1 / 28

FTC’s Red Flags Rule: Understanding and Meeting Compliance Expectations October 2008

Gain insights into the FTC's expectations for compliance with the Red Flags Rule and learn strategies for enforcement. Get started with compliance by clarifying what the rule is and is not.

mozelll
Download Presentation

FTC’s Red Flags Rule: Understanding and Meeting Compliance Expectations October 2008

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. FTC’s Red Flags Rule: Understanding and Meeting Compliance Expectations October 2008 Lawrence Hughes AHA Assistant General Counsel Advocacy and Public Policy

  2. Presentation Topics • Clarify what the Red Flags Rule is and is not • Provide insights into the FTC’s expectations for compliance and strategy for enforcement • Offer some suggestions for how to get started with compliance

  3. Red Flags Rule - Overview • Related set of rules concerned with preventing and detecting identity theft • Two in particular are most likely to affect hospitals: • “Creditors” with “covered accounts” must develop a written identity theft prevention program • Users of consumer reports must respond to address discrepancy notices from a consumer reporting agency

  4. Application to Hospitals • Hospitals are likely to meet the rule’s broad definition of “creditor” and have patient accounts that fall within the scope of “covered accounts” • Key aspect of definition is “Do you provide service for which you defer payment?” • Most hospitals do

  5. Application to Hospitals • Many hospitals use consumer reports in their financial assistance processes • Requirement is more about accuracy than about identity theft • Key question is whether the report really is about the individual it purports to be about • Not covered further in this presentation

  6. Red Flags Rule Is . . . • Risk-based • What are the risks to your patient accounts? • Flexible • Programs must be tailored to the size and complexity of specific organizational operations • E.g., small providers that know all their patients by sight may run little risk of identity theft and may have a very simple policy

  7. Red Flags Rule Requires . . . • Reasonable response when a warning sign is present/detected • Is it just clerical error? • Consider the impact of other laws on appropriate response • e.g, EMTALA, HIPAA’s restrictions on sharing PHI • Is individual breach notification required? Do we have to offer creditor monitoring services? • Periodic assessment to identify new and emerging risks (“red flags”) and how to respond to them

  8. Red Flags Rule Is NOT . . . • Specifically or solely about technology • Rather it is principally about processes and procedures, behavior change • Requirements for data security or a mandate for specific responses to a data security breach • Requires recognizing and responding reasonably and appropriately to warning signs/suspicious activities that suggest potential identity theft • HIPAA privacy and security requirements complement, but do not specifically addressthe same issues

  9. FTC’S Approach • Key term isReasonable • The FTC expects that hospitals will: • Undertake a risk assessment • What are the risks to your organization and its specific types of patient accounts? • Cannot rely on some generic list of risks • Have a written policy • Reasonable practices for identifying and responding to signs, suspicious activities/behaviors, patterns, practices that suggest potential cases of identify theft

  10. FTC’S Approach (cont.) • The FTC expects that hospitals will: • Obtain board approval of the initial written policy • Put the policy into actual practice within the organization • Does the organization actually do what its policy says it does will be a key consideration in any FTC eventual review • You can’t have just a generic policy or rely on a template policy you just stick on the shelf

  11. FTC’S Approach (cont.) • The FTC expects that hospitals will: • Periodically review and revise policies • Identify and respond to new and emerging signs, suspicious activities/behaviors, patterns, practices

  12. FTC’S Jurisdiction • FTC has – and continues to in the context of this rule – assert jurisdiction over not-for-profit and government hospitals • Hospitals are subject to the FTC’s jurisdictionwhenthey are engaging in activities that a for-profit entity would engage in • “[w]here they defer payment for goods and service” – see FTC’s July Guidance “New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft” • Bottom Line: Industry best practice; benefit hospital’s billing operations and patients

  13. FTC’s 10/28 Announcement Compliance deadline remains November 1, 2008 • FTC will suspendenforcementuntil May 1, 2009 • Additional time to develop and implement written identity theft prevention programs • DoesNOTaffect enforcement of: • Nov. 1 compliance deadline for institutions subject to oversight by federal agencies other than the FTC (banking, financial services) • Requirement forusers of consumer reports to respond to address discrepancy notices from a consumer reporting agency • Nov. 1 is still the compliance deadline • Includes hospitals • FTC’s announcement can be found athttp://www.ftc.gov/opa/2008/10/redflags.shtm • Read Text of the FTC Enforcement Policy (link at right-hand side of the Web page

  14. FTC’s 10/28 Announcement • Bottom Line for Hospitals: Make a good faith effort to comply as soon as possible

  15. Compliance Expectations • FTC does not expect your organization to spot every case of identity theft or apprehend every identity thief • That’s practically impossible • FTC recognizes that your organization is primarily a health care provider, not an investigatory/detective/law enforcement agency • Key operational concept is “could indicate” identity theft • Not every sign, pattern when investigated will show that identity theft is occurring or has occurred (e.g., documentation mistakes, key stroke/data entry errors, merged records)

  16. FTC’s Enforcement Strategy • NOT viewed by the FTC as an opportunity for GOTCHA • Are you making reasonable progress toward compliance? • Example: You have a written policy but are awaiting your next board meeting – which does not convene until next quarter - for approval • Don’t use this as an excuse for delay or, worse yet, doing nothing • A warning from the chief of the FTC division in charge of the program: If next year at this time you’ve done nothing, there may be a real problem

  17. FTC’s Enforcement Strategy • FTC enforcement through “industry sweeps” to check compliance • Responsible for compliance of lots of organization in many different fields • Likelihood of an immediate focus on health care is low • FTC aware that health care organizations (among others) only recently learned about the Rule’s application; lead to 10/28 announcement of enforcement delay • Again, this should not become an excuse for delaying your organization’s efforts to comply

  18. Other Enforcement • NO private right of action • States attorneys general have enforcement authority under the Rule • Likely to follow an FTC investigation/imposition of sanctions • State consumer protection laws may be a source of individual right of action

  19. A Proper Perspective • Good business practice for hospitals • It’s about protecting your patient accounts and your patient relationships • Warning:If you don’t do it, there are likely to be additional requirements imposed from the outside • Proposals (more onerous) currently pending at federal, state levels

  20. How To Get Started Compliance required by November 1, 2008 Step 1:Read the Rule • There is no substitute here and you may have to read it multiple times! • Pay particular attention to Appendix A and its supplement (beginning on page 63773) • Appendix A includes guidelines intended to assist organizations in developing and structuring their programs • FTC has specifically said all organizations need to consider these carefully • Supplement lists 26 potential red flags • NOT all may be applicable to health care providers but they are a great starting point for understanding what red flags to consider, incorporate, respond to • Final rule published in Nov. 9, 2007 Federal Register • Copy posted on AHA’s Web site at www.aha.org/redflags

  21. How To Get Started Step 2: Assemble Your Team • Consider who within the organization should be part of the implementation team • Remember it’s not just an IT issue; BUT IT professionals will - and should - be involved • Who’s integral to making the program work on a daily basis: billing and financial services, admissions, privacy, security, patient care, risk management, compliance, legal counsel

  22. How To Get Started Step 3: Inventory Current Practices and Procedures • Many hospitals already have processes and procedures in place to detect and respond to cases of potential identity theft • Seriously, write them down! It’s a good start in crafting your policy • Consider what’s already working? What might need to change to be more effective? What’s missing? • What you do must be based on an assessment of the real risk your organization faces with regard to its patient accounts • What risks have you already had to address? • What risks have your peer organizations seen? • Consider multiple sites, locations within your organization • Consider outside service vendors (e.g., credit/collection agency activities)

  23. How To Get Started A word on using sample policies • May be appropriate to start with a sample policy • However,the regulation requires that the identify theft program be appropriate for the organization’s size and complexity and the nature and scope of its activities • Therefore, each organization must adapt any sample document to address the specific risks they face and to ensure an appropriate and reasonable organizational response to them

  24. AHA’s Sample Policy • Developed in cooperation with our outside counsel Hogan & Hartson LLP • Hospitals can use as a first step in developing their written identity theft programs • AHA’s sample policy is NOT intended to substitute for responsible legal advice • Hospitals should examine the sample document as part of a comprehensive risk assessment • Available on the AHA Web site at www.aha.org/redflags

  25. Hospitals’ Primary New Obligations • Under the new rule, hospitals’ primary new obligations are likely to be two fold: • Systematizing policies in a consolidated written format • Obtaining board approval of the initial written policy • Only applies to the initial policy

  26. Reminder • Rule requires periodic reassessment of risks and, if appropriate, revision of policies and practices • Build that into your policy and program from the start • Specifically charge someone within the organization with responsibility for maintaining and updating your policies and program • Always ask what new risks might be out there • Keep up-to-date with the FTC’s Web site on identity theft • Consider reports from consumer organizations • Listen to news coverage – Identity theft is issue of intense current interest in the media • Again, not all may apply directly to health care providers

  27. Note on HIPAA Privacy • Patients’ frequent complaint: Can’t get access to my records when I suspect I’m the victim of identity theft • Patients report that hospitals cite HIPAA as the reason • Patients’ rights under HIPAA: • To access his/her medical records, and • To request changes to their records • Why HIPAA probably isn’t a barrier: • It’s the patient’s information • It’s an incidental disclosure, at most • It probably involves deidentified data • Remember when developing your policies and practices: It’s always about your relationship with your patients

  28. Resources AHA Red Flags Rule issue Web site found at www.aha.org/redflags

More Related