Medical Providers: Are Your "Red Flags" Ready To Fly By November 1, 2008?

Hospitals and other medical care providers may be dangerously unaware that they have a looming deadline for compliance with complex new federal regulations. These "Red Flag" rules require the adoption and implementation of a broad identity theft prevention system by November 1, 2008.

Why Medical Care Providers?

The Red Flag rules were easy for medical care providers to overlook because they were adopted under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), a statute generally intended to extend and update the Fair Credit Reporting Act. Moreover, these rules were issued jointly by various federal agencies that regulate financial institutions, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Trade Commission (FTC
), and thus appear to be directed at banks, mortgage lenders, and other traditional creditors. But they are not so limited, because the Red Flag rules define "creditor" very broadly, and even health care providers may need to comply.

Under the Red Flag rules, a creditor is "any person or business who arranges for the extension, renewal, or continuation of credit" with a "covered account." An account is defined as a continuing relationship with a creditor to obtain a product or service and includes deferred payments for services or property. A covered account is: (1) an account primarily for personal, family, and household purposes that involves or is designed to permit multiple payments or transactions; and (2) any other account (including an account for business purposes) for which there is a reasonably foreseeable risk to customers, or the safety and soundness of the creditor, from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Health care providers may satisfy these definitions in various ways. Most health care providers extend credit to at least some patients by offering them extended payment plans. Some may also extend credit to employees, and hospitals often extend credit to physicians through income guarantees and recruitment loans.

What Are the Red Flag Requirements?

The Red Flag rules require a creditor to develop and implement a written program that has reasonable policies and procedures for detecting, preventing, and mitigating identity theft. The program must enable a health care provider to:

- Periodically determine whether it offers or maintains a covered account
- Identify relevant patterns, practices, and specific forms of activity that are Red Flags signaling possible identity theft
- Detect when such Red Flags are occurring in the entity's business activities
- Respond appropriately to any Red Flag that is detected to prevent and mitigate identity theft
- Ensure the program is updated periodically to reflect changes in risks from identity theft

Identity theft means, "a fraud committed or attempted using the identifying information of another person without authority." Identifying information means any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: Social Security Number; date of birth; official state- or government-issued driver's license or identification number; passport number; alien registration number; unique biometric data; unique electronic identification number, address, or routing code; or telecommunication identifying information or address device, and so forth. Thus, under the Red Flag regulations, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of identity theft.

Indicators of possible risk of identity theft include precursors to identity theft such as "phishing" (using enticing e-mail masquerading as legitimate communications to bait the consumer into revealing sensitive information), "vishing" (using voice communications and con-artist trickery to gain access to private personal and financial information), and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. It may involve the exhaustion of lifetime benefit limits, duplicate services, fraudulent reimbursement or insurance submissions, or discrepancies in information collected at the time of providing services. In order to properly define and implement their Red Flags program, health care organizations must learn lessons from others, keeping abreast of the identity theft environment and tapping sources such as literature and information from credit bureaus, financial institutions, other creditors, designers of fraud detection software, and their own prior experience.

A health care organization's board of directors (or other governing body
) also must become involved in its Red Flags program. Each entity that is required to implement a program must: (1) obtain approval of the initial written program from either its board of directors or an appropriate committee of the board of directors; and (2) involve the board of directors, an appropriate committee, or a designated employee at the level of senior management, in the oversight, development, implementation, and administration of the entity's program.

The potential responsibilities of health care providers under the Red Flag rules touch on other regulatory compliance issues that require careful consideration. Further, the regulations require many additional actions in time to meet the November 1, 2008 deadline. As burdensome as these new rules may seem, they do serve important business and compliance purposes, and carry potential sanctions for failure to comply. We will be addressing some important additional regulatory compliance issues and action items in a subsequent Legal News Alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Lawrence Conn
Foley & Lardner
321 N. Clark, Ste. 2800
Chicago Illinois, 60610
UNITED STATES
Tel: 3128324734
Fax: 3128324700
E-mail: jbrumbaugh@foley.com
URL: www.foley.com

(c) Mondaq Ltd, 2008 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com