1 Identity Theft Prevention and the Red Flag Rules

2 The Red Flag Rules Established in 2003 by the Fair and Accurate Credit Transactions Act (FACTA) Enforced by the Federal Trade Commission Requires implementation of an identity theft prevention program to identify, prevent, and mitigate identity theft

3 Application to Healthcare Organizations who process or extend credit to customers will be required by November 1, 2009 to have developed and implemented identity theft prevention programs Since healthcare organizations allow patients to pay after services are provided, and sometimes on credit, the Red Flag Rules apply

4 What is Identity Theft? Identity theft is the willful and knowing possession and/or use of someone else’s identifying information (SSN, credit cards, insurance card, etc.) to obtain money, services, or credit Medical Identity Theft occurs when someone assumes or attempts to assume the identity of someone else and uses or attempts to use the stolen identity to obtain medical services or supplies, or to file insurance claims for services they received under someone else’s insurance

5 What is a Red Flag A Red Flag is defined as a pattern, practice, or specific activity that could indicate identity theft Red Flags include –Alerts, Notifications or Warnings from a Consumer Reporting Agency –Suspicious Documents –Suspicious Personal Identifying Information –Suspicious Activity Related to an Account Examples of Red Flags are listed in the next column An insurance card that appears to be altered A picture ID that does not look like the patient The description on a driver’s license does not match the patient’s appearance The signature does not match that of the patient An invalid SSN The address or phone number does not match existing records The patient states he/she is a victim of identity theft Existing medical record information does not appear relevant to the patient being treated

6 ID Theft Program Requirements Board or board committee approval of program Designated senior level manager involved in oversight of the program Staff training—everyone Multiple policies and procedures already exist or have been written to provide guidance to safeguard our patients’ personal information Effective oversight of service provider arrangements Processes to determine how and when to notify a victim and/or law enforcement

7 What Happens When One of Our Patients is a Victim of Identity Theft? The real patient will not be charged for services provided to an identity thief if the facility has verified ID theft occurred If the ID thief’s medical record information has been placed in the real patient’s medical record, it will be separated into a different file A determination will be made by senior leadership whether it is appropriate to notify the ID theft victim and/or law enforcement based upon the circumstances of each case

8 Consequences of Non-Compliance No private right of action Civil monetary penalties ($1,000-$3,500, plus damages and attorney’s fees) Regulatory enforcement action Negative publicity