Understanding the Fair and Accurate Credit Transaction Act, the “Red Flag” Regulations, and their impact on Health Care Providers
Raising a “Red Flag”
Introduction
• What are the Red Flag Rules, and what is a Red Flag?
• What do the Rules require, and who must comply?
• Consequences of failure to comply
• Creation of an Identity Theft Detection Program
• Health care specific examples
RATC Red Flag Information, 04/19/23
What are the “Red Flag Rules”?
• The Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft
• Agencies published the final regulations under FACTA effective January 1, 2008
• The good news: the deadline for mandatory compliance with the Red Flag Rules was delayed for six months, from November 1, 2008 to May 1, 2009
What is a “Red Flag”?
A pattern, practice, or specific activity that indicates the possibility of identity theft
What Do the Red Flag Rules Require?
RATC must create a written program to detect, prevent, respond to, and mitigate identity theft in connection with new or existing policies
Train staff on the new guidelines and conduct audits
Who is Required to Comply?
• A financial entity, i.e., a State or national bank, a State or Federal savings and loan association
• Or a “creditor” who maintains “covered accounts.” The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”
Are Health Care Providers Creditors?
Yes, they can be. Health care providers may be creditors if they “regularly” extend, renew or continue credit
Credit simply means any deferral of payment
Note: the Federal Trade Commission (“FTC”) takes the position that “regular” probably includes “a few times a year”
Do you Maintain Covered Accounts?
What is a “covered account”?
Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments and transactions”
And “any other account…for which there is a reasonably foreseeable risk to patients…for identity theft.”
Do you Maintain Covered Accounts?
Thus, any account that permits multiple payments (or an entity’s practice of permitting such payments)
Special Problem for Health Care Providers: Medical Identity Theft
Medical identity theft occurs when someone uses a person’s name, and sometimes other parts of their identity, including insurance information or SS#, without the victim’s knowledge or consent, to obtain medical goods or services, or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims
What Happens if You Fail to Comply?
The Federal Trade Commission (“FTC”) oversees creditors who are not financial institutions—such as health care providers
Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction
Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation
Four Essentials for a Red Flags Program
• Identify Red Flags
• Detect Red Flags
• Respond appropriately to Red Flags detected
• Update the program to reflect changes in risk from identity theft to patients
Identify Red Flags
Health care providers should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:
• Alerts, notifications or warnings from any other providers (hospital, collection agency, referring physicians, etc.)
• Suspicious documents
• Suspicious personal identifying information
Identify Red Flags
• Unusual use of, or suspicious activity related to, the covered account
• Notice from a patient, theft victim, law enforcement or other business
Detect Red Flags
Implement procedures to detect the identified red flags:
• Obtain information and verify the identity of persons wanting to inquire about an account
• Verify change of address requests for existing covered accounts
Respond to Detected Red Flags
Develop appropriate policies to respond to detected Red Flags:
• Monitor patients’ accounts for evidence of identity theft (MMP) (duplicate SS#, same address with a different patient name)
• Contact the patient
• Change any passwords or security codes that permit access to patient accounts
• Remove or modify incorrect medical records
Respond to Detected Red Flags
• If a patient already has an existing account and their information was stolen, set up a new account
• Do not attempt to collect on the affected patient account
• Notify law enforcement
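As an added example (not part of the RATC slides), the monitoring step on the Respond slides can be run as a simple pass over account records: it flags one SS# attached to different patient names, one address shared by different patient names, and the returned-mail-with-continuing-transactions pattern listed later among the deck’s examples. The records, names, SS#s and addresses below are constructed placeholders; the field names are assumptions, not a real billing schema.

```python
from collections import defaultdict

# Constructed sample account records (fake SS#s and addresses).
ACCOUNTS = [
    {"acct": "A1", "name": "Jane Doe", "ssn": "000-00-0001",
     "address": "1 Elm St", "returned_mail": 0, "recent_txns": 2},
    {"acct": "A2", "name": "John Roe", "ssn": "000-00-0001",   # same SS# as A1
     "address": "9 Oak Ave", "returned_mail": 0, "recent_txns": 1},
    {"acct": "A3", "name": "Jane Doe", "ssn": "000-00-0002",
     "address": "1 Elm St", "returned_mail": 0, "recent_txns": 0},
    {"acct": "A4", "name": "Pat Smith", "ssn": "000-00-0003",  # shares A1's address
     "address": "1 Elm St", "returned_mail": 0, "recent_txns": 0},
    {"acct": "A5", "name": "Sam Lee", "ssn": "000-00-0004",    # returned mail, still active
     "address": "4 Pine Rd", "returned_mail": 3, "recent_txns": 2},
    {"acct": "A6", "name": "Lee Wong", "ssn": "000-00-0005",   # clean account
     "address": "7 Birch Ln", "returned_mail": 1, "recent_txns": 3},
]

DUP_SSN = "duplicate SS# across different patient names"
SHARED_ADDR = "same address, different patient name"
RETURNED_MAIL = "mail returned repeatedly while transactions continue"


def flag_red_flags(accounts, returned_mail_threshold=2):
    """Return {acct: [reasons]} for every account matching a monitored pattern.

    Each hit is a signal for staff review (a household can legitimately share
    an address), not a determination that identity theft occurred.
    """
    names_by_ssn = defaultdict(set)
    names_by_addr = defaultdict(set)
    for a in accounts:
        names_by_ssn[a["ssn"]].add(a["name"])
        names_by_addr[a["address"]].add(a["name"])

    flags = defaultdict(list)
    for a in accounts:
        if len(names_by_ssn[a["ssn"]]) > 1:
            flags[a["acct"]].append(DUP_SSN)
        if len(names_by_addr[a["address"]]) > 1:
            flags[a["acct"]].append(SHARED_ADDR)
        if a["returned_mail"] >= returned_mail_threshold and a["recent_txns"] > 0:
            flags[a["acct"]].append(RETURNED_MAIL)
    return dict(flags)


if __name__ == "__main__":
    for acct, reasons in sorted(flag_red_flags(ACCOUNTS).items()):
        print(acct, "->", "; ".join(reasons))
```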
HIPAA and the Red Flags Rule
For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flag Rules
However, unlike HIPAA, the Red Flags Rule’s requirement to mitigate may require notification of patients
HIPAA and the Red Flags Rule
It will be important for health care providers to review their existing HIPAA compliance effort. Some policies will need to be updated based on the circumstances and situations that are unique to health care providers
Examples of Red Flags in Health Care: How Patients Find Out
• Patient receives an EOB for services not received
• Patient receives a bill from a facility the patient never visited
• Patient receives a bill for another person
• Physician mentions an inaccurate treatment history during the patient’s office visit (referring physician)
Examples of Red Flags in Health Care: How Patients Find Out
• Accounting for disclosures
• Insurance company denies treatment for a condition the patient doesn’t have
• Patient’s records show treatment inconsistent with the patient’s medical history or physical exam (age, blood type)
Examples of Red Flags in Health Care: How Patients Find Out
• Patient complains about receiving a collection notice for services not received
• Patient provides an insurance number but cannot produce an insurance card
• Mail sent to the patient is returned repeatedly, but transactions continue to occur on the patient’s account
Examples of Red Flags in Health Care: How Patients Find Out
• ID appears to have been altered or forged
• Picture or signature on file does not match that of the person presenting for treatment
The Good News
Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA
The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft
The Good News
RATC has to have a program to safeguard patient health and financial information
Don’t Panic
The programs are risk-based and flexible
Consider the bigger picture: preventing medical identity theft can save patients’ lives