					“FACTA'S RED FLAG RULES”
Unraveling the mystery and brief overview of
HCRA and surcharges
      Brian S. Strohl, JD and MPA
      Overton, Russell, Doerr and Donovan, LLP
                      Today’s Roadmap
1. Understanding the Red Flag Rules
2. Brief Facts Regarding Identity Theft
3. How Identity Theft Occurs According to the Federal Trade Commission
4. Who Should Comply
5. What Elements Should be Included in a Program
6. What is a “Red Flag”
7. What is Required in a Program
8. Suspicious Documents and Suspicious Activity
9. Response to Program
10. Enforcement
11. New York State Health Care Reform Act
              Background
• The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added
  new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C.
  1681 et seq.), intended primarily to help consumers fight the growing
  crime of identity theft. Accuracy, privacy, limits on information sharing,
  and new consumer rights to disclosure are included in FACTA.

• Free credit reports
    – The standard advice was to request a copy of your credit report once a
      year from each of the three national credit bureaus: Experian,
      TransUnion, and Equifax.
    – Congress recognized the benefits of self-monitoring. It adopted a new
      rule that allows you a free copy of your credit report annually from each
      of the "big three."
              Background
• Fraud Alerts and Active Duty Alerts
   – If you are the victim of identity theft, FACTA gives you the right to
     contact a credit reporting agency to flag your account. To place a fraud
     alert, you must provide proof of your identity to the credit bureau.

   – The fraud alert is initially effective for 90 days, but may be extended at
     your request for seven years when you provide a police report to the
     credit bureaus that indicates you are a victim of identity theft.

   – FACTA creates a new kind of alert, an active duty alert, that allows active
     duty military personnel to place a notation on their credit report as a way
     to alert potential creditors to possible fraud.
       • While on duty outside the country, military members are particularly vulnerable
         to identity theft and lack the means to monitor credit activity.
       • An active duty alert is maintained in the file for at least 12 months.
             Background
• Fraud Alerts and Active Duty Alerts
   – If a fraud alert or active duty alert is placed on your credit report, any
     business that is asked to extend credit to you must contact you at a
     telephone number you provide or take other "reasonable steps" to see
     that the credit application was not made by an identity thief.
   – FACTA gives you the right to a free copy of your credit report when you
     place a fraud alert. With the extended alert (seven years), you are
     entitled to two free copies of your report during the 12-month period
     after you place the alert.
             Background
• Truncation: Credit Cards, Debit Cards, Social Security Numbers
   – Credit card receipts that include full account numbers and expiration
     dates are a gold mine for identity thieves.
   – FACTA sets a national standard requiring truncation of credit card
     information.
   – FACTA says credit and debit card receipts may not include more than the
     last five digits of the card number.
   – Nor may the card's expiration date be printed on the cardholder's receipt.

• Collection agencies
   – Under FACTA, if you are contacted by a collection agency about a debt
     that resulted from the theft of your identity, the collector must so inform
     the creditor.
             Background
• Red Flag Rules
   – In adopting FACTA, Congress recognized that consumers are helpless to
     prevent identity theft if businesses ignore the events that signal a
     potential fraud.

   – Thus, FACTA incorporates several provisions that require financial
     institutions, creditors, and other businesses that rely on consumer
     reports to detect and resolve fraud by identity theft.

   – Consumer advocates have long pointed out that consumers can only go
     so far in protecting against identity theft, and that much of the problem
     lies with lax procedures of credit issuers and other companies that use
     information from credit reports.

   – A climate of easy credit has made some creditors far too willing to accept
     a change of address, a request for a replacement credit card, or
     reactivation of a dormant account.
              Background
• Red Flag Rules

   – The so-called “red flags” and related sections of FACTA include:
      • Red Flag Guidelines and requirements for credit and debit card issuers to
        assess the validity of a change of address request, (FACTA §114, FCRA
        §615(e)).

       • Procedures to reconcile different consumer addresses. (FACTA §315, FCRA
         §605(h)(2)).
             Understanding the Red Flag Rules
• Pursuant to regulations promulgated by the Federal Trade Commission
  and other federal agencies, financial institutions and creditors will be
  required to create an Identity Theft Prevention Program to detect,
  prevent, and mitigate identity theft with respect to the opening of
  certain accounts or certain existing accounts.

• These regulations, often called the Red Flag Rules, became effective
  January 1, 2008, and mandatory compliance is required by November
  1, 2008.

• Financial institutions and creditors will be required to create an
  identity theft prevention program by Nov. 1, 2008, under the Red Flag
  Rules created by a group of federal regulatory agencies, including the
  Federal Trade Commission, to protect consumers and businesses from
  the threat of identity theft.
              Understanding the Red Flag Rules

• Although the Federal Trade Commission announced in October 2008
  that it will delay enforcement of the regulations for qualifying entities
  until May 1, 2009, it is important for financial institutions and
  creditors to learn not only what is considered a red flag, but also the
  elements that should be put in place to create an identity theft
  prevention program.
                Understanding the Red Flag Rules
                         Facts Regarding Identity Theft



• More than 10 million Americans are victims of identity theft each
  year.
• Total financial losses due to identity theft are estimated to be about
  $50 billion every year.
    –   Source: Federal Trade Commission
                Understanding the Red Flag Rules
                         Facts Regarding Identity Theft
• The Federal Trade Commission received 258,427 complaints of
  identity theft in 2007, 32% of the total complaints the FTC received –
  4 times the complaints in the next highest category.

• Victims spent an average of $550 in 2007 for damage to existing
  accounts.

• When identity thieves opened new accounts 8 accounts, victims spent
  an average of $1,865.
    –   Source: Federal Trade Commission
         Understanding the Red Flag Rules
                 Facts Regarding Identity Theft – How??
• By stealing purses and wallets.
• By stealing checks or credit card information out of the mail
• By completing a "change of address form" to divert mail to another
  location
• By abusing their employer's authorized access to customer or
  employee information
• By getting a credit report by abusing their employer's authorized
  access to it, by posing as a landlord, employer, or someone else who
  may have the right to the report
• By rummaging through the trash of businesses, or public trash
  dumps, a practice known as "dumpster diving."
           Understanding the Red Flag Rules
                      Facts Regarding Identity Theft – How??
• By bribing an employee who has access to records
• By conning information out of employees
• By stealing credit or debit card numbers
   – by capturing the information in a data storage device in a practice
     known as "skimming"
   – during an actual purchase, or
   – by attaching a device to an ATM machine
• By stealing personal information by breaking into homes
• By posing as legitimate companies and claiming that victims have
  problems with their accounts.
   – This practice is known as "phishing" when it’s done online, typically via
     email, or “pretexting” when it’s done by phone.
       •   Source: Federal Trade Commission
             Understanding the Red Flag Rules

• The purpose of an identity theft prevention program is to detect,
  prevent and mitigate identity theft linked to the opening and
  maintaining of certain covered accounts.

• The Fair Credit Reporting Act (FCRA) defines a covered account as
  one created for personal, family or household purposes that allows
  multiple payments, or for which there is a reasonable, foreseeable
  risk of identity theft occurring.
              Understanding the Red Flag Rules


• When implementing an identity theft prevention program, it's
  important to be aware of what constitutes identity theft and
  identifying information.

• Identity theft is fraud committed or attempted using the identifying
  information of another person without that person's authority.

• Identifying information includes:
    – A person's first name, last name, Social Security number, date of birth,
      driver's license number, passport number and/or taxpayer
      identification number.
    – A person's biometric data: fingerprints, retina scans, etc.
    – A person's credit card number, routing number or cell phone number.
              Understanding the Red Flag Rules
                       Who Should Comply?
• The Red Flag Rules require financial institutions and creditors to develop
  an identity theft prevention program.

• According to the Fair Credit Reporting Act (FCRA), a creditor is:
    – an entity that regularly extends, renews or continues credit;
    – any entity that regularly arranges for the extension, renewal or
      continuation of credit;
    – or any assignee of an original creditor that participates in the decision
      to extend, renew or continue credit.

• The Red Flag Rules apply to financial institutions and creditors who
  offer or maintain one or more covered accounts, and specifically
  mandate these entities create and implement a Program.
              Understanding the Red Flag Rules
                       Who Should Comply?
• The rules also require creditors and financial institutions to exercise
  appropriate and effective oversight of service provider arrangements.
    – A service provider is a person who provides a service directly to the
      financial institution or creditor.
             Understanding the Red Flag Rules
                      Who Should Comply?

• The term “credit” is defined as “the right granted by a creditor to a
  debtor to defer payment of debt or to incur debts and defer its
  payment or to purchase property or services and defer payment
  therefor.”

• The FTC has stated that while accepting credit cards as a method of
  payment does not make the accepting entity a creditor, businesses
  such as finance companies, automobile dealers, utility companies,
  and telecommunication companies are creditors. Even non-profit
  and government entities who defer payment of goods and services
  are considered creditors.
    – It is therefore assumed that a hospital that allows for payment of
      services rendered to be deferred or paid on a payment plan would fit
      into the definition of a “creditor.”
            Understanding the Red Flag Rules
                    Who Should Comply?
• Because the definition of a covered account is extremely broad, any
  financial institution or creditor that reasonably foresees problems
  arising from identity theft should be prepared to create a written
  Program.
             Understanding the Red Flag Rules
                     What Elements Should be
                     Included?
• The program itself should be tailored to fit the size of the financial
  institution and the complexity/nature of the operation. In essence,
  the program should have reasonable policies and procedures in
  place to:
    –   Identify and incorporate red flags into the program.
    –   Detect red flags.
    –   Respond appropriately to any detected red flags.
    –   Ensure periodic review and updating.
• If your organization already has a program in place, you can
  incorporate the existing program into the new identity theft
  prevention program.
              Understanding the Red Flag Rules
                       What is a Red Flag?
• A red flag is a pattern, practice or specific activity that indicates a
  warning of possible identity theft. The categories include:

    – Alerts or notifications—
       1. When a fraud or active duty alert is included with a
                consumer report.
       2. A credit reporting agency provides notice of a credit freeze.
       3. A credit reporting agency provides notice of an address
                discrepancy.
       4. The consumer report indicates an unusual pattern of
                activity such as an unusual number of recently
                established credit relationships.
    – Suspicious personal identifying information on an application.
    – Unusual use of a covered account.
    – Notice is received of possible identity theft occurring in
      connection with covered accounts.
             Understanding the Red Flag Rules
                       What Does the Identity Theft Prevention
                       Program Require?

• The Red Flag Rules require responsible entities to satisfy four elements
  in creating and implementing reasonable policies and procedures of
  an identity theft prevention program.

1. Identify any specific activity, pattern, or practice indicating
   a possible existence of identity theft. Otherwise known as the
   Red Flags, the entity should consider four factors in determining
   what Red Flags it should incorporate into its Program:
        • What types of covered accounts does the entity maintain or provide?
        • What methods does the entity use in maintaining or providing covered
          accounts?
        • What forms of access does the entity provide to consumer accounts?
        • What experiences has the entity had with identity theft in the past?
               Understanding the Red Flag Rules
                         What Does the Identity Theft Prevention
                         Program Require?
• The Red Flags are intended to alert the entity to any specific activity,
  pattern, or practice indicating the possible existence of identity theft.
• The guidance provides five categories from which Red Flags should
  be included in the Program:

   a. Alerts or warnings received from consumer reporting agencies or service
         providers;
   b. Presentation of suspicious documents;
   c. Presentation of any suspicious personal identifying information;
   d. Suspicious activity relating to a covered account; and
   e. Any notices received from identity theft victims, law enforcement authorities, or
        other parties containing information related to identity theft as to covered
        accounts.
                Understanding the Red Flag Rules
                  What Does the Identity Theft Prevention
                  Program Require?
2. Detect Red Flags Incorporated in the Program
•   The Program must have sufficient policies and procedures addressing the detection of
    those incorporated Red Flags.
•   The guidelines provide two examples of such policies and procedures.
     –   First, acquiring identifying information about a person opening a covered account
         and verifying his or her identity.
     –   Second, identifying, monitoring, and verifying the validity of change of address
         requests for existing covered accounts.


3. Respond Appropriately to Any Red Flags Detected
•   Once a Red Flag has been detected, the Program must define how the entity will
    respond.
•   In responding to a Red Flag, the entity should determine whether the Red Flag
    detected a risk of identity theft and must have a reasonable basis to conclude there is
    no evidence of risk of identity theft.
                Understanding the Red Flag Rules
                          What Does the Identity Theft Prevention
                          Program Require?
4. Update the Program Periodically

•   The Program must be reviewed and updated periodically, and any updates should
    reflect changes in risks to customers and the entity from identity theft.
•   This review not only includes considering changes in identity theft methods as well as
    the accounts the entity offers or maintains, but it also requires consideration of
    changes in business arrangements of the entity.
              Understanding the Red Flag Rules
                      Suspicious Documents
• One way to look for red flags is to pay close attention to the
  documents associated with accounts.

• Documents that may be considered warning signs of identity theft, or
  red flags, include those that appear to have been altered or forged,
  or that have information that is inconsistent with the information
  provided by the person opening the account.

• It might also be a red flag if the signature on an application looks like
  it was traced or was rewritten after being crossed out.
    – Practice Point: If the application looks like it was piecemealed
      together, that's something that would be a red flag or a trigger
      that possible identity theft has occurred
              Understanding the Red Flag Rules
                      Suspicious Documents
• The rules do not require creditors and financial institutions to provide all
  red flags included in the guidance, but such entities are required to
  consider the guidance and include those red flags in their program as
  appropriate.
            Understanding the Red Flag Rules
                    Examples of Suspicious Activity

• If an account holder requests a new bank card, attempts to take out
  a lot of cash advances or requests a new authorized user shortly
  after an address change, it might be an indication that someone
  intends to commit fraud or identity theft.
   – In that scenario, the financial institution that extended the
     credit should have steps in place to verify the information with
     the customer.

• In addition, it might be a red flag if a consumer comes into a
  hospital to obtain services and cannot provide information about
  him or herself beyond a driver's license, such as a mother's maiden
  name, an address, date of birth or what high school he or she
  attended.
            Understanding the Red Flag Rules
                     Detecting and Responding to Red
                     Flags
• The guidance suggests red flags can be detected in at least one of
  two ways:
    – By obtaining identifying information about a person opening an
      account.
    – By verifying the validity of any changes made to the account.

• The way in which a creditor or financial institution responds to a red
  flag alert or notification should correspond to the type of threat it
  detected.

• First and foremost, the entity should determine whether the red flag
  that was discovered poses a risk of identity theft and, if so, it should
  respond based on the degree of risk associated with the red flag.
            Understanding the Red Flag Rules
                     Detecting and Responding to Red
                     Flags
• Responses could include:
   – Monitoring an account for evidence of identity theft.
   – Contacting the customer.
   – Changing any passwords, security codes or other security devices that
     permit access to a covered account.
   – Reopening an account with a new account number.
   – Notifying law enforcement.
             Understanding the Red Flag Rules
                     Ensure Program is Periodically
                     Updated
• Practice Point: The guidelines don't specify how often an identity
  theft prevention program should be updated, but it should be done
  periodically.

• Practice Point: An organization should review its previous
  experience with identity theft and methods of mitigating the risk of
  identity theft to determine the extent of the program.

• Although there is no private cause of action for not having an identity
  theft prevention program in place, financial institutions could be
  subject to fees imposed by the Federal Trade Commission for not
  implementing a program.
    – $2,500 fine
             Understanding the Red Flag Rules
                     Ensure Program is Periodically
                     Updated


• Practice Point: Properly training staff members who handle
  account information about your individual identity theft prevention
  program will help prevent identity theft and ensure the program
  works effectively.

• Practice Point: Have adequate “checks and balances” or
  appropriate oversight within your organization
             Understanding the Red Flag Rules
                     Who does the Rule aim to Protect?

• Bank customers and banking institutions
   – Customer losses for unauthorized debit card use (Electronic
     Funds Transfer Act and Federal Reserve Board’s “Regulation E”)
      • Capped at $50 if bank is notified within 2 days
      • Capped at $500 if bank notified within 60 days


• Credit card account holders and issuers
   – Customer losses for unauthorized credit card use (Fair Credit
     Billing Act)
      • Capped at $50 if issuer notified within 60 days
             Understanding the Red Flag Rules
                 Enforcement


• Federal Trade Commission officials have stated that they do not
  intend to conduct inspections to verify compliance but may do so in
  response to complaints.

• Federal Trade Commission officials have also stated that, if
  enforcement actions are required, the first few will likely require only
  that the entity take additional steps to comply with the Rules.
   New York State Health Care Reform Act
   (HCRA)
• Complex and convoluted law controlling state’s reimbursement
  methodology for healthcare services

• The New York Health Care Reform Act became law on January 1,
   1997 and was revised and extended on January 1, 2000.


• Insurance carriers of all kinds receive a “discounted surcharge rate” by
  paying the state directly (~ 8% versus 24%) and advising the billing
  provider of such action in a timely manner.
    – Explanation of Benefits
New York State Health Care Reform Act
(HCRA)
• HCRA is a major component of New York State's Health Care
  financing laws which governs hospital reimbursement methodologies
  and targets funding for a multitude of health care initiatives. The law
  also requires that certain third-party payors and providers of health
  care services participate in the funding of these initiatives through
  the submission of authorized surcharges and assessments.

• The New York State HCRA, set forth in Public Health Law § 2807-c
  and related provisions, establishes the requirement that no-fault insurers
  and self-insurers pay a surcharge on payments made for services
  rendered in general hospitals, diagnostic and treatment centers, and
  freestanding clinical laboratories to the Public Goods Pool.
   New York State Health Care Reform Act
   (HCRA)
• Under HCRA, payors for select health care services in New York,
  including self-funded plans, are required to pay surcharges on select
  fee-for-service and capitated medical claims and monthly
  assessments on plan members residing in New York.
    – These surcharges and assessments are used by the state to pay for
      indigent care, graduate medical education, and other health-related
      initiatives.

• Under HCRA, self-funded plans incur a public goods surcharge on all
  inpatient and outpatient hospital care, clinical lab services and
  services rendered at ambulatory surgery, diagnostic and treatment
  centers.
    – Included in the services subject to the surcharge payments are
      behavioral care/substance abuse treatments rendered at a designed
      New York provider facility.
New York State Health Care Reform Act
(HCRA)
• General Rule
   – If the patient's liability is a fixed amount (as a copayment or deductible
     usually is), then a provider cannot affix a surcharge.
   – If the patient's contractual liability is a percentage of the bill (as
     co-insurance amounts usually are), a provider SHOULD affix a surcharge.


• Contractually stated fixed dollar copayments and deductibles cannot
  be increased by the HCRA surcharges.
   – Where contractual relationships between beneficiaries and payors
     require a fixed dollar patient copayment or deductible only, the
     beneficiary's fixed dollar liability will not increase as a result of the
     application of the HCRA surcharges.
New York State Health Care Reform Act
(HCRA)
• Usually, insurance carriers are responsible to pay the state for their
  portion of the surcharge
    – If they do not, then the state’s issue is with the carrier, not the hospital
• The Department often takes the position that it does not have
  authority over, and will not become involved in, the contractual
  relationships between payors, providers and covered persons.
• Self pay patients
    – These persons may not elect to pay the Department's pool administrator
      directly.
    – Their surcharge obligations are limited to the 8.18 percent surcharge.
    – These patients are not required to pay the 24 percent surcharge, the
      professional education pool surcharges or a covered life assessment.
Questions??
     Brian S. Strohl, Esq.
     Overton, Russell, Doerr and Donovan, LLP
     Phone: (518) 383-4000
     Fax: (518) 383-5500
     bstrohl@ordlaw.com

				