
FTC’s Red Flags Rule: Understanding and Meeting Compliance Expectations

October 2008

Lawrence Hughes, AHA Assistant General Counsel, Advocacy and Public Policy

Presentation Topics

• Clarify what the Red Flags Rule is and is not
• Provide insights into the FTC’s expectations for compliance and strategy for enforcement
• Offer some suggestions for how to get started with compliance

Red Flags Rule - Overview

• Related set of rules concerned with preventing and detecting identity theft
• Two in particular are most likely to affect hospitals:
  - “Creditors” with “covered accounts” must develop a written identity theft prevention program
  - Users of consumer reports must respond to address discrepancy notices from a consumer reporting agency

Application to Hospitals

• Hospitals are likely to meet the rule’s broad definition of “creditor” and have patient accounts that fall within the scope of “covered accounts”
• Key aspect of the definition is “Do you provide service for which you defer payment?”
  - Most hospitals do

Application to Hospitals (cont.)

• Many hospitals use consumer reports in their financial assistance processes
• Requirement is more about accuracy than about identity theft
  - Key question is whether the report really is about the individual it purports to be about
• Not covered further in this presentation

Red Flags Rule Is . . .

• Risk-based
  - What are the risks to your patient accounts?
• Flexible
  - Programs must be tailored to the size and complexity of specific organizational operations
  - E.g., small providers that know all their patients by sight may run little risk of identity theft and may have a very simple policy

Red Flags Rule Requires . . .

• Reasonable response when a warning sign is present/detected
  - Is it just clerical error?
  - Consider the impact of other laws on the appropriate response, e.g., EMTALA, HIPAA’s restrictions on sharing PHI
  - Is individual breach notification required?
  - Do we have to offer credit monitoring services?
• Periodic assessment to identify new and emerging risks (“red flags”) and how to respond to them

Red Flags Rule Is NOT . . .

• Specifically or solely about technology
  - Rather, it is principally about processes and procedures, behavior change
• Requirements for data security or a mandate for specific responses to a data security breach
  - Requires recognizing and responding reasonably and appropriately to warning signs/suspicious activities that suggest potential identity theft
  - HIPAA privacy and security requirements complement, but do not specifically address, the same issues

FTC’s Approach

• Key term is Reasonable
• The FTC expects that hospitals will:
  - Undertake a risk assessment
    - What are the risks to your organization and its specific types of patient accounts?
    - Cannot rely on some generic list of risks
  - Have a written policy
    - Reasonable practices for identifying and responding to signs, suspicious activities/behaviors, patterns, practices that suggest potential cases of identity theft

FTC’s Approach (cont.)

• The FTC expects that hospitals will:
  - Obtain board approval of the initial written policy
  - Put the policy into actual practice within the organization
    - Whether the organization actually does what its policy says it does will be a key consideration in any eventual FTC review
    - You can’t have just a generic policy or rely on a template policy you just stick on the shelf

FTC’s Approach (cont.)

• The FTC expects that hospitals will:
  - Periodically review and revise policies
    - Identify and respond to new and emerging signs, suspicious activities/behaviors, patterns, practices

FTC’s Jurisdiction

• FTC has asserted – and, in the context of this rule, continues to assert – jurisdiction over not-for-profit and government hospitals
• Hospitals are subject to the FTC’s jurisdiction when they are engaging in activities that a for-profit entity would engage in
  - “[w]here they defer payment for goods and service” – see FTC’s July Guidance “New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft”
• Bottom Line: Industry best practice; benefits the hospital’s billing operations and patients

FTC’s 10/28 Announcement

• Compliance deadline remains November 1, 2008
• FTC will suspend enforcement until May 1, 2009
  - Additional time to develop and implement written identity theft prevention programs
• Does NOT affect enforcement of:
  - Nov. 1 compliance deadline for institutions subject to oversight by federal agencies other than the FTC (banking, financial services)
  - Requirement for users of consumer reports to respond to address discrepancy notices from a consumer reporting agency
    - Nov. 1 is still the compliance deadline
    - Includes hospitals
• FTC’s announcement can be found at http://www.ftc.gov/opa/2008/10/redflags.shtm
  - Read Text of the FTC Enforcement Policy (link at right-hand side of the Web page)

FTC’s 10/28 Announcement (cont.)

• Bottom Line for Hospitals: Make a good faith effort to comply as soon as possible

Compliance Expectations

• FTC does not expect your organization to spot every case of identity theft or apprehend every identity thief
  - That’s practically impossible
  - FTC recognizes that your organization is primarily a health care provider, not an investigatory/detective/law enforcement agency
• Key operational concept is “could indicate” identity theft
  - Not every sign or pattern, when investigated, will show that identity theft is occurring or has occurred (e.g., documentation mistakes, keystroke/data entry errors, merged records)

FTC’s Enforcement Strategy

• NOT viewed by the FTC as an opportunity for GOTCHA
  - Are you making reasonable progress toward compliance?
  - Example: You have a written policy but are awaiting your next board meeting – which does not convene until next quarter – for approval
• Don’t use this as an excuse for delay or, worse yet, doing nothing
  - A warning from the chief of the FTC division in charge of the program: If next year at this time you’ve done nothing, there may be a real problem

FTC’s Enforcement Strategy (cont.)

• FTC enforcement through “industry sweeps” to check compliance
  - Responsible for compliance of lots of organizations in many different fields
  - Likelihood of an immediate focus on health care is low
  - FTC aware that health care organizations (among others) only recently learned about the Rule’s application; this led to the 10/28 announcement of the enforcement delay
• Again, this should not become an excuse for delaying your organization’s efforts to comply

Other Enforcement

• NO private right of action
• State attorneys general have enforcement authority under the Rule
  - Likely to follow an FTC investigation/imposition of sanctions
• State consumer protection laws may be a source of an individual right of action

A Proper Perspective

• Good business practice for hospitals
• It’s about protecting your patient accounts and your patient relationships
• Warning: If you don’t do it, there are likely to be additional requirements imposed from the outside
  - Proposals (more onerous) currently pending at federal, state levels

How To Get Started

Compliance required by November 1, 2008

Step 1: Read the Rule

• There is no substitute here, and you may have to read it multiple times!
• Pay particular attention to Appendix A and its supplement (beginning on page 63773)
  - Appendix A includes guidelines intended to assist organizations in developing and structuring their programs
  - FTC has specifically said all organizations need to consider these carefully
  - Supplement lists 26 potential red flags
    - NOT all may be applicable to health care providers, but they are a great starting point for understanding what red flags to consider, incorporate, respond to
• Final rule published in the Nov. 9, 2007 Federal Register
  - Copy posted on AHA’s Web site at www.aha.org/redflags

How To Get Started

Step 2: Assemble Your Team

• Consider who within the organization should be part of the implementation team
  - Remember it’s not just an IT issue; BUT IT professionals will - and should - be involved
  - Who’s integral to making the program work on a daily basis: billing and financial services, admissions, privacy, security, patient care, risk management, compliance, legal counsel

How To Get Started

Step 3: Inventory Current Practices and Procedures

• Many hospitals already have processes and procedures in place to detect and respond to cases of potential identity theft
  - Seriously, write them down! It’s a good start in crafting your policy
  - Consider: What’s already working? What might need to change to be more effective? What’s missing?
• What you do must be based on an assessment of the real risk your organization faces with regard to its patient accounts
  - What risks have you already had to address?
  - What risks have your peer organizations seen?
  - Consider multiple sites, locations within your organization
  - Consider outside service vendors (e.g., credit/collection agency activities)

How To Get Started

A word on using sample policies

• May be appropriate to start with a sample policy
• However, the regulation requires that the identity theft program be appropriate for the organization’s size and complexity and the nature and scope of its activities
• Therefore, each organization must adapt any sample document to address the specific risks it faces and to ensure an appropriate and reasonable organizational response to them

AHA’s Sample Policy

• Developed in cooperation with our outside counsel Hogan & Hartson LLP
• Hospitals can use it as a first step in developing their written identity theft programs
  - AHA’s sample policy is NOT intended to substitute for responsible legal advice
  - Hospitals should examine the sample document as part of a comprehensive risk assessment
• Available on the AHA Web site at www.aha.org/redflags

Hospitals’ Primary New Obligations

• Under the new rule, hospitals’ primary new obligations are likely to be twofold:
  - Systematizing policies in a consolidated written format
  - Obtaining board approval of the initial written policy
    - Only applies to the initial policy

Reminder

• Rule requires periodic reassessment of risks and, if appropriate, revision of policies and practices
  - Build that into your policy and program from the start
  - Specifically charge someone within the organization with responsibility for maintaining and updating your policies and program
  - Always ask what new risks might be out there
    - Keep up-to-date with the FTC’s Web site on identity theft
    - Consider reports from consumer organizations
    - Listen to news coverage – identity theft is an issue of intense current interest in the media
    - Again, not all may apply directly to health care providers

Note on HIPAA Privacy

• Patients’ frequent complaint: Can’t get access to my records when I suspect I’m the victim of identity theft
  - Patients report that hospitals cite HIPAA as the reason
• Patients’ rights under HIPAA:
  - To access his/her medical records, and
  - To request changes to their records
• Why HIPAA probably isn’t a barrier:
  - It’s the patient’s information
  - It’s an incidental disclosure, at most
  - It probably involves deidentified data
• Remember when developing your policies and practices: It’s always about your relationship with your patients

Resources

AHA Red Flags Rule issue Web site found at www.aha.org/redflags