Raising Red Flags - 07/2009

Red Flags Rule Program Implementation in Healthcare Environment

Speaker notes:

  • ...as the billing and collections process of submitting a claim to an insurance carrier and then billing the patient for the remainder, deferring payment of his / her share of the claim until after the service was performed, includes these firms within the definition of a “creditor” organization.
    1st Extension: the FTC stated this extension was due to some confusion expressed by industries as to who was covered and what they were required to implement in order to be in compliance.
    2nd Extension
  • Section 114 – Required the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft
    - Also included special regulations for debit and credit card issuers on validating change-of-address requests
    Section 315 – Required the Agencies to issue joint regulations providing guidance on the reasonable policies and procedures a user of a consumer report should employ when receiving a notice of address discrepancy
    FACTA: Congress directed the Agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft.
  • Identifying information can include SSN, name, date of birth, ID card or ID number, biometric data
  • Much of this discussion has been led by the American Medical Association (AMA).
  • This risk assessment should be performed at least annually, during the Identity Theft Prevention Program re-evaluation, to confirm that the risk level and related information have not changed.
  • Potential Red Flags include combinations of factors that may together result in a red flag.
  • Approval is only required for the initial written version; it is left to the discretion of the organization whether approval is warranted for subsequent versions.
    What should be documented in the annual report:
    - The effectiveness of policies and procedures
    - Service provider arrangements
    - Significant incidents of identity theft and management’s response
    - Recommendations for changes in the program

Slide 1: Raising Red Flags – Red Flags Rule Compliance for Physician Offices
    July 29, 2009
    © 2009 The Hill Group, Inc.

Slide 2: Agenda
  • About Us
  • Overview of the Red Flags Rule
    - Purpose
    - HIPAA and the Red Flags Rule
    - Enforcement Timetable
    - Consequences of Non-compliance
    - Background
    - Term Definition
    - Healthcare Providers = Creditors?
  • Compliance Determination and Execution
  • Discussion on Current Practices (Q & A)

Slide 3: About Us
    Scott A. Rogerson, CISA

Slide 4: About Us
  • Management consulting firm
  • Founded in 1953
  • Headquartered in Pittsburgh, PA
  • Affiliated with several consulting firms across the United States

Slide 5: Our Services
  • Strategy
  • Operations and Process Improvement
  • Performance and Diagnostic Measurement
  • Organizational Development
  • Workforce and Economic Development Strategy

Slide 6: Our Clients Include
    Health Care Providers and Associations

Slide 7: Overview of the Red Flags Rule (section divider)

Slide 8: Purpose
  • The intent of the Red Flags Rule is to prevent unauthorized use of an individual’s, or organization’s, identity
  • This is to be accomplished through the:
    - detection,
    - prevention, and
    - mitigation of identity theft
    An FTC survey found that 4.5% (373,500) of the 8.3 million victims reporting identity theft in 2000 had experienced some form of medical identity theft.

Slide 9: HIPAA and the Red Flags Rule
  • HIPAA – Focuses on preventing data from being compromised
  • Red Flags Rule – Focuses on preventing an individual with unauthorized data from obtaining unauthorized services
    HIPAA and the Red Flags Rule are complementary, not duplicative, regulations in combating identity theft.

Slide 10: Enforcement and Consequences of Non-Compliance
  • Enforcement:
    - Initial Enforcement Date = November 1, 2008
    - 1st Extension was issued on October 22, 2008; new compliance date = May 1, 2009
    - 2nd Extension was issued on April 30, 2009; new compliance date = August 1, 2009
    - 3rd Extension was issued on July 29, 2009; new compliance date = November 1, 2009
  • Consequences of Non-Compliance:
    - Potential Audit
    - Litigation Risk

Slide 11: Background
  • The Red Flags Rule was developed by a combination of federal agencies in order to implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
  • The Joint Final Rules and Guidelines were effective as of January 1, 2008.

Slide 12: Term Definition
  • Board of Directors – Can be the Board of Directors, an appropriate sub-committee, or a designated senior management individual
  • Covered Account –
    1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.
    2. Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.
    *This includes both active and inactive accounts.
  • Creditor – A person [organization] who arranges for the extension, renewal, or continuation of credit
  • Customer – A person holding a “covered account” with the financial institution or creditor
  • Identity Theft – A fraud committed or attempted using the identifying information of another person without authority
  • Red Flag – A pattern, practice, or specific activity that indicates the possible existence of identity theft

Slide 13: Healthcare Providers = Creditors?
  • Since the initial release of the Red Flags Rule, there has been strong discussion as to whether entities within the healthcare profession should be subject to the regulation.
  • In a February 2009 rebuttal from the FTC to the AMA, it was stated that healthcare organizations would remain subject to the Red Flags Rule.

Slide 14: Compliance Determination and Execution (section divider)

Slide 15: Compliance Elements
    Four elements of compliance exist for the Red Flags Rule:
    1. Identify Red Flags for covered accounts and incorporate those red flags into the Program
    2. Detect Red Flags that have been incorporated into the Program
    3. Respond appropriately to any Red Flags that are detected, to prevent and mitigate identity theft
    4. Update the Program at least annually to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft

Slide 16: Compliance Process
    The following flow-chart illustrates the logical processes and decision-points that must be conducted for Red Flags Rule compliance: [flow-chart image not reproduced in this text version]

Slide 17: Risk Assessment
  • Conduct a risk assessment to determine the appropriate degree of complexity for the Identity Theft Prevention Program
    - Evaluate the existence of “covered accounts”, considering:
      • The methods for accepting a new patient
      • The methods for providing access to patient account information
      • Any previous experiences with identity theft
  • If it is determined that “covered accounts” do exist:
    - Identify the accounts the Program must address
    - Determine the risk level of your organization as it relates to the Red Flags Rule, considering:
      • Practice size
      • Patient mix
      • Services provided
      • Current practices and procedures
      • Previous instances of identity theft (attempted or otherwise)

Slide 18: Program Development
  • The Program must contain “reasonable policies and procedures” to fulfill the four compliance elements:
    - Identification of potential Red Flags for your organization
    - Policies and procedures for detecting attempted or successful use of an unauthorized identity by an individual
    - Policies and procedures for “responding appropriately” to potential instances of identity theft
    - Requirements for updating the Program on an annual basis to reflect changes in risks to customers and the related environment

Slide 19: Program Development (cont.)
  • The Program must:
    - Be formally documented
    - Be tailored to the entity’s size, complexity, and the nature of its operations
    - Identify the individuals / positions responsible for ensuring efficient execution
    - Be approved by the “Board of Directors” or equivalent

Slide 20: Program Implementation and Administration
  • Staff Training
  • Service Provider Oversight
  • Annual Effectiveness Reports
    - Reports must be prepared, and reviewed by the Board of Directors (or equivalent), at least annually
    - These reports should discuss material matters related to the Program’s effectiveness and any recommendations
  • Program Approval

Slide 21: Compliance Review
    There are two main areas discussed within the Red Flags Rule that will generally be reviewed to determine compliance:
    1. Design Effectiveness
      • The Program has been formally documented
      • The Program has been approved by an appropriate individual or group of individuals
      • Effectiveness reports include the appropriate items to describe the Program’s effectiveness
      • The Program is appropriate for the organization’s size, complexity, and the nature and scope of its activities
    2. Operating Effectiveness
      • All stages of the Program are being executed effectively:
        - Identify
        - Detect
        - Update (including review of effectiveness reports)

Slide 22: Discussion on Current Practices and Q & A

Slide 23: Thank You
    If you have any additional questions, please feel free to contact me:
    Scott A. Rogerson, CISA
    412-722-1111
    srogerson@hillgroupinc.com
    The Hill Group, Inc.
    2 East Main Street
    Carnegie, PA 15106-2456 USA
    www.hillgroupinc.com
