1. Red-Flag Identity Theft Requirements February 19th 2009 Cathy Casagrande, Privacy Officer

2. 2 Background of Regulation The Fair Credit Reporting Act (FCRA) as amended in 2003 requires the Federal Trade Commission joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft. These Red Flag and Address Discrepancy regulations were published in final form on November 9, 2007, 72 Fed. Reg. 63718.

3. 3 Trends Medical Identity Theft World Privacy Forum estimates 250,000 to 500,000 Americans are victims of Medical Identity Theft. FTC report 8.3 million identity theft victims in 2005, 3% involving Medical Identity Theft. A Few Cases: -Wellpoint 128,000 member personal information exposed (server security problem). -Jose Medical Group 185,000 individuals (3/05) two computers were stolen that had billing information. -Duke University Medical Center 14,000 a hacker broke into the computer system and stole over 5,000 passwords and 9,000 SSN fragments.

4. 4 Data Breaches & Risks Reported 2006 Privacy Rights Clearinghouse Health Care Outside Hackers3% Insider Malfeasance20% Human/software incompetence20% Theft (non laptop) 17% Laptop theft40%

5. 5 FTC Requirements Two key areas of focus medical identity theft Red Flags Address Discrepancy

6. 6 Red Flag & Address Discrepancy Defined Red Flag is defined as a pattern, practice, or specific activity that could indicate identity theft. All Creditors are subject to this new rule. Address Discrepancy Organizations Requirements: 1. Required for organizations which check credit reports-the language in this is broad: includes any viewing, information obtained from credit report or a complete credit report. 2. Address Discrepancy are triggers which must be addressed with the consumer.

7. 7 Creditors Defined Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor, participating in the decision to extend, renew, or continue credit. Essentially, if a health care provider extends credit to a consumer by establishing an account that permits multiple payments, the provider is a creditor. Everyone...

8. 8 Examples Red Flags A bill for another individual. A bill for a product or service that the patient denies receiving. A bill from health care provider that the patient never patronized collection notice, including a complaint regarding the Notice. EOB not received. A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

9. 9 Requirements of Health Care Providers Red Flag Rule There are four required elements: Identify relevant Red Flags. Detect Red Flags. Respond to noted Red Flags. Review/education of identity theft program.

10. 10 Identify & Detect Red Flags Providers should have processes in place to appropriately detect red flags once the program has been implemented. Processes may include patient authentication (require the patient to produce identifying information at the time the account is opened and upon receiving services), and validating any change of address requests.

11. 11 Identify & Detect Red Flags Start with an assessment of current practices Tools to Assist Risk Assessment provided by FTC Section J Handout Key Assessment Points

12. 12 Identify & Detect Red Flags Group Activity: Small groups: Review Key Assessment Handout- identify an area of concern Discussions

13. 13 Internal Red Flag Create a process to identify a red flag at the Point of Service Develop a process which fits for your practice computer paper system

14. 14 Respond to Red Flags Response Plan should contain an identity theft mitigation strategy including: Monitoring covered accounts. Contacting patients when questions arise or suspicious activity is detected. Changing passwords or security codes. Notifying law enforcement when appropriate. Addressing documentation issues in the patients medical record that may be related to identity theft (ensuring the medical records are accurate).

15. 15 Response Expectations Designate an individual to respond to possible medical identity theft Privacy Officer Type of Cases: ID theft reported by a patient Incorrect bill, name on bill, wrong address=investigate Handouts: ID Theft Affidavit

16. 16 Additional FTC Requirements Update the Program Periodically - changes in the risk of identity theft. Obtain Written Board Approval -identity theft program must be approved by the Board of Directors. Designation of Oversight Responsibilities -the Board or an individual of senior level management must be involved in the oversight, development, management of the program. Training and Compliance Monitoring - staff training: regulation, including awareness of the risk of identity theft, and impact. Oversight and compliance with the program should be monitored.

17. 17 Penalties for Non-Compliance The FTCs plan with respect to monitoring compliance with the Red Flag rules is not clear. Nevertheless, failure to comply with the Red Flag rules could result in the imposition of monetary penalties. The FTC is authorized to bring enforcement actions in federal court for violations with penalties set at $2,500 per independent violation. State enforcement action is authorized on behalf of victims with penalties set at $1,000 per violation and reasonable attorney fees. Finally each patient may be entitled to bring a civil action and recover actual damages sustained from a violation of the Red Flag rules.

18. 18 Red Flag Resources www.FTC.gov www.idtheftcenter.org www.worldprivacyforum.org www.privacyrights.org State of Md. 14-3501 Notification Requirements of a Breach State of Md. 14-3402 Display of Social Security Number