Red Flags Rule Red Flags Rule Staff Training Course Practice Administrator SAMPLE AAP PEDIATRICS

Disclaimer This content is for informational purposes only. It is not intended to constitute financial or legal advice. A financial advisor or attorney should be consulted if financial or legal advice is desired. The AL Chapter-AAP Practice Management Association accepts no legal liability or responsibility for any claims made or opinions expressed herein.

Red Flags Rule for your Office The Red Flags Rule gives you the flexibility to design a Program appropriate for your company, its size and potential risks of identity theft. While some businesses and organizations may need a comprehensive Program that addresses a high risk of identity theft in a complex organization, others with a low risk of identity theft could have a more streamlined Program.

Red Flags Rule Training Table of Contents 1. Federal Trade Commission (FTC) Information 2. FTC Red Flags Rules 3. Applicability to Health Care Providers 4. Definitions 5. Program Requirement 6. Possible Red Flags 7. Detection of Red Flags 8. Prevention of Red Flags 9. Sanctions Against the Practice 10. Updating the Program 11. Oversight of the Program 12. Examples 13. Filing a Complaint 14. Questions and Discussion 15. Resources for Practice Managers

The FTC reports that of the 8.3 million cases of identity theft, 4.5% of those were medical identity theft. That’s almost 375,000 cases of medical identity theft. Federal Trade Commission Information -5-

FTC Information Continued: The FTC defines the term “Red Flags” as a pattern, practice or specific activity that indicates identity theft -6-

FTC Red Flags Rule  Fair and Accurate Credit Transactions Act of 2003 (“FACTA”): o As an extension of the Fair Credit Reporting Act (“FCRA”), the Federal Trade Commission (“FTC”) adopted FACTA to provide rules aimed at deterring, detecting and preventing identity theft. o Under these “Red Flags Rules,” financial institutions and creditors of covered accounts must establish a program to detect, prevent and mitigate identity theft.  Effective Date for Health Care: May 1, Postponed Effective Date Postponed to August 1, 2009 Effective Date Now Set for November 1,

Applicability to Health Care Providers Initially unsure whether applied to health care providers. AMA challenged applicability to health care providers. FTC confirmed that a health care provider would be a creditor if the health care provider does not regularly demand payment in full for services or supplies at the time of service (i.e. extending credit) and maintains covered accounts of its patients.  Collecting co-pay or deductible at the time of service, then subsequently collecting from third party payers and finally collecting remaining balance from patient.  Payment plans. -8-

Definitions Creditor: o An entity that regularly extends, renews, continues credit or arranges for the extension of credit. Covered Account: o A consumer account designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk of identity theft (e.g. patient billing records, patient payment plans). -9-

Definitions continued: Identity Theft Occurs when a person wholly takes over another individual’s identifying information:  To obtain medical services or goods.  To obtain money by falsifying claims for medical services and falsifying medical records to support those claims. Identifying Information  Is defined as any Identifying Information which may be used to identify a person, such as (e.g. name date of birth, social security number, state issued driver’s license, government identification, passport, insurance policy number, etc.) Red Flags  Means a pattern, practice or specific activity that indicates the possible existence of identity theft. -10-

Identity Theft Prevention Program Requirements Identify Red Flags Detect Red Flags Respond to Red Flags detected to prevent and mitigate identity theft and Ensure the Program is updated periodically to reflect changes in the risks of identity theft -11-

Red Flags Categories 1.Alerts from others 2.Suspicious documents 3.Suspicious personal Identifying Information 4.Suspicious account activity or unusual use of account -12-

26 Possible Red Flags 1.A fraud alert included with a consumer report. 2.Notice of a credit freeze in response to a request for a consumer report. 3.A consumer reporting agency providing a notice of address discrepancy. 4.Unusual credit activity, such as an increased number of accounts or inquiries. 5.Documents provided for identification appearing altered or forged. 6.Photograph on ID inconsistent with appearance of customer. 7.Information on ID inconsistent with information provided by person opening account. 8.Information on ID, such as signature, inconsistent with information on file at financial institution or creditor. 9.Application appearing forged or altered or destroyed and reassembled. 10.Information on ID not matching any address in the consumer report, Social Security number has not been issued or appears on the Social Security Administration's Death Master File, a file of information associated with Social Security numbers of those who are deceased. 11.Lack of correlation between Social Security number range and date of birth. -13-

26 Possible Red Flags 12.Personal Identifying Information associated with known fraud activity. 13.Suspicious addresses supplied, such as a mail drop or prison, or phone numbers associated with pagers or answering service. 14.Social Security number provided matching that submitted by another person opening an account or other customers. 15.An address or phone number matching that supplied by a large number of applicants. 16.The person opening the account unable to supply Identifying Information in response to notification that the application is incomplete. 17.Personal information inconsistent with information already on file at financial institution or creditor. 18.Person opening account or customer unable to correctly answer challenge questions. 19.Shortly after change of address, creditor receiving request for additional users of account. -14-

26 Possible Red Flags 20.Most of available credit used for cash advances, jewelry or electronics, plus customer fails to make first payment. 21.Drastic change in payment patterns, use of available credit or spending patterns. 22.An account that has been inactive for a lengthy time suddenly exhibiting unusual activity. 23.Mail sent to customer repeatedly returned as undeliverable despite ongoing transactions on active account. 24.Financial institution or creditor notified that customer is not receiving paper account statements. 25.Financial institution or creditor notified of unauthorized charges or transactions on customer's account. 26.Financial institution or creditor notified that it has opened a fraudulent account for a person engaged in identity theft. -15-

Detection of Red Flags 1. New patient accounts.  Require and verify Identifying Information.  Compare photo identification carefully to patient presenting identification.  Compare physical description to patient presenting identification (e.g. DOB, height, etc.).  Check expiration date.  Compare signature on identification to other signatures of patient.  Review identification for evidence of tampering.  When available verify Identifying Information with insurance company’s information. 2.Existing patient accounts.  Verify identification of patient or their legal representative before disclosing any personal Identifying Information.  Verify identification of patient or their legal representative before accommodating requests for changes of billing address. -16-

Prevention and Mitigation of Identity Theft If identity theft is suspected for any reason, immediate action is required. Notify Administrator, Doctor or supervisor. One of the following actions will immediately be put into place.  Monitor the covered account for evidence of identity theft.  Contact the patient.  Change any passwords, security codes or other security devices that permit access to a covered account.  Re-open a covered account with a new account number.  Do not open a new covered account.  Close an existing covered account.  Notify law enforcement.  Determine no response is warranted under the particular circumstances. -17-

Sanctions Against the Practice Federal Enforcement: FTC can enforce penalties up to $2,500 per violation. State Enforcement: State can enforce penalties up to $1,000 per violation plus attorney’s fees. Civil Liability: Each patient may be entitled to recover actual damages. -18-

Updating the Program The Program will be reviewed and updated annually to reflect changes in risks to patients based on the following factors:  The experience of the entity with identity theft.  Changes in methods of identity theft.  Changes in methods to detect, prevent and mitigate identity theft.  Changes in the types of accounts that the entity offers or maintains. -19-

Oversight of the Program Oversight of the Program shall include: The Physician Owners of the entity approve of the Program. Disclosure of their approval is located in Operational Policy and Procedure Manual. Administrator and all management staff will be responsible for implementation of the Program. Compliance by all staff members is required. Approval of material changes to the Program. The Compliance Officer should be responsible for oversight of the Program and report to the Administrator, and/or the Physician Owners. Physician Owners have ultimate responsibility over the Program. -20-

Examples of Red Flags Mitigation and Resolution Procedures Red Flags: Personal Identifying Information provided by the patient is not consistent with other personal Identifying Information provided by patient.  State issued driver’s license describes an individual as 45 year old, 5’ 10” male; patient presenting is 25 year old, 5’ 5” male. Prevention/mitigation procedure:  Stop the intake/admissions process and require patient to provide additional satisfactory information to verify identity.  Notify law enforcement as appropriate. -21-

Examples of Red Flags Mitigation and Resolution Procedures Red Flags: Patient complaint regarding bill for service patient did not receive. Prevention/mitigation procedure:  Hold bill.  Investigate complaint.  Interview individuals as appropriate.  Obtain additional satisfactory information to verify identity.  Notify law enforcement as appropriate. -22-

Examples of Red Flags Mitigation and Resolution Procedures Red Flags: Change in address requested. Prevention/mitigation procedure:  Verify patient’s identity through social security number, DOB and other form of Patient information as originally provided to the entity, prior to accepting any address change.  Do not change address if identity is not verified.  Notify law enforcement as appropriate. -23-

Filing a complaint: To report or discuss a case of identity theft, call toll free , or go to FTC online, at Medicaid Fraud related complaints should be reported to: Alabama Director, MFCU Office of the Attorney General 11 South Union Street Montgomery, AL

Thank you!! Questions and Discussion

Resources for Practice Managers Federal Trade Commission Website for Red Flags Rule American Academy of Pediatrics Website 687http://practice.aap.org/content.aspx?aid=2 687 (AAP member log-in required)  Your Local Attorney