Indiana Medical Group Management Association - PowerPoint PPT Presentation

1
Indiana Medical Group Management Association
  • FTC Red Flag Rules
  • Presented by
  • Susan E. Ziel, RN, JD, Krieg DeVault LLP
  • Leigh Ann Lauth O'Neill, JD, Krieg DeVault LLP

2
Disclaimer
  • The information contained in this presentation
    has been prepared with the understanding that the
    authors are not engaged in rendering legal,
    financial, medical or other professional advice.

3
Objectives
  • Identify state and federal laws concerned with
    the prevention of identity theft in the State of
    Indiana
  • List and describe the key provisions of the FTC
    Red Flag Rules that determine applicability to
    medical groups
  • Discuss the key elements of a medical group's
    identity theft prevention program that complies
    with the Rules

4
Indiana Laws
  • IC 35-43-5. Forgery, Fraud, Identity Deception
    and Other Deceptions.
  • IC 4-1-10. Release of Social Security Number.
  • IC 24-4-14. Improper Disposal of Personal
    Information (See Tab A).
  • IC 24-4.9-3. Security Breach Involving Personal
    Information (See Tab A).

5
Federal Laws and Regulations
  • Fair and Accurate Credit Transaction Act of 2003
    (FACTA)
  • FTC Red Flag Rules (Red Flag Rules)
  • Also, don't forget the 2009 HIPAA Privacy and
    Security Amendments (HIPAA), but that's
    another conference call

6
Fair and Accurate Credit Transaction Act of 2003
(FACTA)
  • FACTA applies to credit card issuers, consumer
    reporting agencies, financial institutions and,
    in some cases, certain creditors that maintain
    covered accounts
  • FACTA is concerned with both prevention and
    detection of identity theft
  • FACTA requires the promulgation of identity theft
    regulations; hence, the FTC, in conjunction with
    other agencies, developed the Red Flag Rules

7
Red Flag Rules
  • The Red Flag Rules govern the detection,
    prevention, and mitigation of identity theft
  • Among other requirements, the Red Flag Rules
    mandate Identity Theft Prevention and Detection
    programs
  • There remains controversy as to whether the Red Flag
    Rules apply to medical groups

8
What is a Red Flag?
  • A suspicious circumstance that indicates the
    possibility of identity theft
  • Alerts, notifications, warnings received from
    consumer report agencies or service providers;
    questions from patients and other third parties
  • Suspicious documents and behavior
  • See Tab B (Suspicious Circumstances)

9
Red Flag Rules Applicability to Medical Groups
  • Test 1: Do you qualify as a creditor?
  • Do you regularly extend, renew or continue credit
    or regularly arrange for the extension of credit
    to your clients?
  • Do you defer payment for goods or services?
  • Do you extend credit by not demanding full
    payment at the time of service?

10
Red Flag Rules Applicability to Medical Groups
  • Test 2: Do you offer or maintain covered
    accounts?
  • Do you provide personal, family or household
    services that involve multiple payments or
    transactions?
  • Do you have a continuing relationship with your
    clients?
  • Does your relationship involve or permit multiple
    payments or transactions?

11
Red Flag Rules Applicability to Medical Groups
  • Test 2 (Alternative): Do you offer or maintain
    covered accounts?
  • Do you provide, offer or maintain accounts for
    which there is a reasonably foreseeable risk to
    customers or to the safety and soundness of the
    creditor from identity theft?
  • Do you ask for photo ID at patient registration?

12
Red Flag Rules Applicability to Medical Groups
  • Do you qualify as a creditor?
  • Do you offer or maintain covered accounts, or
    alternatively, is the risk of identity theft to
    your customers or to your business reasonably
    foreseeable?
  • If yes, we recommend you comply with the Red
    Flag Rules.

13
Red Flag Rules Applicability to Medical Groups
  • Do you request consumer reports? If yes, there
    are some additional requirements that apply

14
Compliance with the Red Flag Rules
  • Risk Assessment - Suspicious Circumstances
  • Identity Theft Prevention and Detection Policy
  • Workforce Training and Business Partner
    (Associate) Oversight
  • Governing Body Approval

15
Risk Assessment
  • Risk Factors
  • Maintenance and Access to Accounts
  • Use of Personal Information
  • Manner of Payment
  • Past Incidents of Identity Theft
  • Use of Consumer Reports
  • See Tab B (Suspicious Scenarios)

16
Identity Theft Prevention and Detection Policy
  • Policy Statement
  • Defined Terms
  • Procedure

17
Identity Theft Prevention and Detection Policy
  • Policy Statement (Purpose)
  • To safeguard confidentiality, integrity and
    availability of our patients' personal and
    identifying information
  • To cause all Workforce and Business Partners
    (Associates) to detect, report and respond to
    suspicious circumstances that may represent a Red
    Flag

18
Identity Theft Prevention and Detection Policy
  • Defined Terms
  • What qualifies as a Red Flag
  • What qualifies as Identifying Information
  • Workforce who are subject to this Policy
  • Business Partners (Associates) who require
    notification of obligations
  • What is a Consumer Reporting Agency
  • What is Identity Theft

19
Identity Theft Prevention and Detection Policy
  • Procedure
  • Program Oversight
  • Administrator and Governing Body Officer
  • Workforce Training
  • Registration, Patient Care, Business Office
  • Suspicious Circumstances and Obligations
  • Business Partner (Associate) Notification
  • BAA Amendment Requiring Compliance
  • State Laws Governing Personal Information
  • FTC Red Flag Rules

20
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Prevention
  • Reconciliation of Consumer Report Requests
  • Upon receipt of a report, any discrepancy must be
    relayed to the consumer reporting agency as a
    suspicious circumstance indicative of a possible
    Red Flag

21
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Prevention
  • Patient Registration Safeguards
  • Patient Identification
  • Suspicious Documents or Behavior
  • Ability to Question and Intervene
  • Prompt Reporting to Prevent or Mitigate Risk of
    Identity Theft

22
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Prevention
  • Receipt of Discrepancy Reports
  • Patient
  • Victim of Identity Theft
  • Law Enforcement
  • Prompt Reporting (as before)
  • Patient Record Amendments
  • Patient Account Holds

23
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Prevention
  • Other Questionable Scenarios
  • Patient Care Encounters
  • Third Party Payer Denials
  • Patient Request/Review of Patient Records

24
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Duty to Report Red Flags to Administrator
  • Handle Like an Incident Report
  • Applies to Both Workforce and Business Partners
    (Associates)

25
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Duty to Investigate Facts/Circumstances
  • Obligation of Administrator (or Designee)
  • Findings and Recommendations
  • Related Records and Reports Maintained in
    Confidential Investigative File for at Least Six
    (6) Years from Date Investigation Closed

26
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Duty to Mitigate/Correct
  • Actions
  • Monitoring of Patient Record Access
  • Opening or Closing Accounts
  • Changing Passwords, Security Codes
  • Patient Notification (see Duty to Disclose)
  • Involvement of Law Enforcement
  • All Actions Documented in Confidential
    Investigation File

27
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Duty to Report and/or Disclose
  • Governing Body
  • Patient Notification So as to Institute Actions to
    Decrease Further Risk of Identity Theft
  • File Fraud Alert With Consumer Reporting Agency
  • File ID Theft Complaint Form With FTC
  • Other

28
Identity Theft Prevention and Detection Policy
  • Procedure (cont.)
  • Duty to Report Status of Investigations
  • Governing Body Reports
  • Significant Incidents
  • Pending and Closed Investigations
  • Program Effectiveness
  • Workforce and Business Partner (Associate)
    Evaluation
  • Program Improvement Recommendations

29
Governing Body Approval
  • Governing Body Approval of Policy
  • Assign Board Member or Administrator to Oversee,
    Implement and Administer Program
  • Annual Reports to Governing Body
  • Document in Meeting Minutes

30
Additional Materials
  • Tab A (Indiana Laws)
  • Improper Disposal of PI
  • Security Breach Involving PI
  • Tab B (Suspicious Circumstances Indicative of a
    Red Flag)

31
Red Flags Action Plan
  • Risk Assessment
  • Policy
  • Board Approval
  • Training
  • BAA Amendments

32
Questions?
  • Krieg DeVault LLP
  • Susan E. Ziel, RN JD
  • (317) 238-6244
  • sziel_at_kdlegal.com
  • Leigh Ann Lauth O'Neill, JD
  • (317) 238-6346
  • loneill_at_kdlegal.com