correct.
Verify the patient’s identity.
Photocopy of patient’s government issued photo ID.
Photo of patient at initial treatment and stored in Dental Vision.
Contact the local authorities to report activity.
When mail is returned, the patient should be called to verify that
we have the proper address.
Keeping a log describing and documenting responses and
activity. This log is to be reviewed annually to determine if
problems are being properly addressed.
DETECTING AND ADDRESSING THE RED FLAGS:
Any employee of this practice, who encounters a Red Flag
situation, or any other activity that may indicate identity theft,
should make every reasonable effort to resolve the Red Flag issue
with the patient. Simply state the company’s policy that we follow
the FTC’s guidelines.
If the issue cannot be resolved, or if the patient refuses to comply with these policies, an incident report should be written and
placed in the patient file. A copy should be sent to the
Designated Security Officer. This person will follow up as
appropriate, refer the incident to proper authorities, and maintain
the Red Flags Log.
RESPONDING TO RED FLAGS
Patient notification
The practice may notify the patient if a Red Flag is
encountered that involves that patient’s identity. Notification may
be provided by mail, by telephone, or in-person – as the practice
deems appropriate. The notification may include verification that
the patient has not been victimized by identity theft in connection
with any visits to the practice.
In some instances, additional specific action will be required:
If notice of an actual identity theft is received, we will immediately
cease any collection efforts that are related to the identity theft.
If a consumer credit report contains an address different from the
address provided by the patient, the correct address will be verified with the patient. If the verified address is different from the
address in the credit report, we may report the verified address to
the credit reporting agency.
POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:
Notification of Legal Authorities
If the practice obtains specific information pertaining
to possible identity theft, we may provide that
information to law enforcement personnel.
POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:
Refusing Service
In the case of reasonable suspicion, or if the patient is unable to
properly identify themselves, service can be refused to the patient.
POSSIBLE RESPONSES TO A RED FLAG SITUATION INCLUDE THE FOLLOWING:
Give every employee a copy of Policy
Train them on the procedures
Each employee signs an acknowledgement of receipt
and understanding.
Evaluate & update Program annually
Questions to Designated Security Officer
PLAN ADMINISTRATION AND UPDATES
Whereas, ___________________________ is aware of the traumatic and
undesirable impact that identity theft could have on its patients and employees and
Whereas, the Corporation wishes to avoid the unauthorized dissemination of any
nonpublic, personal identifiable, information of its patients or employees;
Now, therefore, be it resolved that we the Board of Directors of the
___________________________ do hereby adopt the ___________________________,
Identity Theft Prevention Program and declare that it be effective on this date.
Be it further resolved that the Corporation will designate a senior level employee
to administer the program, evaluate it and make changes as needed on no less than an
annual basis and report such changes and evaluation to the board.
The undersigned hereby certifies that he/she is the duly elected and qualified Secretary
and the custodian of the books and records and seal of ___________________________,
a corporation duly formed pursuant to the laws of the state of Missouri and that the
foregoing is a true record of a resolution adopted at a meeting of the
___________________________ and that said meeting was held in accordance with
state law and the Bylaws of the above named Corporation on _______________, 20____
and that said resolution is now in full force and effect.
In witness whereof, I have executed my name as Secretary and have hereunto affixed the
corporate seal of the above named Corporation this _____ day of __________ of 20____.
_______________________________________
Secretary seal
SAMPLE CORPORATE RESOLUTION TO ADOPT IDENTITY THEFT PROTECTION PLAN
SAMPLE LOGS
EMPLOYEE NAME SIGNATURE POSITION
Alissa Parady, IHS Gov. Affairs Manager
Major help in researching this issue
go to www.ihsinfo.org for IHS Advisory Stmt.
Or, www.ftc.gov/redflagsrule
FACTA: http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&docid=f:publ159.108
RED FLAG RULE – MORE INFO
POP QUIZ
What is the purpose of the FTC Red Flags Rule?
Define a “creditor” under Red Flags Rule
Determine if you are likely exempt
Identify three potential Red Flags
Can you refuse service to someone who does
not present a valid Photo ID?
QUESTIONS
THANK YOU FOR ATTENDING!
Contact Scott George at
Visit MidAmericaHearingCenter.com
These presentation slides will be
available at ihsinfo.org
To be eligible for CE credit
Be sure to get your CE page from your directory
hole-punched as you exit!