1 Red Flags Rule: Implementing an Identity Theft Prevention Program Health Managers Network May Chris Apgar, CISSP President, Apgar & Associates, LLC
© Apgar & Associates, LLC2 Agenda Red Flags Rule Overview State & Breach Notification Requirements Definition of “Red Flags” Identity Theft Protection Program Requirements Implementation Tips Q & A
2010 © Apgar & Associates, LLC3 Red Flags Rule Overview Result of Fair and Accurate Credit Transaction Act of 2003 (FACTA) Amendment to Fair Credit Reporting Act Final Red Flags Rule published November 2007 Original enforcement date was moved from November 2008 to June 1, 2010 Rules will be enforced by the Federal Trade Commission (FTC)
2010 © Apgar & Associates, LLC4 Red Flags Rule Overview Applies to “creditors” Physicians today classified as “creditors” “Creditor” is defined as: Maintain “covered account” (for physicians this is the patient account where patient is not required to pay for treatment or fully pay for treatment at the time treatment is rendered) Participates in the decision whether or not to issue credit
2010 © Apgar & Associates, LLC5 Red Flags Rule Overview Physicians may or may not ultimately be considered “creditors” based on American Bar Association court finding that attorneys are not regulated by the Red Flags Rule American Medical Association, American Hospital Association and others have appealed to the FTC to categorize licensed health care professionals the same as attorneys No response yet from the FTC Do not assume not covered
2010 © Apgar & Associates, LLC6 Red Flags Rule Overview Requires implementation of an identity theft protection program which includes: Risk analysis Identification of “red flags” (events that may be identity theft) “Red Flag” alerts Response policies, procedures and practices (similar to a security incident response team) Annual program review and update as necessary
2010 © Apgar & Associates, LLC7 Federal & State Breach Notification Laws Oregon breach notification requirements effective October 1, 2007 State security requirements effective January 1, 2008 (non-HIPAA and GLBA covered entities) Federal interim final breach notification rule and breach notification requirements effective September 23, 2009 Penalties associated with non-compliance with state and federal breach notification laws
2010 © Apgar & Associates, LLC8 Federal & State Breach Notification Laws Existing requirements dovetail with Red Flags Rule and HIPAA Security Rule Identity theft protection program is preventative versus breach notification which is reactive Preventive and reactive policies, procedures and practices are already mandated by the HIPAA Security Rule (covered entities and business associates)
2010 © Apgar & Associates, LLC9 Federal & State Breach Notification Laws “Red Flags” could represent security breaches Breach notification requirements would be triggered under Oregon and federal law Now required to notify patients of medical information breach Tied to HIPAA Security Rule requirement, security incident response mitigation phase and HIPAA Privacy Rule, privacy incident mitigation
2010 © Apgar & Associates, LLC10 Definition of Red Flags “Red Flags” identify when breach or identity theft might have occurred or may be occurring Red flags include (list not inclusive): Notification of fraud from consumer protection agency Documents provided for identification appear to have been altered or forged The address or telephone number provided is the same as or similar to the address or telephone number submitted by other patients
2010 © Apgar & Associates, LLC11 Definition of Red Flags Red flags include (list not inclusive): Personal identifying information provided is not consistent with personal identifying information on file Mail sent to the patient is returned repeatedly as undeliverable although health care charges continue to be added to the patient’s account The clinic or physician is notified by a patient, a victim of medical identity theft, a law enforcement authority or any other person that a person engaged in identity theft or medical identity theft is seeking treatment
2010 © Apgar & Associates, LLC12 Identity Theft Protection Program Requirements The Red Flags Rule requirements similar to HIPAA Security Rule and federal/state breach notification requirements Federal and state breach notification requirements are reactive –requires notification after the breach The Red Flags Rule is proactive – it requires implementation of appropriate protections before a breach occurs
2010 © Apgar & Associates, LLC13 Identity Theft Protection Program Requirements The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards Security safeguard implementation with ongoing attention to safeguard management is the first step in complying with HIPAA and the Red Flags Rule Both require a risk analysis which (HIPAA included) should occur when establishing a security program and periodically thereafter
© Apgar & Associates, LLC14 A Formal Security Program Before addressing the additional requirements of the Red Flags Rule a formal security program is required This includes principles and practices as required by HIPAA, Oregon law and appropriate industry standards The program needs to be comprehensive and formal (documented, implemented and regularly monitored) Safeguard implementation and management is directly related to controlling breaches
© Apgar & Associates, LLC15 Risk Assessment Perform regular, periodic risk analyses Identify risks (vulnerabilities & threats) and analyze how big they are (likelihood & impact) Take mitigating steps – implement or strengthen existing controls: Administrative Physical Technical
2010 © Apgar & Associates, LLC16 Audit Log Review Capture logs of activity on network, applications and systems, review and document review Looking for unauthorized and authorized users (e.g., excessive or inappropriate access) Routine, timely review of logs can detect breach After breach, logs can reveal what happened and sometimes identify perpetrator Documentation required
© Apgar & Associates, LLC17 Workforce Awareness and Training New workforce training Routine, periodic training for full workforce Includes training for temporaries, volunteers and contractors (non-business associates) Responsibilities regarding privacy and security which includes requirement to report a suspected incident Periodic security and sanctions reminder Targeted training for certain workforce members (e.g., billing, HIM, IT, etc.)
© Apgar & Associates, LLC18 Identity Theft Protection Program Requirements The Red Flags Rule requires physicians and clinics implement an effective identity and medical identity theft prevention program that becomes a part of the formal security program The rule also requires implementation of a program to identify or “flag” identity or medical identity theft as it is occurring to stop it, preventing damage to the patient (medical and financial)
© Apgar & Associates, LLC19 Policy Development Creditors (in this case physicians) are required to develop, implement and periodically update policies and procedures that fully define identity theft protection program Policies and procedures need to address existing and new patient accounts
© Apgar & Associates, LLC20 Policy Development Policies and procedures need to include: How to identify relevant red flags. How to detect red flags. How to respond when red flags are detected Provide for appropriate responses to red flags that matches the risk identified Consider factors such as security breach and subsequent breach notification requirements
© Apgar & Associates, LLC21 Policy Development Policies must: Be approved by the physician, partnership or board (highest authority for the practice) Be overseen by senior management Include staff training and oversight of business associates such as billing agencies
© Apgar & Associates, LLC22 Implementation Need to create process/procedural guidance for each operational area (written or electronic instruction guide) Need to balance risks with appropriate action, by operational area (e.g., higher risk in billing department and patient intake, especially with new patients)
© Apgar & Associates, LLC23 Program Maintenance and Administration The board of directors or senior management need to regularly: Monitor assignment of specific responsibility for program implementation Review reports by workforce members Review or delegate review of audit logs, identified red flags, etc. Approve material changes to program
© Apgar & Associates, LLC24 Program Maintenance and Administration Review and document at least annually: Policy effectiveness Business associate responsibilities and adherence to requirements Reasonably ensuring (e.g., by written contract) business associates: Implementation and monitoring of activities in connection with patient records and accounts Maintain procedures to detect, prevent, and mitigate identity theft
© Apgar & Associates, LLC25 Program Maintenance and Administration Review and document at least annually (continued): Significant security incidents Recommendations for material changes Documentation needs to be retained for a minimum of six years (HIPAA requirement)
© Apgar & Associates, LLC26 Example Program Requirement Develop and implement a policy and procedure that defines the process for patient requests for address changes This includes documentation of appropriate actions for handling address changes and/or patient account changes
© Apgar & Associates, LLC27 HIPAA and Red Flag Rule Reminder The HIPAA Security Rule requires implementation of appropriate administrative, physical and technical safeguards for electronic records The HIPAA Privacy Rule expands security protections to all PHI, no matter the form Breach notification, a federal and a state law requirement, is considered a part of the HIPAA required formation of a security incident response team (SIRT)
© Apgar & Associates, LLC28 Implementation Tips Consider compliance with the Red Flags Rule as an extension of already required compliance with HIPAA and state and federal breach notification requirements “Flags” will be determined more often by how payables and receivables are managed, how new patients are added to the practice and the management of existing patients’ financial and demographic information
© Apgar & Associates, LLC29 Implementation Tips Build on already existing security program – no need to start from scratch Make sure training material is updated to include how identity theft or medical identity theft will be spotted and what actions need to be taken Expand HIPAA required risk analysis to include the additional risk analysis requirements of the Red Flags Rule
© Apgar & Associates, LLC30 Implementation Tips Expand existing policies and procedures where applicable rather than creating new “red flag” policies and procedures Make sure that business associates know what they will now be required to do and amend business associate contracts accordingly (especially billing agencies) If holes exist in the physician or practice’s security program, now is the time to fix them
© Apgar & Associates, LLC31 Resources Federal Trade Commission Alert: /alt050.shtm /alt050.shtm LexisNexis: INARRFWEBPOSTMKTG169?gclid=CPvXzfzA0JgCFQ 9JagodtgL32w INARRFWEBPOSTMKTG169?gclid=CPvXzfzA0JgCFQ 9JagodtgL32w DCIG: issues-red-flag-rules-reminder-ensuring-i.htmlhttp:// issues-red-flag-rules-reminder-ensuring-i.html
© Apgar & Associates, LLC32 Resources Identity Theft Daily: /Latest/Red-Flag-Rules-Effective- November html /Latest/Red-Flag-Rules-Effective- November html Jones Day (law firm): ?pubID=S ?pubID=S5427 Office for Civil Rights:
Summary and Q&A 2010 © Apgar & Associates, LLC 33 Chris Apgar, CISSP President Officially endorsed by the Oregon Medical Association with member discounts available Check out Web site for additional information