It's a fact. Under a 2003 law called FACTA (Fair and Accurate Credit Transactions Act), healthcare organizations will soon be required to have in place a policy on identity theft.
A June 2008 Federal Trade Commission Business Alert has helped draw attention to FACTA's Nov. 1, 2008, deadline by which affected businesses are to have identity theft programs in place. While the law's focus is on financial institutions, it includes the catch-all phrase "any other person that holds a 'transaction account' belonging to a consumer."
It would be difficult to question the necessity of this little-known law and its implementing regulations, which require hospitals and other healthcare organizations to recognize in policy their role in fighting identity theft. In just the few days before my writing of this column, there were news reports indicating the scope of the problem:
- "U.S. Indicts 11 in Global [my emphasis] Credit-Card Scheme" in the Aug. 6 Wall Street Journal reported on perhaps the most disturbing account of computer hacking to date, possibly affecting more than 40 million credit card accounts.
- "Countrywide Insider Stole Mortgage Applicants' Data, FBI Says" in the Aug. 2 Los Angeles Times talked about the theft and sale of the personal information of as many as 2 million mortgage applicants at Countrywide Financial Corp.
Key Regulations: The Red Flags Rules
Although FACTA doesn't target the healthcare industry, it is clear hospitals and other healthcare organizations that collect huge amounts of identifying personal information must address identity theft for the protection of their customers, as well as the enterprise. Business accounts are also being attacked.
More than one set of regulations has emanated from the law, but healthcare organizations have perhaps the greatest stake in the one titled "Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003," which was issued in final form on Nov. 9, 2007. Anyone still questioning the scope of the identity theft issue need only look at the list of federal agencies that jointly issued this set of rules and accompanying guidelines: Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve; Federal Deposit Insurance Corporation; the Office of Thrift Supervision; the National Credit Union Administration; and, of course, the Federal Trade Commission.
These agencies call the November regulations the Red Flags Rules because they establish the requirement that each affected entity have a program "to detect, prevent, and mitigate identity theft" and to "incorporate into its program relevant indicators of a possible risk of identity theft (Red Flags)." Or as the FTC says in its June 2008 Business Alert, the businesses' policy "must provide for the identification, detection, and response to patterns, practices, or specific activities, known as 'red flags,' that could indicate identity theft."
The June Business Alert also sums up the key points of the regulations:
- The Red Flags Rules apply to "financial institutions" and "creditors" with "covered accounts."
- A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
- Where nonprofit and government entities defer payment for goods or services, they, too, are to be considered creditors.
- A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions.
Under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects warning signs of identity theft, including:
- Unusual account activity
- Fraud alerts on a consumer report
- Attempted use of suspicious account application documents
The program must also:
- Describe appropriate responses that would prevent and mitigate the crime
- Detail a plan to update the program
- Be managed by the organization's board of directors or senior employees
- Include appropriate staff training
- Provide for oversight of any service providers
The Federal Government: "We're Flexible"
The Red Flags Rules provide, the FTC says, the opportunity to design and implement a program that is appropriate to the size, complexity, and nature of the business. Guidelines have been provided to help in designing the programs. A supplement to the guidelines identifies 26 possible red flags that, although not to be taken as a checklist, serve as examples that can be used as a starting point for policy development. These warning signs fall into five categories:
- Alerts, notifications, or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Unusual use of, or suspicious activity relating to, a covered account
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
The FTC says more detailed compliance guidance will be forthcoming.
And Don't Forget Disposal
Healthcare organizations should have long been sensitive to, and diligent about, destroying patients' private information, but policies and practices should be reviewed for compliance with an earlier "disposal" rule implementing another aspect of FACTA ("Disposal of Consumer Report Information and Records," published in the Nov. 24, 2004, Federal Register). The disposal rule requires entities to have measures in place to prevent the unauthorized access to, or use of, information in a consumer report. Such measures would include having, and ensuring compliance with, policies for burning, pulverizing, or shredding papers so that information cannot be read or reconstructed. They would also include conducting due diligence on contracted services: reviewing an independent audit of a disposal company's operations, obtaining information about the disposal company from references, and reviewing and evaluating the disposal company's security policies and procedures. The disposal rule became effective June 1, 2005.
In short, when it comes to FACTA, healthcare financial leaders would be well advised to keep apprised of the facts.
Jim Alexander is a technical director in HFMA's Washington, D.C., office.
Resources: Regulations and the Law
Publication Date: Monday, September 01, 2008