Federal Trade Commission (FTC) Final Regulations issued November, 2007 › Effective 1/1/08 › Compliance and Enforcement Date 11/1/08 Enforcement Delayed Twice to 8/1/09 Creditors must implement written policies/procedures to prevent, detect and mitigate identity theft related to consumer accounts › TTUHSC OP – 4/30/09
TTUHSC is a Creditor › Regularly defers payment for goods or services or provides goods or services and bills later. › FTC stance: Physicians who accept insurance or payment plans are “creditors”. TTUHSC has Consumer Accounts › Accounts permitting multiple payments › Accounts where there is a reasonable foreseeable risk of identity theft BUT, WHAT ABOUT HIPAA?
Identity Theft › Fraud committed or attempted by an individual using another person’s identifying information to obtain goods/services Identifying Information › Name; SSN; birth date; phone number; government identity card (license, passport, visa); PHI, bank/credit/debit account numbers insurance information, biometric information; electronic identification information
Identify relevant “Red Flags” › Those likely to encounter during business operations Detect Red Flags › Establish procedures to detect red flags in day-to-day operations Prevent & Mitigate Identity Theft › Respond to red flags found Update the Program
Electronic Data/Interchanges › External Security Breaches › Internal Security Breaches Physical Points of Service › Setting up a New Patient › Patient Encounters – Medical Information › Account Collection Activity VERIFYVERIFYVERIFY
Types › False Identity › Use another individual’s insurance information to obtain health care items/services Risks › Non-payment/Refund to the Insurer › Inaccurate medical history for the insured › Inaccurate/False Medical Record › Inaccurate billing information
Current OB Patient previously received OB care under a false identity. Patient receives treatment using cousin’s insurance card Patient does not use real name to receive treatment. Patient denies having received treatment from the provider.
A RED FLAG › DOES NOT EQUAL IDENTITY THEFT › IS AN INDICATOR OF POSSIBLE IDENTITY THEFT Categories of “Red Flags” – Attachment A › Credit Report Alerts › Suspicious Documents/Identity Information › Suspicious Activity › Patient Notices/Complaints
Patient Complains that items/services billed were not received by them Patient’s medical histories are inconsistent Patient uses various “aliases” to receive services False/Forged Documentation Presented Patient complaint/question about collections or entry on a credit report
Insurer denial of coverage for the service because patient previous received the service › Appendectomy; Hysterectomy; etc. Insurance Information Does Not Match Patient Information Patient Personal Information Does Not Match Information Presented or on File › Photo IDs, Insurance Card
Educate Staff on Medical Identity Theft and Detecting Red Flags › What is a “red flag” – 52.10, Attachment “A” › Who to Contact? Supervisor/Manager/Administrator Institutional Privacy Officer Institutional Security Officer (Identified security breach)
New Patients: › Copy of current insurance cards › Over 16 years of age: Government-issued ID checked and copied for medical record › Under 16 years of age: Other government – issued documents Copy of Birth Certificate for medical record Copy of School Enrollment Patient Refusal – Contact Supervisor
Existing/Returning Patients › Verify patient matches photo ID – get copy if not already in the medical record › No photo ID – Verify patient using other individual identifying information, such as: Address Phone number Last 4 of Social Security Number Other unique information (last visit; insurer; etc.) › You may already be doing some or all of this
Patient Complaint/Notice Unusual/Suspicious Activity/Information › Medical Record Information › Payment Denials › Insurer Inquiries related to a submitted claim › Name discrepancies › Number of children › Active patient with mail returned as undeliverable
FTC Fighting Fraud with Red Flag Rules AMA Publication FTC Website