Red Flags Rule: Implementing an Identity Theft Prevention Program
Health Managers Network, May 25, 2010
Chris Apgar, CISSP, President, Apgar & Associates, LLC
2010 © Apgar & Associates, LLC
Agenda
• Red Flags Rule Overview
• State & Federal Breach Notification Requirements
• Definition of "Red Flags"
• Identity Theft Protection Program Requirements
• Implementation Tips
• Q & A
Red Flags Rule Overview
• Result of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), an amendment to the Fair Credit Reporting Act
• Final Red Flags Rule published November 2007
• Original enforcement date of November 1, 2008 has been moved to June 1, 2010
• The rule is enforced by the Federal Trade Commission (FTC)
Red Flags Rule Overview
• Applies to "creditors"; physicians are currently classified as "creditors"
• A "creditor" is defined as one who:
  • Maintains a "covered account" (for physicians this is the patient account, where the patient is not required to pay, or to fully pay, for treatment at the time treatment is rendered)
  • Participates in the decision whether or not to issue credit
Red Flags Rule Overview
• Physicians may or may not ultimately be considered "creditors": in the American Bar Association's suit, a court found that attorneys are not regulated by the Red Flags Rule
• The American Medical Association, American Hospital Association and others have asked the FTC to categorize licensed health care professionals the same as attorneys
• No response yet from the FTC; do not assume you are not covered
Red Flags Rule Overview
• Requires implementation of an identity theft protection program which includes:
  • Risk analysis
  • Identification of "red flags" (events that may indicate identity theft)
  • "Red flag" alerts
  • Response policies, procedures and practices (similar to a security incident response team)
  • Annual program review and update as necessary
Federal & State Breach Notification Laws
• Oregon breach notification requirements effective October 1, 2007
• Oregon state security requirements effective January 1, 2008 (for entities not covered by HIPAA or GLBA)
• Federal interim final breach notification rule and breach notification requirements effective September 23, 2009
• Penalties for non-compliance with state and federal breach notification laws
Federal & State Breach Notification Laws
• Existing requirements dovetail with the Red Flags Rule and the HIPAA Security Rule
• An identity theft protection program is preventive, whereas breach notification is reactive
• Preventive and reactive policies, procedures and practices are already mandated by the HIPAA Security Rule (for covered entities and business associates)
Federal & State Breach Notification Laws
• "Red flags" could represent security breaches, which would trigger breach notification requirements under Oregon and federal law
• Patients must now be notified of a breach of their medical information
• Tied to the HIPAA Security Rule's security incident response requirement (mitigation phase) and the HIPAA Privacy Rule's privacy incident mitigation requirement
Definition of Red Flags
• "Red flags" identify when a breach or identity theft might have occurred or may be occurring
• Red flags include (list not exhaustive):
  • Notification of fraud from a consumer protection agency
  • Documents provided for identification appear to have been altered or forged
  • The address or telephone number provided is the same as or similar to the address or telephone number submitted by other patients
Definition of Red Flags
• Red flags include (list not exhaustive, continued):
  • Personal identifying information provided is not consistent with personal identifying information on file
  • Mail sent to the patient is repeatedly returned as undeliverable although health care charges continue to be added to the patient's account
  • The clinic or physician is notified by a patient, a victim of medical identity theft, a law enforcement authority or any other person that a person engaged in identity theft or medical identity theft is seeking treatment
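Three of the red flags listed above (shared address or phone across different patients, supplied identifying information that disagrees with the record on file, and repeated returned mail while charges keep posting) can be checked mechanically against the practice management system's account data. The following is an added example, not code from the presentation or from any particular product; the account record layout, the flag codes (RF-ADDR, RF-PHONE, RF-PII, RF-MAIL), the minimum-returns threshold and the sample accounts are all assumptions made for illustration.

```python
"""Red-flag screening over patient account records.

Added example, not from the presentation. Record layout, flag codes,
thresholds and sample data are assumptions for illustration; the checks
mirror the red flags listed above: shared address/phone across different
patients, supplied PII that disagrees with the account on file, and
undeliverable mail while charges continue to post.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    name: str
    dob: str                   # ISO date, e.g. "1971-03-09"
    address: str
    phone: str
    returned_mail: int         # undeliverable mailings since last good delivery
    charges_since_return: int  # charges posted after mail started bouncing


def norm_phone(phone: str) -> str:
    """Keep digits only so '(503) 555-0100' and '503.555.0100' compare equal."""
    return re.sub(r"\D", "", phone)


def norm_address(addr: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace before comparing,
    so 'similar' addresses that differ only in formatting still match."""
    return " ".join(re.sub(r"[^\w\s]", "", addr.lower()).split())


def shared_contact_flags(accounts):
    """RF-ADDR / RF-PHONE: one address or phone on accounts of different people.

    Accounts are the same person when name and DOB agree, so a patient who
    legitimately holds two accounts does not trigger a flag against themself.
    """
    flags = []
    for code, key in (("RF-ADDR", lambda a: norm_address(a.address)),
                      ("RF-PHONE", lambda a: norm_phone(a.phone))):
        groups = defaultdict(list)
        for acct in accounts:
            groups[key(acct)].append(acct)
        for members in groups.values():
            people = {(m.name.lower(), m.dob) for m in members}
            if len(people) > 1:
                ids = sorted(m.account_id for m in members)
                for acct_id in ids:
                    flags.append((acct_id, code, f"shared with {ids}"))
    return flags


def pii_mismatch_flags(supplied: Account, on_file: Account):
    """RF-PII: identifying information given at intake disagrees with the record."""
    flags = []
    if supplied.name.lower() != on_file.name.lower():
        flags.append((on_file.account_id, "RF-PII",
                      f"name {supplied.name!r} != {on_file.name!r}"))
    if supplied.dob != on_file.dob:
        flags.append((on_file.account_id, "RF-PII",
                      f"dob {supplied.dob} != {on_file.dob}"))
    return flags


def returned_mail_flags(accounts, min_returns=2):
    """RF-MAIL: mail keeps bouncing while charges are still being added."""
    return [(a.account_id, "RF-MAIL",
             f"{a.returned_mail} returns, {a.charges_since_return} new charges")
            for a in accounts
            if a.returned_mail >= min_returns and a.charges_since_return > 0]


def screen(accounts, intake=None):
    """Run every check; `intake` is (supplied, on_file) for a check-in lookup."""
    flags = shared_contact_flags(accounts) + returned_mail_flags(accounts)
    if intake is not None:
        flags += pii_mismatch_flags(*intake)
    return sorted(flags)


# Constructed sample data (not real patients). A100/A101 share a phone,
# A100/A102 share an address, A103 has bouncing mail with new charges.
ACCOUNTS = [
    Account("A100", "Dana Ruiz", "1971-03-09", "12 Elm St, Salem OR", "(503) 555-0100", 0, 0),
    Account("A101", "Lee Park", "1985-11-30", "88 Oak Ave, Bend OR", "503.555.0100", 0, 0),
    Account("A102", "Chris Vale", "1990-01-15", "12 Elm St. Salem, OR", "503-555-0177", 0, 0),
    Account("A103", "Sam Osei", "1960-07-21", "4 Pine Ct, Eugene OR", "541-555-0123", 3, 2),
]

# Someone presenting as A100 at check-in but giving a different date of birth.
INTAKE = (Account("A100", "Dana Ruiz", "1971-09-03", "12 Elm St, Salem OR",
                  "(503) 555-0100", 0, 0),
          ACCOUNTS[0])

if __name__ == "__main__":
    for acct_id, code, detail in screen(ACCOUNTS, INTAKE):
        print(f"{acct_id} {code}: {detail}")
```

A flag is a prompt for the response procedure, not a verdict: members of one household will legitimately raise RF-ADDR, so the policy that accompanies this check must say who reviews each code and what verification (for example, photo identification at check-in) clears it.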
Identity Theft Protection Program Requirements
• The Red Flags Rule requirements are similar to the HIPAA Security Rule and federal/state breach notification requirements
• Federal and state breach notification requirements are reactive: they require notification after a breach
• The Red Flags Rule is proactive: it requires implementation of appropriate protections before a breach occurs
Identity Theft Protection Program Requirements
• The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards
• Safeguard implementation, with ongoing attention to safeguard management, is the first step in complying with both HIPAA and the Red Flags Rule
• Both require a risk analysis, which (HIPAA included) should occur when establishing a security program and periodically thereafter
A Formal Security Program
• Before addressing the additional requirements of the Red Flags Rule, a formal security program is required
• This includes principles and practices as required by HIPAA, Oregon law and appropriate industry standards
• The program needs to be comprehensive and formal (documented, implemented and regularly monitored)
• Safeguard implementation and management is directly related to controlling breaches
Risk Assessment
• Perform regular, periodic risk analyses
• Identify risks (vulnerabilities & threats) and analyze how big they are (likelihood & impact)
• Take mitigating steps: implement or strengthen existing controls:
  • Administrative
  • Physical
  • Technical
Audit Log Review
• Capture logs of activity on the network, applications and systems; review them and document the review
• Look for unauthorized users and for authorized users misusing their access (e.g., excessive or inappropriate access)
• Routine, timely review of logs can detect a breach
• After a breach, logs can reveal what happened and sometimes identify the perpetrator
• Documentation of the review is required
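The review described above has to be repeatable, so the conditions that count as "unauthorized", "excessive" and "inappropriate" should be written down and run the same way every time. The following is an added example, not code from the presentation or from any EHR or practice management product; the tab-separated log format, the user directory, the role-to-record-type policy, the business-hours window, the distinct-patients-per-day threshold and the sample log lines are all assumptions made for illustration. Real systems log in their own formats, and the thresholds come from the practice's risk analysis.

```python
"""Audit log review: surface unauthorized, excessive and inappropriate access.

Added example, not from the presentation. Log format, directory, policy and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Assumed user directory: who is expected in the logs, and in what role.
DIRECTORY = {"jsmith": "billing", "rlee": "nurse", "dkim": "physician"}

# Assumed policy: which record types each role may open.
ROLE_ALLOWED = {
    "billing": {"billing", "demographics"},
    "nurse": {"clinical", "demographics"},
    "physician": {"clinical", "billing", "demographics"},
}
DISTINCT_PATIENTS_PER_DAY = 3   # assumed threshold; tune from a baseline
BUSINESS_HOURS = (7, 19)        # 07:00 to 19:00 local, assumed


def parse(line: str) -> dict:
    """Fields: timestamp<TAB>user<TAB>role<TAB>patient<TAB>record_type<TAB>action."""
    ts, user, role, patient, rtype, action = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "rtype": rtype, "action": action}


def review(lines):
    """Return (user, finding_code, detail) tuples for lines that need a look."""
    events = [parse(ln) for ln in lines if ln.strip()]
    findings = []
    per_user_day = defaultdict(set)
    for e in events:
        # Unauthorized: the account is not in the directory at all.
        if e["user"] not in DIRECTORY:
            findings.append((e["user"], "UNKNOWN-USER",
                             f"not in directory, opened {e['patient']}"))
        # Inappropriate: record type outside what the role may open.
        if e["rtype"] not in ROLE_ALLOWED.get(e["role"], set()):
            findings.append((e["user"], "ROLE-MISMATCH",
                             f"{e['role']} opened {e['rtype']} for {e['patient']}"))
        # Inappropriate: access outside business hours.
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append((e["user"], "AFTER-HOURS",
                             f"{e['ts'].isoformat()} opened {e['patient']}"))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    # Excessive: more distinct patients in one day than the threshold allows.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > DISTINCT_PATIENTS_PER_DAY:
            findings.append((user, "EXCESSIVE",
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def document_review(findings, reviewer: str, reviewed_on: str) -> dict:
    """The written record the rule expects: who reviewed, when, what was found."""
    return {"reviewer": reviewer, "reviewed_on": reviewed_on,
            "findings": len(findings),
            "by_code": dict(sorted(
                (code, sum(1 for _, c, _ in findings if c == code))
                for code in {c for _, c, _ in findings}))}


# Constructed sample log (not real activity).
SAMPLE_LOG = [
    "2010-05-20T09:05:00\tjsmith\tbilling\tP001\tbilling\tview",
    "2010-05-20T09:07:00\tjsmith\tbilling\tP001\tclinical\tview",   # role mismatch
    "2010-05-20T10:00:00\trlee\tnurse\tP002\tclinical\tview",
    "2010-05-20T10:02:00\trlee\tnurse\tP003\tclinical\tview",
    "2010-05-20T10:04:00\trlee\tnurse\tP004\tclinical\tview",
    "2010-05-20T10:05:00\trlee\tnurse\tP005\tclinical\tview",       # 4th patient
    "2010-05-20T23:30:00\tdkim\tphysician\tP006\tclinical\tview",   # after hours
    "2010-05-20T11:00:00\tghost\tnurse\tP002\tclinical\tview",      # unknown user
]

if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for user, code, detail in found:
        print(f"{user:8} {code:14} {detail}")
    print(document_review(found, "compliance officer", "2010-05-21"))
```

Each finding still needs a human decision (a nurse covering two units will exceed a per-day patient threshold legitimately), which is why the review record, not just the alert, is what the practice keeps for the six-year retention period.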
Workforce Awareness and Training
• New workforce member training
• Routine, periodic training for the full workforce
• Includes training for temporaries, volunteers and contractors (non-business associates)
• Responsibilities regarding privacy and security, including the requirement to report a suspected incident
• Periodic security and sanctions reminders
• Targeted training for certain workforce members (e.g., billing, HIM, IT, etc.)
Identity Theft Protection Program Requirements
• The Red Flags Rule requires physicians and clinics to implement an effective identity and medical identity theft prevention program that becomes part of the formal security program
• The rule also requires a program to identify or "flag" identity or medical identity theft as it is occurring, in order to stop it and prevent damage to the patient (medical and financial)
Policy Development
• Creditors (in this case physicians) are required to develop, implement and periodically update policies and procedures that fully define the identity theft protection program
• Policies and procedures need to address existing and new patient accounts
Policy Development
• Policies and procedures need to include:
  • How to identify relevant red flags
  • How to detect red flags
  • How to respond when red flags are detected
• Provide for appropriate responses to red flags that match the risk identified
• Consider factors such as security breaches and subsequent breach notification requirements
Policy Development
• Policies must:
  • Be approved by the physician, partnership or board (the highest authority for the practice)
  • Be overseen by senior management
  • Include staff training and oversight of business associates such as billing agencies
Implementation
• Need to create process/procedural guidance for each operational area (written or electronic instruction guide)
• Need to balance risks with appropriate action, by operational area (e.g., higher risk in billing department and patient intake, especially with new patients)
Program Maintenance and Administration
• The board of directors or senior management need to regularly:
  • Monitor assignment of specific responsibility for program implementation
  • Review reports by workforce members
  • Review, or delegate review of, audit logs, identified red flags, etc.
  • Approve material changes to the program
Program Maintenance and Administration
• Review and document at least annually:
  • Policy effectiveness
  • Business associate responsibilities and adherence to requirements
  • Reasonable assurance (e.g., by written contract) that business associates:
    • Implement and monitor activities in connection with patient records and accounts
    • Maintain procedures to detect, prevent and mitigate identity theft
Program Maintenance and Administration
• Review and document at least annually (continued):
  • Significant security incidents
  • Recommendations for material changes
• Documentation needs to be retained for a minimum of six years (HIPAA requirement)
Example Program Requirement
• Develop and implement a policy and procedure that defines the process for patient requests for address changes
• This includes documentation of appropriate actions for handling address changes and/or patient account changes
HIPAA and Red Flag Rule Reminder
• The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards for electronic records
• The HIPAA Privacy Rule expands security protections to all PHI, no matter the form
• Breach notification, a federal and state law requirement, is handled as part of the HIPAA-required security incident response process (the security incident response team, or SIRT)
Implementation Tips
• Consider compliance with the Red Flags Rule as an extension of already required compliance with HIPAA and state and federal breach notification requirements
• "Flags" will be determined more often by how payables and receivables are managed, how new patients are added to the practice, and how existing patients' financial and demographic information is managed
Implementation Tips
• Build on already existing security program – no need to start from scratch
• Make sure training material is updated to include how identity theft or medical identity theft will be spotted and what actions need to be taken
• Expand HIPAA required risk analysis to include the additional risk analysis requirements of the Red Flags Rule
Implementation Tips
• Expand existing policies and procedures where applicable rather than creating new “red flag” policies and procedures
• Make sure that business associates know what they will now be required to do and amend business associate contracts accordingly (especially billing agencies)
• If holes exist in the physician's or practice's security program, now is the time to fix them
Resources
• Federal Trade Commission Alert: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
• LexisNexis: http://solutions.lexisnexis.com/forms/FS08RFWEBINARRFWEBPOSTMKTG169?gclid=CPvXzfzA0JgCFQ9JagodtgL32w
• DCIG: http://www.dciginc.com/2008/08/ftc-issues-red-flag-rules-reminder-ensuring-i.html
Resources
• Identity Theft Daily: http://www.identitytheftdaily.com/index.php/20081015440/Latest/Red-Flag-Rules-Effective-November-1-2008.html
• Jones Day (law firm): http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S5427
• Office for Civil Rights: http://www.hhs.gov/ocr