Health Care Providers: Act Now to Ensure Timely Compliance with Identity Theft Red Flags Rule by DLAPiper


									DLA Piper | Publications | Health Care Providers: Act Now to Ensure Timely Compliance... Page 1 of 5


10 MAR 2009

Health Care Providers: Act Now to Ensure Timely Compliance with Identity Theft Red Flags Rule

Deborah L. Gersh, Darrell W. Taylor, Adam G. Arnett

The deadline for health care providers (Providers) to comply with the Identity Theft Red Flags Rule (the Red Flags Rule) under the Fair and Accurate Credit Transactions Act[1] (the Act) is May 1.[2] Providers covered by the Act are required to develop and implement a written identity theft prevention program (Program) to detect, prevent and mitigate identity theft in connection with certain patient accounts. This Alert provides guidance as to which Providers must comply and an overview of what compliance entails.

Providers Have Been Unsure Whether to Comply with the Red Flags Rule

The Red Flags Rule, effective January 1, 2008 with a mandatory compliance date of November 1, 2008, applies to financial institutions and creditors.[3] Because Providers do not generally think of themselves as financial institutions or creditors, and Providers are already required to adhere to strict data security and HIPAA requirements, few have paid close attention to the Red Flags Rule. The Red Flags Rule, however, extends beyond the HIPAA privacy and security rules, operating to prevent the illegal use of personal identifying information to obtain products or services, such as health care. As a result of uncertainty among Providers, on October 22, 2008, the Federal Trade Commission (FTC) extended the mandatory compliance date to May 1, 2009 for select entities, such as Providers. The extension avails Providers of much-needed time to determine which red flags are applicable to their organizations and to develop, adopt and implement a Program.

The Red Flags Rule defines “red flags” as certain patterns, practices or activities that might indicate an identity theft attempt.[4] Provider-specific red flags could include:

- an identification card that appears to have been tampered with;
- a discrepancy between admissions information and prior account information;
- a physical description inconsistent with appearance; or
- the use of a post office box as a mailing address.[5]

Determining If Compliance Is Necessary

Determining whether an organization must comply with the Red Flags Rule is a two-step process. If an organization (1) qualifies as a “financial institution” or a “creditor” and (2) offers or maintains “covered accounts,” then the organization must comply by designing and implementing a written Program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of covered accounts.

Step 1 – Does your organization qualify as a financial institution or creditor?

Although a Provider would be unlikely to qualify as a financial institution, many Providers qualify as “creditors” under the Red Flags Rule.[6] Allowing for deferred payments constitutes an extension of credit under the Act and is sufficient to label a Provider as a creditor within the scope of the Red Flags Rule.[7] This means that Providers, including nonprofit and government entities, that regularly allow for patient payment plans or installment payments are subject to compliance under the Red Flags Rule.[8]

Step 2 – Does your organization offer or maintain covered accounts?

Provider “covered accounts” include those that involve a continuous consumer, commercial or business account relationship for purposes of obtaining a product or service, namely health care. Provider-specific covered accounts may include:

- patient billing or payment accounts;
- patient medical records;
- loans to employees, doctors, offices or practice groups; or
- the extension of credit to subcontractors.

Program Elements

The Red Flags Rule applies to a broad range of entities and allows flexibility for organizations to develop individualized Programs that include reasonable policies and procedures for detecting red flags, taking into account the size, complexity, nature and scope of their operations. Ideally, this will include both anticipated risks and past identity theft experiences. Specifically, an acceptable Program must include reasonable policies and procedures designed to address four key areas: identification, detection, response and periodic updates.

Identification of red flags

Identification involves an evaluation of covered accounts (i.e., billing and records accounts) and the methods available to open, access, modify or close those accounts. This evaluation is often done by way of a committee of individuals familiar with organizational operations, processes and procedures. Preliminary questions helpful in identifying red flags might include the following:

- How is an individual’s identity verified before opening or accessing a covered account?
- What information is required for such verification?
- What is done with that information once it is collected?
- What third party service providers have access to data?

Detection of red flags

Detection is a function of the policies and procedures that a Provider puts in place after identifying possible red flags. In connection therewith, the FTC lists five examples of categories with which an organization should be concerned, including:

- Alerts, notifications or warnings from a consumer reporting agency;
- Suspicious documents;
- Suspicious personally identifiable information, such as a suspicious address;
- Unusual use of, or suspicious activity involving, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities or others regarding possible identity theft in connection with covered accounts held by the creditor.

Response mechanisms

Responses should be commensurate with the risk posed by a red flag in order to prevent or mitigate identity theft. For example, if a data storage system containing covered account information is compromised, an organization will respond differently than if an individual’s physical description does not match his or her photo identification. Provider responses to detected red flags could include any one or a combination of the following:

- Monitoring a covered account;
- Contacting a customer;
- Changing account passwords;
- Closing and reopening a covered account with a new account number;
- Notifying law enforcement; or
- Determining that no response is warranted.

Periodic updates and risk assessment

Even Providers not initially required to comply have an ongoing obligation to periodically conduct a risk assessment to determine whether the organization offers or maintains covered accounts, coming full circle and revisiting the compliance issues discussed earlier in this Alert. In addition, Providers should periodically update Programs to reflect changes in risk exposure.

Penalties For Noncompliance

The Act can subject organizations to civil monetary penalties at both the federal and state level.[9][10] Although the FTC has not elaborated, fines could be assessed against each of a noncompliant company’s covered accounts. Further, the FTC has indicated that it may initiate investigations based on consumer or third party complaints.

Recommendation

Provider compliance with the Red Flags Rule is mandatory as of May 1, 2009. Prior to that date, covered organizations must determine which red flags pertain to their organization; develop a Program; approve the Program by way of a board vote; train employees on the Program; and implement the Program. This may require the formation of a committee; multiple meetings; a risk analysis of Provider practices; multiple drafts of a Program; and time to provide notice of, hold and vote at a regularly scheduled or a special board meeting. As a result, it is important for Providers to begin the process as soon as possible in order to be positioned for May 1, 2009 compliance. Following initial compliance, a Program requires senior management oversight and ongoing training to address new red flags that emerge as an organization evolves and adopts new technology, policies and procedures, as well as to address employee turnover. In addition, a carefully developed reporting mechanism is essential to demonstrate the effectiveness of the Program.

Notes

[1] 15 U.S.C. §1681 et seq.

[2] Although not the subject of this Alert, there exists a second parallel identity theft rule, which applies to users of consumer reports regarding address discrepancies. 16 CFR Part 681.1. It may also apply to organizations required to comply with the Red Flags Rule. The rule pertaining to consumer reports provides that where an organization receives a report from a consumer reporting agency and the report contains notice of an address discrepancy, the user must take steps to ensure that the user has obtained the correct consumer report for the consumer about whom it requested such a report and take further action, as necessary. The address discrepancy rule became effective November 1, 2008.

[3] 16 CFR Part 681.2.

[4] Identity theft is defined as a fraud committed or attempted using the identifying information of another person without authority.

[5] The FTC provides a non-exhaustive and non-healthcare specific list of examples of red flags on pages 63755-56 of the legislation:

[6] A “creditor” under the Act has the same meaning as in section 702 of the Equal Credit Opportunity Act (the “ECOA”). 15 U.S.C. §1691a. The ECOA defines “creditor” to include any person who regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. 15 U.S.C. §1691a(e).

[7] The ECOA defines “credit” as the right granted by a creditor to a debtor to defer payment of debt or to incur debt and defer its payment or to purchase property or services and defer payment therefor. 15 U.S.C. §1691a(d).

[8] Available at:

[9] Available at:

[10] Federal authorities may impose up to a $2,500 fine for each knowing violation. 15 U.S.C. §1681s(a)(2)(A). A state may impose up to a $1,000 fine for each willful or negligent violation. 15 U.S.C. §1681s(c)(1)(B)(iii).
