
Red-Flag Identity Theft Requirements

Red-Flag Identity Theft Requirements. February 19th 2009 Cathy Casagrande, Privacy Officer. Background of Regulation.


Presentation Transcript


  1. Red-Flag Identity Theft Requirements. February 19, 2009. Cathy Casagrande, Privacy Officer.

  2. Background of Regulation
     • The Fair Credit Reporting Act (FCRA), as amended in 2003, requires the Federal Trade Commission to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft.
     • These Red Flag and Address Discrepancy regulations were published in final form on November 9, 2007 (72 Fed. Reg. 63718).

  3. Trends: Medical Identity Theft
     • The World Privacy Forum estimates that 250,000 to 500,000 Americans are victims of medical identity theft.
     • The FTC reported 8.3 million identity theft victims in 2005, 3% of them involving medical identity theft.
     • A few cases:
       - Wellpoint: personal information of 128,000 members exposed (server security problem).
       - Jose Medical Group: 185,000 individuals affected (3/05); two computers holding billing information were stolen.
       - Duke University Medical Center: 14,000 individuals affected; a hacker broke into the computer system and stole over 5,000 passwords and 9,000 SSN fragments.

  4. Data Breaches & Risks Reported in 2006 (Privacy Rights Clearinghouse, Health Care)
     • Outside hackers: 3%
     • Insider malfeasance: 20%
     • Human/software incompetence: 20%
     • Theft (non-laptop): 17%
     • Laptop theft: 40%

  5. FTC Requirements
     • Two key areas of focus for medical identity theft:
       • Red Flags
       • Address Discrepancy

  6. Red Flag & Address Discrepancy Defined
     • A Red Flag is defined as a pattern, practice, or specific activity that could indicate identity theft. All “Creditors” are subject to this new rule.
     • Address Discrepancy requirements for organizations:
       1. Required for organizations which check credit reports. The language here is broad: it includes any viewing of a credit report, any information obtained from a credit report, or a complete credit report.
       2. Address discrepancies are triggers which must be addressed with the consumer.

  7. Creditors Defined
     • Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor participating in the decision to extend, renew, or continue credit.
     • Essentially, if a health care provider extends credit to a consumer by establishing an account that permits multiple payments, the provider is a creditor.
     • Everyone...

  8. Examples of Red Flags
     • A bill for another individual.
     • A bill for a product or service that the patient denies receiving.
     • A bill from a health care provider that the patient never patronized.
     • A collection notice, including a complaint regarding the “Notice”.
     • An EOB (Explanation of Benefits) not received.
     • A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

  9. Requirements of Health Care Providers under the Red Flag Rule
     • There are four required elements:
       • Identify relevant Red Flags.
       • Detect Red Flags.
       • Respond to noted Red Flags.
       • Review and education of the identity theft program.

  10. Identify & Detect Red Flags
     • Providers should have processes in place to appropriately detect red flags once the program has been implemented.
     • Processes may include patient authentication (requiring the patient to produce identifying information at the time the account is opened and upon receiving services) and validating any change-of-address requests.

  11. Identify & Detect Red Flags
     • Start with an assessment of current practices.
     • Tools to assist:
       • Risk Assessment provided by the FTC, Section “J”
       • Handout: Key Assessment Points

  12. Identify & Detect Red Flags: Group Activity
     • Small groups: review the “Key Assessment Handout” and identify an area of concern.
     • Discussion.

  13. Internal Red Flag
     • Create a process to identify a “red flag” at the point of service.
     • Develop a process which fits your practice:
       • computer
       • paper system

  14. Respond to Red Flags
     • The response plan should contain an identity theft mitigation strategy including:
       • Monitoring covered accounts.
       • Contacting patients when questions arise or suspicious activity is detected.
       • Changing passwords or security codes.
       • Notifying law enforcement when appropriate.
       • Addressing documentation issues in the patient’s medical record that may be related to identity theft (ensuring the medical records are accurate).

  15. Response Expectations
     • Designate an individual to respond to possible medical identity theft (e.g., the Privacy Officer).
     • Types of cases:
       • ID theft reported by a patient.
       • Incorrect bill, wrong name on bill, or wrong address: investigate.
     • Handouts: ID Theft Affidavit

  16. Additional FTC Requirements
     • Update the program periodically to reflect changes in the risk of identity theft.
     • Obtain written Board approval: the identity theft program must be approved by the Board of Directors.
     • Designation of oversight responsibilities: the Board or an individual from senior management must be involved in the oversight, development, and management of the program.
     • Training and compliance monitoring: staff training on the regulation, including awareness of the risk of identity theft and its impact.
     • Oversight of, and compliance with, the program should be monitored.

  17. Penalties for Non-Compliance
     • The FTC’s plan with respect to monitoring compliance with the Red Flag rules is not clear.
     • Nevertheless, failure to comply with the Red Flag rules could result in the imposition of monetary penalties.
     • The FTC is authorized to bring enforcement actions in federal court for violations, with penalties set at $2,500 per independent violation.
     • State enforcement action is authorized on behalf of victims, with penalties set at $1,000 per violation plus reasonable attorney fees.
     • Finally, each patient may be entitled to bring a civil action and recover actual damages sustained from a violation of the Red Flag rules.

  18. Red Flag Resources
     • www.FTC.gov
     • www.idtheftcenter.org
     • www.worldprivacyforum.org
     • www.privacyrights.org
     • State of Md. 14-3501: Notification Requirements of a Breach
     • State of Md. 14-3402: Display of Social Security Number
