© 2008 Smith Moore Leatherwood LLP. ALL RIGHTS RESERVED. Raising a “Red Flag”: Understanding the Fair and Accurate Credit Transactions Act, the “Red Flag” Regulations, and Their Impact on Health Care Providers October 23, 2008 Presented by: Denise S. Cline Patricia A. Markus Smith Moore Leatherwood LLP Post Office Box T: (919) F: (919)

Introduction What are the “Red Flag Rules,” and What is a Red Flag? What do the Rules require, and Who Must Comply? The Two-Part Test Consequences of Failure to Comply Creation of an Identity Theft Detection Program Health Care Specific Examples Questions

What Are the “Red Flag Rules”? Fair and Accurate Credit Transactions Act (“FACTA”) was passed by Congress in 2003 to protect consumers against identity theft Six agencies published the final regulations under FACTA effective January 1, 2008 The good news: deadline for mandatory compliance with the Red Flag Rules has been delayed six months, from November 1, 2008 to May 1, 2009

What Is a “Red Flag”? A pattern, practice, or specific activity that indicates the possibility of identity theft

What Do the Red Flag Rules Require? Covered Entities must create written programs to detect, prevent, respond to, and mitigate identity theft in connection with new or existing covered accounts Consumer reporting agencies must follow certain rules related to address discrepancies** Debit and credit card issuers must put procedures into place to assess the validity of address changes** **NOTE: the deadline for enforcement of these rules remains November 1, 2008

Who is Required to Comply? A financial entity –i.e., a State or national bank, a State or Federal savings and loan association OR A “creditor” who maintains “covered accounts” –The definition of “creditor” can include “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies”

Question 1: Are You a Creditor? What is a creditor? Specifically, a “creditor” is: –“any person who regularly extends, renews, or continues credit; –any person who regularly arranges for the extension, renewal, or continuation of credit; or –any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” A creditor is any entity that allows its customers to pay their fees or balances on a delayed-payment basis

Are Health Care Providers Creditors? Yes, they can be. Health care providers may be creditors if they “regularly** extend, renew or continue credit” “Credit” simply means any deferral of payment **NOTE: the FTC takes the position that “regular” probably includes “a few times a year”

Special Problem for Health Care Providers: Medical Identity Theft Medical identity theft occurs when –someone uses a person’s name and sometimes other parts of their identity, including insurance info or SSN –without the victim’s knowledge or consent –to obtain medical goods or services –or to obtain money by falsifying claims for medical services and falsifying medical records to support claims

Question 2: Do You Maintain Covered Accounts? What is a “covered account”? Any account maintained “primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions” And “any other account…for which there is a reasonably foreseeable risk to customers…from identity theft.” THUS, any account that permits multiple payments (or an entity’s practice of permitting such payments)

Examples of Covered Accounts for Health Care Providers Patient Account –Serves a “personal, family, or household” purpose, and the information contained therein poses a foreseeable identity theft risk BUT ALSO Credit to Physicians or Other Employees –Income guarantees –Recruitment loans –Educational loans

Does the Address Discrepancy Rule Apply to Your Entity? Do you use consumer reports to make employment decisions in performing background checks? Do you use consumer reports to make credit decisions about your patients or customers? If so, your entity must comply with the rules applied to users of consumer reports who receive notice of an “address discrepancy” from a consumer reporting agency

What Happens if You Fail to Comply? The Federal Trade Commission oversees creditors who are not financial institutions---such as health care providers. Even if your entity is a nonprofit organization, the FTC takes the position that such entities are subject to its jurisdiction Failure to comply with the Red Flag Rules can lead to enforcement actions and penalties of up to $2,500 per violation.

What About Private Lawsuits? Like HIPAA, the Red Flags Rule does not provide for a private right of action, but the Rule may provide the basis for state law claims Ultimately—also like HIPAA—the Red Flags Rule could set a national standard of care for handling confidential financial information

Four Essentials for a Red Flags Program Identify Red Flags Detect Red Flags Respond appropriately to Red Flags detected Update program to reflect changes in risks from identity theft to customers

Identify Red Flags Health care providers should consider patterns, signals, activities or practices that would alert the provider to the possibility of identity theft, such as: –Alerts, notifications or warnings from a consumer reporting agency –Suspicious documents –Suspicious personal identifying information –Unusual use of, or suspicious activity related to, the covered account –Notice from a customer, theft victim, law enforcement or other business

Detect Red Flags Implement procedures to detect the identified red flags: –Obtain information and verify identity of person opening a covered account –Authenticate customers (patients), monitor transactions, –Verify change of address requests for existing covered accounts.

Respond to Detected Red Flags Develop appropriate policies to respond to detected Red Flags: –Monitor a covered account for evidence of identity theft –Contact a customer (patient) –Change any passwords or security codes that permit access to covered account –Remove or modify incorrect medical records –Reopen covered account with a new account number –Do not attempt to collect on a covered account –Notify law enforcement

Update the Program Periodic updating is required to reflect changes to the identity theft risks to patients Document a procedure for adopting additional prevention or detection methods In updating the program, health care providers should consider: –Tracking identity theft trend data –Identifying who will be responsible for tracking the data –Developing a procedure to adopt new policies to adapt to new risk calculations

Action Items Establish and approve a program Provide ongoing oversight and training Follow reporting requirements

Step One Establish and Approve a Program

Establishment and Approval Program must –be written –be appropriate to the size and complexity of the organization –be appropriate to the nature and scope of the organization’s activities –consider and include in program the “Guidelines” to the Rules If a health care provider excludes a Red Flag from its program, a written rationale for the exclusion must be provided Once established, program must be approved by the Board of Directors or appropriate subcommittee

Step Two Provide Ongoing Oversight and Training

Oversight and Training Oversight and implementation of the program must involve senior staff or designees Assign specific responsibilities Train staff Educate patients about risks and prevention Review compliance reports Policies to respond to the following, among others: –Patient claims fraud has occurred or services not received –Provider has altered patient records –Police reports and victim requests for investigation

Ongoing Oversight Approve material changes to the program as necessary to address changing risks There must be oversight of the service provider arrangements (i.e., a third party billing service) to guarantee that the service provider is acting in accordance with the approved program

Step Three Follow Reporting Requirements

Program Reporting Requirements The oversight staff must report to the designated oversight authority at least annually The staff report should include –Effectiveness of program –Significant incidents involving identity theft and the response to them –Recommendations for material changes to the program

HIPAA and the Red Flags Rule For most health care providers, HIPAA security policies and procedures go a long way toward compliance with the Red Flags Rule However—unlike HIPAA—the Red Flags Rule’s requirement to mitigate may require notification of patients It will be important for health care providers to review their existing HIPAA compliance efforts –Some policies will need to be updated based on the circumstances and situations that are unique to health care providers

Patient receives EOB for services not received Patient receives bill from facility which patient never visited Patient receives bill for another person Physician mentions inaccurate treatment history during patient’s office visit Accounting of disclosures Insurance company denies treatment for condition patient doesn’t have Examples of Red Flags in Health Care: How Patients Find Out

Examples of Red Flags in Health Care: How Providers Find Out Patient’s records show treatment inconsistent with patient’s medical history or physical exam (age, blood type) Patient complains about receiving collection notice for services not received Patient provides insurance number but cannot produce insurance card Mail sent to patient is returned repeatedly but transactions continue to occur on patient’s account ID appears to have been altered or forged Picture or signature on file does not match that of person presenting for treatment

The Good News Many health care providers have extensive compliance programs in place to safeguard protected health information under HIPAA The Red Flags Rule imposes a separate, independent duty on health care providers to help victims mitigate the consequences of identity theft Now have six months to augment compliance program to safeguard patient financial information

What About N.C. Identity Theft Law? Applies to all entities doing business in N.C. Like the Red Flag Rules, requires a policy and training ITPA regulates the collection and destruction of personal identifying information, especially social security numbers Includes a specific notification requirement for possible security breaches

Identity Theft Law Cont’d Notification requirement includes possible obligation to notify the Attorney General Violation of the Act may result in private lawsuits and treble damages.

Additional Resources PDF/ByArticle/Chapter_75/Article_2A.pdf

QUESTIONS??

For more information, please contact: Denise Smith Cline Patricia A. Markus Smith Moore Leatherwood LLP