Strategies for ID Theft PreventionGoing Beyond Red Flags Compliance
At the end of last year, President Obama signed the Red Flag Program Clarification Act that re-defined the term "creditor" that's used to determine who must comply. As a result, the rule no longer automatically applies to entities that regularly permit deferred payments for goods and services, including professionals, such as lawyers and physicians, who bill clients after services are rendered.
But that doesn't necessarily mean that all physician practices, or, for that matter, hospitals, are exempt from compliance, Miller notes. The rule still applies to any organization that obtains and uses consumer reports in connection with credit transactions and furnishes information to consumer reporting agencies.
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Miller points out that healthcare organizations should:
- Work with their legal counsel to precisely determine if they must comply with the Red Flags Rule, because the issue is far from black-and-white;
- Make sure all staff members understand how to spot a fake ID or identify inconsistencies in a patient's intake forms;
- Implement identity verification technology that's appropriate to the organization's needs;
- Conduct background checks on employees;
- Provide adequate security protections for patient information.
Miller is director of operations at Kroll Fraud Solutions. A licensed investigator, he leads a team of investigators specializing in cases of identity theft and fraud.
HOWARD ANDERSON: The FTC's Identity Theft Red Flags Rule applies to organizations that serve as creditors. Late last year, President Obama signed legislation clarifying that under the rule, the term "creditor" does not apply to entities that regularly permit deferred payments for goods or services, including professionals such as lawyers and physicians who bill clients after services are rendered. Creditors that must comply are those that obtain and use consumer reports in connection with a credit transaction and furnish information to consumer reporting agencies. So, does that mean that most physician group practices do not have to comply with the Red Flags Rule? And what about hospitals?
JEREMY MILLER: Each organization is responsible for determining whether they must comply with the rule. We at Kroll recommend that they consult with their legal counsel to really determine whether or not they're legally required to comply. But with that being said, the definition of who is required to comply was significantly narrowed by the Red Flag Rule's Program Clarification Act of 2010. Specifically, the Act resulted in a more traditional interpretation of what a creditor is [based on] things like those who use consumer reports for financial transactions, those entities that report debts to a consumer reporting agency, and those who advance funds to an individual based on that person's ability to repay them. But overall, each organization must take a look at their internal processes for accepting payment and collecting funds to really determine if they're required to comply with the rule. It really has to be done on a case-by-case basis and along with legal counsel.
Red Flags Rule ComplianceANDERSON: Are there key factors that a healthcare organization should consider when determining whether they must comply with the Red Flags Rule?
MILLER: The first is, do they buy consumer reports during the normal course of their business to make decisions on providing care? Do they have to pull a report before the person can access service or get care? Do they also report unpaid debts? Or if someone defaults or doesn't pay their bill, do they report that information to a consumer reporting agency?
I think one important thing to note is that the spirit of the Red Flags Rule legislation was really to stop identity theft at the point of entry within an organization. ... And from that perspective, the recent clarification that happened in December 2010 was actually a step backwards for identity theft prevention, because identity theft that's based off of something that typically appears on the consumer report is only a fraction of the type of the identity theft that can occur. Criminal identity theft, some forms of medical identity theft, government benefit fraud and identity theft, and tax fraud are the types of identity theft that would rarely, if ever, be a part of a credit grantor or credit reporting process.
Kroll, over the years, has worked with thousands of identity theft victims, and if there's one thing that we've learned and we understand it's that if organizations across multiple industries and services do a better job of stopping identity theft at the point of purchase or the point of transaction or verification, the more effective we'll all be at stopping identity theft.
But the specific steps that are outlined in the Red Flags Rule legislation are best practices regardless of whether you're legally required to comply. Things like implementing ongoing training and conducting risk assessments - those are all meaningful things that any organization can do to put into practice.
Overlap with HIPAAANDERSON: Healthcare organizations already must comply with the HIPAA privacy and security rules. Is there much overlap between those rules and requirements and the Red Flags Rule?
MILLER: There's definitely some overlap. And I think it's important to note that HIPAA and the HITECH Act rules are really focused on privacy, while the Red Flags Rule is focused on identity theft prevention and detection programs and practices. Privacy doesn't really have much to do with knowing who your customer is or accessing an application for identifying potential discrepancies in identity. But some of the topics for training regarding HIPAA compliance and patient privacy do, and they would overlap into a Red Flags Rule awareness and training program for prevention of identity theft.
But successful Red Flags Rule implementation, regardless of whether it's a legal requirement or not, could provide consumers with safeguards by having the businesses themselves act as a checkpoint at the point of transaction to not only detect identity theft but to remain vigilant about the accuracy of the customer's information. The Red Flags Rule is intended to provide consumers with an actual preventive measure against identity theft, because a business that implements its core requirements could potentially stop it at the point of transaction.
Identity Theft PreventionANDERSON: Under the Red Flags Rule, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices, or specific activities that are known as red flags that could indicate identity theft. So should all organizations of a certain size develop identity theft prevention programs regardless of whether they must technically comply with the rule?
MILLER: Yes, regardless of the size of the organization. Identity theft occurs because fraudsters are able to convince businesses that they are who they say they are, or they're someone else. Putting a Red Flags Rule program into place will help identify acts before damage is really done to the victim. Education and awareness are key to helping fight against identity theft, and training programs can be a very cost-effective way to help reduce the chance that identity theft could occur on an organization's watch. ... And as I previously mentioned, there are some patient privacy training programs that are already in place that can be amended just a bit to start to include identity theft detection and identity theft awareness as well.
Low-Cost MeasuresANDERSON: So what are some of the key steps healthcare organizations, especially smaller ones like a small clinic, can take to prevent identity theft that won't cost them too much?
MILLER: I think awareness, understanding how identity theft can occur. Regardless of the size of an organization, they should try to educate themselves at all levels within their practice or within their corporation to understand how thieves can misuse the identity of another. It's important to also know your customer, to implement an identity verification solution that's appropriate to your business.
Healthcare is unique in that you can't turn people away who need emergency care. Sometimes there's not a lot of verification on who that person is. If there's an emergency involved, finding out who they are takes a back seat, which is as it should be. But [organizations should] understand things like knowing how to spot a fake ID. Whoever is doing intake in an organization needs to know how to spot a fake ID, or how to identify inconsistencies within a person's intake form. And then something that's a little more advanced than that is performing address or identity verification tactics with a third-party data provider, comparing what address is given to you versus an address that may be in public record. Those things can help raise red flags for any type of identity theft that may be occurring.
I think also, from a corporate perspective, it's about understanding organizational risk and understanding the information that you're asking for from an individual and how that might be misused. Doing background checks on employees is also important, because they may also participate in an identity theft act. Securing physical and electronic data and practicing data minimization - only asking for the information that you require to provide services - are important. And then, lastly, regularly train employees on data security and identity theft identification techniques.