© 2009 Rath, Young and Pignatelli, P.C.
Rath, Young and Pignatelli, P.C., One Capital Plaza, P.O. Box 1500, Concord, NH
by Lucy C. Hodder, Esquire

Thank you to Diane Blaha, Compliance Officer at LRGH, for her contribution to this presentation.
Diane Blaha, FHFMA, Compliance Officer, LRGHealthcare, 80 Highland Street, Laconia, NH
Direct  Fax
What Is Medical Identity Theft?
"Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity – such as insurance information – without the person's knowledge or consent to obtain medical services or goods, or uses the person's identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim's name." (World Privacy Forum presentation)

ID Theft: What We Know
"Victims of medical identity theft may receive the wrong treatment, find their health insurance exhausted, and could become uninsurable for both life and health insurance coverage…. They may fail physical exams for employment due to the presence of diseases in their health record that do not belong to them." (Pamela Dixon, World Privacy Forum)
Most institutions experience ID theft, with no single cause:
- 11% Intentional theft (hacking)
- 27% Intentional theft (fraud)
- 44% Accidental loss
- 18% Incidental theft
Medical theft is the fastest growing form of ID theft: 300,000+ annual cases (300% growth).
- New data breach laws, 35 total
- Children's Online Privacy Protection Act
- Child Online Protection Act
- Red Flag Rules
- FACT Act, 44 Data Breach Laws
- California SB 168
- The Identity Theft and Assumption Deterrence Act
- Electronic Communications Privacy Act
- Fair Credit Reporting Act
Overview of the Red Flag Rules
What are they and why were they created?
- The FTC was interested in rules to prevent ID theft by increasing protections of confidential information and providing tools to help consumers detect crime at an earlier stage.
- FACTA (The Fair and Accurate Credit Transactions Act) §114 amended the Fair Credit Reporting Act and mandated the promulgation of identity theft regulations.
- Red Flag Rules: detection, prevention and mitigation of identity theft by financial institutions or creditors.

Overview (cont'd)
- The Red Flag Rules require a creditor to make reasonable attempts to prevent and detect theft through its Identity Prevention Program and to respond appropriately to mitigate the theft.
- They include guidelines on how the creditor can identify Red Flags and respond.
- They describe what a user of consumer reports must do if the user receives notice of an address discrepancy.
Who Must Comply?
The Red Flag Rules apply to financial institutions and "Creditors" with "Covered Accounts". Creditors are defined as "…any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or an assignee of an original creditor who participates in the decision to extend, renew, or continue credit."
This typically includes lenders such as banks, finance companies, auto dealers, mortgage brokers, utility companies and telecommunications companies. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor.

Are You Sure Providers are "Creditors"?
- The definition has been interpreted to apply to any organization, including non-profits and government agencies, that defers payment, i.e., does not require payment in full, in advance or at the time of services.
- A healthcare provider will be considered a "creditor" if it regularly defers payment for services.
- The FTC has said providers are creditors if they submit a claim to an insurance carrier first and then bill any unpaid amounts to the patient (recent letter to the AMA).
What are "Covered Accounts"?
"Covered Account" means:
- An account a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
- Any other account that the creditor offers or maintains if there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Deadline is November 1, FTC Enforcement deferred until May 1, 2009.

What are Creditors Required to Do?
- Overview: Creditors must develop and implement an identity theft prevention program ("Program") designed to detect, prevent and mitigate identity theft in connection with Covered Accounts.
- Flexibility: The Program must be appropriate to the size and complexity of the organization. It must be written.
- Creditors must "consider" the Guidelines on ID Theft Detection, Prevention and Mitigation.
- The Red Flag Guidelines are geared toward preventing financial identity theft.
- Medical providers are very likely to be targets of medical identity theft.
- Medical identity theft occurs when someone uses another person's name and identity (e.g., insurance information) to obtain medical services or goods.
Implications of Medical Identity Theft for Providers
EXAMPLE: Identity theft takes a particularly nasty turn in healthcare. According to the FTC's 2006 identity theft survey, the median amount obtained by identity thieves for all types of identity theft was $500. In contrast, physicians, hospitals, and others who provide care in good faith can find themselves responsible for thousands of dollars when the patient they have helped turns out to have stolen another's identity. In one egregious recent example, a man needing cardiac surgery was able to get healthcare services totaling $350,000 from a local hospital, using a friend's identity.
Identity theft can cause substantial losses to healthcare providers. The healthcare provider probably will not find out about the identity theft until after services have been provided. An alert consumer may spot an unfamiliar entry on an Explanation of Benefits (EOB) from the consumer's insurance company and notify the insurer. Of course, once the insurer or health plan that paid for the service learns that the person receiving it was not covered, it will demand a refund from the provider. If the consumer does not scrutinize his or her EOBs, then it is possible that the fraud will not be uncovered until the personal portion of the account is sent for collection. The individual whose identity was stolen will rightfully refuse to pay because he or she did not receive the services.

Implications of Medical Identity Theft for Patients
A victim of medical identity theft has to contend with the problems common to all identity theft victims: the time, financial harm, out-of-pocket expense, and worry of placing fraud alerts, closing accounts, and replacing identification. Beyond these time and money issues, the victim also has to worry that his or her medical history can be confused with that of the thief. In the extreme, medical identity theft can prove fatal. A report in Business Week described the dilemmas encountered by a woman whose identity was stolen by a thief who used it to obtain surgery. After sorting out the financial claims, the victim found her problems were not over:
"When Weaver was hospitalized a year later for a hysterectomy, she realized the [identity thief's] medical info was now mixed in with her own after a nurse reviewed her chart and said, 'I see you have diabetes.' (She doesn't.) With medical data expected to begin flowing more freely among healthcare providers, Weaver now frets that if she is ever rushed to a hospital, she could receive improper care – a transfusion with the wrong type of blood, for instance, or a medicine to which she is allergic."
What are Creditors Required to Do?
Initial Steps:
- Determine whether it offers or maintains Covered Accounts.
- Assign responsibility for developing the Identity Theft Program (e.g., a committee with representatives from Finance, Billing, Admissions/Intake, IT, and Privacy/Compliance).
- Conduct a risk assessment of its Covered Accounts, taking into consideration: the methods it provides to open its accounts; the methods it provides to access its accounts; and its previous experiences with identity theft. What is their risk for identity theft?

What are Creditors Required to Do?
The Program must include "reasonable" policies and procedures to:
1. Identify relevant Red Flags for Covered Accounts and incorporate those Red Flags into its Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to Red Flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program, including identified Red Flags, is updated periodically to reflect: changes in customer risk; changes to the safety and soundness of the Creditor from identity theft.
FTC Quote
"When identifying Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purposes of obtaining medical services) and, therefore must identify Red Flags that reflect this risk." 71 Fed. Reg. at

What is a Red Flag?
A Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. (72 Federal Register)
- Alerts from consumer reporting agencies.
- Presentation of suspicious documents.
- Presentation of suspicious personal identifying information, such as a suspicious address change.
- The unusual use of a covered account.
- Notice from customers, victims or law enforcement of identity theft.
Supplement A: Sample Red Flags
Alerts, Notifications or Warnings from a Consumer Reporting Agency
- A fraud or active alert is included with a consumer report.
- A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
  ◦ A recent or significant increase in the volume of inquiries;
  ◦ An unusual number of recently established credit relationships;
  ◦ A material change in the use of credit, especially with respect to recently established credit relationships; or
  ◦ An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Supplement A: Sample Red Flags
Suspicious Documents
- Documents provided for identification appear to have been altered or forged.
- The photo or physical description is not consistent with the appearance of the customer.
- Other information on the ID is not consistent with information provided by the person or on file, such as the signature card.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources (DOB, address, SSN, SSN on the Death Master File).
- Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources (the information is the same as that provided on a fraudulent application, e.g., the address or phone number).

Supplement A: Sample Red Flags
Suspicious Personal Identifying Information
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the creditor: the address is fictitious, a mail drop or a prison; or the phone number is invalid, or is associated with a pager or answering service.
- The SSN provided is the same as that submitted by other persons or other customers.
- The address or telephone number provided is the same as or similar to the account number or telephone numbers submitted by other customers.
- The person opening the account or the customer fails to provide all required personal identifying information.
- Personal identifying information provided is not consistent with personal identifying information that is on file with the Creditor.
Supplement A: Sample Red Flags
Examples of notification: Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons regarding possible identity theft in connection with Covered Accounts held by the Creditor
- The Creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Applying Guidance to Medical Identity Theft
Samples of Red Flags indicating possible medical identity theft:
- A patient who knows his/her insurance ID number but does not produce the card.
- Complaint from a patient that a bill or EOB contains charges for services not provided, or practitioners not seen.
- Complaint from a patient about collection agency attempts to collect an unknown bill.
- Report that insurance benefits have been exhausted for a patient claiming not to have used them.
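The Supplement A red flags on personal identifying information (shared SSN, invalid phone number, address matching another customer's phone, missing required information, information inconsistent with the record on file) and the medical-specific flag of an insurance ID given without the card can all be checked mechanically at intake. The following is an added example, not material from the presentation or from any provider's system: it screens constructed intake records against those flags and returns the hits for a registration clerk or compliance officer to review. Field names, the set of required fields and the sample records are assumptions made for illustration.

```python
"""Red Flag screening of patient intake records (added example, not from the presentation)."""
import re
from collections import defaultdict

# Assumed intake policy: these fields must be present for every new patient.
REQUIRED_FIELDS = ("name", "dob", "address", "phone", "ssn")


def normalize_digits(value):
    """Keep only the digits of a field so 603-555-0101 and (603) 555 0101 compare equal."""
    return re.sub(r"\D", "", value or "")


def phone_is_invalid(phone):
    """A US number should have 10 digits; a single repeated digit is a filler value, not a number."""
    digits = normalize_digits(phone)
    return len(digits) != 10 or len(set(digits)) == 1


def screen_intake(records, on_file):
    """Return a sorted list of (record id, flag) pairs for the red flags found in `records`.

    `on_file` maps a known patient id to the identifying information the provider already holds,
    so information given at intake can be compared with the record on file.
    """
    ssn_owners = defaultdict(set)    # SSN digits -> names that submitted them
    phone_owners = defaultdict(set)  # phone digits -> names that submitted them
    for r in records:
        if r.get("ssn"):
            ssn_owners[normalize_digits(r["ssn"])].add(r["name"].lower())
        if r.get("phone"):
            phone_owners[normalize_digits(r["phone"])].add(r["name"].lower())

    flags = []
    for r in records:
        rid, me = r["id"], r["name"].lower()

        # Fails to provide all required personal identifying information.
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            flags.append((rid, "missing-required-info:" + ",".join(missing)))

        # SSN is the same as that submitted by another person.
        ssn = normalize_digits(r.get("ssn"))
        if ssn and len(ssn_owners[ssn]) > 1:
            flags.append((rid, "ssn-shared-with-other-person"))

        # Phone number is invalid, or is shared with another customer.
        phone = normalize_digits(r.get("phone"))
        if r.get("phone") and phone_is_invalid(r["phone"]):
            flags.append((rid, "phone-invalid"))
        elif phone and len(phone_owners[phone]) > 1:
            flags.append((rid, "phone-shared-with-other-customer"))

        # Address is the same as a telephone number submitted by another customer.
        addr_digits = normalize_digits(r.get("address"))
        if addr_digits and addr_digits in phone_owners and phone_owners[addr_digits] - {me}:
            flags.append((rid, "address-matches-other-customer-phone"))

        # Medical red flag: knows the insurance ID number but does not produce the card.
        if r.get("insurance_id") and not r.get("insurance_card_presented", False):
            flags.append((rid, "insurance-id-without-card"))

        # Information provided is not consistent with the record on file.
        known = on_file.get(r.get("patient_id"))
        if known and known.get("dob") != r.get("dob"):
            flags.append((rid, "dob-differs-from-record-on-file"))
    return sorted(flags)


# Constructed sample data: what the provider already has on file, and three intake records.
ON_FILE = {"P-100": {"name": "Alice Example", "dob": "1970-02-14"}}
INTAKE = [
    {"id": 1, "patient_id": "P-100", "name": "Alice Example", "dob": "1970-02-14",
     "address": "12 Elm St, Laconia NH", "phone": "603-555-0101", "ssn": "123-45-6789",
     "insurance_id": "XYZ123", "insurance_card_presented": True},
    {"id": 2, "patient_id": None, "name": "Bob Sample", "dob": "1985-07-01",
     "address": "9 Oak Ave, Concord NH", "phone": "603-555-0102", "ssn": "123-45-6789",
     "insurance_id": "ABC999", "insurance_card_presented": False},
    {"id": 3, "patient_id": "P-100", "name": "Alice Example", "dob": "1971-02-14",
     "address": "12 Elm St, Laconia NH", "phone": "000-000-0000", "ssn": "",
     "insurance_id": None, "insurance_card_presented": False},
]

if __name__ == "__main__":
    for record_id, flag in screen_intake(INTAKE, ON_FILE):
        print(f"record {record_id}: {flag}")
```

Each hit is a prompt for the response step of the Program (call a supervisor, pause admissions, ask for additional identification), not an automatic denial; record 1 is flagged only because someone else presented the same SSN, and the legitimate patient is usually the victim in that pairing.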
Other Elements of the Program
Besides identifying relevant red flags, Identity Theft Programs must include reasonable policies and procedures to:
- Detect Red Flags
- Respond appropriately to any red flags that are detected
  → prevent identity theft
  → mitigate identity theft

Detecting Red Flags
Possible policy and procedure:
- Require complete identifying information for new patients (full name, DOB, address, government-issued ID, insurance card, etc.)
- Require production of photo ID for all patients
Detecting Red Flags (cont'd)
In designing the Program, hospitals must be careful to ensure compliance with other applicable laws. EMTALA requires provision without delay of medical screening and stabilizing treatment for emergency medical conditions. This will affect policies dealing with access to patient identifying information.

Detecting Red Flags (cont'd)
Driver's License Policy: Should providers simply check picture ID? Or scan it?
- Remember, storing additional personal information can increase the risks of identity theft (insiders).
- New Hampshire law prohibits copying and scanning of photo licenses in such a way that the copy could be mistaken for a valid license. RSA 263:12
- The Department of Safety says it is permissible to copy licenses, with permission of the patient, if the reproduced versions are suitably marked so they would not be mistaken for a license or reproduction.
Responding to Any Red Flag That is Detected
Providers need policies and procedures to address preventing and mitigating identity theft if a red flag is detected.
Example: What if a patient's ID is suspicious? (Photo does not match, document looks altered or forged.) Possibilities:
- call supervisor
- stop the admissions process
- require the applicant to provide additional satisfactory information to verify identity

What are Creditors Required To Do?
Mitigation – some examples:
- Track vulnerability
- Notify victim – when?
- Report to law enforcement – when?
- Place billing account on hold
- Correct billing records
- Correct medical records ("Jane or John Doe" extraction)
- If PHI was disclosed, must this be accounted for?
What are Creditors Required To Do? (cont'd)
Jane or John Doe File Extraction
Health information managers may be familiar with this concept. If fraud or medical identity theft can be substantiated, the victim's file is purged of all information that was entered as a result of the fraudulent activity, and is left with a brief cross-reference and explanation of the deletion (retraceable audit trail). This is important because the fraudulent activity can introduce errors into the victim's file, which can be medically significant. If the thief is unknown, the fraudulent information is removed and held separately; if the thief is known, the purged information can be filed under his/her name.
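The extraction described above is a records procedure with three outputs: the purged chart carrying a cross-reference note, the held file (under the thief's name if known, otherwise a Doe placeholder), and an audit trail that lets the move be retraced. The following is an added example, not code from the presentation or from any health information management system, showing one way to carry it out over a constructed sample chart; the chart structure, the Doe label and the audit fields are assumptions for illustration.

```python
"""Jane/John Doe file extraction with a retraceable audit trail (added example, not from the presentation)."""
import hashlib
import json

# Assumed label for the held file when the identity thief is unknown.
DOE_FILE = "Jane/John Doe (unknown identity thief)"


def chart_entry_digest(entry):
    """Content hash of one chart entry, recorded in the audit trail so a held entry can be matched later."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def doe_extraction(chart, fraudulent_ids, actor, performed_on, thief_name=None):
    """Purge substantiated-fraud entries from a victim's chart.

    Returns (purged_chart, held_file, audit_trail). The purged chart keeps every legitimate entry
    plus one cross-reference entry explaining the deletion; the held file carries the removed
    entries under the thief's name or the Doe label; the audit trail records each move.
    """
    fraudulent_ids = set(fraudulent_ids)
    kept, removed = [], []
    for entry in chart["entries"]:
        (removed if entry["id"] in fraudulent_ids else kept).append(entry)
    if not removed:  # nothing substantiated: chart is returned unchanged, no held file, no audit entries
        return {"patient": chart["patient"], "entries": list(chart["entries"])}, None, []

    held_under = thief_name or DOE_FILE
    held_file = {"filed_under": held_under, "origin_patient": chart["patient"], "entries": removed}
    audit_trail = [
        {"entry_id": e["id"], "digest": chart_entry_digest(e), "moved_to": held_under,
         "actor": actor, "date": performed_on, "reason": "substantiated medical identity theft"}
        for e in removed
    ]
    cross_reference = {
        "id": f"XREF-{performed_on}", "date": performed_on, "type": "cross-reference",
        "note": (f"{len(removed)} entries removed on {performed_on} following substantiated "
                 f"identity theft; held separately under '{held_under}'. See audit trail."),
    }
    purged_chart = {"patient": chart["patient"], "entries": kept + [cross_reference]}
    return purged_chart, held_file, audit_trail


def verify_audit(held_file, audit_trail):
    """Retrace the move: every audit record must match a held entry's id and content digest."""
    held = {e["id"]: chart_entry_digest(e) for e in held_file["entries"]}
    return len(held) == len(audit_trail) and all(
        held.get(a["entry_id"]) == a["digest"] for a in audit_trail)


# Constructed sample chart: E2 and E3 were entered during the thief's encounters.
VICTIM_CHART = {
    "patient": "Patient A (victim)",
    "entries": [
        {"id": "E1", "date": "2007-03-02", "note": "Annual physical; no chronic conditions."},
        {"id": "E2", "date": "2008-05-11", "note": "Dx: type 2 diabetes; metformin started."},
        {"id": "E3", "date": "2008-05-12", "note": "Surgical consult."},
        {"id": "E4", "date": "2008-09-20", "note": "Flu vaccine."},
    ],
}

if __name__ == "__main__":
    purged, held, audit = doe_extraction(VICTIM_CHART, ["E2", "E3"], actor="HIM staff", performed_on="2009-01-15")
    print(json.dumps(purged, indent=2))
    print("held under:", held["filed_under"], "| audit verifies:", verify_audit(held, audit))
```

The digest in each audit record is what makes the trail retraceable: if the thief is identified later and the held entries are refiled under that name, the same records still tie each entry back to the victim's chart and the date it was removed.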
What are Creditors Required to Do? (cont'd)
Other Obligations
- Obtain approval of the initial Program from the Board or an appropriate committee of the Board.
- Implement the Program and provide for its continued administration.

What are Creditors Required to Do? (cont'd)
Continuing Obligations
- Involve the Board, an appropriate Board committee or a designated senior management official in oversight, development, implementation, and administration of the Program.
- Report at least annually.
- Train staff to implement the Program.
- Ensure the Program is updated periodically.
- Oversee service provider arrangements to ensure they incorporate adequate Red Flag protections for the Creditor's Covered Accounts.

HITECH Changes to HIPAA
- HIPAA will apply directly to business associates (service providers).
- Business associate agreements will have to be updated.
- Consider including any necessary red flag provisions in BAAs?
Two Known Cases
1. Uninsured brother uses insured brother's identity.
2. Self-pay patient with two common data elements: DOB and first name. Exceptions or suspicious information: SSNs, last names, addresses, another person's insurance information; used several providers within the regional location.

1. What are the real risks of non-compliance?
2. Should we do this internally?
3. What are my peers doing?
4. What is too much versus the right amount of time and resources for the organization to devote to ID theft compliance?

New Procedures vs. Patient Stress
You see it every day!
- Economic factors
- Work demands/stress
- Insurance coverage issues
- Sickness
- System pressures
- Fear
- Family dysfunction
Employer Responsibility to Prevent Patient Violence
NH employers do not have a general duty to protect their employees from third-party criminal acts, even when the criminal act occurs in the workplace. BUT an employer DOES have the responsibility to protect an employee from known dangers.
NH Case – An employee came to work on a day off in violation of company policy and confronted a co-employee about having an affair with his girlfriend. The supervisor asked them both to leave. The situation worsened and the supervisor learned one employee had a loaded gun. He never called the police. The altercation resulted in a shooting and suicide.

OSHA
More assaults occur in the healthcare and social services industries than in any other, according to OSHA. OSHA applies the general duty of care standard: employers are required to protect employees and take proper precautions.

When are Patients Stressed?
43% of adults suffer negative effects of stress, and over half of visits to doctors are to treat stress-related ailments.
- When patients don't have the money to pay.
- When patients can't schedule a visit or talk to the physician.
- When patients can't get the medication they want.
- When a patient isn't getting better.

How to Improve Patient Contact
Assess points of contact with the safety team: scheduling, medications, payments, follow-up.
- When do points of contact become stressed?
- What factors can alleviate stress?
- What resources are available to deal with problems?
- Ask patients for solutions.

How to Deal With a Threatening Patient?
Have a safety program! NH law requires employers with 5 or more employees to have a Joint Loss Management Committee. Employers with 10 or more must file a Written Safety Program biennially.
- Use your safety committee!
- Assess your workplace for hot-button areas: money, public areas, staffing levels, access points.
- Train your staff.
- Support your staff.
- Run a "fire" drill.
Privacy Protections
- The HIPAA Security Rule requires a practice to protect the confidentiality and integrity of any Electronic PHI that it maintains, creates, receives or transmits, AND
- Encryption may be "reasonable and appropriate" for certain identifying information, to implement various security standards.
- Must guard against unauthorized access to EPHI.
- New HIPAA laws require accounting, upon request, of all disclosures made electronically.

Is Encryption "Reasonable and Appropriate?"
The Rule requires a practice to assess what safeguards are appropriate and to document the assessment process. Is encryption reasonable and appropriate?
- What is the size of your practice?
- What are your technical capabilities?
- What are the costs?
- What are the risks of disclosure?

Develop a Policy on Electronic Communication
- State scope of use, i.e., scheduling a visit, billing questions, new patient information, Rx refills
- Include a disclaimer regarding questions about individual care or treatment
- Include notification that information is not encrypted
- Include authorization/consent
- Warn patients to call if there is no response within 24 hours
- Provide contact name and numbers for questions
Patients Seeking Medication
High risk of threats and violence. Ethical Guidelines: "If the patient is determined to be at high risk for medication abuse or have a history of substance abuse, the physician may employ the use of a written agreement between physician and patient outlining patient responsibilities." Use patient medication contracts.

Why Might You Terminate a Patient?
- Refuses to cooperate
- Patient not paying bills
- Unruly and obnoxious to the extent that care is compromised
- Behavior endangers staff!!
- Harassing providers or staff
- Is engaging in behavior indicating identity theft
BUT be aware of EMTALA.

Medical Ethics
Can terminate – CANNOT abandon. AMA Code of Ethics: "Physicians have an obligation to support continuity of care for their patients. While physicians have the option of withdrawing from a case, they cannot do so without giving notice to the patient, the relatives, or responsible friends sufficiently long in advance of withdrawal to permit another medical attendant to be secured." Physicians may not refuse to care for a patient based on race, gender, sexual orientation, or any other criteria that would constitute invidious discrimination. Physicians should respond in cases of emergency.

How Do You Do It?
- If possible, have the patient agree to transfer care.
- Review medical records to determine the status of care.
- Notify attending physicians.
- Give reasonable notice to the patient, including the date services will end.
- Provide appropriate referral information.
- Explain how you intend to provide records to future providers.
- Send certified mail.
Red Flag Rule Resources
AHA Red Flag Rule Resources:
Federal Register:

Lucy C. Hodder
Rath, Young, Pignatelli, P.C., One Capital Plaza, P.O. Box 1500, Concord, NH