In response to the growing number of identity thefts Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA was enacted to help prevent identity theft, both personal and medical, and was designed to supervise the personal confidential financial information that is generated in consumer transactions.
Medical identity theft is a fast-growing crime, and some reports estimate that between 250,000 and 500,000 patients have been victims of medical identity theft. Medical identity theft occurs when an individual uses the personal identification information of another to obtain medical services, prescriptions, or other medical goods. The thief receives medical services or goods for conditions that the victim never had. Many times a patient’s medical records are forever altered or tainted, which may result in the administration of incorrect medical care by a provider when that provider relies on the patient’s false medical records.
FACTA required the Federal Trade Commission and other government agencies to develop unified regulations and guidelines in order to identify, detect, mitigate, and protect against identity theft. Thus, in an effort to enforce FACTA and provide further guidance, the Federal Trade Commission (FTC) issued its Red Flag Rules in accordance with FACTA in November 2007. Any business that allows its customers to defer payment for goods or services must comply with the Red Flag Rules.
In late summer, the FTC clarified that it believes FACTA would apply to health care providers. The FTC believes that health care providers who do not require full payment the day services are rendered are subject to the Red Flag Rules. The Red Flag Rules required those providers to implement a written Identity Theft Prevention Program (the “Program”) by November 1, 2008. On October 22, 2008, the Federal Trade Commission announced that it will suspend its enforcement of the new “Red Flag Rules” until May 1, 2009 to give certain types of creditors (which includes health care providers) additional time to develop and implement their written Identity Theft Programs. While the rules still require businesses to have the plan in place, the announcement by the FTC means that the FTC will take no enforcement action against a business that has not fully implemented the plan until after May 1, 2009. The Program must be designed to identify, detect, prevent, and mitigate identity theft. Simply put, the Red Flag Rules place responsibility on the provider to ensure the accuracy of patient identification.
In order to implement the Program, the provider must identify his or her covered accounts. A “covered account” is basically any patient account that permits a patient to make payments over time. These include patient medical records. The provider must asses the risk of possible patient identify theft, including relevant Red Flags, associated with each covered account. The provider must provide education and training to his or her staff on identifying and detecting Red Flags, promptly reporting Red Flags, and appropriately responding to Red Flags to ensure the continued security and accuracy of patients’ medical identities. Finally, each provider must appoint a Compliance Officer to be responsible for the implementation, continued administration, and oversight of the Program.
The FTC is authorized to bring enforcement actions in federal court for those health care providers that knowingly violate FACTA. FACTA allows the FTC to enforce penalties of up to $2,500 for each violation of the Red Flag Rules. These violations include ignoring alerts from consumer reporting agencies or failing to respond appropriately to suspicious documents, suspicious personal identifying information, or the unusual use of or suspicious activity related to a covered account. Additionally, FACTA authorizes each state to bring an action on behalf of a resident victim of medical identity theft and may recover actual damages of up to $1,000 for each violation, attorneys’ fees, and in some cases, punitive damages.
Even if no government enforcement action is taken, your practice may be at risk to patients in private lawsuits. The recent Ohio case of Hurchank v. Swayze held that a physician can be liable for damages to a patient when the patient’s identity was stolen because of the failure to prevent access to private information in a medical record.
Providers that are subject to FACTA must implement a written Identity Theft Prevention Program by November 1, 2008. The good news for providers is that the Program can be integrated into the provider’s existing HIPAA Security Plan and extend the actions already taken under the HIPAA Security Plan to cover the additional elements now required by the Red Flag Rules. Because most, if not all, providers are already in compliance under HIPAA, the additional rules can be implemented relatively quickly to satisfy the deadline of November 1, 2008. We have developed a short version compliance plan that can be quickly integrated into your practice compliance program.
Article by Scott P. Sandrock and Amanda L. Waesch taken from Stark County Medical Society's Newsletter