© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED.
Raising a Red Flag: Understanding the Fair and Accurate Credit Transactions Act, the Red Flag Regulations, and Their Impact on Physicians
February 11, 2009
Presented by: Patricia A. Markus, Smith Moore Leatherwood LLP
Post Office Box T: (919) F: (919)

Introduction
– In 2008, 656 reported data breaches (47% increase over 2007)
  – 37% of breaches in business
  – 20% in education
  – 17% in government/military
  – 15% in health care
  – 12% in financial/credit
– Insider theft accounts for almost 16% of breaches; data on the move and accidental exposure account for 35%
– Electronic breaches account for 82% of data breaches

Introduction (Agenda)
– What are the Red Flag Rules, and what is a Red Flag?
– What do the Rules require, and who must comply? The two-part test
– Consequences of failure to comply
– Creation of an identity theft detection program
– Health care specific examples
– Intersection with the NC Identity Theft Protection Act
– Questions

What Are the Red Flag Rules?
– The Fair and Accurate Credit Transactions Act (FACTA) was passed by Congress in 2003 to protect consumers against identity theft
– Six agencies published the final regulations under FACTA, effective January 1, 2008
– The good news: the deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009

What Is a Red Flag?
– Any pattern, practice, or specific activity that indicates the possibility of identity theft

What Do the Red Flag Rules Require?
– Covered entities must create written programs to detect, prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts
– Consumer reporting agencies must follow certain rules related to address discrepancies**
– Debit and credit card issuers must put procedures into place to assess the validity of address changes**
**NOTE: the deadline for enforcement of these rules remains November 1, 2008

Who Is Required to Comply?
– A financial institution
  – i.e., a State or national bank, a State or Federal savings and loan association
OR
– A creditor who maintains covered accounts
  – The definition of creditor can include lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies

Question 1: Are You a Creditor?
What is a creditor? Specifically, a creditor is:
– any person who regularly extends, renews, or continues credit;
– any person who regularly arranges for the extension, renewal, or continuation of credit; or
– any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
In short, a creditor is any entity that allows its customers to pay their fees or balances on a delayed-payment basis

Are Health Care Providers Creditors?
– Yes, they can be. Health care providers may be creditors if they regularly** extend, renew, or continue credit
– Credit simply means any deferral of payment
**NOTE: the FTC takes the position that "regularly" probably includes a few times a year

Special Problem for Health Care Providers: Medical Identity Theft
Medical identity theft (MIT) occurs when
– someone uses a person's name and sometimes other parts of their identity, including insurance information or SSN
– without the victim's knowledge or consent
– to obtain medical goods or services
– or to obtain money by falsifying claims for medical services and falsifying medical records to support the claims
FTC: MIT accounts for 3% of identity theft crimes

Medical Identity Theft
– A victim's information is stolen so that the thief can fraudulently obtain benefits for which he otherwise would not qualify
– Physicians' identities are stolen to fraudulently bill insurers for services not provided
– Health care insiders, the fastest growing group involved in MIT, sell information to criminals for $5 to $50 per name
– Many providers are now asking patients to provide photo ID to authenticate that patients are who they say they are

Question 2: Do You Maintain Covered Accounts?
What is a covered account?
– Any account maintained primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions
– And any other account…for which there is a reasonably foreseeable risk to customers…from identity theft
THUS, any account that permits multiple payments (or an entity's practice of permitting such payments) is covered

Examples of Covered Accounts for Health Care Providers
– Patient account
  – Serves a personal, family, or household purpose, and the information contained therein poses a foreseeable identity theft risk
BUT ALSO
– Credit to physicians or other employees
  – Income guarantees
  – Recruitment loans
  – Educational loans

Does the Address Discrepancy Rule Apply to Your Entity?
– Do you use consumer reports to make employment decisions in performing background checks?
– Do you use consumer reports to make credit decisions about your patients or customers?
– If so, your entity must comply with the rules applied to users of consumer reports who receive notice of an address discrepancy from a consumer reporting agency

What Happens if You Fail to Comply?
– The Federal Trade Commission oversees creditors who are not financial institutions, such as health care providers
– Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction
– Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation

What About Private Lawsuits?
– Like HIPAA, the Red Flag Rules do not provide for a private right of action, but the Rules may provide the basis for state law claims
– Ultimately, also like HIPAA, the Red Flag Rules could set a national standard of care for handling confidential financial information
– In addition to liability under state identity theft acts, state law claims under tort or contract theories (negligence, breach of warranty) are possible

Four Essentials for a Red Flag Program
– Identify Red Flags
– Detect Red Flags
– Respond appropriately to Red Flags detected
– Update the program to reflect changes in risks from identity theft to customers

Identify Red Flags
Medical practices should consider patterns, signals, activities, or practices that would alert the provider to the possibility of identity theft, such as:
– Alerts, notifications, or warnings from a consumer reporting agency
– Suspicious documents
– Suspicious personal identifying information
– Unusual use of, or suspicious activity related to, the covered account
– Notice from a customer, theft victim, law enforcement, or other business

Detect Red Flags
Implement procedures to detect the identified red flags:
– Obtain information and verify the identity of the person opening a covered account
– Authenticate customers (patients); monitor transactions
– Verify change-of-address requests for existing covered accounts
– Look at all areas where patients' information is provided or accessed: intake, check-out, medical records, billing/collections

Respond to Detected Red Flags
Develop appropriate policies to respond to detected Red Flags:
– Monitor a covered account for evidence of identity theft
– Contact the customer (patient)
– Change any passwords or security codes that permit access to covered accounts
– Remove or modify incorrect medical records
– Reopen the covered account with a new account number
– Do not attempt to collect on the covered account
– Notify law enforcement

Update the Program
– Periodic updating is required to reflect changes to the identity theft risks to patients
– Document a procedure for adopting additional prevention or detection methods
– In updating the program, practices should consider:
  – Tracking identity theft trend data
  – Identifying who will be responsible for tracking the data
  – Developing a procedure to adopt new policies to adapt to new risk calculations

Action Items
– Establish and approve a program
– Provide ongoing oversight and training
– Follow reporting requirements

Step One: Establish and Approve a Program

Establishment and Approval
The program must
– be written
– be appropriate to the size and complexity of the organization
– be appropriate to the nature and scope of the organization's activities
– consider and incorporate the Guidelines to the Rules
If a practice excludes a Red Flag from its program, a written rationale for the exclusion must be provided
Once established, the program must be approved by the Board of Directors or an appropriate subcommittee

Step Two: Provide Ongoing Oversight and Training

Oversight and Training
– Oversight and implementation of the program must involve senior staff or designees
– Assign specific responsibilities
– Train staff
– Educate patients about risks and prevention
– Review compliance reports
– Policies to respond to the following, among others:
  – Patient claims fraud has occurred or services were not received
  – Provider has altered patient records
  – Police reports and victim requests for investigation

Ongoing Oversight
– Approve material changes to the program as necessary to address changing risks
– There must be oversight of service provider arrangements (e.g., a third-party billing service) to guarantee that the service provider is acting in accordance with the approved program

Step Three: Follow Reporting Requirements

Program Reporting Requirements
– The oversight staff must report to the designated oversight authority at least annually
– The staff report should include
  – Effectiveness of the program
  – Significant incidents involving identity theft and the response to them
  – Recommendations for material changes to the program

HIPAA and the Red Flags Rule
– For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flags Rule
– However, unlike HIPAA, the Red Flags Rule's requirement to mitigate may require notification of patients
– It will be important for physician practices to review their existing HIPAA compliance efforts
  – Some policies will need to be updated based on the circumstances and situations that are unique to health care providers

Examples of Red Flags in Health Care: How Patients Find Out
– Patient receives an EOB for services not received
– Patient receives a bill from a facility the patient never visited
– Patient receives a bill for another person
– Physician mentions an inaccurate treatment history during the patient's office visit
– Accounting of disclosures
– Insurance company denies treatment for a condition the patient doesn't have

Examples of Red Flags in Health Care: How Providers Find Out
– Patient's records show treatment inconsistent with the patient's medical history or physical exam (age, blood type)
– Patient complains about receiving a collection notice for services not received
– Patient provides an insurance number but cannot produce an insurance card
– Mail sent to the patient is returned repeatedly, but transactions continue to occur on the patient's account
– ID appears to have been altered or forged
– Picture or signature on file does not match that of the person presenting for treatment
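The "Detect Red Flags" slide asks practices to monitor transactions and check patient information at intake, and the slide above lists the provider-side red flags. As an added illustration (not part of the presentation and not a tool of the presenter), the following Python script applies several of those red flags to constructed patient-account records; the field names, the returned-mail threshold, and the sample data are assumptions.

```python
# Added example: apply provider-side red flags to patient-account records.
# Not from the presentation; field names and threshold are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Assumption: "returned repeatedly" means at least two returned mailings.
RETURNED_MAIL_THRESHOLD = 2

@dataclass
class Encounter:
    day: date
    recorded_blood_type: str | None = None   # blood type noted at this visit
    insurance_number_given: bool = False
    insurance_card_presented: bool = False
    id_document_suspect: bool = False        # intake staff judgement, recorded
    photo_or_signature_match: bool | None = None  # None: nothing on file yet

@dataclass
class PatientAccount:
    account_id: str
    blood_type_on_file: str | None
    returned_mail_dates: list[date] = field(default_factory=list)
    encounters: list[Encounter] = field(default_factory=list)

def red_flags(acct: PatientAccount) -> list[str]:
    """Return the red flags raised by one account (empty list when none)."""
    flags: list[str] = []
    for e in acct.encounters:
        # Clinical data inconsistent with the patient's file (blood type).
        if (acct.blood_type_on_file and e.recorded_blood_type
                and e.recorded_blood_type != acct.blood_type_on_file):
            flags.append(f"{e.day}: blood type {e.recorded_blood_type} differs "
                         f"from file ({acct.blood_type_on_file})")
        if e.insurance_number_given and not e.insurance_card_presented:
            flags.append(f"{e.day}: insurance number given without a card")
        if e.id_document_suspect:
            flags.append(f"{e.day}: ID appears altered or forged")
        if e.photo_or_signature_match is False:
            flags.append(f"{e.day}: photo or signature on file does not match")
    # Mail returned repeatedly while transactions continue on the account.
    if len(acct.returned_mail_dates) >= RETURNED_MAIL_THRESHOLD:
        last_return = max(acct.returned_mail_dates)
        later = [e for e in acct.encounters if e.day > last_return]
        if later:
            flags.append(f"{len(acct.returned_mail_dates)} returned mailings, "
                         f"yet {len(later)} transaction(s) after {last_return}")
    return flags

# Constructed sample accounts (not real patients).
SUSPECT = PatientAccount("ACCT-0001", "O+",
    returned_mail_dates=[date(2009, 1, 5), date(2009, 1, 20)],
    encounters=[Encounter(date(2009, 1, 28), recorded_blood_type="AB-",
                          insurance_number_given=True)])
CLEAN = PatientAccount("ACCT-0002", "A+",
    encounters=[Encounter(date(2009, 2, 2), recorded_blood_type="A+",
                          insurance_number_given=True,
                          insurance_card_presented=True,
                          photo_or_signature_match=True)])

if __name__ == "__main__":
    for acct in (SUSPECT, CLEAN):
        print(acct.account_id, red_flags(acct) or "no red flags")
```

A real deployment would feed this from the practice management system and route every non-empty result to the response policies on the "Respond to Detected Red Flags" slide.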

The Good News
– Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA
– The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft
– Providers now have three more months to augment their compliance programs to safeguard patient financial information

What About N.C. Identity Theft Law?
– Applies to all entities doing business in NC
– Like the Red Flag Rules, requires a policy and training
– Encrypted and redacted data provide safe harbors
– The ITPA regulates the collection and destruction of personal identifying information, especially Social Security numbers
– Must notify individuals of possible security breaches without unreasonable delay

NC Identity Theft Law (Cont'd)
– If more than 1,000 persons are affected by the breach, the business must notify the Attorney General's office and consumer reporting agencies
– Violation of the Act may result in private lawsuits, damages of up to $5,000, and treble damages

Common Misconceptions
– Under the NC law, you may copy a driver's license for identification purposes
– Under NC law, you may maintain SSNs on file for accounting purposes
– But these items should be closely guarded as part of the practice's privacy, security, and Red Flag efforts!

Additional Resources
– PDF/ByArticle/Chapter_75/Article_2A.pdf

QUESTIONS??

For more information, please contact: Patricia A. Markus, Smith Moore Leatherwood LLP