Effective May 1st 2009, the Federal Trade Commission enacted a new rule requiring all creditors to implement written policies aimed at curbing identity theft. According to the rule, any medical practice that extends, renews, or continues credit for a patient (e.g. billing a patient for services rendered) is subject to the “Red Flags Rule”, regardless of whether you first bill an insurance carrier.
However, the Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.
In order to comply, you must develop a written program that allows you to identify relevant red flags, detect red flags as they occur, and prevent and mitigate identity theft. In addition, you should be able to update your program periodically.
The program must spell out how your red flags plan will be administered and be appropriate to the size and complexity of your practice.
What is a “red flag”?
A red flag is anything that could alert your practice to suspicious activity that might be indicative of identity theft. The FTC guidelines indicate four warning sign categories:
- Alerts, notifications, or warnings from a consumer reporting agency.
- Suspicious documents.
- Suspicious personal identity information.
- Suspicious activity relating to a covered account or notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.
How are “red flags” detected?
With a medical practice, red flags may be detected when you verify a patient’s identity, review medical records, verify insurance forms, or receive alerts or information of suspicious activity from outside agencies.
How do I prevent and mitigate identity theft?
You must develop a written program that includes appropriate responses to red flags. Among the required actions are increased monitoring of accounts, contacting the payer, contacting law enforcement, changing account numbers to prevent misuse, or a combination of the above measures. Preventive action may also be required if there has been a breach, or attempted breach, of your database.
The program must include appropriate staff training and a means of ensuring compliance. If you use an outside person or group to perform services on your accounts, you must also take steps to ensure that their activities are conducted using a reasonable identity theft program. This could be done via a written contract with the provider or by amending an existing HIPAA Business Associate Agreement.
Although the FTC requires that you update your program “periodically”, your program should specify that it will be updated when the methods of identity-theft threats change, or new risks or trends develop.
Finally, many states have their own rules that must also be considered and implemented as part of your overall identity-theft program. Violations can subject your practice to significant civil monetary penalties.
To help entities that have a low risk of identity theft – such as businesses that know their customers personally – the Federal Trade Commission has created a template that guides such businesses and organizations in developing written identity theft prevention programs to comply with the Red Flags Rule. “Create Your Own Identity Theft Prevention Program: A Guided 4-Step Process,” is available at www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm.
The template has guidance and instructions that enable companies to complete and print the fill-in-the-blank form online. Under the Fair and Accurate Credit Transactions Act of 2003, the Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program to detect the warning signs (“red flags”) of identity theft. By identifying red flags, these entities will be in a better position to spot an imposter trying to defraud them by using someone else’s identity to get products and services.
The fact that insurance underwriters are releasing software tools to help companies calculate the potential costs of a data breach means they are on a mission to increase awareness of the problem’s magnitude. Their mission is well founded, as there is a spiraling number of data breach occurrences with an average cost to the business of $197 per breached customer record – not to mention lost business. (Note: the medical industry is a prime target due to the amount of data held per patient.)
Cyber liability insurance can be effective in covering some of the exposures and risks, but other risk management measures are needed. One such measure being embraced by underwriters (and their attorneys) is data breach incident response training. If the inevitable data breach occurs, preparing key staff members on how to respond to the breach is critical for containing related losses.
Potential members of such a team include an incident response manager, legal counsel, network systems architect, IT manager, chief financial officer, chief marketing officer, information security officer and risk compliance manager. Additionally, an organization might also want to include representatives from an investigative/fraud firm and a data breach communications firm.
The team should develop a “Data Breach Response Planning Workbook” that, like any emergency plan, delineates specific tasks, responsible parties and related timelines for completion. Incident response forms and templates should also be included, as well as reference information and website links to privacy laws, industry data breach standards and data breach precautions. Note that the medical industry has specific reporting requirements relating to the Health Insurance Portability and Accountability Act (HIPAA).
The plan also needs to incorporate a range of federal privacy requirements relating to the Fair Credit Reporting Act (107) and Privacy Act of 1974, the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), and the 2003 Fair and Accurate Credit Transactions Act (FACT).
Experts in data breach management suggest that a company give serious consideration to implementing a training program that includes a mock breach and maintaining annual reviews of the workbook and plan.
When it comes to data breaches, “failure to plan is a plan for failure”. As our world becomes more tech-dependent, cyber attacks and consequential data breaches will become more pervasive.
For more information on cyber insurance and risk management strategies, contact RGI Insurance Services at 1-800-852-8872 or visit us at http://www.rgiinsurance.com/.