

Red Flags Rule: Implementing an Identity Theft Prevention Program

Health Managers Network, May 25, 2010

Chris Apgar, CISSP, President, Apgar & Associates, LLC

2010 © Apgar & Associates, LLC

Agenda

• Red Flags Rule Overview
• Federal & State Breach Notification Requirements
• Definition of "Red Flags"
• Identity Theft Protection Program Requirements
• Implementation Tips
• Q & A


Red Flags Rule Overview

• Result of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
• Amendment to the Fair Credit Reporting Act
• Final Red Flags Rule published November 2007
• Original enforcement date of November 2008 was moved to June 1, 2010
• Rule will be enforced by the Federal Trade Commission (FTC)


Red Flags Rule Overview

• Applies to "creditors"; physicians are currently classified as "creditors"
• A "creditor" is defined as one who:
  • Maintains a "covered account" (for physicians, this is the patient account where the patient is not required to pay, or to fully pay, for treatment at the time treatment is rendered)
  • Participates in the decision whether or not to extend credit


Red Flags Rule Overview

• Physicians may or may not ultimately be considered "creditors", based on the American Bar Association court finding that attorneys are not regulated by the Red Flags Rule
• The American Medical Association, American Hospital Association and others have appealed to the FTC to categorize licensed health care professionals the same as attorneys
• No response yet from the FTC
• Do not assume you are not covered


Red Flags Rule Overview

• Requires implementation of an identity theft protection program which includes:
  • Risk analysis
  • Identification of "red flags" (events that may indicate identity theft)
  • "Red flag" alerts
  • Response policies, procedures and practices (similar to a security incident response team)
  • Annual program review and update as necessary


Federal & State Breach Notification Laws

• Oregon breach notification requirements effective October 1, 2007
• Oregon security requirements effective January 1, 2008 (for entities not already covered by HIPAA or GLBA)
• Federal interim final breach notification rule and breach notification requirements effective September 23, 2009
• Penalties apply for non-compliance with state and federal breach notification laws


Federal & State Breach Notification Laws

• Existing requirements dovetail with the Red Flags Rule and the HIPAA Security Rule
• An identity theft protection program is preventive, whereas breach notification is reactive
• Preventive and reactive policies, procedures and practices are already mandated by the HIPAA Security Rule (for covered entities and business associates)


Federal & State Breach Notification Laws

• "Red flags" could represent security breaches
• Breach notification requirements would then be triggered under Oregon and federal law
• Practices are now required to notify patients of a medical information breach
• Tied to the HIPAA Security Rule (security incident response, mitigation phase) and the HIPAA Privacy Rule (privacy incident mitigation)


Definition of Red Flags

• "Red flags" identify when a breach or identity theft might have occurred or may be occurring
• Red flags include (list not all-inclusive):
  • Notification of fraud from a consumer protection agency
  • Documents provided for identification appear to have been altered or forged
  • The address or telephone number provided is the same as or similar to the address or telephone number submitted by other patients


Definition of Red Flags

• Red flags include (list not all-inclusive):
  • Personal identifying information provided is not consistent with the personal identifying information on file
  • Mail sent to the patient is returned repeatedly as undeliverable although health care charges continue to be added to the patient's account
  • The clinic or physician is notified by a patient, a victim of medical identity theft, a law enforcement authority or any other person that a person engaged in identity theft or medical identity theft is seeking treatment
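Several of the red flags listed on these two slides are mechanical checks a practice can run against its own patient account data rather than rely on staff noticing them. The following is an added example, not part of the original presentation, that encodes three of them in Python over constructed sample records: a shared address or phone number, a date of birth given at the visit that differs from the one on file, and repeated undeliverable mail while charges keep posting. The Account fields, the same-surname household exemption and the returned-mail threshold are assumptions; the rule and the slides specify none of them.

```python
"""Red flag screening over patient account records.

Added example, not from the original slides. It encodes three of the red
flags listed above as checks over CONSTRUCTED account records:
  - address or phone shared with another, unrelated patient account
  - identifying information given at the visit inconsistent with the file
  - repeated undeliverable mail while charges keep posting to the account
Field names, the same-surname household exemption and the returned-mail
threshold are assumptions; a real practice management system will differ.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Common street-address abbreviations, so "Oak Street" and "Oak St." compare equal
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
                 "boulevard": "blvd", "apartment": "apt", "suite": "ste"}


@dataclass
class Account:
    account_id: str
    name: str                   # "First Last"
    dob_on_file: str            # YYYY-MM-DD recorded at first registration
    dob_provided: str           # YYYY-MM-DD stated at this visit
    address: str
    phone: str
    returned_mail: int          # mailings returned undeliverable since the last good address
    charges_since_return: int   # charges posted after the first returned mailing


def normalize_phone(phone):
    """Keep only the last ten digits so formatting differences do not hide a match."""
    return re.sub(r"\D", "", phone)[-10:]


def normalize_address(address):
    """Lower-case, expand abbreviations and drop punctuation and whitespace."""
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return "".join(ABBREVIATIONS.get(w, w) for w in words)


def same_household(a, b):
    """Crude exemption (assumption): family members legitimately share address and phone."""
    return a.name.split()[-1].lower() == b.name.split()[-1].lower()


def screen(accounts, returned_mail_threshold=3):
    """Return {account_id: [red flag descriptions]} for every account that raised one."""
    flags = defaultdict(list)

    # Red flag: address or telephone number the same as another patient's
    for label, key in (("address", lambda a: normalize_address(a.address)),
                       ("phone", lambda a: normalize_phone(a.phone))):
        groups = defaultdict(list)
        for acct in accounts:
            groups[key(acct)].append(acct)
        for group in groups.values():
            for acct in group:
                others = sorted(o.account_id for o in group
                                if o is not acct and not same_household(acct, o))
                if others:
                    flags[acct.account_id].append(
                        f"{label} matches account(s) {', '.join(others)}")

    for acct in accounts:
        # Red flag: identifying information not consistent with what is on file
        if acct.dob_provided != acct.dob_on_file:
            flags[acct.account_id].append(
                f"DOB provided {acct.dob_provided} differs from DOB on file {acct.dob_on_file}")
        # Red flag: mail repeatedly undeliverable while charges continue to be added
        if acct.returned_mail >= returned_mail_threshold and acct.charges_since_return > 0:
            flags[acct.account_id].append(
                f"{acct.returned_mail} mailings returned undeliverable while "
                f"{acct.charges_since_return} charges were posted")
    return dict(flags)


# Constructed sample data, not real patients.
SAMPLE_ACCOUNTS = [
    Account("A1", "Jane Doe", "1965-04-12", "1965-04-12", "12 Oak Street, Portland OR", "(503) 555-0100", 0, 0),
    Account("A2", "John Doe", "1963-09-30", "1963-09-30", "12 Oak St, Portland, OR", "503-555-0199", 0, 0),
    Account("A3", "Mark Smith", "1980-01-15", "1980-01-15", "12 Oak St. Portland OR", "503.555.0100", 0, 0),
    Account("A4", "Lisa Wong", "1970-02-03", "1972-02-03", "88 Pine Ave, Salem OR", "503-555-0142", 3, 2),
    Account("A5", "Omar Haddad", "1990-07-21", "1990-07-21", "5 Elm Rd, Eugene OR", "541-555-0177", 1, 0),
]

if __name__ == "__main__":
    for account_id, reasons in sorted(screen(SAMPLE_ACCOUNTS).items()):
        print(account_id)
        for reason in reasons:
            print("  -", reason)
```

Two design points matter in practice. The rule speaks of addresses that are "the same as or similar to" another patient's; the script only catches matches that survive normalization, so a deliberately misspelled street name still needs a human or a fuzzy comparison. And a hit is a red flag to investigate (verify identity before posting further charges or changing the account), not proof of theft: the Does above share an address legitimately, which is why the household exemption exists, and the response has to match the risk as the Policy Development slides require.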


Identity Theft Protection Program Requirements

• The Red Flags Rule requirements are similar to the HIPAA Security Rule and federal/state breach notification requirements
• Federal and state breach notification requirements are reactive: they require notification after the breach
• The Red Flags Rule is proactive: it requires implementation of appropriate protections before a breach occurs


Identity Theft Protection Program Requirements

• The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards
• Safeguard implementation, with ongoing attention to safeguard management, is the first step in complying with both HIPAA and the Red Flags Rule
• Both require a risk analysis, which should occur when establishing a security program and periodically thereafter


A Formal Security Program

• Before addressing the additional requirements of the Red Flags Rule, a formal security program is required

• This includes principles and practices as required by HIPAA, Oregon law and appropriate industry standards

• The program needs to be comprehensive and formal (documented, implemented and regularly monitored)

• Safeguard implementation and management is directly related to controlling breaches


Risk Assessment

• Perform regular, periodic risk analyses
• Identify risks (vulnerabilities & threats) and analyze how big they are (likelihood & impact)
• Take mitigating steps: implement or strengthen existing controls:
  • Administrative
  • Physical
  • Technical


Audit Log Review

• Capture logs of activity on the network, applications and systems; review them and document the review
• Look for unauthorized and authorized users (e.g., excessive or inappropriate access)
• Routine, timely review of logs can detect a breach
• After a breach, logs can reveal what happened and sometimes identify the perpetrator
• Documentation required
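The review this slide describes only happens routinely if it is scripted. The following is an added example, not from the original presentation: it parses a constructed EHR access log and applies the checks the slide calls for (excessive access, inappropriate access by otherwise authorized users, access outside business hours), adds the per-patient timeline you reach for after a breach, and returns a review record that can be kept as the required documentation. The log format, role names, permitted actions per role and every threshold are assumptions; a real EHR audit trail or syslog feed will look different, but the review logic carries over.

```python
"""Audit log review over a constructed EHR access log.

Added example, not from the original slides. Log format, roles, permitted
actions and thresholds are assumptions; real audit trails differ, but the
review steps the slide calls for are the same: look for excessive access,
inappropriate access, reconstruct what happened to a record after the
fact, and document the review.
"""
from collections import defaultdict
from datetime import datetime

# Which actions each role needs for its job (assumption). Anything else is
# inappropriate access even though the user was authenticated and authorized.
ALLOWED_ACTIONS = {
    "billing": {"view_demographics", "view_charges", "update_address"},
    "front_desk": {"view_demographics", "update_address", "schedule"},
    "clinician": {"view_demographics", "view_chart", "update_chart", "view_charges"},
    "it_admin": set(),  # administers the system; has no business in patient records
}

# Constructed sample log: timestamp user role action patient-account
SAMPLE_LOG = """\
2010-05-03T08:02:11 jdoe billing view_charges P1001
2010-05-03T08:05:40 jdoe billing view_chart P1001
2010-05-03T09:15:02 mlee clinician view_chart P1002
2010-05-03T09:40:27 mlee clinician update_chart P1002
2010-05-03T10:01:00 rsmith front_desk view_demographics P1003
2010-05-03T10:03:12 rsmith front_desk view_demographics P1004
2010-05-03T10:06:45 rsmith front_desk view_demographics P1005
2010-05-03T10:09:30 rsmith front_desk view_demographics P1006
2010-05-03T10:12:19 rsmith front_desk view_demographics P1007
2010-05-03T10:15:58 rsmith front_desk view_demographics P1008
2010-05-03T23:48:05 tadmin it_admin view_chart P1002
2010-05-04T08:30:00 mlee clinician view_chart P1002
2010-05-04T08:31:10 jdoe billing update_address P1002
"""


def parse_log(text):
    """Turn the raw log into a list of dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "action": action, "patient": patient})
    return entries


def excessive_access(entries, max_patients_per_day=5):
    """Users who touched more distinct patients in a day than the baseline allows.
    The threshold must come from the practice's own baseline (assumed here)."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["user"], e["ts"].date())].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > max_patients_per_day}


def inappropriate_access(entries):
    """Authorized users performing actions their role does not need."""
    return [e for e in entries if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set())]


def after_hours_access(entries, open_hour=7, close_hour=19):
    """Access outside business hours, worth a second look even when otherwise permitted."""
    return [e for e in entries if not open_hour <= e["ts"].hour < close_hour]


def patient_timeline(entries, patient):
    """After a breach: who did what to this record, in order."""
    return [(e["ts"].isoformat(), e["user"], e["action"])
            for e in sorted(entries, key=lambda e: e["ts"]) if e["patient"] == patient]


def review_log(text, reviewer, reviewed_on):
    """Run the checks and return a record of the review (the slide: documentation required)."""
    entries = parse_log(text)

    def fmt(e):
        return (e["ts"].isoformat(), e["user"], e["role"], e["action"], e["patient"])

    return {
        "reviewer": reviewer,
        "reviewed_on": reviewed_on,
        "entries_reviewed": len(entries),
        "excessive_access": {f"{user} {day}": n for (user, day), n in excessive_access(entries).items()},
        "inappropriate_access": [fmt(e) for e in inappropriate_access(entries)],
        "after_hours_access": [fmt(e) for e in after_hours_access(entries)],
    }


if __name__ == "__main__":
    record = review_log(SAMPLE_LOG, reviewer="privacy officer", reviewed_on="2010-05-05")
    for key, value in record.items():
        print(f"{key}: {value}")
    print("P1002 timeline:", patient_timeline(parse_log(SAMPLE_LOG), "P1002"))
```

In the sample, the billing clerk opening a chart and the administrator reading a record at midnight are both "authorized" in the access-control sense and both inappropriate in the slide's sense, which is why the review compares actions against what each role needs rather than against whether the login succeeded. The six-patient front-desk threshold is deliberately low to make the constructed log short; a real threshold has to be set from the practice's own normal volumes or it will either drown the reviewer or never fire.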


Workforce Awareness and Training

• New workforce training
• Routine, periodic training for the full workforce
• Includes training for temporaries, volunteers and contractors (non-business associates)
• Responsibilities regarding privacy and security, which include the requirement to report a suspected incident
• Periodic security and sanctions reminders
• Targeted training for certain workforce members (e.g., billing, HIM, IT, etc.)


Identity Theft Protection Program Requirements

• The Red Flags Rule requires that physicians and clinics implement an effective identity and medical identity theft prevention program that becomes a part of the formal security program

• The rule also requires implementation of a program to identify or “flag” identity or medical identity theft as it is occurring to stop it, preventing damage to the patient (medical and financial)


Policy Development

• Creditors (in this case physicians) are required to develop, implement and periodically update policies and procedures that fully define the identity theft protection program

• Policies and procedures need to address existing and new patient accounts


Policy Development

• Policies and procedures need to include:
  • How to identify relevant red flags
  • How to detect red flags
  • How to respond when red flags are detected
  • Appropriate responses to red flags that match the risk identified
  • Consideration of factors such as a security breach and the subsequent breach notification requirements


Policy Development

• Policies must:
  • Be approved by the physician, partnership or board (highest authority for the practice)
  • Be overseen by senior management
  • Include staff training and oversight of business associates such as billing agencies


Implementation

• Need to create process/procedural guidance for each operational area (written or electronic instruction guide)

• Need to balance risks with appropriate action, by operational area (e.g., higher risk in billing department and patient intake, especially with new patients)


Program Maintenance and Administration

• The board of directors or senior management needs to regularly:
  • Monitor assignment of specific responsibility for program implementation
  • Review reports by workforce members
  • Review, or delegate review of, audit logs, identified red flags, etc.
  • Approve material changes to the program


Program Maintenance and Administration

• Review and document at least annually:
  • Policy effectiveness
  • Business associate responsibilities and adherence to requirements
  • Reasonable assurance (e.g., by written contract) that business associates:
    • Implement and monitor activities in connection with patient records and accounts
    • Maintain procedures to detect, prevent and mitigate identity theft


Program Maintenance and Administration

• Review and document at least annually (continued):
  • Significant security incidents
  • Recommendations for material changes

• Documentation needs to be retained for a minimum of six years (HIPAA requirement)


Example Program Requirement

• Develop and implement a policy and procedure that defines the process for patient requests for address changes

• This includes documentation of appropriate actions for handling address changes and/or patient account changes


HIPAA and Red Flag Rule Reminder

• The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards for electronic records

• The HIPAA Privacy Rule expands security protections to all PHI, no matter the form

• Breach notification, required by both federal and state law, is considered part of the security incident response team (SIRT) function that HIPAA requires


Implementation Tips

• Consider compliance with the Red Flags Rule as an extension of already required compliance with HIPAA and state and federal breach notification requirements

• “Flags” will be determined more often by how payables and receivables are managed, how new patients are added to the practice and the management of existing patients’ financial and demographic information


Implementation Tips

• Build on already existing security program – no need to start from scratch

• Make sure training material is updated to include how identity theft or medical identity theft will be spotted and what actions need to be taken

• Expand HIPAA required risk analysis to include the additional risk analysis requirements of the Red Flags Rule


Implementation Tips

• Expand existing policies and procedures where applicable rather than creating new “red flag” policies and procedures

• Make sure that business associates know what they will now be required to do and amend business associate contracts accordingly (especially billing agencies)

• If holes exist in the physician's or practice's security program, now is the time to fix them


Resources

• Federal Trade Commission Alert: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm

• LexisNexis: http://solutions.lexisnexis.com/forms/FS08RFWEBINARRFWEBPOSTMKTG169?gclid=CPvXzfzA0JgCFQ9JagodtgL32w

• DCIG: http://www.dciginc.com/2008/08/ftc-issues-red-flag-rules-reminder-ensuring-i.html


Resources

• Identity Theft Daily: http://www.identitytheftdaily.com/index.php/20081015440/Latest/Red-Flag-Rules-Effective-November-1-2008.html

• Jones Day (law firm): http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S5427

• Office for Civil Rights: http://www.hhs.gov/ocr

Summary and Q&A


Chris Apgar, CISSP, President

• Officially endorsed by the Oregon Medical Association, with member discounts available
• Check out the Web site for additional information