
GAMES 2009 Annual Convention August 2, 2009 The King & Prince Resort St. Simons Island, Georgia



  1. The “Red Flags” Rule: What DMEPOS Providers Need to Know About Complying with New Requirements for Fighting Identity Theft GAMES 2009 Annual Convention August 2, 2009 The King & Prince Resort St. Simons Island, Georgia

  2. Presented by… Mark J. Higley – Vice President/Development VGM Group, Inc.

  3. Most HME/DME organizations have been unaware of the “Red Flag Rules”…or have been uncertain of the applicability of these requirements. Providers should immediately become aware of these rules, should revisit their existing privacy and security compliance programs to ensure that the requirements of the Red Flag Rules have been addressed, and should take other actions to bring themselves into compliance with applicable requirements.

  4. In general, healthcare “creditors” that are subject to FTC enforcement under the Fair Credit Reporting Act (FCRA) and that maintain “covered accounts” must implement programs that identify, detect and respond to patterns, practices, or specific activities (“red flags”) that could indicate identity theft. • With few exceptions, each company represented here today must comply. • The effective date WAS August 1, 2009 (!)

  5. FTC AGAIN POSTPONES ENFORCEMENT OF RED FLAGS RULE • On July 29, 2009 the FTC announced another delay in the enforcement date of the so-called “Red Flags Rule” (the Rule). The FTC indicated that enforcement of the Rule is now postponed until November 1, 2009. The Rule was originally scheduled to be enforced on November 1, 2008, but the enforcement date was postponed to May 1, 2009, and then until August 1, 2009.

  6. The new delay will give creditors who are subject to the Rule an additional three months to come into compliance. • It also leaves open the possibility that new legislation or changes in the Rule will narrow its scope or reduce the burdens of compliance.

  7. The House Appropriations Committee also asked the FTC to defer enforcement and to make additional efforts to minimize the burdens of the rule on health care providers and small businesses with a low risk of identity theft problems.

  8. In any case, you will receive an attachment today to assist your facility in understanding and to comply with the Red Flag Rules, as well as the “Address Discrepancy Rules” which were effective November 1, 2008.

  9. While the American Medical Association (AMA) and a significant number of medical societies and associations protested the inclusion of health care providers, including clinicians, among those required to comply with the Red Flag and Address Discrepancy Rules, on February 4, 2009, the Federal Trade Commission issued a letter confirming that clinicians and related health care providers must comply with the Red Flag and Address Discrepancy Rules.

  10. The Red Flag and Address Discrepancy Rules require clinicians and healthcare providers, among other individuals and businesses deemed “creditors” (including banks, mortgage lenders, credit unions, utility companies, car dealers, and telecommunications companies), to develop and implement a formal written program to detect, prevent and mitigate identity theft, including medical identity theft.

  11. While the Red Flag and Address Discrepancy Rules are similar to, and share much of their content and many of their requirements with, the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, they are intended not only to prevent the compromise of patient information, but also to prevent or mitigate the misuse of such information if it is compromised.

  12. The Red Flag and Address Discrepancy Rules are designed to avert identity theft by ensuring that organizations are alert to signs that an identity thief is using someone else’s identifying information fraudulently to obtain products and services, including medical care. As indicated by the Federal Trade Commission, the Rules are meant to complement rather than duplicate privacy and security requirements under HIPAA.

  13. Scalable… • Like the HIPAA Security Rule, the Red Flag and Address Discrepancy Rules are “flexible” in that a DMEPOS facility may tailor creation and implementation of its identity theft program based on the degree of identity theft risk faced by the DMEPOS facility. For example, a large multi-location DMEPOS facility may need a more robust program than a small single location DMEPOS facility.

  14. The “deadlines”… • The Red Flag and Address Discrepancy Rules were published in final form on November 9, 2007, 72 Fed. Reg. 63718 (Nov. 9, 2007). While they were published together, they are in fact separate regulations. • With few exceptions, all DMEPOS (HME/DME, O&P, Rehab, Supplies) facilities are now likely to be required to be fully compliant with the Red Flag Rule by November 1, 2009. The compliance deadline for the Address Discrepancy Rule was November 1, 2008.

  15. The Red Flag and Address Discrepancy Rules do not require the appointment of an individual to oversee the identity theft program; however, it is recommended that the DMEPOS facility consider doing so. • This individual may be your identified HIPAA Privacy or Security Official or a designated staff member, such as the DMEPOS facility manager or administrator. • However, every company should begin to create a written “Identity Theft Prevention Program”.

  16. The steps…
  • Read the Overview of the Red Flag and Address Discrepancy Rules
  • Designate a Privacy Official to Oversee the Program
  • Perform a Risk Analysis
  • Develop a Written Identity Theft Prevention Program
  • Obtain Approval of the Written Identity Theft Prevention Program
  • Develop an Identity Theft Database
  • Document and Train Staff on the Identity Theft Prevention Program
  • Obtain Signed Workforce Confidentiality Agreements from All Staff
  • Monitor Compliance With the Identity Theft Prevention Program

  17. Step 1: Read the Overview of the Red Flag and Address Discrepancy Rules • The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission and bank regulatory agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. The requirement includes special regulations directing debit and credit card issuers to validate notifications of changes of address under certain circumstances. 15 U.S.C. § 1681m(e).

  18. A healthcare provider must comply with the Red Flag Rule if the provider meets the definition of “creditor” under the Fair Credit Reporting Act (15 U.S.C. 1681a(r)(5)). A healthcare provider must comply with the Address Discrepancy Rule if the provider uses consumer credit reports. • The main purpose of the Red Flag and Address Discrepancy Rules is to develop and implement a formal written program to detect, prevent and mitigate identity theft, including medical identity theft, in connection with establishing new or maintaining existing “covered accounts.”

  19. WHAT IS MEDICAL IDENTITY THEFT? • Medical identity theft occurs when someone uses a person’s name and/or other part of their identity without that person’s knowledge or consent to obtain medical services or goods, or when someone else uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims.

  20. WHAT IS A COVERED ACCOUNT? • A covered account is (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

  21. Bottom line… • If a health care provider extends credit to a consumer by establishing an account that permits multiple payments, the provider is a creditor offering a covered account and is subject to the Red Flag rules. • With few exceptions, all attendees here today are subject to the rules!

  22. Unlike the HIPAA Privacy and Security Rules, the Red Flag and Address Discrepancy Rules state that entities, including health care providers, who offer credit to consumers (in this case, patients) must be able to detect evidence of identity theft that arises when dealing with consumers (again, in this case, patients). One way to identify identity theft is through a “red flag.” • Another way is through a “Notice of Address Discrepancy.”

  23. WHAT IS A RED FLAG & WHAT IS A NOTICE OF ADDRESS DISCREPANCY? • A red flag is a pattern, practice, or specific activity that could indicate identity theft. • A Notice of Address Discrepancy is a notice that a credit bureau sends to a person or business that ordered a credit report about a consumer, informing the requester of a substantial difference between the address for the consumer in the credit bureau’s files and the address supplied by the person or business that ordered the report.

  24. The Address Discrepancy Rule requires all users of consumer credit reports, including healthcare facilities, to develop policies and procedures designed to enable the facility to form a reasonable belief that a credit report belongs to the patient for whom it was requested. • For example, if a facility offers patients the use of a healthcare financing organization and as part of the qualifying process reviews the patient’s credit report, the DMEPOS facility must comply with the Address Discrepancy Rule.

  25. If the DMEPOS facility receives a Notice of Address Discrepancy from a nationwide consumer reporting agency (such as Equifax, Experian, and/or TransUnion) indicating that the address given to the DMEPOS facility by the patient differs from the address on the credit report, it must have a policy in place to determine how the discrepancy will be reconciled.

  26. Means of Complying with the Red Flag and Address Discrepancy Rules • Like the HIPAA Security Rule, the Red Flag and Address Discrepancy Rules were purposely written broadly. The specific measures that one DMEPOS facility uses to comply with the Rules may vary from the specific measures taken by another DMEPOS facility. • For example, measures taken to prevent identity theft used by a 20 branch office location DMEPOS facility will likely be quite different from those used by a single location DMEPOS facility with five employees. However, the process set forth in this manual is applicable to all DMEPOS facilities.

  27. In deciding what specific measures to use in order to comply with the Red Flag and Address Discrepancy Rules, each DMEPOS facility must consider the following:
  • The size, complexity, and capabilities of the DMEPOS facility, including:
  • The types of covered accounts it offers and maintains
  • The methods it provides to open its covered accounts
  • The methods it provides to access its covered accounts
  • Its previous experiences with identity theft
  • The probability and criticality of potential risks surrounding identity theft.

  28. As the DMEPOS facility evolves, it must monitor, keep current, and document the measures it takes to prevent identity theft in connection with new and existing covered accounts.

  29. Step 2: Designate a Privacy Official to Oversee the DMEPOS facility’s Identity Theft Prevention Program • The Red Flag and Address Discrepancy Rules do not require the DMEPOS facility to designate an individual who oversees the DMEPOS facility’s Identity Theft Prevention Program and is able to respond to identity theft incidents and crimes. However, it is recommended that the DMEPOS facility consider doing so.

  30. This individual may be your identified HIPAA Privacy or Security Official or a designated staff member, such as the DMEPOS facility manager or administrator, and will be responsible for the DMEPOS facility’s compliance with the Red Flag and Address Discrepancy Rules. • Additionally, this position will be responsible for executing whatever changes or modifications need to be implemented as identified during your risk assessment and as required by the Rules.

  31. If your DMEPOS facility is organized as a separate legal entity (such as a corporation or partnership), you should also specifically indicate the name of the person that you have appointed to be the Privacy Official for the year within the entity’s corporate minutes.

  32. As it evolves, the DMEPOS facility’s on-going analysis of its Identity Theft Prevention Program may indicate that the Privacy Official’s responsibilities may need to be modified as a partial response to the DMEPOS facility’s modified means of compliance with the Red Flag and Address Discrepancy Rules. • As additional clarification of the Rules is provided by the Federal Trade Commission, these responsibilities may need to be modified. • Place this form and other relevant forms in a permanent Red Flag and Address Discrepancy Rules folder or binder to serve as part of your DMEPOS facility’s overall Compliance Plan.

  33. Step 3: Perform a Risk Analysis • While most health care providers already have privacy and security risk assessments in place as a result of compliance with the HIPAA Privacy and Security Rules, the DMEPOS facility may need to expand its risk analysis to consider medical identity theft scenarios. A thorough assessment may require additional considerations beyond those addressed in the DMEPOS facility’s HIPAA Privacy and Security risk assessments.

  34. The risk analysis should consider potential circumstances that might pose a risk if proper measures were not put in place. Potential circumstances would include, for example, breaches caused by unauthorized uses, lack of processes associated with verifying and authenticating a patient’s identity, and unsecured access to patient information, that may occur absent the appropriate measures to prevent identity theft. • A complete analysis should consider both “outsider” threats as well as “insider” threats. An “outsider” threat may be associated with a breach that occurs by an individual that is not employed by the DMEPOS facility, while an “insider” threat is associated with a person who is employed or has authorized access to the DMEPOS facility’s patient information.

  35. The Privacy Official should use the Red Flag and Address Discrepancy Rules Risk Analysis provided in the attachments as a guide to assess the DMEPOS facility and prepare it for detecting red flags and complying with the Rules. • The Red Flag and Address Discrepancy Rules Risk Analysis allows you to clearly identify and document your decisions regarding prevention and mitigation of identity theft. Additionally, it should be reviewed periodically based on the changes and evolution of the DMEPOS facility.

  36. TO DO: • Fill in your DMEPOS facility Name on the attachment Exhibit 1. • Photocopy Exhibit 1 (all pages) for each DMEPOS facility location. (Keep a master copy for future quarterly or annual assessment reviews). Follow the checklist. • Answer the questions to identify your current operational procedures.

  37. NOTE: • If multiple locations are operated by your DMEPOS facility, a risk analysis should be conducted at each location. • Place the Red Flag and Address Discrepancy Rules Risk Analysis in a permanent Red Flag and Address Discrepancy Rules folder or binder to serve as part of your DMEPOS facility’s overall Compliance Plan. File subsequent revisions to the Risk Analysis in this folder as well.

  38. Step 4: Develop a Written Identity Theft Prevention Program • Under the Red Flag and Address Discrepancy Rules, creditors (in this case, DMEPOS facilities) who maintain covered accounts are required to implement an Identity Theft Prevention Program. The goal of this program is to assist the DMEPOS facility in identifying, detecting and mitigating risks of identity theft affecting its patients.

  39. The Identity Theft Prevention Program must include four (4) required elements consisting of policies and procedures to: • Identify relevant red flags for the covered accounts that the DMEPOS facility offers or maintains and incorporate these red flags into its Identity Theft Prevention Program. • Examples of red flags include, but are not limited to, the following…

  40. A complaint or question from a patient based on the patient’s receipt of a bill for another individual, a bill for a product or service that the patient denies receiving, a bill from a health care provider that the patient never patronized, and/or notice of insurance benefits (Explanation of Benefits) for health services never received. • Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient. • A complaint or question from a patient about the receipt of an account statement or a collection notice from a collection agency for services that the patient did not receive.

  41. A patient or insurance company report that coverage for legitimate healthcare services is denied because insurance benefits have been depleted or a lifetime cap has been reached when the patient claims that he/she has not received that level of services. • A complaint or question from a patient about information added to a credit report by a health care provider or insurer. • A dispute of a bill received from the DMEPOS facility by a patient who claims to be the victim of any type of identity theft.

  42. A patient who has an insurance number but cannot produce an insurance card or other physical documentation of insurance coverage. • A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency. • Receipt of a Notice of Address Discrepancy from a patient. Note: Any of the above Red Flags will take on greater importance and priority of investigation if the patient has also filed a police report regarding identity theft.

  43. Detect red flags that have been incorporated into the Identity Theft Prevention Program. • Examples of policies and procedures intended to detect red flags include, but are not limited to, the following…

  44. During patient intake DMEPOS facility staff should review and include in each patient’s file a photo ID issued by a local, state, or federal government agency (e.g., a driver’s license, passport, military ID, etc.). • In the event the patient does not have photo ID, DMEPOS facility staff should ask for two forms of non-photo ID, one of which has been issued by a state or federal agency (e.g., Social Security card and a utility bill or company or school identification). • Each time a patient visits the DMEPOS facility, DMEPOS facility staff should check whether the identification provided is valid, copy the identification provided, and match any photo to the patient/responsible party.
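The red flags listed above (slides 40 through 42) and the intake identification policy just described (slide 44) can be turned into a repeatable screening check rather than left to memory. The following is an added Python example, not material from the presentation or from VGM Group; the record field names, the issuer vocabulary (“local”, “state”, “federal”, “private”) and the sample intake records are all constructed for illustration. It applies the ID policy (a valid government photo ID that matches the patient, or otherwise two valid non-photo IDs with at least one from a state or federal agency), collects any of the listed red flags present on the record, and raises the review priority when the patient has also filed a police report, as the note on slide 42 suggests.

```python
"""Red-flag screening at DMEPOS patient intake (added example; not the presentation's own code)."""
from dataclasses import dataclass
from typing import List

# Assumed issuer vocabulary for this example.
GOVERNMENT_ISSUERS = {"local", "state", "federal"}
STATE_OR_FEDERAL = {"state", "federal"}


@dataclass
class IdDocument:
    kind: str                   # e.g. "driver_license", "passport", "utility_bill"
    issuer: str                 # "local", "state", "federal" or "private" (assumed vocabulary)
    has_photo: bool
    valid: bool                 # staff confirmed the document is current and genuine
    photo_matches: bool = True  # staff compared any photo to the patient/responsible party


@dataclass
class IntakeRecord:
    patient_id: str
    documents: List[IdDocument]
    # Each boolean mirrors one red flag listed in the slides (field names are assumptions).
    address_discrepancy_notice: bool = False
    insurance_number_without_card: bool = False
    bill_for_services_not_received: bool = False
    treatment_inconsistent_with_exam: bool = False
    disputes_bill_as_identity_theft: bool = False
    fraud_investigator_inquiry: bool = False
    police_report_filed: bool = False


RED_FLAG_DESCRIPTIONS = {
    "address_discrepancy_notice": "Notice of Address Discrepancy received",
    "insurance_number_without_card": "insurance number given but no card or coverage documentation",
    "bill_for_services_not_received": "patient reports a bill or EOB for services never received",
    "treatment_inconsistent_with_exam": "records show treatment inconsistent with exam or reported history",
    "disputes_bill_as_identity_theft": "patient disputes a bill and claims to be an identity theft victim",
    "fraud_investigator_inquiry": "inquiry from an insurance fraud investigator or law enforcement",
}


def identification_flags(docs: List[IdDocument]) -> List[str]:
    """Apply the intake ID policy from the slides and return any red flags it raises."""
    flags = []
    photo_docs = [d for d in docs if d.has_photo and d.valid and d.issuer in GOVERNMENT_ISSUERS]
    if photo_docs:
        # A government photo ID was presented; the photo must match the patient.
        if not any(d.photo_matches for d in photo_docs):
            flags.append("photo on government ID does not match the patient/responsible party")
        return flags
    # No photo ID: require two valid non-photo IDs, one from a state or federal agency.
    non_photo = [d for d in docs if not d.has_photo and d.valid]
    if len(non_photo) < 2 or not any(d.issuer in STATE_OR_FEDERAL for d in non_photo):
        flags.append("no government photo ID and fewer than two acceptable non-photo IDs")
    return flags


def screen_intake(rec: IntakeRecord) -> dict:
    """Return the red flags raised by one intake record and a review priority."""
    flags = identification_flags(rec.documents)
    flags += [desc for attr, desc in RED_FLAG_DESCRIPTIONS.items() if getattr(rec, attr)]
    if not flags:
        priority = "none"
    elif rec.police_report_filed:
        priority = "elevated"   # slide 42: a filed police report raises investigation priority
    else:
        priority = "standard"
    return {"patient_id": rec.patient_id, "flag_account": bool(flags),
            "red_flags": flags, "priority": priority}


# Constructed sample intake records (not real patients).
SAMPLE_RECORDS = [
    IntakeRecord("P-1001", [IdDocument("driver_license", "state", True, True)]),
    IntakeRecord("P-1002",
                 [IdDocument("social_security_card", "federal", False, True),
                  IdDocument("utility_bill", "private", False, True)],
                 address_discrepancy_notice=True, police_report_filed=True),
    IntakeRecord("P-1003", [IdDocument("school_id", "private", False, True)],
                 insurance_number_without_card=True),
    IntakeRecord("P-1004", [IdDocument("passport", "federal", True, True, photo_matches=False)]),
]


def screen_all(records: List[IntakeRecord] = SAMPLE_RECORDS) -> List[dict]:
    """Screen every record; the result list drives account flagging and follow-up."""
    return [screen_intake(r) for r in records]


if __name__ == "__main__":
    for result in screen_all():
        print(result)
```

The output for each record is what a Privacy Official would file with the account: which listed red flags fired, whether the covered account should be flagged on paper or electronically, and whether the case is routine or elevated. A real deployment would read intake records from the practice management system rather than the constructed list here.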

  45. Prevent and mitigate identity theft by appropriately responding to red flags that are detected. • Examples of appropriate responses include, but are not limited to, the following…

  46. Monitoring a covered account for evidence of identity theft by “flagging” the account either on paper or electronically for ease of identification. • Contacting the patient and explaining the circumstances of the situation. • Changing any passwords, security codes, or other security devices that permit access to a covered account. • Reopening a breached covered account with a new account number.

  47. Not opening a new covered account. • Closing an existing breached covered account. • Not attempting to collect on a covered account or not transferring a covered account to a debt collector. • Notifying law enforcement. • Determining that no response is warranted under the particular circumstances.

  48. Update the Identity Theft Prevention Program by periodically reviewing its effectiveness and updating it to reflect changes in risks to patients or the DMEPOS facility as a result of identity theft. • Examples of changes in risks include, but are not limited to, the following…

  49. The experiences of the DMEPOS facility with identity theft. • Changes in methods of identity theft. • Changes in methods to detect, prevent, and mitigate identity theft. • Changes in the types of accounts that the DMEPOS facility offers or maintains. • Changes in the business arrangements of the DMEPOS facility, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
