Answers to the questions below, which were distilled from 16 C.F.R. Part 681and its appendices, may be used to form the basis of an Identity Theft Protection Program as required by the FTC’s Red Flag Rules for most healthcare providers.
I. Identification of Relevant Red Flags
A. Risk factors: what risk factors do we face?
1. What types of covered accounts do we offer or maintain? Examples include not only patient accounts but also any other accounts—such as leases to third parties of office space, equipment, or personnel that are either (a) an account for personal or household purposes involving multiple transactions or (b) any account for which there is a reasonably foreseeable risk of identity theft (including financial, operational, compliance, reputation, or
litigation risks)?
2. What methods do we use to open covered accounts? Do any of these methods involve risks of identity theft? 3. What methods do we provide for access to covered
accounts? Do any of these involve risks of identity theft? 4. What previous experiences have we had with identity theft
that may inform our identification of risk factors?
5. Are there any other potential sources of risk that should be considered?
B. Sources of red flags: how can we incorporate the following sources of potential red flags into the program?
1. Are there any past incidents of identity theft? What can be done to prevent similar incidents in the future?
2. What are methods of identity theft that have been used against other organizations? Are there any new methods of identity theft that reflect changes in identity theft risks? How can they be addressed?
3. What other guidance has been issued by regulatory agencies or other organizations?
C. Categories of red flags: what procedures have we instituted to assure that appropriate responses are made to the following categories of red flags?
1. Alerts, notifications or other warnings received from consumer reporting agencies and similar providers, including but not limited to:
a. Fraud or active duty alerts;
b. Notices of credit freeze;
c. Notices of address discrepancy;
d. Patterns of activity that are inconsistent with prior history;
e. Recent increases in the volume of inquiries;
f. Unusual numbers of new credit relationships;
g. Material changes in the use of credit; and h. Accounts closed for cause.
2. The presentation of suspicious documents or information, or other suspicious activity, including but not limited to:
a. Information that is inconsistent with external sources (e.g., address, date of birth, or social security number);
b. Personal identifying information identified by third- party sources as having been associated with known fraudulent activity;
c. Personal identifying information of a type commonly associated with fraudulent activity (e.g., fictitious address, use of mail drop, or phone number that is invalid or associated only with a pager or answering service);
d. SSNs duplicating those of other patients
e. Address or telephone numbers that are the same or similar to other patients (or customers), particularly recent ones;
f. New customers who fail to provide all required personal identifying information, especially if they have been notified that the application is
incomplete;
g. Persons attempting to access an account who cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report;
h. Requests for additional authorized users on an account shortly following change of address;
i. Uses of an account that are inconsistent with established patterns of activity (e.g., nonpayment when there is no history of late or missed payments or a material increase in the use of the account);
j. Unexpected inactivity for a reasonably lengthy
period of time;
k. Repeatedly returned mail from the patient (or customer) despite continued activity in the account; and
l. Unauthorized transactions.
II. Detecting Red Flags
A. What policies and procedures do we need to detect red flags in connection with new and existing accounts? Examples include:
1. Obtain information verifying the identity of any person opening a new account (e.g., name, date of birth,
residential or business street address [if unavailable, obtain such information for next of kin or other contact individual], taxpayer identification number, passport number and country of issuance, alien identification card number, or other government-issued document indicating nationality and bearing a photograph or similar safeguard) and
2. In the case of existing accounts, authenticating customers, monitoring transactions, and verifying the validity of change of address requests.
III. Preventing and Mitigating Identity Theft
A. What policies and procedures would provide us with appropriate responses to red flags commensurate with the degree of risk posed? How should we address aggravating factors, such as actual instances of unauthorized access to an account or when someone fraudulently claiming to represent us has obtained information from one of our patients or debtors? Appropriate responses may include:
1. Monitoring accounts for evidence of identity theft; 2. Contacting the patient;
3. Changing passwords or security codes;
4. Reopening an account with a new account number; 5. Refusing to open, or closing a covered account; 6. Forbearing from collection on a covered account; 7. Notifying law enforcement; and
8. Determining that no response is necessary under the circumstances.
IV. Updating the Program
A. How will we periodically update the red flag program to reflect changes in risks to customers? Factors that may affect our need to update the Program include:
1. Actual instances of identity theft; 2. Changes in methods of identity theft;
3. Change in methods of detection, prevention, and mitigation of identity theft;
4. Changes in the types of accounts that we maintained; and 5. Changes in our business arrangements, including mergers,
acquisitions, joint ventures, etc.
V. Methods for Administering the Program
A. Who has ultimate authority for oversight of the Program (e.g., board of directors, appropriate board committee, or designated
senior management)? Oversight should include assigning specific responsibility for implementation, reviewing periodic reports at least annually, and approving changes to the Program as necessary to address changing identity theft risks. Contents of periodic reports should address and evaluate the effectiveness of the Program in addressing the risk of identity theft, reporting significant incidents of such theft and management’s response to it, and recommendations for material changes to the Program. B. When third-party service providers are engaged to perform
activities in connection with our accounts (e.g., coding, billing or accounting activities), what steps do we take to ensure that those activities are conducted in accordance with the Program?
T. SAMPLE POLICIES
Policy 1: Verifying Patient Identity at Time of Registration Purpose: To verify patient identity at time of registration
Policy: The provider will, to the extent feasible, request documentation of the patient’s identity, residence address, and insurance coverage at time of registration as part of the Identity Theft Prevention Program. Procedure:
1. When a patient calls to request an appointment, the patient will be asked to bring the following at the time of the appointment:
• Driver’s license or other photo ID • Current insurance card
• If the photo ID does not show the patient’s current address, utility bills or other correspondence showing current residence
If the patient is a minor, the patient’s parent or guardian should bring the information listed above.
2. When the patient arrives for the appointment, the patient will be asked to produce the information listed above. This requirement may be waived for patients who have been seen within the last six months.
3. If the patient has not completed the registration form within the last six months, a new registration form must be completed.
4. EXCEPTION [for hospitals]: If the patient has come to the hospital to request evaluation or treatment for an emergency medical condition, the provision of a medical screening examination will not be delayed to obtain documents verifying identity.
Policy 2: Identity Theft Red Flags
Purpose: To detect attempted identity theft or fraud
Policy: Provider staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud. Procedure:
In the following circumstances, staff should be alert for the possibility of identity theft:
1. The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.
2. The photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient.
3. Information on one form of identification submitted by the patient is inconsistent with information on another form of identification, or with information already in the provider’s records.
4. The SSN furnished by the patient has not been issued, is listed on the Social Security Administration’s Death Master File, or is otherwise invalid. The following numbers are always invalid:
• The first three digits are in the 800, 900, or 000 range, are in the 700 range above 772, or are 666;
• The fourth and fifth digits are 00; or • The last four digits are 0000.
5. The address given by the patient does not exist or is a post office box. 6. The phone number given by the patient is invalid or is associated with a
pager or an answering service.
7. The patient fails to provide identifying information or documents.
8. Personal identifying information given by the patient is not consistent with personal identifying information in the organization’s records.
9. The patient’s signature does not match a signature on file in the organization’s records.
10. The SSN or other identifying information furnished by the patient is the same as identifying information in the provider’s records furnished by other individuals.
Policy 3: Investigation of Suspected Identity Theft
Purpose: To investigate potential identity theft or fraud
Policy: The provider will investigate situations in which an individual claims to be a victim of identity theft.
Procedure:
1. If an individual claims to be a victim of identity theft, the provider or its collection agency will investigate the claim. The following guidelines apply: 1.1 The individual must have filed a police report for identity theft. 1.2 The individual must complete one of the following documents:
• The ID Theft Affidavit developed by the FTC, including supporting documentation;
• An ID theft affidavit recognized under state law; or • A statement including the following information:
o A statement that the individual is a victim of identity theft;
o A copy of the individual’s driver’s license or identification card;
o Any other identification document that supports the statement of identity theft;
o Specific facts supporting the claim of identity theft, if available;
o Any other explanation that the individual did not incur
the debt;
o Any available correspondence disputing the debt; o Documentation of the residence of the individual at
the date of service, including copies of utility bills, tax statements, or other statements from
businesses sent
to the individual at his or her residence;
o Any information that the individual may have concerning the person who registered in his or her name;
o A statement that the individual did not authorize the use of his or her name or personal information for obtaining services; or
o A statement certifying that the representations are true, correct, and contain no material omissions of fact to the best knowledge and belief of the person submitting the certification.
1.3 The individual must cooperate with comparing his or her personal information with information in the Provider’s records.
2. If following investigation, it appears that the individual has been a victim of identity theft, the provider will take the following actions:
2.1 The provider will cease collection on open accounts that resulted from identity theft. If the accounts had been referred to collection agencies or attorneys, the collection agencies/attorneys will be instructed to cease collection activity.
2.2 The provider will cooperate with any law enforcement investigation relating to the identity theft.
2.3 If an insurance company, government program or other payor has made payment on the account, the provider will notify the payor and refund the amount paid.
2.4 If an adverse report had been made to a consumer reporting agency, the provider will notify the agency that the account was not the responsibility of the individual.
3. If following investigation, it does not appear that the individual has been a victim of identity theft, the Provider or the collection agency will give written notice to the individual that he or she is responsible for payment of the bill. The notice will state the basis for determining that the person claiming to be a victim of identity theft was in fact the patient.
Policy 4: Disposition of Medical Record When Identity Theft Is Confirmed Purpose: To correct errors in medical records resulting from identity theft Policy: Inaccuracies in medical records resulting from identity theft will be
isolated and corrected. Procedure:
1. If it is confirmed that a patient record was created as the result of identity theft, a notation concerning the identity theft will be placed in the record. All demographic information will be removed from the record.
2. Medical records staff will determine whether any other records are linked to the record found to be created through identity theft.
3. In some cases, identity theft may involve an identity thief receiving care under the name of another person, who has been a patient. In such a case, other files relating to the patient will be reviewed and any
U. Sample Resolution Approving the Identity Theft Prevention Program
WHEREAS:
(a) Identity theft is a serious problem for businesses, consumers, and law enforcement in the United States, causing consumers to lose time and money and businesses to incur millions of dollars in losses.
(b) In response to the risks posed by identity theft to consumers and to the financial soundness of businesses, the United States Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). (c) The Federal Trade Commission (FTC), along with federal bank
regulators, adopted regulations implementing the FACT Act (the Red Flag Rules) that require creditors to adopt a written Identity Theft Prevention Program.
(d) The organization is a creditor subject to the FTC’s Red Flag Rules. (e) The organization has developed an Identity Theft Prevention Program
that identifies certain irregularities in information and documents
submitted by patients as red flags; delineates procedures for detection of red flags; and specifies actions to be taken for investigation of potential identity theft and response to findings of such investigations.
BE IT RESOLVED:
1. This board of directors approves the Identity Theft Prevention Program (the program) submitted by management.
2. The _______________________ of the organization is delegated responsibility for oversight, ongoing development, implementation, and administration of the program and shall have the responsibility to develop periodic updates to the program to reflect changes in risk to customers and to the safety and soundness of the organization.
V. Sample Training Presentation
Training for registration and patient account staff
Identity Theft
Prevention Program
What is Identity Theft
Identity theft is fraud committed or attempted by using identifying information of another person (individual or entity) without authority. Medical identity theft is a growing problem with potentially fatal results. Data taken by identity thieves can include SSNs, account numbers,
and other personal information.
Consumers are victimized by identity thieves because they have to spend time and incur out of pocket expenses to correct their personal information and repair their credit.
Businesses are victimized by identity thieves because they cannot collect amounts owed for their goods and services.
Red Flags for Identity Theft
y To help prevent identity theft, watch out for suspicious
documents:
y Insurance card that appears to be altered or forged
y Photograph on the driver’s license that does not look like the
patient
y Physical description on the driver’s license that does not match
the patient’s appearance
y Signature on the driver’s license or other documents that does
not match the patient’s signature
Red Flags (continued)
y Be alert for suspicious personal identifying information:
y The address, phone number etc. does not match existing
records
y The address given does not exist or is a PO box y The Social Security Number is invalid
y The patient refuses to provide personal identifying information
Handling Claims of Identity Theft
y If an individual claims that they did not receive services on
their bill due to identity theft, ask the person to submit the following:
y Police report
y Federal Trade Commission ID Theft Affidavit
y Similar statement including copies of his/her driver’s license or
other identification, documentation of the person’s residence address, any facts known about the identity theft, and other related information
If Identity Theft Occurred -
y Charges relating to the identity theft will be removed from
the bill
y If any adverse credit report has been made, consumer
reporting agencies will be notified of a correction
y Medical record information resulting from the identity theft
American Health Lawyers Association’s Health Information and Technology Practice Group would like to thank: Patricia King of Swedish Covenant Hospital (Chicago, IL) and Rebecca L. Williams, RN, JD, of Davis Wright Tremaine LLP (Seattle, WA) for authoring this Member Briefing ; Dina B. Ross of Dina B. Ross Law Offices (Oak Park, IL) and Gerald “Jud” DeLoss of Gray Plant Mooty
(Minneapolis, MN) for editing this Member Briefing ; and Kevin Lyles of Jones Day (Columbus, OH); and Kent B. Thurber of Davis Wright Tremaine LLP (Portland, OR) for contributing content to the Toolkit.
Disclaimer
This Member Briefing provides general information only and is not intended as legal advice. If you need legal advice, you should consult a licensed attorney in your jurisdiction. Also, the samples provided in the toolkit are not sufficient, on their own, to comply with the Red Flag Rules. They should be customized and used in conjunction with other analyses and documents to form an organization’s Identity Theft Protection Program.
1
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rules, 72 Fed. Reg. 63718 (Nov. 9, 2007).
2
Federal Trade Commission 2006 Identity Theft Report, prepared for the Federal Trade Commission by Synovate, November 2007, at page 24, available at
www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.
3
Federal Trade Commission 2006 Identity Theft Report, supra note 2.
4
Take Charge: Fighting Back Against Identity Theft, Federal Trade Commission, February 2006,
available online at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.pdf.
5
For example, the Truth in Lending Act, 15 U.S.C. § 1601 et seq., limits consumer liability for unauthorized credit card charges to a maximum of $50.00.
6
Lost in Translation: Consumers’ risk-benefit perspectives on electronically mediated healthcare initiatives, services and related issues, presentation of the World Privacy Forum for the FTC Healthcare Innovations Workshop, April 24, 2008.
7
Federal Trade Commission 2006 Identity Theft Report, supra note 2.
8
Man Stole Pal’s Identity to Pay for Bypass Surgery, Police Say, CHICAGO TRIBUNE, August 22, 2008.
9
Diagnosis: Identity Theft, BUS.WEEK, Jan. 8, 2007,
www.businessweek.com/magazine/content/07_02/b4016041.htm
10
72 Fed. Reg. at 63727.
11
HHS scheduled a “town hall meeting” on October 15, 2008 to address the topic of medical identity theft. Announcement of the meeting can be found at
www.hhs.gov/healthit/privacy/identytheft.html. 12 Pub. L. No. 106-102. 13 Pub. L. No. 104-191. 14
HIPAA requires that protected health information be protected against inappropriate uses and disclosures and its confidentiality, integrity and availability be protected.
15
Federal Trade Commission 2006 Identity Theft Report, supra note 2, at page 24.
16
Pub. L. No. 108-159.
17
15 U.S.C. § 1681.
18
72 Fed. Reg. 63718; 16 C.F.R. § 681.2, implementing 15 U.S.C. § 1681m(e). The Red Flag Rules also provide guidelines that apply to savings associations, federal credit union, issuers and