Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule

William P. Dillon, Esq.
Messer, Caparello & Self, P.A.
2618 Centennial Place
Tallahassee, Florida 32308
Tel: 850-222-0720
Fax: 850-224-4359
[email protected]
Board Certified in Health Law


Page 2

Medical Identity Theft

New York Times Article – June 13, 2009

Brandon Sharp, a 37-year-old from Houston with no real health problems who has never set foot in an emergency room, is surprised to learn he owes thousands of dollars for emergency medical services.

U.S. Attorney’s Office – Southern District of Florida – April 1, 2008 Press Release

A former employee of Cleveland Clinic was indicted for stealing the information of approximately 1,500 patients and then selling it to a cousin who owned a DME company, who in turn submitted over one million dollars of fraudulent claims to Medicare.

Page 3

What is the Red Flag Rule?

Everyone knows that the term “Red Flag” is used to warn of a potential danger. In this case the Red Flag Rules refer to the regulations found at 16 CFR Part 681, which require covered businesses to take actions to:

Identify;

Detect;

Prevent; and

Mitigate Identity Theft

Page 4

Do the Red Flag Rules Apply to Community Health Centers?

In almost every case the answer is “Yes”.

To determine if your CHC is required to comply, ask the following questions:

1. Is my CHC considered a “Creditor”? If yes, go to question 2.

2. Does my CHC maintain “Covered Accounts”? If the answer is also yes, then the Red Flag Rules apply.

Page 5

Who is considered a “Creditor” and what is considered a “Covered Account”?

The definition of a “creditor” can be found at 16 CFR Part 681.2; however, generally any person who regularly extends, renews or continues credit will be considered a creditor.

If a CHC is extending credit, for example via outstanding patient accounts, then it maintains covered accounts.

Red Flag Rules apply to all accounts, not just those in which credit has been extended.

Page 6

Identification of Covered Accounts

A Covered Account is an account that is offered or maintained by a creditor primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Accounts related to the provision of medical services would be considered accounts related to a personal, family or household purpose. The purpose of identifying covered accounts is to ensure all such accounts are subject to the Identity Theft Prevention and Detection Program.

Page 7

How Do CHCs Comply?

Similar to your “Corporate Compliance Program” or your “HIPAA Privacy and Security Program”, your CHC should have “buy in” from the Governing Board and Senior Management. The Governing Board should authorize the implementation of a program that:

1. Identifies relevant indicators (Red Flags) of Identity Theft

2. Detects Red Flags

3. Prevents and/or Mitigates Identity Theft

4. Is Periodically Updated

Page 8

Components of an Identity Theft Prevention and Detection Program

1. Program Management and Oversight

2. Identification of Covered Accounts

3. Identification of Red Flags

4. Detection of Red Flags

5. Prevention and Mitigation of Identity Theft

6. Training

7. Updates

8. Oversight of Service Providers (Business Associates)

Page 9

Program Management and Oversight

Identify Program Manager or Committee

Identify Covered Accounts

Identify Red Flags relevant to the CHC

Develop and Update Policies and Procedures

Respond to Red Flags

Training

Service Provider Compliance

Page 10

Identification of Red Flags

The risk of identity theft exists both from persons accessing services and from employees/contractors of a health care provider.

Covered entities should seek to prevent both external and internal identity theft.

Page 11

Identification of Red Flags

Suspicious Documents

Documents that appear to have been forged

Photograph or physical description on identification not consistent with the appearance of the patient

Other inconsistent information

Page 12

Identification of Red Flags

Suspicious Personal Identifying Information

Address does not match

Social Security Number not valid

Address is known to be a mail drop, prison or other undeliverable address

Invalid/suspicious telephone number

Same Social Security Number for multiple patients

Same Group Health Insurance Information for multiple patients

Patient fails/refuses to provide all required personal information

Page 13

Identification of Red Flags

Unusual/Suspicious Activity

Patient mail repeatedly returned as undeliverable

Notices from patients, victims of identity theft, law enforcement or others regarding possible identity theft

Others
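The "Suspicious Personal Identifying Information" and "Unusual/Suspicious Activity" indicators on the two preceding slides are the kind of checks a CHC can run automatically over its patient account data before a person reviews the hits. The following is an added example, not code from the presentation or its author: a rule-based screen over constructed patient records that implements those indicators (SSN not structurally valid, one SSN on several accounts, one group plan on several accounts, address on a known mail-drop/prison list, implausible phone number, repeatedly returned mail, required intake fields missing). The record layout, the threshold of two returned mail pieces, the undeliverable-address list and every sample record are assumptions constructed for the example.

```python
"""Added example (not from the presentation): a rule-based screen that checks patient
account records for the Red Flags listed on the two preceding slides. Record layout,
thresholds and all sample data are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PatientRecord:
    account_id: str
    name: str
    ssn: str                              # expected as NNN-NN-NNNN
    address: str
    phone: str
    group_plan_id: str                    # group health plan policy/member identifier
    returned_mail_count: int = 0          # pieces of mail returned as undeliverable
    missing_required_fields: tuple = ()   # required intake fields the patient did not supply


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_is_valid(ssn: str) -> bool:
    """Structural check only (SSA numbering rules: area not 000/666/9xx, group not 00,
    serial not 0000). It does not prove the number belongs to this patient."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def phone_is_plausible(phone: str) -> bool:
    """Ten NANP digits with area code and exchange both starting 2-9."""
    digits = re.sub(r"\D", "", phone)
    return len(digits) == 10 and digits[0] in "23456789" and digits[3] in "23456789"


def normalize_address(address: str) -> str:
    return " ".join(address.upper().replace(".", "").replace(",", "").split())


# Constructed list of addresses the CHC has learned are mail drops or prisons.
UNDELIVERABLE_ADDRESSES = {normalize_address("P.O. Box 999, Maildrop City, FL 00000")}


def screen_records(records):
    """Return {account_id: [red flag labels]} for every account that raised a flag.
    A flag means 'review this account', not 'identity theft confirmed'."""
    ssn_owners = defaultdict(set)
    plan_owners = defaultdict(set)
    for r in records:
        ssn_owners[r.ssn].add(r.account_id)
        if r.group_plan_id:
            plan_owners[r.group_plan_id].add(r.account_id)

    flags = defaultdict(list)
    for r in records:
        if not ssn_is_valid(r.ssn):
            flags[r.account_id].append("ssn_not_valid")
        if len(ssn_owners[r.ssn]) > 1:
            flags[r.account_id].append("ssn_shared_by_multiple_patients")
        # Family members can legitimately share a plan, so this hit is a prompt to
        # confirm coverage with the plan, not a verdict.
        if r.group_plan_id and len(plan_owners[r.group_plan_id]) > 1:
            flags[r.account_id].append("group_plan_shared_by_multiple_patients")
        if normalize_address(r.address) in UNDELIVERABLE_ADDRESSES:
            flags[r.account_id].append("address_undeliverable")
        if not phone_is_plausible(r.phone):
            flags[r.account_id].append("phone_invalid")
        if r.returned_mail_count >= 2:
            flags[r.account_id].append("mail_repeatedly_returned")
        if r.missing_required_fields:
            flags[r.account_id].append("required_information_missing")
    return dict(flags)


# Constructed sample records (no real persons).
SAMPLE_RECORDS = [
    PatientRecord("A001", "Alice Example", "123-45-6789", "10 Main St, Tallahassee, FL 32308",
                  "850-555-0101", "GRP-100"),
    PatientRecord("A002", "Bob Example", "000-12-3456", "11 Main St, Tallahassee, FL 32308",
                  "850-555-0102", "GRP-200"),
    PatientRecord("A003", "Carol Example", "123-45-6789", "12 Main St, Tallahassee, FL 32308",
                  "850-555-0103", "GRP-300"),
    PatientRecord("A004", "Dan Example", "234-56-7890", "P.O. Box 999, Maildrop City, FL 00000",
                  "123-456-7890", "GRP-400", returned_mail_count=3),
    PatientRecord("A005", "Eve Example", "345-67-8901", "14 Main St, Tallahassee, FL 32308",
                  "850-555-0105", "GRP-100", missing_required_fields=("date_of_birth",)),
]

if __name__ == "__main__":
    for account, labels in sorted(screen_records(SAMPLE_RECORDS).items()):
        print(account, ", ".join(labels))
```

Each label maps to one slide indicator, so the output of the screen is a worklist for the "Appropriate Responses" step rather than an accusation; the "Address does not match" indicator is omitted here because it needs a second data source (the insurer's or Medicaid's record) to compare against.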

Page 14

Detection of Identity Theft

New Patient Accounts

Verify New Patient Identity

Require certain demographic information

Confirm demographic information

Group Health Plan/Medicaid/Medicare confirmation

Page 15

Detection of Identity Theft

Existing Patient Accounts

Verify Identity

Group Health Plan/Medicaid/Medicare confirmation

Page 16

Detection of Identity Theft

Another method that some organizations are utilizing for detecting identity theft is the institution of digital scans of patient IDs and/or the collection of biometric patient information. This should be done with caution: while it may be very helpful in preventing external identity theft, it creates new internal identity theft concerns, because the stored scans and biometrics are themselves identifying information that employees and contractors can access.

Page 17

Detection of Identity Theft - Internally

HIPAA Security Policies and Procedures

Regularly monitoring employee/contractor activity

Unsecured/unencrypted patient information on portable devices (laptops, thumb drives, etc.)
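"Regularly monitoring employee/contractor activity" is what would have surfaced the Cleveland Clinic case on slide 2 early: one employee pulling the records of roughly 1,500 patients is far outside any clerk's normal workload. The following is an added example, not part of the presentation: it reads a constructed patient-record access log (the kind of audit trail the HIPAA Security Rule's audit controls produce), counts distinct patient accounts each user touched per day, and flags a day whose count exceeds several times that user's own median on other days. The log format, the user names, the multiplier of 4 and the floor of 10 accounts are all assumptions made for the example.

```python
"""Added example (not from the presentation): flag employees whose daily volume of
distinct patient-record accesses is far above their own baseline. The audit-log layout,
user names and thresholds are assumptions; every log line is constructed."""
from collections import defaultdict
from statistics import median


def build_sample_log() -> str:
    """Constructed audit log: 'timestamp user action account' per line.
    clerk1 and clerk2 each view a handful of accounts per day for five days;
    on day 5 clerk1 additionally views 60 more accounts (the constructed anomaly)."""
    lines = []
    for day in range(1, 6):
        for i in range(5):
            lines.append(f"2009-06-0{day}T09:{i:02d}:00 clerk1 VIEW A{1000 + i}")
        for i in range(6):
            lines.append(f"2009-06-0{day}T10:{i:02d}:00 clerk2 VIEW A{2000 + i}")
    for i in range(60):
        lines.append(f"2009-06-05T17:{i:02d}:00 clerk1 VIEW A{3000 + i}")
    return "\n".join(lines)


def parse_log(text: str):
    """Return a list of (day, user, action, account) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, account = line.split()
        events.append((timestamp[:10], user, action, account))
    return events


def distinct_accounts_per_user_day(events):
    """Map (user, day) -> number of distinct patient accounts that user touched that day."""
    touched = defaultdict(set)
    for day, user, _action, account in events:
        touched[(user, day)].add(account)
    return {key: len(accounts) for key, accounts in touched.items()}


def find_access_spikes(events, min_days=3, multiplier=4.0, floor=10):
    """Return {(user, day): count} for days where a user's distinct-account count
    exceeds max(floor, multiplier * that user's median count on their other days).
    Users seen on fewer than min_days days have no usable baseline and are skipped."""
    counts = distinct_accounts_per_user_day(events)
    by_user = defaultdict(dict)
    for (user, day), n in counts.items():
        by_user[user][day] = n

    spikes = {}
    for user, days in by_user.items():
        if len(days) < min_days:
            continue
        for day, n in days.items():
            others = [m for d, m in days.items() if d != day]
            baseline = median(others)
            if n > max(floor, multiplier * baseline):
                spikes[(user, day)] = n
    return spikes


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    for (user, day), n in sorted(find_access_spikes(events).items()):
        print(f"{day} {user}: {n} distinct patient accounts (review)")
```

Comparing each user against their own history keeps a legitimately busy role (billing staff, for instance) from being flagged every day, while the floor stops a user with a tiny baseline from tripping the rule on a normal day. A hit is a prompt for the Program Manager to review, which is the "Respond to Red Flags" step on slide 9.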

Page 18

Prevention/Mitigation of Identity Theft

Appropriate Responses

Monitoring of patient account

Contacting the patient

Change internal information systems (security breach)

Close patient account

Reopen new patient account

Appropriate Modification of “False” records

Notify law enforcement

Page 19

Training

Employee Training

All employees that access or have access to patient accounts

Program Manager should organize training and ensure that it is applicable to the CHC

Provide employees access to policies and procedures

Periodic Updates

Page 20

Service Provider Compliance

CHCs should ensure that their service providers (vendors) take reasonable steps to prevent or detect identity theft.

Existing Business Associate Agreements may address many of these issues.
