© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Raising a Red Flag: Understanding the Fair...

© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED.

Raising a “Red Flag”:Understanding the Fair and Accurate Credit Transactions Act,

the “Red Flag” Regulations, and Their Impact on Physicians

February 11, 2009

Presented by:Patricia A. Markus

Smith Moore Leatherwood LLPPost Office Box 27525

T: (919) 755-8850F: (919) 755-8800

Introduction

• In 2008, 656 reported data breaches (47% increase over 2007)– 37% of breaches in business– 20% in education– 17% in government/military– 15% in health care– 12% in financial/credit

• Insider theft accounts for almost 16% of breaches; data on the move and accidental exposure account for 35%

• Electronic breaches account for 82% of data breaches

Introduction

• What are the “Red Flag Rules,” and What is a Red Flag?• What do the Rules Require, and Who Must Comply?• The Two-Part Test• Consequences of Failure to Comply• Creation of an Identity Theft Detection Program• Health Care Specific Examples• Intersection with NC Identity Theft Protection Act• Questions

What Are the “Red Flag Rules”?• Fair and Accurate Credit Transactions Act (“FACTA”) was

passed by Congress in 2003 to protect consumers against identity theft

• Six agencies published the final regulations under FACTA effective January 1, 2008

• The good news: deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009

What Is a “Red Flag”?

• Any pattern, practice, or specific activity that indicates the possibility of identity theft

What Do the Red Flag Rules Require?• Covered Entities must create written programs to detect,

prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts

• Consumer reporting agencies must follow certain rules related to address discrepancies**

• Debit and credit card issuers must put procedures into place to assess the validity of address changes**

• **NOTE: the deadline for enforcement of these rules

remains November 1, 2008

Who is Required to Comply?

• A financial entity – i.e., a State or national bank, a State or Federal

savings and loan association

OR• A “creditor” who maintains “covered accounts”

– The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”

Question 1: Are You a Creditor?• What is a creditor?

• Specifically, a “creditor” is:– “any person who regularly extends, renews, or

continues credit; – any person who regularly arranges for the extension,

renewal, or continuation of credit; or– any assignee of an original creditor who participates

in the decision to extend, renew, or continue credit.” • A creditor is any entity that allows its customers to pay

their fees or balances on a delayed-payment basis

Are Health Care Providers Creditors? • Yes, they can be. • Health care providers may be creditors if they

“regularly** extend, renew or continue credit”• “Credit” simply means any deferral of payment

• **NOTE: the FTC takes the position that “regular” probably includes “a few times a year”

Special Problem for Health Care Providers: Medical Identity Theft

• Medical identity theft occurs when – someone uses a person’s name and sometimes other

parts of their identity, including insurance info or SSN– without the victim’s knowledge or consent– to obtain medical goods or services– or to obtain money by falsifying claims for medical services

and falsifying medical records to support claims• FTC: MIT accounts for 3% of identity theft crimes

Medical Identity Theft

• Victims’ info is stolen so that thief can fraudulently obtain benefits for which he otherwise would not qualify

• Physicians’ identities stolen to fraudulently bill insurers for services not provided

• Health care “insiders,” the fastest growing group involved in MIT, sell info to criminals for $5 to $50/name

• Many providers are now asking patients to provide photo ID to authenticate that patients are who they say they are

Question 2: Do You Maintain Covered Accounts?• What is a “covered account”?

• Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions”

• And “any other account…for which there is a reasonably foreseeable risk to customers…from identity theft.”

• THUS, any account that permits multiple payments (or an entity’s practice of permitting such payments)

Examples of Covered Accounts for Health Care Providers• Patient Account

– Serves a “personal, family, or household” purpose, and the information contained therein poses a foreseeable identity theft risk

• BUT ALSO• Credit to Physicians or Other Employees

– Income guarantees– Recruitment loans– Educational loans

Does the Address Discrepancy Rule Apply to Your Entity?• Do you use consumer reports to make employment

decisions in performing background checks?• Do you use consumer reports to make credit decisions

about your patients or customers? • If so, your entity must comply with the rules applied to

users of consumer reports who receive notice of an “address discrepancy” from a consumer reporting agency

What Happens if You Fail to Comply?• The Federal Trade Commission oversees creditors who

are not financial institutions---such as health care providers.

• Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction

• Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation.

What About Private Lawsuits?• Like HIPAA, the Red Flag Rules do not provide for a

private right of action, but the Rules may provide the basis for state law claims

• Ultimately—also like HIPAA—the Red Flag Rules could set a national standard of care for handling confidential financial information

• In addition to liability under state identity theft acts, state law claims under tort or contract theories (negligence, breach of warranty) are possible

Four Essentials for a Red Flag Program• Identify Red Flags• Detect Red Flags• Respond appropriately to Red Flags detected• Update program to reflect changes in risks from identity

theft to customers

Identify Red Flags

• Medical practices should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as:– Alerts, notifications or warnings from a consumer

reporting agency– Suspicious documents– Suspicious personal identifying information– Unusual use of, or suspicious activity related to, the

covered account– Notice from a customer, theft victim, law enforcement

or other business

Detect Red Flags

• Implement procedures to detect the identified red flags:– Obtain information and verify identity of person

opening a covered account– Authenticate customers (patients), monitor

transactions– Verify change of address requests for existing

covered accounts– Look at all areas where patients’ info is

provided/accessed—intake, check-out, medical records, billing/collections

Respond to Detected Red Flags • Develop appropriate policies to respond to detected Red

Flags: – Monitor a covered account for evidence of identity

theft– Contact a customer (patient)– Change any passwords or security codes that permit

access to covered accounts– Remove or modify incorrect medical records– Reopen covered account with a new account number – Do not attempt to collect on a covered account– Notify law enforcement

Update the Program

• Periodic updating is required to reflect changes to the identity theft risks to patients

• Document a procedure for adopting additional prevention or detection methods

• In updating the program, practices should consider:– Tracking identity theft trend data– Identifying who will be responsible for tracking the

data– Developing a procedure to adopt new policies to

adapt to new risk calculations

Action Items

• Establish and approve a program

• Provide ongoing oversight and training

• Follow reporting requirements

Step One

Establish and Approve a Program

Establishment and Approval

• Program must– be written– be appropriate to the size and complexity of the organization– be appropriate to the nature and scope of the organization’s

activities– consider and include in program the “Guidelines” to the Rules

• If a practice excludes a Red Flag from its program, a written rationale for the exclusion must be provided

• Once established, program must be approved by the Board of Directors or appropriate subcommittee

Step Two

Provide Ongoing Oversight

and Training

Oversight and Training

• Oversight and implementation of the program must involve senior staff or designees

• Assign specific responsibilities• Train staff• Educate patients about risks and prevention• Review compliance reports• Policies to respond to the following, among others:

– Patient claims fraud has occurred or services not received

– Provider has altered patient records– Police reports and victim requests for investigation

Ongoing Oversight

• Approve material changes to the program as necessary to address changing risks

• There must be oversight of the service provider arrangements (i.e., a third party billing service) to guarantee that the service provider is acting in accordance with the approved program

Step Three

Follow Reporting Requirements

Program Reporting Requirements• The oversight staff must report to the designated

oversight authority at least annually• The staff report should include

– Effectiveness of program– Significant incidents involving identity theft and the

response to them– Recommendations for material changes to the

program

HIPAA and the Red Flags Rule • For most health care providers, HIPAA security policies

and procedures go a long way toward compliance with the Red Flags Rule

• However—unlike HIPAA—the Red Flags Rule’s requirement to mitigate may require notification of patients

• It will be important for physician practices to review their existing HIPAA compliance efforts– Some policies will need to be updated based on the

circumstances and situations that are unique to health care providers

• Patient receives EOB for services not received• Patient receives bill from facility which patient never

visited• Patient receives bill for another person• Physician mentions inaccurate treatment history during

patient’s office visit• Accounting of disclosures• Insurance company denies treatment for condition

patient doesn’t have

Examples of Red Flags in Health Care: How Patients Find Out

Examples of Red Flags in Health Care: How Providers Find Out• Patient’s records show treatment inconsistent with

patient’s medical history or physical exam (age, blood type)

• Patient complains about receiving collection notice for services not received

• Patient provides insurance number but cannot produce insurance card

• Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account

• ID appears to have been altered or forged• Picture or signature on file does not match that of person

presenting for treatment

The Good News

• Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA

• The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft

• Now have three more months to augment compliance program to safeguard patient financial information

What About N.C. Identity Theft Law?• Applies to all entities doing business in NC• Like the Red Flag Rules, requires a policy and

training• Encrypted and redacted data provide safe

harbors• ITPA regulates the collection and destruction of

personal identifying information, especially social security numbers

• Must notify individuals of possible security breaches “without unreasonable delay”

NC Identity Theft Law Cont’d

• If more than 1,000 persons affected by the breach, business must notify the Attorney General’s office and consumer reporting agencies

• Violation of the Act may result in private lawsuits, damages of up to $5,000, and treble damages.

Common Misconceptions

• Under the NC law, you may copy a driver’s license for identification purposes

• Under NC law, you may maintain SSNs on file for accounting purposes

• But these items should be closely guarded as part of practice’s privacy, security, and Red Flag efforts!

Additional Resources

• www.worldprivacyforum.org• http://www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf• http://www.ncga.state.nc.us/EnactedLegislation/

Statutes/PDF/ByArticle/Chapter_75/Article_2A.pdf

QUESTIONS??

For more information, please contact:

Patricia A. Markus

Trish.markus@smithmoorelaw.com

919.755.8850

Smith Moore Leatherwood LLP