Understanding the Fair and Accurate Credit Transaction Act, the “Red Flag” Regulations, and their impact on Health Care Providers

Raising a “Red Flag”

Upload: derick-carter

Post on 27-Dec-2015


TRANSCRIPT


Introduction

• What are the “Red Flag Rules,” and what is a Red Flag?
• What do the Rules require, and who must comply?
• Consequences of failure to comply
• Creation of an Identity Theft Detection Program
• Health care specific examples

04/19/23 RATC Red Flag Information


What are the “Red Flag Rules”?

• The Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft
• Agencies published the final regulations under FACTA effective January 1, 2008
• The good news: the deadline for mandatory compliance with the Red Flag Rules was delayed for six months, from November 1, 2008 to May 1, 2009


What is a “Red Flag”?

A pattern, practice, or specific activity that indicates the possibility of identity theft


What Do the Red Flag Rules Require?

• RATC must create a written program to detect, prevent, respond to, and mitigate identity theft in connection with new or existing policies
• Train the staff on the new guidelines, and do audits


Who is Required to Comply?

• A financial entity, i.e., a State or national bank, a State or Federal savings and loan association
• Or a “creditor” who maintains “covered accounts”

The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”


Are Health Care Providers

Yes, they can be. Health care providers may be creditors if they “regularly” extend, renew or continue credit

Credit simply means any deferral of payment

Note: the Federal Trade Commission (“FTC”) takes the position that “regular” probably includes “a few times a year”


Do you Maintain Covered Accounts?

What is a “covered account”?

Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments and transactions”

And “any other account…for which there is a reasonably foreseeable risk to patients…for identity theft.”


Do you Maintain Covered Accounts?

Thus, any account that permits multiple payments (or an entity’s practice of permitting such payments)


Special Problem for Health Care Providers: Medical Identity Theft

Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity, including insurance info or SS#, without the victim’s knowledge or consent, to obtain medical goods or services, or to obtain money by falsifying claims for medical services and falsifying medical records to support claims


What Happens if You Fail to Comply?

The Federal Trade Commission (“FTC”) oversees creditors who are not financial institutions, such as health care providers

Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction

Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation


Four Essentials for a Red Flags Program

• Identify Red Flags
• Detect Red Flags
• Respond appropriately to Red Flags detected
• Update program to reflect changes in risk from identity theft to patients


Identify Red Flags

Health care providers should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:

• Alerts, notifications or warnings from any other providers (hospital, collection agency, referring physicians, etc.)
• Suspicious documents
• Suspicious personal identifying information


Identify Red Flags

• Unusual use of, or suspicious activity related to, the covered account
• Notice from a patient, theft victim, law enforcement or other business


Detect Red Flags

Implement procedures to detect the identified red flags:

• Obtain information and verify identity of persons wanting to inquire about an account
• Verify change of address requests for existing covered accounts


Respond to Detected Red Flags

Develop appropriate policies to respond to detected Red Flags:

• Monitor the patient’s account for evidence of identity theft (MMP) (duplicate SS#, same address different patient name)
• Contact a patient
• Change any passwords or security codes that permit access to patient accounts
• Remove or modify incorrect medical records


Respond to Detected Red Flags

• If the patient already has an existing account and his information was stolen, set up a new account
• Do not attempt to collect on a patient account
• Notify law enforcement


HIPAA and the Red Flags Rule

For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flag Rules

However, unlike HIPAA, the Red Flags Rule’s requirement to mitigate may require notification of patients


HIPAA and the Red Flags Rule

It will be important for health care providers to review their existing HIPAA compliance effort. Some policies will need to be updated based on the circumstances and situations that are unique to health care providers


Examples of Red Flags in Health Care: How Patients Find Out

• Patient receives EOB for services not received
• Patient receives bill from facility which patient never visited
• Patient receives bill for another person
• Physician mentions inaccurate treatment history during patient’s office visit (referring physician)


Examples of Red Flags in Health Care: How Patients Find Out

• Accounting for disclosure
• Insurance company denies treatment for condition patient doesn’t have
• Patient’s records show treatment inconsistent with patient’s medical history or physical exam (age, blood type)


Examples of Red Flags in Health Care: How Patients Find Out

• Patient complains about receiving collection notice for services not received
• Patient provides insurance number but cannot produce insurance card
• Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account


Examples of Red Flags in Health Care: How Patients Find Out

ID appears to have been altered or forged

Picture or signature on file does not match that of person presenting for treatment


The Good News

Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA

The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft


The Good News

RATC has to have a program to safeguard patient health and financial information


Don’t Panic

The programs are risk-based and flexible

Consider the bigger picture: preventing medical identity theft can save patients’ lives
