Presentation is loading. Please wait.

Presentation is loading. Please wait.

Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial.

Similar presentations


Presentation on theme: "Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial."— Presentation transcript:

1 Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial Place Tallahassee, Florida 32308 Tel: 850-222-0720 Fax: 850-224-4359 Wdillon@lawfla.com Board Certified in Health Law

2 Medical Identity Theft New York Times Article – June 13, 2009 Brandon Sharp, 37 year old from Houston with no real health problems and who has never stepped foot in an emergency room, is surprised to learn he owes thousands of dollars for emergency medical services. U.S. Attorney’s Office – Southern District of Florida – April 1- 2008 Press Release Former employee of Cleveland Clinic indicted for stealing information of approximately 1500 patients and then selling information to a cousin who owned a DME company who in turn submitted over one million dollars of fraudulent claims to Medicare

3 What is the Red Flag Rule? Everyone knows that the term “Red Flag” is used to warn of a potential danger. In this case the Red Flag Rules refer to those regulations found at 16 CFR Part 681 which require covered businesses to take actions to: Identify; Identify; Detect; Detect; Prevent; and Prevent; and Mitigate Identity Theft Mitigate Identity Theft

4 Do the Red Flag Rules Apply to Community Health Centers? In almost every case the answer is “Yes”. To determine if your CHC is required to comply ask the following questions 1.Is my CHC considered a “Creditor”?; if yes go to question 2. 1.Is my CHC considered a “Creditor”?; if yes go to question 2. 2.Does my CHC maintain “Covered Accounts”?; If the answer is also yes then the Red Flag Rules apply.4 2.Does my CHC maintain “Covered Accounts”?; If the answer is also yes then the Red Flag Rules apply.4

5 Who is considered a “Creditor” and what is considered a “Covered Account” The definition of a “creditor” can be found at 16 CFR Part 681.2, however, generally any person who regularly extends, renews or continues credit will be considered a creditor. If a CHC is extending credit, for example via outstanding patient accounts, then it maintains covered accounts. Red Flag Rules apply to all accounts not just those in which credit has been extended. Red Flag Rules apply to all accounts not just those in which credit has been extended.

6 Identification of Covered Accounts A Covered Account is an account that is offered or maintained by a creditor primarily for personal, family, or household purposes, which involves or is designed to permit multiple payments or transactions. Accounts related to the provision of medical services would be considered accounts related to a personal, family or household purpose. The purpose of identifying covered accounts is to ensure all such accounts are subject to the Identity Theft Prevention and Detection Program

7 How Do CHC’s Comply? Similar to your “Corporate Compliance Program” or your “HIPAA Privacy and Security Program” your CHC should have “buy in” from the Governing Board and Senior Management. The Governing Board should authorize the implementation of a program that: 1.Identifies relevant indicators (Red Flags) of Identity Theft 1.Identifies relevant indicators (Red Flags) of Identity Theft 2.Detects Red Flags 2.Detects Red Flags 3.Prevents and/or Mitigates Identity Theft 3.Prevents and/or Mitigates Identity Theft 4.Periodically Updated 4.Periodically Updated

8 Components of an Identity Theft Prevention and Detection Program 1.Program Management and Oversight 2. Identification of Covered Accounts 3.Identification of Red Flags 4.Detection of Red Flags 5.Prevention and Mitigation of Identity Theft 6.Training 7.Updates 8.Oversight of Service Providers (Business Associates)

9 Program Management and Oversight Identify Program Manager or Committee Identify Covered Accounts Identify Red Flags relevant to the CHC Develop and Update Policies and Procedures Respond to Red Flags Training Service Provider Compliance

10 Identification of Red Flags The risk of identity theft exists both from persons accessing services and from employees/contractors of a health care provider. Covered entities should seek to prevent both external and internal identity theft.

11 Identification of Red Flags Suspicious Documents Documents that appear to have been forged Documents that appear to have been forged Photograph or physical description on identification not consistent with the appearance of the patient Photograph or physical description on identification not consistent with the appearance of the patient Other inconsistent information Other inconsistent information

12 Identification of Red Flags Suspicious Personal Identifying Information Address does not match Address does not match Social Security Number not valid Social Security Number not valid Address is known to be a mail drop, prison or other undeliverable address Address is known to be a mail drop, prison or other undeliverable address Invalid/suspicious telephone number Invalid/suspicious telephone number Same Social Security Number for multiple patients Same Social Security Number for multiple patients Same Group Health Insurance Information for multiple patients Same Group Health Insurance Information for multiple patients Patient fails/refuses to provide all required personal information Patient fails/refuses to provide all required personal information

13 Identification of Red Flags Unusual/Suspicious Activity Patient mail repeatedly returned as undeliverable Patient mail repeatedly returned as undeliverable Notices from patients, victims of identity theft, law enforcement of others regarding possible identity theft. Notices from patients, victims of identity theft, law enforcement of others regarding possible identity theft. Others Others

14 Detection of Identity Theft New Patient Accounts Verify New Patient Identity Verify New Patient Identity Require certain demographic information Require certain demographic information Confirm demographic information Confirm demographic information Group Health Plan/Medicaid/Medicare confirmation Group Health Plan/Medicaid/Medicare confirmation

15 Detection of Identity Theft Existing Patient Accounts Verify Identity Verify Identity Group Health Plan/Medicaid/Medicare confirmation Group Health Plan/Medicaid/Medicare confirmation

16 Detection of Identity Theft Another method that some organizations are utilizing for detecting identity theft is the institution of digital scans of patient IDs and/or the collection of biometric patient information. This should be done with caution as while it may be very helpful in preventing external identity theft issues it creates new internal identity theft concerns.

17 Detection of Identity Theft - Internally HIPAA Security Policies and Procedures Regularly monitoring employee contractor activity Unsecured/unencrypted patient information on portable devices (laptops, thumb drives, etc.)

18 Prevention/Mitigation of Identity Theft Appropriate Responses Monitoring of patient account Monitoring of patient account Contacting the patient Contacting the patient Change internal information systems (security breach) Change internal information systems (security breach) Close patient account Close patient account Reopen new patient account Reopen new patient account Appropriate Modification of “False” records Appropriate Modification of “False” records Notify law enforcement Notify law enforcement

19 Training Employee Training All employees that access or have access to patient accounts All employees that access or have access to patient accounts Program Manager should organize training and ensure that it is applicable to the CHC Program Manager should organize training and ensure that it is applicable to the CHC Provide employees access to policies and procedures Provide employees access to policies and procedures Periodic Updates

20 Service Provider Compliance CHC should ensure that their service providers (vendors), take reasonable steps to prevent or detect identity theft. Existing Business Associate Agreements may address many of these issues. Existing Business Associate Agreements may address many of these issues.

21


Download ppt "Time to Wave the White Flag – Compliance with the FTC’s Identity Theft Red Flags Rule William P. Dillon, Esq. Messer, Caparello & Self, P.A. 2618 Centennial."

Similar presentations


Ads by Google