Transcript Slide 1

Rath, Young and Pignatelli, P.C.
One Capital Plaza
P.O. Box 1500
Concord, NH 03302-1500
603-226-2600
by
Lucy C. Hodder, Esquire
[email protected]
© 2009 Rath, Young and Pignatelli, P.C.
1
Slide 2
Thank you to Diane Blaha, Compliance Officer at LRGH, for her contribution to this presentation.
Diane Blaha, FHFMA
Compliance Officer
LRGHealthcare
80 Highland Street
Laconia, NH 03246
603-527-7139 Direct
603-527-7042 Fax
Slide 3: What Is Medical Identity Theft?
“Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity – such as insurance information – without the person’s knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name.”
World Privacy Forum Presentation
Slide 4: ID Theft: What We Know
Most institutions experience ID theft, with no single cause:
- 11% Intentional Theft (Hacking)
- 27% Intentional Theft (Fraud)
- 44% Accidental Loss
- 18% Incidental Theft
Medical theft: fastest growing ID theft, 300,000+ annual cases (300% growth).
“Victims of medical identity theft may receive the wrong treatment, find their health insurance exhausted, and could become uninsurable for both life and health insurance coverage….They may fail physical exams for employment due to the presence of diseases in their health record that do not belong to them.”
By Pamela Dixon, World Privacy Forum
Slide 5: Timeline of privacy and identity theft laws
[Timeline figure; the years shown are 1970, 1990, 1998, 1999, 2000, 2003, 2006 and 2008. The items on the timeline are:]
- Fair Credit Reporting Act
- Electronic Communications Privacy Act
- Children’s Online Privacy Protection Act
- Child Online Protection Act
- The Identity Theft and Assumption Deterrence Act
- California SB 168
- 11 new data breach laws, 35 total
- Red Flag Rules
- FACT Act, 44 Data Breach Laws
Slide 6: Overview of the Red Flag Rules
- What are they and why were they created?
  - FTC interested in rules to prevent ID theft by increasing protections of confidential information and tools to help consumers detect crime at an earlier stage.
- FACTA (The Fair and Accurate Credit Transactions Act) §114
  - Amended Fair Credit Reporting Act and mandated the promulgation of identity theft regulations.
Red Flag Rules – Detection, prevention and mitigation of identity theft by financial institutions or creditors.
Slide 7: Overview (cont’d)
The Red Flag Rules:
- Require a creditor to make reasonable attempts to prevent and detect theft through its Identity Theft Prevention Program and respond appropriately to mitigate the theft.
- Include guidelines on how the creditor can identify Red Flags and respond.
- Describe what a user of consumer reports must do if the user receives notice of address discrepancy.
Slide 8: Who Must Comply?
- The Red Flag rules apply to financial institutions and “Creditors” with “Covered Accounts”.
- Creditors are defined as “…any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit; or an assignee of an original creditor who participates in the decision to extend, renew, or continue credit.”
- Typically includes lenders such as banks, finance companies, auto dealers, mortgage brokers, utility companies and telecommunications companies.
- Accepting credit cards as a form of payment does not in and of itself make an entity a creditor.
Slide 9: Are You Sure Providers are “Creditors”?
- Has been interpreted to apply to any organization, including non-profits and government agencies, that defers payment (does not require payment in full, in advance or at the time of services).
- A healthcare provider will be considered a “creditor” if it regularly defers payment for services.
- FTC has said providers are creditors if they submit a claim to an insurance carrier first and then bill any unpaid amounts to the patient (recent letter to the AMA).
Slide 10: What are “Covered Accounts”?
“Covered Account” means:
- An account a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
- Any other account that the creditor offers or maintains if there is a reasonably foreseeable risk to customers or to the safety and soundness of the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
Slide 11
Deadline is November 1, 2008. FTC enforcement deferred until May 1, 2009.
Slide 12: What are Creditors Required to Do?
Overview:
- Creditors must develop and implement an identity theft prevention program (“Program”) designed to detect, prevent and mitigate identity theft in connection with Covered Accounts.
- Flexibility: The Program must be appropriate to the size and complexity of the organization. It must be written.
- Creditors must “consider” Guidelines on ID Theft Detection, Prevention and Mitigation.
Slide 13
Red Flag Guidelines are geared toward preventing financial identity theft.
Medical providers are very likely to be targets of medical identity theft.
Medical identity theft occurs when someone uses another person’s name and identity (e.g., insurance information) to obtain medical services or goods.
Slide 14: Implications of Medical Identity Theft for Providers
EXAMPLE:
- Identity theft takes a particularly nasty turn in healthcare. According to the FTC’s 2006 identity theft survey, the median amount obtained by identity thieves for all types of identity theft was $500. In contrast, physicians, hospitals, and others who provide care in good faith can find themselves responsible for thousands of dollars when the patient they have helped turns out to have stolen another’s identity. In one egregious recent example, a man needing cardiac surgery was able to get healthcare services totaling $350,000 from a local hospital, using a friend’s identity.
- Identity theft can cause substantial losses to healthcare providers. The healthcare provider probably will not find out about the identity theft until after services have been provided. An alert consumer may spot an unfamiliar entry on an Explanation of Benefits (EOB) from the consumer’s insurance company and notify the insurer. Of course, once the insurer or health plan that paid for the service learns that the person receiving it was not covered, it will demand a refund from the provider. If the consumer does not scrutinize his or her EOBs, then it is possible that the fraud will not be uncovered until the personal portion of the account is sent for collection. The individual whose identity was stolen will rightfully refuse to pay because he or she did not receive the services.
Slide 15: Implications of Medical Identity Theft for Patients
- A victim of medical identity theft has to contend with the problems common to all identity theft victims: the time, financial harm, out-of-pocket expense, and worry of placing fraud alerts, closing accounts, and replacing identification. Beyond these time and money issues, the victim also has to worry that his or her medical history can be confused with that of the thief. In the extreme, medical identity theft can prove fatal.
- A report in Business Week described the dilemmas encountered by a woman whose identity was stolen by a thief who used it to obtain surgery. After sorting out the financial claims, the victim found her problems were not over:
  When Weaver was hospitalized a year later for a hysterectomy, she realized the [identity thief’s] medical info was now mixed in with her own after a nurse reviewed her chart and said, “I see you have diabetes.” (She doesn’t.) With medical data expected to begin flowing more freely among healthcare providers, Weaver now frets that if she is ever rushed to a hospital, she could receive improper care – a transfusion with the wrong type of blood, for instance, or a medicine to which she is allergic.
Slide 16: What are Creditors Required to Do?
Initial Steps:
- Determine whether it offers or maintains Covered Accounts.
- Assign responsibility for developing the Identity Theft Program (e.g., committee with representatives from Finance, Billing, Admissions/Intake, IT, and Privacy/Compliance).
- Conduct a risk assessment of its Covered Accounts, taking into consideration:
  - the methods it provides to open its accounts;
  - the methods it provides to access its accounts; and
  - its previous experiences with identity theft.
- What is their risk for identity theft?
Slide 17: What are Creditors Required to Do?
The Program must include “reasonable” policies and procedures to:
1. Identify relevant Red Flags for Covered Accounts and incorporate those Red Flags into its Program;
2. Detect Red Flags that have been incorporated into the Program;
3. Respond appropriately to Red Flags that are detected to prevent and mitigate identity theft; and
4. Ensure the Program, including identified Red Flags, is updated periodically to reflect:
  - Changes in customer risk
  - Changes to the safety and soundness of the Creditor from identity theft.
Slide 18: FTC Quote
When identifying Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (i.e., identity theft for the purposes of obtaining medical services) and, therefore must identify Red Flags that reflect this risk. 71 Fed. Reg. at 63727
Slide 19: What is a Red Flag?
- A Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. (72 Federal Register 63755)
- Alerts from consumer reporting agencies.
- Presentation of suspicious documents.
- Presentation of suspicious personal identifying information, such as a suspicious address change.
- The unusual use of a covered account.
- Notice from customers, victims or law enforcement of identity theft.
Slide 20: Supplement A: Sample Red Flags
Alerts, Notifications or Warnings from a Consumer Reporting Agency
- A fraud or active alert is included with a consumer report.
- A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
- A consumer reporting agency provides a notice of address discrepancy.
- A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
  - A recent or significant increase in the volume of inquiries;
  - An unusual number of recently established credit relationships;
  - A material change in the use of credit, especially with respect to recently established credit relationships; or
  - An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Slide 21: Supplement A: Sample Red Flags
Suspicious Documents
- Documents provided for identification appear to have been altered or forged.
- The photo or physical description is not consistent with the appearance of the customer.
- Other information on the ID is not consistent with information provided by the person or on file, such as the signature card.
- An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
- Personal identifying information provided is inconsistent when compared against external information sources (DOB, address, SSN, SSN on Death Master File).
- Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer.
- Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources (the information is the same as that provided on a fraudulent application, e.g. the address or phone number).
Slide 22: Supplement A: Sample Red Flags
Suspicious Personal Identifying Information (cont’d)
- Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the creditor:
  - The address is fictitious, a mail drop or a prison, or
  - The phone number is invalid, or is associated with a pager or answering service.
- The SSN provided is the same as that submitted by other persons or other customers.
- The address or telephone number provided is the same as or similar to the account number or telephone numbers submitted by other customers.
- The person opening the account or the customer fails to provide all required personal identifying information.
- Personal identifying information provided is not consistent with personal identifying information that is on file with the Creditor.
Slide 23: Supplement A: Sample Red Flags
Examples of notification
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with Covered Accounts held by the Creditor.
- The Creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Slide 24: Applying Guidance to Medical Identity Theft
Samples of Red Flags indicating possible medical identity theft:
- A patient who knows his/her insurance ID number but does not produce the card.
- Complaint from a patient that a bill or EOB contains charges for services not provided, or practitioners not seen.
- Complaint from a patient about collection agency attempts to collect an unknown bill.
- Report that insurance benefits have been exhausted for a patient claiming not to have used them.
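As an added illustration of the Supplement A items on suspicious personal identifying information (shared SSN, shared address or phone, missing required information, inconsistency with the file) and the medical-specific red flags above, the following Python screens a constructed intake record against records already on file. It is example code written for this transcript, not part of the presentation or of any registration system; the Registration layout, the REQUIRED field list, the flag names and every person and identifier in it are constructed assumptions.

```python
# Added example (not from the presentation): screening a constructed patient
# registration against records already on file for Supplement A style red flags.
from dataclasses import dataclass


@dataclass
class Registration:
    name: str
    dob: str                  # ISO date; "" when not supplied
    address: str
    phone: str
    ssn: str                  # "" when not supplied
    insurance_id: str         # member ID the patient states; "" when none
    insurance_card_shown: bool = True


# Fields the intake desk requires for every new patient (assumed policy).
REQUIRED = ("name", "dob", "address", "ssn", "insurance_id")


def screen_registration(new: Registration, on_file: list[Registration]) -> list[str]:
    """Return the red flags raised by `new` when compared with records on file.
    Flag names follow the headings of Supplement A and the medical examples."""
    flags = []
    # Fails to provide all required personal identifying information.
    if any(not getattr(new, f) for f in REQUIRED):
        flags.append("incomplete_required_pii")
    # Knows the insurance ID number but does not produce the card.
    if new.insurance_id and not new.insurance_card_shown:
        flags.append("insurance_id_without_card")
    # Split the file into this patient's own record(s) and everyone else's.
    same = [r for r in on_file if (r.name.lower(), r.dob) == (new.name.lower(), new.dob)]
    others = [r for r in on_file if r not in same]
    # SSN already submitted by another person.
    if new.ssn and any(r.ssn == new.ssn for r in others):
        flags.append("ssn_shared_with_other_customer")
    # Address or phone number already submitted by another customer.
    if any((new.address and r.address.lower() == new.address.lower())
           or (new.phone and r.phone == new.phone) for r in others):
        flags.append("address_or_phone_shared_with_other_customer")
    # Insurance member ID is on file under a different name.
    if new.insurance_id and any(r.insurance_id == new.insurance_id for r in others):
        flags.append("insurance_id_belongs_to_other_person")
    # Identifying information inconsistent with what is on file for this patient.
    if any(r.ssn and new.ssn and r.ssn != new.ssn for r in same):
        flags.append("pii_inconsistent_with_file")
    return flags


# Constructed records on file (fictitious people and identifiers).
ON_FILE = [
    Registration("Alice Example", "1970-01-02", "1 Main St, Laconia NH", "603-555-0100",
                 "000-00-0001", "INS-1001"),
    Registration("Bob Example", "1985-05-05", "2 Elm St, Concord NH", "603-555-0101",
                 "000-00-0002", "INS-1002"),
]

# Constructed intake scenarios modelled on the deck's "two known cases".
CASES = {
    # Uninsured brother presents the insured brother's name, DOB and member ID
    # but his own SSN, and cannot produce the card.
    "brother": Registration("Bob Example", "1985-05-05", "9 Other Rd, Tilton NH",
                            "603-555-0199", "000-00-0099", "INS-1002", False),
    # Self-pay patient sharing first name and DOB with a patient on file,
    # omitting an SSN and quoting that patient's address and member ID.
    "self_pay": Registration("Alice Other", "1970-01-02", "1 Main St, Laconia NH",
                             "603-555-0777", "", "INS-1001"),
    "clean": Registration("Carol Example", "1990-09-09", "3 Oak St, Meredith NH",
                          "603-555-0102", "000-00-0003", "INS-1003"),
}

if __name__ == "__main__":
    for label, reg in CASES.items():
        print(label, screen_registration(reg, ON_FILE))
```

Each raised flag is a prompt for the response procedures later in the deck (call a supervisor, pause admissions, ask for additional verification), not a determination of theft on its own.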
Slide 25: Other Elements of Program
- Besides identifying relevant red flags, Identity Theft Programs must include reasonable policies and procedures to:
  - Detect Red Flags
  - Respond appropriately to any red flags that are detected
    → prevent identity theft
    → mitigate identity theft
Slide 26: Detecting Red Flags
- Possible policy and procedure:
  - Require complete identifying information for new patients (full name, DOB, address, government issued ID, insurance card, etc.)
  - Require production of photo ID for all patients
Slide 27: Detecting Red Flags (cont’d)
- In designing the Program, hospitals must be careful to ensure compliance with other applicable laws.
- EMTALA requires provision without delay of medical screening and stabilizing treatment for emergency medical conditions.
- This will affect policies dealing with access to patient identifying information.
Slide 28: Detecting Red Flags (cont’d)
Driver’s License Policy:
- Should providers simply check picture ID?
- Or scan it?
- Remember, storing additional personal information can increase risks of identity theft (insiders).
- New Hampshire law prohibits copying and scanning of photo licenses in such a way that it could be mistaken for a valid license. RSA 263:12
- Department of Safety says it is permissible to copy licenses, with permission of the patient, if the reproduced versions are suitably marked so they would not be mistaken as a license or reproduction.
Slide 29: Responding to Any Red Flag That is Detected
- Providers need policies and procedures to address preventing and mitigating identity theft if a red flag is detected.
- Examples
  What if the patient’s ID is suspicious? (Photo does not match, document looks altered or forged.)
  Possibilities:
  - call supervisor
  - stop admissions process
  - require applicant to provide additional satisfactory information to verify identity
Slide 30: What are Creditors Required To Do?
Mitigation – some examples:
- Track vulnerability
- Notify victim – when?
- Report to Law Enforcement – when?
- Place billing account on hold
- Correct billing records
- Correct medical records (“Jane or John Doe” extraction)
- If PHI disclosed, must this be accounted for?
Slide 31: What are Creditors Required To Do?
Jane or John Doe File Extraction (cont’d)
- Health information managers may be familiar with this concept.
- If fraud or medical identity theft can be substantiated, the victim’s file is purged of all information that was entered as a result of the fraudulent activity, and is left with a brief cross-reference and explanation of the deletion. (Retraceable audit trail.)
- Important because the fraudulent activity can introduce errors into the victim’s file, which can be medically significant.
- If the thief is unknown, fraudulent information is removed and held separately; if the thief is known, the purged information can be filed under his/her name.
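A constructed model of the Jane or John Doe extraction described above, added here as an example rather than taken from the presentation or from any health information system: the fraudulent entries leave the victim's file, a brief cross-reference stays behind, both files get audit lines, and the purged entries land under the thief's name when known and under "John/Jane Doe" otherwise. The record layout, function names, reviewer, dates and clinical text are all assumptions.

```python
# Added example (not from the presentation): a constructed model of the
# "Jane or John Doe" file extraction, with the cross-reference and audit trail
# the slide describes. Record layout and function names are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    entry_id: str
    recorded: str   # date the entry was made (constructed)
    text: str       # clinical or billing content


@dataclass
class PatientFile:
    patient: str
    entries: list[Entry] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)


def extract_fraudulent_entries(victim: PatientFile, fraudulent_ids: set[str],
                               thief_name: Optional[str], reviewer: str,
                               when: str) -> PatientFile:
    """Purge substantiated fraudulent entries from the victim's file, leave a
    brief cross-reference explaining the deletion, and return the separate file
    that now holds the purged entries: under the thief's name if known,
    otherwise under "John/Jane Doe"."""
    missing = fraudulent_ids - {e.entry_id for e in victim.entries}
    if missing:
        # Refuse to proceed rather than leave an audit trail that claims
        # entries were removed when they were never in the file.
        raise ValueError(f"entries not in victim file: {sorted(missing)}")
    holder = PatientFile(thief_name or "John/Jane Doe")
    kept = []
    for e in victim.entries:
        if e.entry_id not in fraudulent_ids:
            kept.append(e)
            continue
        holder.entries.append(e)
        holder.audit_log.append(
            f"{when} {reviewer}: {e.entry_id} moved in from file of {victim.patient}")
        victim.audit_log.append(
            f"{when} {reviewer}: {e.entry_id} removed as identity-theft related; "
            f"now in file '{holder.patient}'")
    # The victim's file keeps a short cross-reference in place of the purged entries.
    kept.append(Entry(f"XREF-{when}", when,
                      f"{len(holder.entries)} entries removed after substantiated medical "
                      f"identity theft; held in file '{holder.patient}'. Reviewer: {reviewer}."))
    victim.entries = kept
    return holder


def run_demo(thief_name: Optional[str] = None) -> tuple[PatientFile, PatientFile]:
    """Build a constructed victim file (fictitious content), purge the two
    entries that resulted from the thief's visits, and return (victim, holder)."""
    victim = PatientFile("Jane Victim", [
        Entry("E1", "2008-02-10", "Annual physical; no chronic conditions noted"),
        Entry("E2", "2008-06-03", "Type 2 diabetes diagnosed; metformin started"),
        Entry("E3", "2008-06-20", "Inpatient cardiac procedure; claim submitted"),
    ])
    holder = extract_fraudulent_entries(victim, {"E2", "E3"}, thief_name,
                                        reviewer="HIM reviewer", when="2009-03-01")
    return victim, holder


if __name__ == "__main__":
    v, h = run_demo()
    print([e.entry_id for e in v.entries], h.patient, [e.entry_id for e in h.entries])
    print(*v.audit_log, sep="\n")
```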
Slide 32: What are Creditors Required to Do? (cont’d)
Other Obligations
- Obtain approval of the initial Program from the Board or an appropriate committee of the Board.
- Implement the Program and provide for its continued administration.
Slide 33: What are Creditors Required to Do? (cont’d)
Continuing Obligations
- Involve the Board or an appropriate Board committee or designated senior management official in oversight, development, implementation, and administration of the Program. Report at least annually.
- Train staff to implement the Program.
- Ensure the Program is updated periodically.
- Oversee service provider arrangements to ensure they incorporate adequate Red Flag protections for the Creditor’s Covered Accounts.
Slide 34: HITECH Changes to HIPAA
HIPAA will apply directly to business associates (service providers).
Business associate agreements will have to be updated.
Consider including any necessary red flag provisions in BAAs?
Slide 35: Two Known Cases
1. Uninsured brother uses insured brother’s identity.
2. Self-pay patient with two common data elements:
  - DOB
  - First name
  Exceptions or suspicious information:
  - SSNs
  - Last names
  - Addresses
  - Another person’s insurance information
  - Used several providers within regional location
Slide 36
1. What are the real risks of non-compliance?
2. Should we do this internally?
3. What are my peers doing?
4. What is too much versus the right amount of time and resources for the organization to devote to ID theft compliance?
Slide 37: New Procedures vs. Patient Stress
- You see it every day!
- Economic factors
- Work demands/stress
- Insurance coverage issues
- Sickness
- System pressures
- Fear
- Family dysfunction
Slide 38: Employer Responsibility to Prevent Patient Violence
- NH employers do not have a general duty to protect their employees from third party criminal acts even when the criminal act occurs in the workplace.
- BUT an employer DOES have the responsibility to protect an employee from known dangers.
- NH Case – Employee came to work on a day off in violation of company policy and confronted a co-employee about having an affair with his girlfriend. Supervisor asked them both to leave. Situation worsened and supervisor learned one employee had a loaded gun. Never called the police. Altercation resulted in shooting and suicide.
Slide 39: OSHA
- More assaults occur in the healthcare and social services industries than any other, according to OSHA.
  http://www.osha.gov/SLTC/workplaceviolence/recognition.html
- OSHA applies the general duty of care standard – employers are required to protect employees and take proper precautions.
Slide 40: When are Patients Stressed?
- 43% of adults suffer negative effects of stress and over half of visits to doctors are to treat stress related ailments.
- When patients don’t have the money to pay.
- When patients can’t schedule a visit or talk to the physician.
- When patients can’t get the medication they want.
- When a patient isn’t getting better.
Slide 41: How to Improve Patient Contact
- Assess with safety team points of contact
  - Scheduling
  - Medications
  - Payments
  - Follow-up
- When do points of contact become stressed?
- What factors can alleviate stress?
- What resources are available to deal with problems?
- Ask patients for solutions
Slide 42: How to Deal With a Threatening Patient?
- Have a safety program!
  - NH law requires employers with 5 or more employees to have a Joint Loss Management Committee.
  - Employers with 10 or more must file a Written Safety Program biennially.
- Use your safety committee!
- Assess your workplace for hot button areas: money, public areas, staffing levels, access points.
- Train your staff.
- Support your staff.
- Run a “fire” drill.
Slide 43: Privacy Protections
- HIPAA Security Rule requires a practice to protect the confidentiality and integrity of any Electronic PHI that it maintains, creates, receives or transmits AND
- Encryption may be “reasonable and appropriate” for certain identifying information
  - To implement various security standards
  - Must guard against unauthorized access to EPHI
- New HIPAA laws require accounting upon request of all disclosures made electronically
Slide 44: Is Encryption “Reasonable and Appropriate?”
- Rule requires the practice to assess what safeguards are appropriate and document the assessment process.
- Is encryption reasonable and appropriate?
  - What is the size of your practice?
  - What are your technical capabilities?
  - What are the costs?
  - What are the risks of disclosure?
Slide 45: Develop a Policy on Electronic Communication
- State scope of e-mail use, i.e., scheduling a visit, billing question, new patient information, Rx refills
- Include disclaimer regarding questions about individual care or treatment
- Include notification that information is not encrypted
- Include authorization/consent
- Warn to call if no response within 24 hours
- Provide contact name and numbers for questions
Slide 46: Patients Seeking Medication
- High risk of threats and violence.
- Ethical Guidelines: “If the patient is determined to be at high risk for medication abuse or have a history of substance abuse, the physician may employ the use of a written agreement between physician and patient outlining patient responsibilities.”
- Use patient medication contracts.
Slide 47: Why Might You Terminate a Patient?
- Refuses to cooperate
- Patient not paying bills
- Unruly and obnoxious to the extent that care is compromised
- Behavior endangers staff!!
- Harassing providers or staff
- Is engaging in behavior indicating identity theft
BUT be aware of EMTALA
Slide 48: Medical Ethics
- Can terminate – CANNOT abandon
- AMA Code of Ethics: “Physicians have an obligation to support continuity of care for their patients. While physicians have the option of withdrawing from a case, they cannot do so without giving notice to the patient, the relatives, or responsible friends sufficiently long in advance of withdrawal to permit another medical attendant to be secured.”
- Physicians may not refuse to care for a patient based on race, gender, sexual orientation, or any other criteria that would constitute invidious discrimination.
- Physician should respond in cases of emergency.
Slide 49: How Do You Do It?
- If possible, have the patient agree to transfer care.
- Review medical records to determine status of care.
- Notify attending physicians.
- Give reasonable notice to the patient including the date services will end.
- Provide appropriate referral information.
- Explain how you intend to provide records to future providers.
- Send certified mail.
Slide 50: Red Flag Rule Resources
AHA Red Flag Rule Resources:
http://www.aha.org/aha/advocacy/compliance/redflags.html
http://www.hfma.org/hfm/2009archives/month03/HFM0309InsideIT.htm
Federal Register:
http://www.aha.org/aha/content/2008/pdf/08redflagsrule.pdf
Slide 51
Lucy C. Hodder
Rath, Young, Pignatelli, P.C.
One Capital Plaza
P.O. Box 1500
Concord, NH 03302-1500
603-226-2600
www.rathlaw.com
[email protected]