idbusiness for physicians

Red Flag Compliance for Medical PracticesJune 9, 2009

Our goals today

Our goals today

‣ To give you the WHAT…

Our goals today


‣ The FTC’s Red Flag Rules

Our goals today



‣ ...review the HOW…

Our goals today




‣ demo the idBUSINESS Red Flag Compliance Module

Our goals today





‣ but also give you the WHY

Our goals today





‣ but also give you the WHY

‣ Why information security should be a part of your practice

An issue of PATIENT CARE

“The possibility for medical identity theft gives rises to a duty to monitor for the

potential that patients may be victims. The prudent provider will also monitor employee

and vendor access to patient data.”

- World Privacy Forum, 9/24/08

What this means

What this means

‣ Medical identity theft is on the rise

‣ Costs $192 per record to restore

‣ Often an inside job

‣ Organized crime is involved

What this means

‣ Medical identity theft is on the rise

‣ Costs $192 per record to restore

‣ Often an inside job

‣ Organized crime is involved

‣ Doctor’s offices are unique

‣ Reliance on office manager to run operations

‣ No line between your brand and your name

The Opportunity

‣ There is a unique opportunity to grow a practice by leveraging strong information security policy and sharing it with patients

‣ Build trust with patients

‣ Strengthen employee relationships

‣ Tighten operations with vendors

The facts

• Since 2/15/05, over 251,000,000 Americans have had identities or other personal information compromised

40%

60%

Business has suffered breachBusiness has yet to incur a breach

30%

70%

Thief is employee or knows employeeThief is unknown

The facts

The average breach and its impact on customer confidence is growing.

Source: Ponemon Institute, 2008.

58% of customers willlose confidence in your business after a breach.

31% of your customers will immediately cease doing business with you following a breach.

The Red Flag Rules

The Red Flag Rules

‣ Sections 114 & 315 of the Fair and Accurate Credit Transactions Act

The Red Flag Rules


‣ Applies to you if:

The Red Flag Rules



‣ you hold “covered accounts”

The Red Flag Rules



‣ you hold “covered accounts”

‣ your customer records present a “reasonably foreseeable risk of identity theft”

Why are physiciansCOVERED ENTITIES?‣ Accepting insurance

‣ Deferral of 100% of payment, you collect enough patient data to collect the remainder that insurance does not pay.

‣ Reasonably foreseeable risk

‣ Your patient files are a treasure trove

‣ Each record worth between $80-300 each*

* Source: Black Market Identity Auction attended by Net Reaction mole, 2008.

Red Flag REQUIREMENTS

Red Flag REQUIREMENTS1. A Written Information Security Program


2. Controls to prevent and mitigate the risks associated with identity theft



3. Must be administered by a board of directors or a member of senior management




4. Must deliver compliance report on at least an annual basis





5. Must contain mechanism to train employees






6. Must contain an incident response capability






6. Must contain an incident response capability7. Must ensure that vendors and suppliers are also compliant

“What happens if I don’t comply?”• Noncompliance carries several penalties

– Civil Liability

– Class-Action Lawsuits

– Federal Fines

– State Fines

The solution

‣ The idBUSINESS Red Flag Compliance Module‣ Built on real-world forensic fieldwork‣ Includes tools & benefits that actively involve

employees in your compliance efforts

‣ Transitions information security from a compliance issue into a competitive advantage

The Red Flag Compliance Module

‣ Secure online interface


‣ Learning tools available as text or video webinar


‣ Risk Assessment tool provides ranking of your company in 12 key focus areas


‣ Customizable checklist of 26 Red Flags to meet requirements of FACT Act


‣ Employee training automated & easy, integrates automatically with your compliance report


‣ Ability to evaluate supplier compliance practices using our proprietary Vendor Integrity Assessment


‣ Access individual identity recovery protection using FraudStop and Restore from ID Experts

‣ Available as employee benefit, cafeteria-style add-on, customer blanket, or new revenue stream

‣ In the event of a breach, one-click access to best-in-breed data breach services and forensic services

“Can’t I do this myself?”

• A self-written policy meets the letter of the law, but leaves gaps:

– No vendor integrity assessment

– No employee training, just signature line

– No mitigation of damages in the event of an incident• Who will you call when you have a question?

• No context of how Red Flag Policy fits into your business

–What’s worth doing is worth doing right.

–Missing an opportunity to GROW your practice

So I’m compliant...

‣ NOW WHAT?

‣ Don’t let it sit on a shelf

‣ Talk to your employees

‣ Talk to your patients

‣ Use your policy as a practice-building tool

A final word‣ “I understand the mindset of other practices, and that it is easy to minimize identity

theft as a business threat or a patient care issue. It is low on their list of priorities, which

is unfortunate because if and when a patient data breach occurs, we are by law

responsible. I personally would recommend acting with a sense of urgency to become

compliant with the FTC ‘Red Flag Rules’ both to avoid penalty and to protect your

patients from a life-wrenching identity theft experience. You’ll be protecting yourself as

well, and as a result, will sleep better at night.”

Dr. Miles Collett, DDS

Thank you!

‣ To learn more, please visit idBUSINESS.com

‣ Discounts are available for medical associations

‣ Check with your association or call idBUSINESS Distributor Joe Nollet, 951-928-4438

http://www.idBUSINESS.com

http://www.idBUSINESS.com

idbusiness for physicians

Technology

red flag requirements

ftcs red flag rules

red flag rules sections

withidentity theft

compliance report

personal information

memberof senior management

board of directors