raising a red flag l.
Skip this Video
Loading SlideShow in 5 Seconds..
Raising a “Red Flag”: PowerPoint Presentation
Download Presentation
Raising a “Red Flag”:

Loading in 2 Seconds...

play fullscreen
1 / 36

Raising a “Red Flag”: - PowerPoint PPT Presentation

  • Uploaded on

Raising a “Red Flag”:. Understanding the Fair and Accurate Credit Transactions Act, the “Red Flag” Regulations, and Their Impact on Health Care Providers October 23, 2008. Presented by: Denise S. Cline Patricia A. Markus Smith Moore Leatherwood LLP Post Office Box 27525

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Raising a “Red Flag”:' - andrew

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
raising a red flag

Raising a “Red Flag”:

Understanding the Fair and Accurate Credit Transactions Act,

the “Red Flag” Regulations, and Their Impact on Health Care Providers

October 23, 2008

Presented by:

Denise S. Cline

Patricia A. Markus

Smith Moore Leatherwood LLP

Post Office Box 27525

T: (919) 755-8700

F: (919) 755-8800

  • What are the “Red Flag Rules,” and What is a Red Flag?
  • What do the Rules require, and Who Must Comply?
  • The Two-Part Test
  • Consequences of Failure to Comply
  • Creation of an Identity Theft Detection Program
  • Health Care Specific Examples
  • Questions
what are the red flag rules
What Are the “Red Flag Rules”?
  • Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft
  • Six agencies published the final regulations under FACTA effective January 1, 2008
  • The good news: deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009
what is a red flag
What Is a “Red Flag”?
  • A pattern, practice, or specific activity that indicates the possibility of identity theft
what do the red flag rules require
What Do the Red Flag Rules Require?
  • Covered Entities must create written programs to detect, prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts
  • Consumer reporting agencies must follow certain rules related to address discrepancies**
  • Debit and credit card issuers must put procedures into place to assess the validity of address changes**
  • **NOTE: the deadline for enforcement of these rules remains November 1, 2008
who is required to comply
Who is Required to Comply?
  • A financial entity
    • i.e., a State or national bank, a State or Federal savings and loan association


  • A “creditor” who maintains “covered accounts”
    • The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”
question 1 are you a creditor
Question 1: Are You a Creditor?
  • What is a creditor?
  • Specifically, a “creditor” is:
    • “any person who regularly extends, renews, or continues credit;
    • any person who regularly arranges for the extension, renewal, or continuation of credit; or
    • any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
  • A creditor is any entity that allows its customers to pay their fees or balances on a delayed-payment basis
are health care providers creditors
Are Health Care Providers Creditors?
  • Yes, they can be.
  • Health care providers may be creditors if they “regularly** extend, renew or continue credit”
  • “Credit” simply means any deferral of payment
  • **NOTE: the FTC takes the position that “regular” probably includes “a few times a year”
special problem for health care providers medical identity theft
Special Problem for Health Care Providers: Medical Identity Theft
  • Medical identity theft occurs when
    • someone uses a person’s name and sometimes other parts of their identity, including insurance info or SSN
    • without the victim’s knowledge or consent
    • to obtain medical goods or services
    • or to obtain money by falsifying claims for medical services and falsifying medical records to support claims
question 2 do you maintain covered accounts
Question 2: Do You Maintain Covered Accounts?
  • What is a “covered account”?
  • Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions”
  • And “any other account…for which there is a reasonably foreseeable risk to customers…from identity theft.”
  • THUS, any account that permits multiple payments (or an entity’s practice of permitting such payments)
examples of covered accounts for health care providers
Examples of Covered Accounts for Health Care Providers
  • Patient Account
    • Serves a “personal, family, or household” purpose, and the information contained therein poses a foreseeable identity theft risk
  • Credit to Physicians or Other Employees
    • Income guarantees
    • Recruitment loans
    • Educational loans
does the address discrepancy rule apply to your entity
Does the Address Discrepancy Rule Apply to Your Entity?
  • Do you use consumer reports to make employment decisions in performing background checks?
  • Do you use consumer reports to make credit decisions about your patients or customers?
  • If so, your entity must comply with the rules applied to users of consumer reports who receive notice of an “address discrepancy” from a consumer reporting agency
what happens if you fail to comply
What Happens if You Fail to Comply?
  • The Federal Trade Commission oversees creditors who are not financial institutions---such as health care providers.
  • Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction
  • Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation.
what about private lawsuits
What About Private Lawsuits?
  • Like HIPAA, the Red Flags Rule does not provide for a private right of action, but the Rule may provide the basis for state law claims
  • Ultimately—also like HIPAA—the Red Flags Rule could set a national standard of care for handling confidential financial information
four essentials for a red flags program
Four Essentials for a Red Flags Program
  • Identify Red Flags
  • Detect Red Flags
  • Respond appropriately to Red Flags detected
  • Update program to reflect changes in risks from identity theft to customers
identify red flags
Identify Red Flags
  • Health care providers should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:
    • Alerts, notifications or warnings from a consumer reporting agency
    • Suspicious documents
    • Suspicious personal identifying information
    • Unusual use of, or suspicious activity related to, the covered account
    • Notice from a customer, theft victim, law enforcement or other business
detect red flags
Detect Red Flags
  • Implement procedures to detect the identified red flags:
    • Obtain information and verify identity of person opening a covered account
    • Authenticate customers (patients), monitor transactions,
    • Verify change of address requests for existing covered accounts.
respond to detected red flags
Respond to Detected Red Flags
  • Develop appropriate policies to respond to detected Red Flags:
    • Monitor a covered account for evidence of identity theft
    • Contact a customer (patient)
    • Change any passwords or security codes that permit access to covered account
    • Remove or modify incorrect medical records
    • Reopen covered account with a new account number
    • Do not attempt to collect on a covered account
    • Notify law enforcement
update the program
Update the Program
  • Periodic updating is required to reflect changes to the identity theft risks to patients
  • Document a procedure for adopting additional prevention or detection methods
  • In updating the program, health care providers should consider:
    • Tracking identity theft trend data
    • Identifying who will be responsible for tracking the data
    • Developing a procedure to adopt new policies to adapt to new risk calculations
action items
Action Items
  • Establish and approve a program
  • Provide ongoing oversight and training
  • Follow reporting requirements
step one
Step One

Establish and Approve a Program

establishment and approval
Establishment and Approval
  • Program must
    • be written
    • be appropriate to the size and complexity of the organization
    • be appropriate to the nature and scope of the organization’s activities
    • consider and include in program the “Guidelines” to the Rules
  • If a health care provider excludes a Red Flag from its program, a written rationale for the exclusion must be provided
  • Once established, program must be approved by the Board of Directors or appropriate subcommittee
step two
Step Two

Provide Ongoing Oversight

and Training

oversight and training
Oversight and Training
  • Oversight and implementation of the program must involve senior staff or designees
  • Assign specific responsibilities
  • Train staff
  • Educate patients about risks and prevention
  • Review compliance reports
  • Policies to respond to the following, among others:
    • Patient claims fraud has occurred or services not received
    • Provider has altered patient records
    • Police reports and victim requests for investigation
ongoing oversight
Ongoing Oversight
  • Approve material changes to the program as necessary to address changing risks
  • There must be oversight of the service provider arrangements (i.e., a third party billing service) to guarantee that the service provider is acting in accordance with the approved program
step three
Step Three

Follow Reporting Requirements

program reporting requirements
Program Reporting Requirements
  • The oversight staff must report to the designated oversight authority at least annually
  • The staff report should include
    • Effectiveness of program
    • Significant incidents involving identity theft and the response to them
    • Recommendations for material changes to the program
hipaa and the red flags rule
HIPAA and the Red Flags Rule
  • For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flags Rule
  • However—unlike HIPAA—the Red Flags Rule’s requirement to mitigate may require notification of patients
  • It will be important for health care providers to review their existing HIPAA compliance efforts
    • Some policies will need to be updated based on the circumstances and situations that are unique to health care providers
examples of red flags in health care how patients find out
Examples of Red Flags in Health Care: How Patients Find Out
  • Patient receives EOB for services not received
  • Patient receives bill from facility which patient never visited
  • Patient receives bill for another person
  • Physician mentions inaccurate treatment history during patient’s office visit
  • Accounting of disclosures
  • Insurance company denies treatment for condition patient doesn’t have
examples of red flags in health care how providers find out
Examples of Red Flags in Health Care: How Providers Find Out
  • Patient’s records show treatment inconsistent with patient’s medical history or physical exam (age, blood type)
  • Patient complains about receiving collection notice for services not received
  • Patient provides insurance number but cannot produce insurance card
  • Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account
  • ID appears to have been altered or forged
  • Picture or signature on file does not match that of person presenting for treatment
the good news
The Good News
  • Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA
  • The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft
  • Now have six months to augment compliance program to safeguard patient financial information
what about n c identity theft law
What About N.C. Identity Theft Law?
  • Applies to all entities doing business in N.C.
  • Like the Red Flag Rules, requires a policy and training
  • ITPA regulates the collection and destruction of personal identifying information, especially social security numbers
  • Includes a specific notification requirement for possible security breaches
identity theft law cont d
Identity Theft Law Cont’d
  • Notification requirement includes possible obligation to notify the Attorney General
  • Violation of the Act may result in private lawsuits and treble damages.
additional resources
Additional Resources
  • www.worldprivacyforum.org
  • http://www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf
  • http://www.ncga.state.nc.us/EnactedLegislation/Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf
for more information please contact
For more information, please contact:

Denise Smith Cline



Patricia A. Markus



Smith Moore Leatherwood LLP