
RED FLAGS RULE TOOLKIT (APRIL 8, 2009)

The Federal Trade Commission (FTC) has promulgated a new regulation known as the Red Flags Rule (codified at 16 C.F.R. §§681.1-.3), which can require those affected to develop and implement an identity theft detection and prevention program by May 1, 2009. This toolkit is intended to assist physicians and their staff to understand the scope and requirements of the Red Flags Rule. Also included are recommended steps to consider in designing and implementing an appropriate identity theft detection and prevention program. Finally, the toolkit highlights how the Red Flags Rule interacts or overlaps with other legal requirements governing the safeguard and handling of patient information, particularly the federal Health Information Portability and Accountability Act (HIPAA).

NOTE: This toolkit provides general information about important issues of law affecting physicians, but is not intended to provide readers with professional legal advice of any kind. Nor is this toolkit intended to create, and should not be understood as creating, an attorney-client relationship between or among any parties. CMA is unable to provide specific legal advice to each of its more than 35,000 members or any other readers of this toolkit. For a legal opinion concerning a specific situation, consult a qualified and licensed attorney.



OVERVIEW OF THE RED FLAGS RULE

The Red Flags Rule consists of three parts: Part I establishes certain requirements when using consumer credit reports; Part II requires the development and implementation of an identity theft detection and prevention program; and Part III establishes requirements for issuers of credit cards. This toolkit focuses on Part II, which is most applicable to physicians. The following chart summarizes the requirements of Part II.

STEP 1: Periodically conduct a risk assessment to determine if covered accounts exist (e.g., patient billing accounts).

STEP 2: If covered accounts exist, develop and implement a written identity theft program.

Functions of the program:
• Identify common red flags¹ of identity theft that may arise in your practice.
• Detect if and when any such red flags actually arise in your patient accounts.
• Respond appropriately to those red flags that are detected.
• Update red flags in the program.

Administrative requirements:
• Board or a senior employee must approve the program.
• Board member or senior employee must oversee the program.
• Staff must be adequately trained.
• Must include some oversight of third party vendors.

For many physicians, complying with the Red Flags Rule is not likely to be burdensome for two reasons. First, the scale of your identity theft program can be commensurate with the scale of your practice. Practices with less complicated billing procedures will require minimal red flag detection and response policies. Checking for photo identification when registering a new patient and monitoring address changes in patient accounts may be sufficient, for example. Second, the rule allows you to rely on existing security measures to satisfy the requirements of an identity theft program. This allows most physicians to comply in large part by relying on their current HIPAA policies and procedures. These existing obligations already go a long way in protecting patient confidential information, and therefore are aligned with the purpose of the Red Flags Rule. The Red Flags Rule, however, requires a little more protection by way of a formalized process to identify, detect and respond to common situations when patient information security may have been breached.

¹ A “red flag” is “a pattern, practice or specific activity that indicates the possible existence of identity theft.”

OTHER RESOURCES

The FTC recently created a website for the Red Flags Rule, which contains general information as well as guides: <http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml>. The most useful aid from this website is a glossy compliance guide that can be downloaded in PDF format, entitled “Fighting Fraud with the Red Flags Rule: A How-To Guide for Business.” The guide presents a simplified explanation of the Red Flags Rule and offers steps for complying.

Additionally, the American Medical Association (AMA) plans to provide a Red Flags Rule compliance guide for physicians on its website <www.ama-assn.org>, through the AMA Practice Management Center. The guide is expected to be posted on or soon after April 10, 2009.

There also are a number of other CMA resources that can help physicians understand the Red Flags Rule, its implications and other related topics. These include the following CMA On-Call documents, available in the 2009 edition of CMA’s California Physician’s Legal Handbook or online at <www.cmanet.org> (free to CMA members and at a per-page cost to others):

• #1100, “Medical Records: Most Commonly Asked Questions”;
• #1101, “Request by Other Third Parties: CMIA, IIPPA and the HIPAA Privacy Rules”;
• #1110, “Confidentiality of Sensitive Medical Information”;
• #1160, “Retention of Medical Records”;
• #1175, “Special Confidentiality Requests”;
• #1600, “HIPAA Overview/Enforcement”;
• #1603, “HIPAA ACT SMART: Introduction to the HIPAA Privacy Rules”;
• #1606, “HIPAA Electronic Transaction Rule”; and
• #1607, “HIPAA Security Rule.”

Another useful resource to understanding the Red Flags Rule is the regulation itself. A copy of the relevant portions of the Red Flags Rule is attached at the end of this toolkit, along with the Appendix to the rule.

COMMERCIAL COMPLIANCE PRODUCTS

There are numerous commercial products available in the marketplace advertised as Red Flags Rule compliance kits. CMA has not reviewed any of these retail products and cannot evaluate their value or utility. CMA does not intend to endorse any particular commercial compliance product. We nevertheless would be interested in hearing feedback from any physician who has used or intends to use one or more of the available products. However, as noted below, because the Red Flags Rule is deliberately flexible and scalable to the particular nature of a physician office, it probably is not necessary to consult outside help to achieve compliance. Some physicians, especially with medium or smaller offices, may be able to meet compliance on their own, whereas larger practices with more complicated record-keeping processes may need to consult external help.

Should a physician wish to use a commercial compliance product, please be careful to select the product from a reputable and established company. Furthermore, the physician should consult this toolkit and the other free guides cited herein (by the AMA and the FTC) before determining whether additional, commercial guidance is warranted.

BACKGROUND OF THE RED FLAGS RULE

The FTC promulgated the Red Flags Rule as part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Through FACTA Congress directed federal regulatory agencies, including the FTC, to develop rules and guidelines to address an increase in identity theft, including identity theft occurring in the health care industry.

The FTC defines medical identity theft as identity theft committed for the purpose of obtaining medical services. Medical identity theft can surface when a patient seeks medical services or goods using the name or insurance information of another person. It also can arise when a person’s name or insurance information is used to submit false claims for reimbursement. Medical identity theft often results in erroneous health information being entered into existing medical records or the creation of fictitious medical records in a victim’s name. The FTC claims these crimes can result in both false billing and the potentially life-threatening corruption of a patient’s medical records.

A nationwide survey conducted for the FTC found that 4.5% of the 8.3 million annual victims of identity theft had experienced some form of medical identity theft. More pernicious than other forms of identity theft, victims of medical identity theft face the risk that physicians may not have accurate information to adequately treat them due to false and misleading information embedded in their medical records as a result of medical identity theft.

Physicians may also suffer if someone they treated committed or is the victim of medical identity theft. Without safeguards, medical identity theft probably cannot be discovered until after the physician has rendered services and submitted bills to a third party payor. Once the medical identity theft has been discovered, the third party payor will demand a refund from the physician on the basis that the person treated was not covered. The physician’s sole recourse then may be the person who received the treatment, who may be long gone by the time the theft is discovered. Physicians therefore may ultimately bear the brunt of the financial harm caused by medical identity theft.

These facts about medical identity theft provide the backdrop to why the FTC seeks to apply the Red Flags Rule to physicians and other medical care providers. However, organized medicine strongly resisted. The Red Flags Rule was originally slated to go into effect on November 1, 2009, but that deadline was delayed six months after CMA, the AMA and numerous other physician associations objected to the FTC’s position that physicians are required to comply with the new rule. In early Fall 2008 the AMA and CMA separately sent letters to the FTC voicing our disagreement with the FTC and discussing the legal authority that demonstrates physicians are not “creditors” within the meaning of the federal consumer protection statutes. The AMA also met with FTC staff to further discuss these objections. Nevertheless, in response letters to the AMA and CMA in February 2009, the FTC steadfastly maintained that physicians are subject to the Red Flags Rule and thus must implement identity theft detection and prevention programs by May 1, 2009. CMA has joined dozens of other physician associations in signing onto a letter from the AMA to continue to protest the FTC’s position. We will remain involved in the advocacy efforts directed at the FTC, but thus far, there is no indication that the FTC will reverse its position.

JURISDICTION OF THE FTC

The FTC is vested with broad regulatory powers under the Federal Trade Commission Act, 15 U.S.C. §§41 et seq., including enforcement powers against persons or entities to prevent or terminate unfair or deceptive acts in or affecting commerce. (15 U.S.C. §45(a).) In particular the FTC is empowered to enforce the consumer protection provisions of FACTA, from which the Red Flags Rule was promulgated. (15 U.S.C. §1681s(a).) The FTC also has authority over any person who violates FACTA or its regulations, “irrespective of whether that person is engaged in commerce or meets any other jurisdictional tests in the [FTC] Act.” (16 C.F.R. §681.2(a).) These statutes empower the FTC to enforce the Red Flags Rule against physicians, to the extent a physician satisfies the definition of a “creditor” under the rules.

ENFORCEMENT OF THE RED FLAGS RULE

The Red Flags Rule does not include provisions governing its enforcement or penalties for failure to comply. This does not mean, however, that the Red Flags Rule has no teeth. Although there are no criminal penalties for failure to comply with the Red Flags Rule, the FTC can enforce any of its regulations through its general civil enforcement powers and impose civil monetary penalties. However, there is some indication that the FTC will be flexible and accommodating to give affected physicians time to implement an identity theft program pursuant to the rule. The AMA quoted Naomi Lefkovitz, an attorney with the FTC’s Division of Privacy and Identity Protection, as saying that the FTC intends to refuse further extensions of the Red Flags Rule’s implementation deadline, but, “[t]hat said, we [the FTC] continue to take a view that we’re looking for reasonable efforts” by doctors to comply. See Amy Lynn Sorrel, “Medicine Slams FTC Over Forcing Physicians to Police Identity Theft,” Amednews.com (April 6, 2009) <http://www.ama-assn.org/amednews/2009/04/06/gvl10406.htm>.

The FTC has not given notice how it intends to monitor compliance with the Red Flags Rule. It is not clear how, if at all, the FTC will determine whether particular identity theft programs meet the requirements of the Red Flags Rule. Nevertheless, physicians are urged to try to meet the compliance deadline of May 1, 2009, in establishing and implementing an identity theft program pursuant to the Red Flags Rule.

UNDERSTANDING THE RED FLAGS RULE

WHO MUST COMPLY

The Red Flags Rule unambiguously dictates who must comply with the requirement to implement an identity theft detection and prevention program:

    Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. (16 C.F.R. §681.2(d)(1).)

Thus, physicians will be subject to this requirement if they are a “creditor” that offers or maintains one or more “covered accounts.” Both terms are given a definition.

“Creditors”

There is no freestanding definition of a “creditor” in the Red Flags Rule. Rather the rule relies on the definition used in the Consumer Credit Protection Act, which in turn relies on the definition used in the Equal Credit Opportunity Act (ECOA). (See 16 C.F.R. §681.2(b)(5).) These consumer protection statutes define a “creditor” as one who “regularly extends, renews, or continues credit,” and “credit” as “the right granted by a creditor to a debtor . . . to purchase property or services and defer payment therefor.” 15 U.S.C. §1691a(d) and (e) (emphases added). The Red Flags Rule provides illustrative examples of “creditors” to include “banks, finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies.” 16 C.F.R. §681.2(b)(5).

Notwithstanding the absence of physicians from the examples of “creditors” listed in the Red Flags Rule, the FTC asserts that any professionals – including physicians – who regularly bill their clients, customers, or patients for their services after those services are rendered are “creditors.” In support of its position, the FTC relies heavily on a broad interpretation of the terms “creditor” and “credit” found in an Official Staff Interpretation of the ECOA (from which the Red Flags Rule borrows the definition of “creditor”). The Official Staff Interpretation states, “[i]f a service provider (such as a hospital, doctor, lawyer or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation [under ECOA], even though there is no finance charge and no agreement for payment in installments.” (12 C.F.R. §202.3.)

The AMA and CMA raised numerous arguments against the FTC’s reasoning to include physicians within the scope of “creditors.” These arguments include, importantly, the FTC’s failure to recognize that to the extent physicians “defer” payment by patients, it is almost always done so involuntarily under a complex payment scheme governed by layers of regulations and involvement of third party payors. This process is governed under contractual obligations between health insurance carriers or state payors, on the one hand, and patients and physicians, on the other hand, as well as federal and state prompt pay laws. CMA additionally cited two cases to the FTC, in which courts found that physicians or other health care providers are not “creditors.” These courts recognized the special and complicated payment processes in health care and determined that the delays in payment arising in this context were not “deferrals” of payment to trigger application of the definition of a “creditor” under the federal consumer protection statutes.

As of press time, the FTC is holding steadfast to its view that physicians are “creditors” if they regularly bill their patients and do not collect full payment at the time medical services are rendered. Accordingly, unless physicians hear otherwise from the FTC, it should be assumed that physicians will need to comply with the Red Flags Rule when the May 1, 2009, compliance date comes.

“Covered Accounts”

There appears to be little controversy over the definition of “covered accounts” under the Red Flags Rule. An “account” is defined as “a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” (Id. at §681.2(b)(1).) By this definition, examples of accounts include an “extension of credit, such as the purchase of property or services involving a deferred payment” or a “deposit account.” (Id.). A “covered account” means:

    (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and

    (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. (16 C.F.R. §681.2(b)(3).)

Determining whether an account poses a reasonably foreseeable risk of identity theft involves consideration of the methods the physician provides to open patient accounts; the methods the physician provides to access patient accounts; and the physician’s previous experience or exposure to identity theft. Setting aside the disagreement whether physicians can be considered “creditors,” the Red Flags Rule would seem to apply to those physicians who maintain accounts containing patient information, by which billings and outstanding balances for services rendered are maintained. Such accounts could be considered “covered accounts” within the meaning of the Red Flags Rule.

DESIGNING AN IDENTITY THEFT PROGRAM

If a physician meets the definition of a “creditor” and maintains one or more “covered accounts,” the physician must develop and implement (by May 1, 2009) a program “that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” (16 C.F.R. §681.2(e).)

GENERAL CONSIDERATIONS

There are two provisions in the Red Flags Rule that are designed to ease the burden of developing and implementing an identity theft program. First, the identity theft program can be based on, in whole or in part as appropriate, existing policies, procedures and other arrangements that can also reasonably protect against identity theft. (See 16 C.F.R. §681, Appendix A.) In other words, many of the safeguards already in place to comply with federal and state patient confidentiality requirements (e.g., HIPAA) can be incorporated into a physician’s new identity theft program to satisfy the Red Flags Rule.

Second, the Red Flags Rule expressly builds in flexibility and some degree of discretion in crafting an appropriate program. The rule allows that “[t]he Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.” (Id. at §681.2(d)(1).) This aspect of the rule was highlighted in the FTC’s letter to the AMA. The FTC’s statements are particularly illuminating:

    [T]he Red Flags Rule is designed to be flexible and tailored to the degree of identity theft risk faced by the particular physician; in many cases, that risk may be minimal or non-existent, such that a simple and streamlined program would be adequate. For example, for most physicians in a low risk environment, an appropriate program might consist of checking a photo identification at the time services are sought and have appropriate procedures in place in the event the office is notified – say by a consumer or law enforcement – that the consumer’s identity has been misused. Such procedures might include not trying to collect the debt from the true consumer or not reporting it on the consumer’s credit report, as well as ensuring that any medical information about the identity thief is maintained separately from information about the consumer.

As physicians evaluate how to develop and implement an identity theft program, these two provisions in the Red Flags Rule should always be remembered. They should not, of course, be viewed as loopholes to get around compliance with the Red Flags Rule. Rather, they can properly be used to help minimize the burden of complying with the Red Flags Rule.

SPECIFIC REQUIREMENTS

The requirements of an identity theft program are provided in two parts of the Red Flags Rule. General elements of the program are listed in the text of the rule (section 681.2(d) and (e)), and more specific requirements are laid out in a lengthier Appendix to the rule. (The rule and the appendix are attached hereto.) The FTC indicated in the Red Flags Rule that every identity theft program must include the following basic functions:

• Identify red flags for covered accounts and incorporate those red flags into an effective detection system (a “red flag” is “a pattern, practice or specific activity that indicates the possible existence of identity theft”);
• Respond appropriately to any red flags that are detected in order to mitigate or prevent identity theft; and
• Update the detection and response system periodically, to reflect changes in red flags, risks and identity theft techniques. (See 16 C.F.R. §681.2(d)(2).)

Every identity theft program also must satisfy a number of specified administrative mandates:

• The program must be approved by a board of directors or a senior manager (e.g., a medical director or managing partner of a medical group);
• A board member or senior management employee must be involved in the oversight, development, implementation and administration of the identity theft program;
• Staff must be adequately trained to implement the program; and
• The program must include oversight of outside service provider arrangements. (See id. at §681.2(e).)

In addition to satisfying the foregoing elements, physicians should look to the Appendix to the Red Flags Rule. The Appendix provides detailed explanations and suggestions for complying with the substantive and administrative elements of an identity theft program. The Appendix can help physicians tailor a program to their particular practice or office setting to mitigate the burden of implementing a new program. However, physicians should be aware that not all of the suggestions provided in the Appendix may be applicable to them in particular or medical practices in general.

STEP 1: DETERMINE IF YOU HAVE COVERED ACCOUNTS

As noted above, the Red Flags Rule is triggered only if a physician maintains one or more “covered accounts.” To the extent physicians have “covered accounts,” such accounts most likely would fall under the first of two definitions in the Red Flags Rule: “An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.” Patient accounts or files (whether paper or electronic) used to store patient background and payment information, through which bills and outstanding balances are generated and maintained, would fall in this category of “covered accounts.”

Medical records likely are not “covered accounts.” These records traditionally do not contain the types of information that would invoke protection under the Red Flags Rule. FTC staff has indicated that the Red Flags Rule is not intended to apply to traditional medical records alone.

In addition to patient billing accounts, physicians will need to determine if other accounts they have fall under the second definition of a covered account: “Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” Determining whether an account poses a reasonably foreseeable risk of identity theft involves consideration of the methods the physician provides to open patient accounts; the methods the physician provides to access patient accounts; and the physician’s previous experience or exposure to identity theft. There may be non-patient accounts with third party vendors (e.g., lab records) that fall into this definition, especially if such accounts contain patient information that could be used by identity thieves.

STEP 2: IDENTIFY RED FLAGS RELEVANT TO YOUR COVERED ACCOUNTS

If a physician maintains “covered accounts,” a written identity theft detection and prevention program will need to be designed and implemented. The first function of the written program is to identify and incorporate “red flags” that are most likely to arise in your practice. A “red flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. After covered accounts are identified, physicians should then identify the red flags that are related to such covered accounts.



The Appendix to the Red Flags Rule indicates that physicians should consider the following factors in identifying relevant red flags for their covered accounts: (1) the types of covered accounts offered or maintained; (2) the methods employed to open a covered account; (3) the methods used to access covered accounts; and (4) previous experiences, if any, with identity theft.

There are several sources that can help physicians identify relevant red flags for their covered accounts. Past experience with identity theft, of course, is a reliable source. Other types of red flags include:

• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a suspicious address change;
• The unusual use of, or other suspicious activity related to, a covered account; and
• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

A Supplement to the Appendix of the Red Flags Rule provides a laundry list of examples of red flags that fall into these categories. Not all of the examples, however, will apply to physicians’ covered accounts. This Supplement is also attached hereto.

STEP 3: ESTABLISH A SYSTEM TO DETECT RELEVANT RED FLAGS

The identity theft program must establish policies and procedures to detect identified possible red flags in connection with the opening and maintenance of covered accounts. According to the FTC, the greatest risk of identity theft for healthcare providers exists when a patient account is opened. For most physicians, this may include obtaining identifying information about, and verifying the identity of, a patient opening a covered account. It may also include verifying the identity of patients with existing accounts, periodically monitoring transactions on patient accounts for aberrant activity, and validating any changes in address on the accounts.

STEP 4: ESTABLISH POLICIES AND PROCEDURES TO RESPOND TO RED FLAGS

The identity theft program should provide for appropriate responses to the red flags when they are detected. The response should be commensurate with the degree of risk posed. In determining an appropriate response, physicians should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a patient’s account, or notice that a patient has provided information related to a covered account to someone fraudulently claiming to represent the physician office.

Physicians should not feel that they have to significantly alter their practices in order to comply with the Red Flags Rule. The rules do not dictate what information you may or may not obtain from patients. Physicians also must carefully balance the need to detect red flags against the potential that patients will feel unduly hassled. For example, not all patients may have a driver’s license or passport, and it may be overzealous to require a long-time patient whom your staff knows well to present identification every time he or she has a visit. In negotiating these tensions to develop a detection system for your identity theft program, physicians should remember the two general considerations highlighted above: that the identity theft program can incorporate existing practices or policies and that the program should be tailored to the size and complexity of your business practices.

An appropriate response when a red flag is detected will depend on the degree of risk that is posed. Examples of some appropriate responses include:

• More closely monitoring a covered account when a red flag is detected with respect to that account;
• Contacting the patient to verify the accuracy of information in the account;
• To the extent applicable, changing passwords, security codes or other ways to access the covered account;
• Closing the account and opening a new one for the patient, with a new account number;
• If the red flag is associated with someone seeking to open a new account, not opening the new account unless other, verifiable identification and information is provided;
• Not trying to collect on overdue balances in a covered account until the red flag is mitigated;
• Notifying law enforcement; or
• Taking no action if the circumstances warrant it.

As the last example shows, an appropriate response also can include doing nothing if the totality of circumstances indicates that, despite a red flag being triggered, there is no credible risk of identity theft. However, there must be a reasonable basis to believe this if your response is to take no action.



STEP 5: KEEP THE IDENTITY THEFT PROGRAM UP-TO-DATE

The written identity theft program will need to be reviewed periodically to ensure that relevant red flags are current. It will be necessary to make modifications to reflect changes in risks to patients or to the safety and soundness of your practice from identity theft. Such changes can include your own experience with identity theft, evolving methods of identity theft, and evolving methods to detect, prevent and mitigate identity theft. Additionally, modifications may be necessary to the extent physicians modify their account practices or business arrangements, including adding or switching third party billing agents or incorporating new physicians or a new physician group into your practice.

ADMINISTERING THE IDENTITY THEFT PROGRAM

The Red Flags Rule also raises administrative and reporting requirements dictating how an identity theft program must be implemented and administered. These requirements, for the most part, should not prove more onerous than usual when incorporating any new procedure or policy into your practice. Again, remember that the policies and procedures of your identity theft program need only be as complex as the nature of your practice. In other words, the program can be tailored to the unique characteristics of your practice.

PROGRAM OVERSIGHT

The Red Flags Rule requires that a member of the board of directors or, if there isn’t one, a management-level employee be charged with oversight of the identity theft program. This includes oversight of the planning, design and implementation of the program. Such a person’s duties also should include delegating responsibilities to staff members for the program’s implementation, reviewing reports regarding compliance with the Red Flags Rule, and approving any material changes to the program as necessary. It may be efficient to designate your HIPAA compliance officer to also serve as the person with oversight of the identity theft program. Once a program is designed and memorialized, the board of directors (or other similar governing body) will have to formally approve it.

REPORTS The Red Flags Rule requires periodic written reports to the board (or other similar governing body) concerning the identity theft program. Those responsible for the development, implementation and administration of the program should prepare the reports at least once a year, and the person designated with oversight of the program should approve them. Written reports should address material matters related to the identity theft program and evaluate issues such as: the effectiveness of the program's policies and procedures in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the program.

DUTY TO OVERSEE SERVICE PROVIDER ARRANGEMENTS In addition to monitoring for red flags within your practice, the Red Flags Rule requires physicians to take steps to guard against identity theft when outside service providers have access to, or handle, sensitive patient information in "covered accounts." What steps are adequate is unclear from the rule itself. The Red Flags Rule states only that an identity theft program must "[e]xercise appropriate and effective oversight of service provider arrangements." (16 C.F.R. §681.2(e)(4).) No further guidance is provided. Moreover, this oversight duty arises only if the third party is granted access to patient accounts that are deemed "covered accounts." The FTC explained in the final rulemaking comments for the Red Flags Rule that this provision applies whenever a creditor engages a service provider to perform an activity on its behalf and the requirements of the identity theft program would apply to that activity. The oversight requirement prevents creditors from circumventing the Red Flags Rule by delegating or outsourcing tasks to third parties. It therefore serves as a reminder that creditors subject to the Red Flags Rule remain responsible for compliance with the rule even when they outsource operations to a third party. However, responding to complaints about the burden of regulating third parties, the FTC simplified the oversight provision to require only "appropriate and effective oversight." The FTC intentionally did not elaborate further, in order to give creditors maximum flexibility in managing their service provider arrangements while still making clear that a creditor cannot escape its obligations under the Red Flags Rule.
To the extent that service providers handle or have access to covered accounts, physicians should therefore ensure that the activities of those service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. For example, a physician could require the service provider by contract to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider's activities, and either to report those red flags to the physician or to take appropriate steps to prevent or mitigate identity theft. In many instances, your service provider may already be subject to the Red Flags Rule and may already have implemented its own identity theft program. Furthermore, service providers are subject to HIPAA privacy and security requirements as well, and the latest updates to HIPAA, discussed below, extend the HIPAA mandates directly to business associates and other third parties who handle protected health information. Thus, although the oversight provision may seem burdensome, in practice it may not require much beyond what you already do.

OTHER RELATED LEGAL REQUIREMENTS

Long before the Red Flags Rule was issued, physicians already were subject to HIPAA, which requires them to protect the confidentiality of patient information, including financial information. The requirements of HIPAA are too lengthy for a complete discussion here. Rather, this toolkit focuses on the areas of overlap between HIPAA and the Red Flags Rule. More information about HIPAA can be found in the CMA ON-CALL documents listed at the beginning of this toolkit.

All physicians are covered by HIPAA if they use electronic means to transmit any of the following: health claims, remittance or payment advice, claim status inquiries, eligibility inquiries, enrollment and disenrollment, referral certification and authorization, coordination of benefits, or health plan premium payments.

The primary purpose of HIPAA is to enhance health insurance accessibility for people changing employers or leaving the workforce. To facilitate accessibility, HIPAA also contains provisions designed to encourage the electronic transmission of confidential health care data, which in turn prompted further provisions to ensure confidentiality and security in maintaining and transmitting health data. Congress and privacy advocates (including physicians) were concerned that the growing use of electronic means to transmit health care data increased the risk that the data would be compromised. HIPAA therefore includes a number of mandates to increase confidentiality and security, falling into two separate sets of rules known as the Privacy Rule and the Security Rule. These rules are not exclusive: state laws that are more protective of patient privacy and confidentiality supplement HIPAA, and control in the event of a conflict of laws. (45 C.F.R. §§160.202, 160.203.)

HIPAA covers all "protected health information." Virtually all individually identifiable health information falls under that definition.
"Health information" is defined as any information, whether oral or recorded in any form or medium, that:

i) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

ii) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. (Emphasis added.)

"Health care" is similarly defined very broadly to include "care, services, or supplies related to the health of an individual." Information in "covered accounts" (as defined under the Red Flags Rule) that is typically the target of identity thieves therefore falls under the expansive coverage of HIPAA, and HIPAA overlaps significantly with the Red Flags Rule. The HIPAA Privacy and Security Rules are similar to the Red Flags Rule in that they generally require a risk assessment and the development of appropriate and reasonable protection measures, scaled to the complexity and size of the physician's practice. Many California physicians already have practices in place to safeguard patient confidentiality that would satisfy HIPAA. The following summary of HIPAA privacy requirements is taken, with permission, from HIPAA Clinician/Senior Management Education & Training Materials © 2001, California HealthCare Foundation:

• Individually identifiable health information may not be used or disclosed unless specifically approved by the patient or explicitly permitted under HIPAA.

• The Privacy Rule generally requires patient authorization to disclose information for non-treatment purposes (such as to employers, life insurers, underwriters or researchers).

• Disclosure of health information for non-treatment purposes must generally be limited to the "minimum necessary."

• Inadvertent and incidental disclosures (e.g., two colleagues talking about a patient in a hospital hallway) will not be deemed a violation of the law so long as the organization has made reasonable efforts to comply with HIPAA requirements and has appropriate policies and procedures in place.

• A written agreement providing for appropriate safeguarding of health information must be in place with all "business associates." (These include those who perform services on behalf of the practice, such as practice management consultants, collection agencies, malpractice insurers and accountants, among others.)

• Each practice must designate a privacy officer, develop written privacy policies and procedures, and provide staff training to ensure that health information is protected. The scope of these requirements is scalable: small offices do not have to develop elaborate systems, basic protections suffice, and the office manager can serve as the privacy officer.

• Patient authorization is not required for sharing a patient's medical records with another physician when referring the patient to that physician, or when billing a patient referred for a specialty consultation.

• Patients have the right to inspect and receive a copy of their medical records and to request amendments to their records. (Note: this right of access under HIPAA may be a point of intersection with the Red Flags Rule, because it appears to be an area where identity thieves can strike.)

The Privacy Rule contains a very general requirement that covered entities institute security measures, as follows: "A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart." (45 C.F.R. §164.530(c)(2).)

The HIPAA Security Rule imposes additional, more detailed requirements aimed at safeguarding patients' health information. The rule contains three main areas of regulation: administrative, physical and technical safeguards. Each area is made up of a series of "Standards" and a number of "Implementation Specifications" to carry out those Standards. There are nine Administrative Standards (with twenty-one implementation specifications), four Physical Standards (with eight implementation specifications) and five Technical Standards (with seven implementation specifications). For a complete discussion of these standards, see CMA ON-CALL document #1607, "HIPAA Security Rule." Rather than go into detail on these standards and specifications, it is relevant here to focus on two broad aspects of the HIPAA Security Rule that overlap with the Red Flags Rule.

In general, the HIPAA Security Rule requires that patient health information be kept confidential; that its integrity be maintained (is the data accurate, and kept accurate?); and that it be reasonably available in a secure fashion (because the Privacy Rule gives patients or their personal representatives the right to access their PHI, it must remain available even in the event of a system failure or a natural disaster). Additionally, security measures must be designed to protect against reasonably anticipated threats or hazards to the security of patient health information (including, for example, fire or computer viruses), and against reasonably anticipated uses or disclosures that are not permitted. All members of the physician's office and staff must comply with the security regulations. As can be seen, these general requirements can be read to encompass the threats posed by identity theft.

As with the Red Flags Rule, the HIPAA Security Rule also provides substantial flexibility to reflect the nature of a given physician practice. The following factors may be considered when implementing the rule:

i) the size, complexity and capabilities of your organization;

ii) your technical infrastructure (do you have someone on staff who is familiar with computers and technical matters?) and your hardware and software capabilities;

iii) the costs of security measures in relation to the size and resources of your practice; and

iv) the probability and criticality of potential risks to patient health information. Probability refers to the likelihood that a risk will materialize; criticality refers to the importance of a particular application or business process.

Taking these factors into account, physicians must adopt reasonable and scalable measures for their practice. Many of the procedures or policies implemented to satisfy these HIPAA mandates can be marshaled to satisfy the requirements of the Red Flags Rule. However, physicians should not assume that HIPAA compliance fully satisfies the Red Flags Rule. There is significant overlap, but the Red Flags Rule does impose some obligations not found in HIPAA. The FTC has explained the distinction between the Red Flags Rule and HIPAA as follows:

"We [the FTC] certainly recognize the importance of HIPAA's privacy and security requirements and the essential role data security plays in protecting individuals' health information from compromise and misuse, as well as physicians' ethical responsibilities in this area. But, notwithstanding physicians' reasonable efforts to prevent them from doing so, identity thieves have a variety of means of obtaining personal information. A comprehensive approach to combating medical identity theft, therefore, must include measures aimed not only at preventing the compromise of patient information, but also at preventing or mitigating the misuse of that information if it is compromised. The Rule is designed to prevent identity theft primarily by ensuring that organizations are alert to signs that an identity thief is using someone else's identifying information fraudulently to obtain products or services, including services such as medical care. Thus, the Red Flags Rule generally complements rather than duplicates the HIPAA data security requirements."

UPCOMING UPDATES TO HIPAA There is an upcoming expansion of HIPAA as part of the American Recovery and Reinvestment Act of 2009 (H.R. 1). President Obama's economic stimulus package, which was signed into law on February 17, 2009, includes numerous provisions aimed at health care, including extending COBRA coverage, increasing Medicaid matching funds and creating investment incentives for health information technology. The package also includes provisions to enhance and expand privacy protections under HIPAA. These changes should not significantly affect compliance with the Red Flags Rule. They do, however, establish or expand requirements under HIPAA that would also satisfy certain aspects of the Red Flags Rule. Relevant changes to HIPAA that can be incorporated into an identity theft program under the Red Flags Rule include:

• Requiring notification to patients if their health information is breached;

• Requiring third-party health record vendors also to notify patients if their health information is breached; and

• Expanding HIPAA to apply directly to business associates of covered entities.



RED FLAGS RULE & APPEND IX

Attachment A: Red Flags Rule & Appendix

SAMPLE IDENTITY THEFT PROGRAM POLICIES IMPORTANT NOTE & DISCLAIMER: This sample policy is for illustration purposes only and is not sufficient, standing alone, to satisfy the requirements of the Red Flags Rule. Nor is this sample a complete policy of all the elements that may be required by the Red Flags Rule. The sample policy may be used as a starting point to design an identity theft program, and should be customized and supplemented in conjunction with other analyses and considerations to form an organization’s identity theft program, following the guidance and requirements of the Red Flags Rule.

MEDICAL OFFICES OF JOHN DOE, MD
Red Flags Rule Identity Theft Detection & Prevention Program (last revised 4/6/2009)
Designated Compliance Manager: Jane Roe, Office Manager

PART I: Designated Compliance Manager

A. The person identified above is the Medical Office's Designated Compliance Manager, who shall have responsibility for drafting and finalizing annual reports on the efficacy of this Program, ensuring that all office personnel and staff are adequately trained to administer this Program, and updating the Program as provided herein.

PART II: Identification of Relevant Red Flags

A. The Designated Compliance Manager, with input from office personnel and staff as appropriate, shall compile a list of red flags to be covered by the Medical Office's detection and response policies below. The list of red flags shall be attached to this policy and made available to all personnel who have responsibility to implement this Program.

B. On an annual basis thereafter, the Designated Compliance Manager shall review the list of red flags to determine whether outdated red flags need to be removed, or new red flags need to be added to the list.

C. In determining whether a red flag appropriately belongs on, or should be added to, the list, the Designated Compliance Manager shall consider the following four factors: (1) the types of covered accounts offered or maintained; (2) the methods employed to open a covered account; (3) the methods used to access covered accounts; and (4) previous experiences, if any, with identity theft.

D. The list of red flags shall be populated and updated from the following resources:

• Alerts, notifications or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.

• Experience and/or general knowledge of personnel and staff of the Medical Office concerning past situations that indicated the possible existence of identity theft, including:
  o the presentation of suspicious documents by any person who visits or uses the services of the Medical Office;
  o the presentation of suspicious personal identifying information, such as a suspicious address change; or
  o the unusual use of, or other suspicious activity related to, a patient account.

• Notice from patients, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft in connection with covered accounts held by the Medical Office.

• The list of common red flags printed in the Supplement to Appendix A of the Red Flags Rule, 16 C.F.R. Part 681.



PART III: Training

A. All staff and personnel who interact with patients of the Medical Office and/or handle or have access to patient accounts, billing accounts or other files or documents that may contain patient financial and background information shall be required to know the procedures and policies herein and, to the extent appropriate to each individual, to implement the identity theft detection and prevention program of the Medical Office.

B. The Designated Compliance Manager shall be responsible for ensuring that the training requirements of the previous paragraph are accomplished.

PART IV: Detection of Identified Red Flags

A. It is the policy of the Medical Office, to the extent feasible and reasonable, to request documentation of a patient's identity, residence address and insurance coverage any time registration information is input, updated or amended. The following procedures shall be used to further this policy:

• Verification of Patient Identity at Time of New Registration: To the extent feasible and reasonable, prior to registering anyone as a new patient, office personnel shall request to see a government-issued photo identification and documentation of the person's name, current residential address (such as a utility bill) and insurance coverage information. No person shall be registered as a new patient unless his or her identity has been verified.

• Re-Verification of Patient Identity: To the extent feasible and reasonable, any time a patient updates or wishes to change his or her registration information, the same procedures identified above (including presentation of valid photo identification) shall be followed to verify the new information being provided.

B. It is the policy of the Medical Office that all staff and personnel shall be alert for discrepancies in documents and patient information that suggest a risk of identity theft or fraud. Toward this end, personnel and staff shall be especially vigilant for the possibility of identity theft when encountering situations that are designated as red flags, as identified pursuant to Part II, above.

PART V: Response to Red Flags

A. Whenever an identified red flag is triggered, the Designated Compliance Manager (or his or her designee for responding to red flag alerts) shall be notified as soon as possible, to determine the response and course of action appropriate to the degree of risk posed by the particular red flag detected. In determining the action, if any, to be taken, the Designated Compliance Manager may consider the following examples of responsive actions, which are not meant to be an exclusive or exhaustive list of possible responses:

• More closely monitoring a covered account when a red flag is detected with respect to that account;

• Contacting the patient to verify the accuracy of information in the account;

• To the extent applicable, changing passwords, security codes or other means of access to the covered account;

• Closing the account and opening a new one for the patient, with a new account number;

• If the red flag is associated with someone seeking to open a new account, not opening the new account unless other, verifiable identification and information is provided;

• Not attempting to collect on overdue balances in a covered account until the red flag is mitigated;

• Notifying law enforcement; or

• Taking no action if the circumstances warrant it.
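The detection and response sections of the sample policy above describe a manual procedure. In a practice whose registration and billing data live in a practice-management system, the same logic can be run over account events so that staff are prompted with the red flag and the candidate responses rather than having to remember them. The following Python is an added example written for this toolkit; it is not part of the CMA sample policy and does not describe any particular vendor's product. The red-flag categories and the response list are taken from the sample policy; the trigger conditions (a shared insurance member ID under a different identity, a records request within 30 days of an address change, an unverified registration) and all patient data are this example's own assumptions, constructed for illustration.

```python
"""Red-flag triage over patient-account events (added example; hypothetical data)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Red-flag categories, as listed in the sample policy's "Identification of Relevant Red Flags".
FRAUD_ALERT = "alert or warning from a consumer reporting agency or fraud detection service"
SUSPICIOUS_DOCUMENTS = "suspicious documents"
SUSPICIOUS_PII = "suspicious personal identifying information"
SUSPICIOUS_ACTIVITY = "unusual use of, or suspicious activity on, a covered account"
VICTIM_NOTICE = "notice from a patient, identity theft victim or law enforcement"

# Candidate responses, as listed in the sample policy's "Response to Red Flags".
RESPONSES = {
    "monitor": "monitor the covered account more closely",
    "contact": "contact the patient to verify the information in the account",
    "reset_access": "change passwords, security codes or other means of access to the account",
    "reissue": "close the account and open a new one with a new account number",
    "refuse_open": "do not open the new account until verifiable identification is provided",
    "hold_collections": "do not collect on overdue balances until the red flag is mitigated",
    "law_enforcement": "notify law enforcement",
    "none": "take no action",
}


@dataclass
class Account:
    account_id: str
    name: str
    dob: str
    insurance_member_id: str
    opened: date
    id_verified: bool          # government photo ID seen at registration


@dataclass
class Event:
    when: date
    kind: str                  # address_change | records_request | alert | notice | dispute
    note: str = ""


@dataclass
class RedFlag:
    category: str
    reason: str
    responses: tuple           # keys into RESPONSES, most important first


def detect_red_flags(acct, events, other_accounts=(), window_days=30):
    """Return the red flags raised by an account and its recent events.

    The trigger conditions below are this example's assumptions about what
    'suspicious' means; a real program would tune them to the practice."""
    flags = []
    if not acct.id_verified:                       # registration without verified photo ID
        flags.append(RedFlag(SUSPICIOUS_DOCUMENTS,
                             "registered without verified photo identification",
                             ("refuse_open",)))
    for other in other_accounts:                   # same insurer ID, different person
        if (other.insurance_member_id == acct.insurance_member_id
                and (other.name, other.dob) != (acct.name, acct.dob)):
            flags.append(RedFlag(SUSPICIOUS_PII,
                                 f"insurance member ID also on file for {other.account_id} "
                                 "under a different name or date of birth",
                                 ("contact", "monitor")))
    # An address change followed shortly by a request for a copy of the record:
    # the Privacy Rule access right being used to pull the chart to a new address.
    changes = [e.when for e in events if e.kind == "address_change"]
    for req in (e for e in events if e.kind == "records_request"):
        if any(timedelta(0) <= req.when - c <= timedelta(days=window_days) for c in changes):
            flags.append(RedFlag(SUSPICIOUS_PII,
                                 f"records request on {req.when} within {window_days} days "
                                 "of an address change",
                                 ("contact", "monitor")))
    for e in events:
        if e.kind == "alert":                      # external fraud-detection warning
            flags.append(RedFlag(FRAUD_ALERT, e.note, ("monitor", "contact")))
        elif e.kind == "notice":                   # victim or law-enforcement notice
            flags.append(RedFlag(VICTIM_NOTICE, e.note,
                                 ("reissue", "reset_access", "hold_collections", "law_enforcement")))
        elif e.kind == "dispute":                  # patient denies receiving billed services
            flags.append(RedFlag(SUSPICIOUS_ACTIVITY, e.note, ("hold_collections", "contact")))
    return flags


def recommend_responses(flags):
    """Merge the flags' responses into one ordered, de-duplicated action list."""
    keys = []
    for f in flags:
        for k in f.responses:
            if k not in keys:
                keys.append(k)
    return [RESPONSES[k] for k in (keys or ["none"])]


# Constructed sample data (hypothetical patients; not from the original page).
PATIENT = Account("A-1001", "Pat Example", "1970-01-01", "INS-55555", date(2009, 1, 5), True)
OTHER = Account("A-1002", "Chris Sample", "1985-06-30", "INS-55555", date(2009, 2, 20), True)
EVENTS = [
    Event(date(2009, 3, 1), "address_change", "moved to an out-of-state PO box"),
    Event(date(2009, 3, 10), "records_request", "copy of full chart requested by mail"),
    Event(date(2009, 3, 15), "notice", "police report that the patient's identity was stolen"),
]

if __name__ == "__main__":
    found = detect_red_flags(PATIENT, EVENTS, other_accounts=[OTHER])
    for flag in found:
        print(f"[{flag.category}] {flag.reason}")
    print("Recommended:", "; ".join(recommend_responses(found)))
```

The function returns the flags rather than deciding for the office: the sample policy leaves the actual response to the Designated Compliance Manager, so the output is a prompt for that person, and "take no action" is only recommended when nothing fired.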
