1 / 21

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule. William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial Place Tallahassee, Florida 32308 Tel: 850-222-0720 Fax: 850-224-4359 Wdillon@lawfla.com Board Certified in Health Law.

jalene
Download Presentation

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial Place Tallahassee, Florida 32308 Tel: 850-222-0720 Fax: 850-224-4359 Wdillon@lawfla.com Board Certified in Health Law

  2. Medical Identity Theft • New York Times Article – June 13, 2009 Brandon Sharp, 37 year old from Houston with no real health problems and who has never stepped foot in an emergency room, is surprised to learn he owes thousands of dollars for emergency medical services. U.S. Attorney’s Office – Southern District of Florida – April 1- 2008 Press Release Former employee of Cleveland Clinic indicted for stealing information of approximately 1500 patients and then selling information to a cousin who owned a DME company who in turn submitted over one million dollars of fraudulent claims to Medicare

  3. What is the Red Flag Rule? • Everyone knows that the term “Red Flag” is used to warn of a potential danger. In this case the Red Flag Rules refer to those regulations found at 16 CFR Part 681 which require covered businesses to take actions to: • Identify; • Detect; • Prevent; and • Mitigate Identity Theft

  4. Do the Red Flag Rules Apply to Community Health Centers? • In almost every case the answer is “Yes”. • To determine if your CHC is required to comply ask the following questions • 1. Is my CHC considered a “Creditor”?; if yes go to question 2. • 2. Does my CHC maintain “Covered Accounts”?; If the answer is also yes then the Red Flag Rules apply.4

  5. Who is considered a “Creditor” and what is considered a “Covered Account” • The definition of a “creditor” can be found at 16 CFR Part 681.2, however, generally any person who regularly extends, renews or continues credit will be considered a creditor. • If a CHC is extending credit, for example via outstanding patient accounts, then it maintains covered accounts. • Red Flag Rules apply to all accounts not just those in which credit has been extended.

  6. Identification of Covered Accounts • A Covered Account is an account that is offered or maintained by a creditor primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Accounts related to the provision of medical services would be considered accounts related to a personal, family or household purpose. The purpose of identifying covered accounts is to ensure all such accounts are subject to the Identity Theft Prevention and Detection Program

  7. How Do CHC’s Comply? • Similar to your “Corporate Compliance Program” or your “HIPAA Privacy and Security Program” your CHC should have “buy in” from the Governing Board and Senior Management. • The Governing Board should authorize the implementation of a program that: • 1. Identifies relevant indicators (Red Flags) of Identity Theft • 2. Detects Red Flags • 3. Prevents and/or Mitigates Identity Theft • 4. Periodically Updated

  8. Components of an Identity Theft Prevention and Detection Program • 1. Program Management and Oversight • 2. Identification of Covered Accounts • 3. Identification of Red Flags • 4. Detection of Red Flags • 5. Prevention and Mitigation of Identity Theft • 6. Training • 7. Updates • 8. Oversight of Service Providers (Business Associates)

  9. Program Management and Oversight • Identify Program Manager or Committee • Identify Covered Accounts • Identify Red Flags relevant to the CHC • Develop and Update Policies and Procedures • Respond to Red Flags • Training • Service Provider Compliance

  10. Identification of Red Flags • The risk of identity theft exists both from persons accessing services and from employees/contractors of a health care provider. • Covered entities should seek to prevent both external and internal identity theft.

  11. Identification of Red Flags • Suspicious Documents • Documents that appear to have been forged • Photograph or physical description on identification not consistent with the appearance of the patient • Other inconsistent information

  12. Identification of Red Flags • Suspicious Personal Identifying Information • Address does not match • Social Security Number not valid • Address is known to be a mail drop, prison or other undeliverable address • Invalid/suspicious telephone number • Same Social Security Number for multiple patients • Same Group Health Insurance Information for multiple patients • Patient fails/refuses to provide all required personal information

  13. Identification of Red Flags • Unusual/Suspicious Activity • Patient mail repeatedly returned as undeliverable • Notices from patients, victims of identity theft, law enforcement of others regarding possible identity theft. • Others

  14. Detection of Identity Theft • New Patient Accounts • Verify New Patient Identity • Require certain demographic information • Confirm demographic information • Group Health Plan/Medicaid/Medicare confirmation

  15. Detection of Identity Theft • Existing Patient Accounts • Verify Identity • Group Health Plan/Medicaid/Medicare confirmation

  16. Detection of Identity Theft • Another method that some organizations are utilizing for detecting identity theft is the institution of digital scans of patient IDs and/or the collection of biometric patient information. This should be done with caution as while it may be very helpful in preventing external identity theft issues it creates new internal identity theft concerns.

  17. Detection of Identity Theft - Internally • HIPAA Security Policies and Procedures • Regularly monitoring employee contractor activity • Unsecured/unencrypted patient information on portable devices (laptops, thumb drives, etc.)

  18. Prevention/Mitigation of Identity Theft • Appropriate Responses • Monitoring of patient account • Contacting the patient • Change internal information systems (security breach) • Close patient account • Reopen new patient account • Appropriate Modification of “False” records • Notify law enforcement

  19. Training • Employee Training • All employees that access or have access to patient accounts • Program Manager should organize training and ensure that it is applicable to the CHC • Provide employees access to policies and procedures Periodic Updates

  20. Service Provider Compliance • CHC should ensure that their service providers (vendors), take reasonable steps to prevent or detect identity theft. • Existing Business Associate Agreements may address many of these issues.

More Related