The FACT Act
To detect identity theft at your institution/organization.
Timeline:
- November 9, 2007: Federal Trade Commission (FTC) & National Credit Union Administration (NCUA) Fair and Accurate Credit Transactions Act (FACTA)
- January 1, 2008: Effective date
- September 30, 2008: AMA letter to FTC (no we aren't)
- October 22, 2008: Delay given to May 1, 2009
- November 1, 2008: First Deadline
- February 4, 2009: FTC letter to AMA/ADA (yes you are)
- May 1, 2009: Second Deadline
- August 1, 2009: Newest Deadline
Organizational efforts:

ADA, April 30, 2009: I am very pleased to inform you that the Federal Trade Commission has issued a 90-day delay in the enforcement of its Red Flags Rule, which would have gone into effect May 1. This delay will give the ADA more time to challenge its applicability to small health care providers such as dentists.
American Medical Association, April 30, 2009: Update: The Federal Trade Commission (FTC) has delayed the compliance deadline of the Red Flags Rule until August 1, 2009. The AMA will utilize this time to convince the FTC and Congress that physicians are not "creditors" and therefore should not be subject to this rule.
Who knows?
Question #1: Are you a business or organization that is a financial institution or a creditor?
- Financial institution: bank, savings and loan, credit unions, etc.
- Creditor: Broadly, a business or organization that regularly defers payment for goods or services, or provides goods or services and bills customers later.
If so, do you have covered accounts?
Covered Account: 2 types
- An account that a financial institution or creditor offers or maintains that is at a foreseeable risk to the consumer for identity theft.
- Consumer account that is for personal, family or household purposes designed for multiple payments or transactions (credit cards, mortgages, auto loans, cell phone accounts, utility accounts, etc.).
Step 1: Identify relevant red flags.
What red flags are you likely to see in your area?
- Fake or altered ID?
- Relative's insurance card?
- Roommate's insurance card?
- Other?
*Need to develop policy and procedures that address likely methods and areas affected
Step 1 (continued)
Five Categories:
1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
2. Presentation of suspicious documents
3. Presentation of suspicious personal identifying information
4. Unusual use of, or other suspicious activity
5. Notice from the customer, victims of ID theft or LEO
Step 2: Detect Red Flags
Set up procedures to detect red flags in day-to-day operations.
- Verify identity
- Authenticate customers
- Monitor transactions
- Verify validity of address changes
Front desk? Registration? Back office? Scheduling? Others?
Step 3: Prevent and Mitigate identity theft
Develop appropriate actions when red flags are detected.
What is an appropriate response?
- Monitor accounts
- Contact customer
- Change passwords
- Close and reopen account
- Refuse to open account
- Don't collect on or sell account
- Notify law enforcement officer (LEO)
Front desk? Registration? Back office? Scheduling? Others?
Step 4: Update your program
- Must have the ability to respond to rapid changes
- Keep program current
- Monitor trends
- Educate/train appropriate areas
How do we know it is effective?
Approval of the Board, committee of the Board or senior management is needed.
- Implementation plan
- Approve important changes to the plan
- Train/educate the right people
- Address service provider arrangements
Supplemental Guidance:

Suspicious documents. Has a new patient given you identification documents that look altered or forged? Is the photograph or physical description on the ID inconsistent with what the patient looks like? Did the patient give you other documentation inconsistent with what he or she has told you, for example, an inconsistent date of birth or a chronic medical condition not mentioned elsewhere? Under the Red Flags Rule, you may need to ask for additional information from that patient.

Suspicious personally identifying information. If a patient gives you information that doesn't match what you've learned from other sources, it may be a red flag of identity theft. For example, if the patient gives you a home address, birth date, or Social Security number that doesn't match information on file or from the insurer, fraud could be afoot.

Suspicious activities. Is mail returned repeatedly as undeliverable, even though the patient still shows up for appointments? Does a patient complain about receiving a bill for a service that he or she didn't get? Is there an inconsistency between a physical examination or medical history reported by the patient and the treatment records? These questionable activities may be red flags of identity theft.

Notices from victims of identity theft, law enforcement authorities, insurers, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.
Financial institutions and creditors with covered accounts must implement a written ID theft program to:
- Detect,
- Prevent, and
- Mitigate
identity theft with existing accounts or new accounts.
Resources:
- Federal Trade Commission (FTC): http://www.ftc.gov/bcp/edu/microsites/idtheft/
- www.ftc.gov
- www.hfma.org