2. Agenda
• About Us
• Overview of the Red Flags Rule
– Purpose
– HIPAA and the Red Flags Rule
– Enforcement Timetable
– Consequences of Non-compliance
– Background
– Term Definition
– Healthcare Providers = Creditors?
• Compliance Determination and Execution
• Discussion on Current Practices (Q & A)
Raising Red Flags
4. About Us
• Management consulting firm
• Founded in 1953
• Headquartered in Pittsburgh, PA
• Affiliated with several consulting firms across the United States
5. Our Services
• Strategy
• Operations and Process Improvement
• Performance and Diagnostic Measurement
• Organizational Development
• Workforce and Economic Development
8. Purpose
• The intent of the Red Flags Rule is to prevent unauthorized use of an individual's or organization's identity
• This is to be accomplished through the…
– detection,
– prevention, and
– mitigation of identity theft
An FTC survey found that 4.5% (373,500) of the 8.3 million victims reporting identity theft in 2000 had experienced some form of medical identity theft
9. HIPAA and the Red Flags Rule
• HIPAA
– Focuses on preventing data from being compromised
• Red Flags Rule
– Focuses on preventing an individual with unauthorized data from obtaining unauthorized services
HIPAA and the Red Flags Rule are complementary, not duplicative, regulations in combating identity theft
10. Enforcement and Consequences of Non-Compliance
• Enforcement:
– Initial Enforcement Date = November 1, 2008
– 1st Extension was issued on October 22, 2008
• New compliance date = May 1, 2009
– 2nd Extension was issued on April 30, 2009
• New compliance date = August 1, 2009
– 3rd Extension was issued on July 29, 2009
• New compliance date = November 1, 2009
• Consequences of Non-Compliance
– Potential Audit
– Litigation Risk
11. Background
• The Red Flags Rule was developed by a combination of federal agencies in order to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
• The Joint Final Rules and Guidelines were effective as of January 1, 2008
12. Term Definition
Board of Directors: Can be the Board of Directors, an appropriate sub-committee, or a designated senior management individual
Covered Account:
1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.
2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.
*This includes both active and inactive accounts
Creditor: A person [organization] who arranges for the extension, renewal, or continuation of credit
Customer: A person holding a “covered account” with the financial institution or creditor
Identity Theft: A fraud committed or attempted using the identifying information of another person without authority
Red Flag: A pattern, practice, or specific activity that indicates the possible existence of identity theft
13. Healthcare Providers = Creditors?
• Since the initial release of the Red Flags Rule, there has been strong discussion as to whether entities within the healthcare profession should be subject to the regulation.
• In a February 2009 rebuttal from the FTC to the AMA, it was stated that healthcare organizations would remain subject to the Red Flags Rule
15. Compliance Elements
Four Elements of Compliance Exist for the Red Flags Rule:
1. Identify Red Flags for covered accounts and incorporate those red flags into the Program
2. Detect Red Flags that have been incorporated into the Program
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft
4. Update the Program at least annually to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft
16. Compliance Process
The following flow-chart illustrates the logical processes and decision points that must be completed for Red Flags Rule compliance:
17. Risk Assessment
• Conduct a risk assessment to determine the appropriate degree of complexity for the Identity Theft Prevention Program
– Evaluate the existence of “covered accounts”
• The methods for accepting a new patient
• The methods for providing access to patient account information
• Any previous experiences with identity theft
• If it is determined that “covered accounts” do exist:
– Identify the accounts the program must address
– Determine the risk level of your organization as it relates to the Red Flags Rule:
• Practice Size
• Patient Mix
• Services Provided
• Current Practices and Procedures
• Previous instances of identity theft (attempted or otherwise)
18. Program Development
• Program must:
– Contain “reasonable policies and procedures” to fulfill the four compliance elements:
• Identification of potential Red Flags for your organization
• Policies and Procedures for detecting attempted or successful use of an unauthorized identity by an individual
• Policies and Procedures for “responding appropriately” to potential instances of Identity Theft
• Requirements for updating the program on an annual basis to reflect changes in risks to customers and the related environment
19. Program Development (cont.)
• Program must:
– Be formally documented
– Be tailored to the entity’s size, complexity and the nature of its operations
– Identify the individuals / positions responsible for ensuring efficient execution
– Be approved by the “Board of Directors” or equivalent
20. Program Implementation and Administration
• Staff Training
• Service Provider Oversight
• Annual Effectiveness Reports
– Reports must be prepared and reviewed by the board of directors (or equivalent) at least annually
– These reports should discuss material matters related to the program’s effectiveness and any recommendations
• Program Approval
21. Compliance Review
There are two main areas discussed within the Red Flags Rule that will generally be reviewed to determine compliance:
1. Design Effectiveness
• The Program has been formally documented
• The Program has been approved by an appropriate individual or group of individuals
• Effectiveness reports include the appropriate items to describe the Program’s effectiveness
• The Program is appropriate for the organization's size, complexity, and the nature and scope of its activities
2. Operating Effectiveness
• All stages of the program are being executed effectively:
– Identify
– Detect
– Update (including review of effectiveness reports)
23. Thank You
If you have any additional questions, please feel free to contact
me:
Scott A. Rogerson, CISA
412-722-1111
srogerson@hillgroupinc.com
The Hill Group, Inc.
2 East Main Street
Carnegie, PA 15106-2456 USA
www.hillgroupinc.com
Editor's Notes
as the billing and collections process of submitting a claim to an insurance carrier and then billing the patient for the remainder, deferring payment of his / her share of the claim until after the service was performed, includes these firms within the definition of a “creditor” organization.
1st Extension
FTC stated this extension was due to some confusion expressed from industries as to who was covered and what they were required to implement in order to be in compliance
2nd Extension
114 – Required Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft
- Also included special regulations for debit and credit card issuers in validating change of address requests
315 – Required Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures a user of a consumer report should employ when receiving a notice of address discrepancy
FACTA: Congress directed the Agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft.
Identifying information can include SSN, Name, DoB, ID Card or ID number, biometric data,
Much of this discussion has been led by the American Medical Association (AMA)
This risk assessment should be performed at least annually during Identity Theft Prevention Program re-evaluation to confirm the risk level and related information has not changed
Potential Red Flags include combinations of factors that may together result in a red flag
Only required for the initial written version, it is left to the discretion of the organization as to whether approval is warranted for subsequent versions
What should be documented in the report:
The effectiveness of policies and procedures
Service provider arrangements
Significant incidents of identity theft and management’s response
Recommendations for changes in the program