

Source: aahaminlandempire.org/Sources/119IdentityTheft.pdf

Identity Theft FACTA & HITECH Overview

Lisa Asbell, RN, CHP, CITRMS

727 502 7427

Lisa Asbell 2012 1


AGENDA

Identity Theft Session 1

Statistics

Types of Identity theft

o Identity theft stories

Methods of Identity theft

Data Breaches and the Damage caused

Warning Signs

IDT Protection

Repairing Personal Identity Theft


Agenda Session 2

FACTA Overview

FACTA Disposal Rule 2005

o Guideline for compliance & training

FACTA Red Flags Rules 2008

o 26 Red flags

o Guideline for compliance & training

Information Protection in your facility

Information Verification in your facility

Fines for non-compliance


AGENDA Session 3

HITECH ACT Areas of Change to HIPAA

Business Associate Agreements

Who Are the new BA’s and CE’s

Contract suggestions and guidance

Disclosure Agreement Provision

Breach Notification

Contract suggestions and guidance

HIPAA Updates

•Expanded Accountings of Disclosures

•Access to PHI

•Marketing

•New Penalties


LEARNING OBJECTIVES

How to identify a potential identity theft issue, types of identity theft and personal identity theft

How to avoid lawsuits in your practice

Learn how the Red Flag Rules affect your facility;

Obtain practical tools such as action plans, policies and procedures,

and implementation techniques to assist your office with compliance;

Discover how to develop an action plan to mitigate identity theft; and

Comply with these new federal regulations.

Identify which organizations and individuals are BAs

Explain the new HITECH privacy and security requirements

List practical steps to rework BA and third party vendor contracts

Identify additional changes necessary to comply with HIPAA

Learn the vital importance of ongoing education and staff training


Identity Theft: America's #1 crime

Over 50 million victims in the last five years

Every 3 seconds an identity is stolen

Over 567 million records exposed in over 3,500 separate data breaches since 2005.

Medical identity theft is the fastest growing type. It has grown over 400% in 12 months.

The FTC reports that over 11 million people were victims in 2009. Over 51% of cases are never reported!

70% of identity theft issues in medical facilities come from a piece of paper, not the computer.

The FBI reports that revenue from ID theft has surpassed drug trafficking: over $9 billion a year.


IDT Statistics

"Over 400,000 Dead People opened Bank accounts last year" – AARP

"The revenue from trafficking financial data has surpassed that of drug trafficking." – Secret Service, March 2012

"Every Three seconds (27,000 times per day) someone becomes a victim of Identity Theft." – USA TODAY


Identity Theft: #1 FTC complaint for tenth year straight

By admin | Published: February 26, 2011

Think the problem of identity theft is going away anytime soon? Think again: this week the FTC released the 2011 Top Consumer Complaints report and yet again, millions of American consumers have found themselves falling victim to identity theft and fraud. For ten years straight identity theft and fraud have made it to the top of the list, so I believe a toast is in order to the identity thieves across the world.


TYPES OF IDENTITY THEFT

Criminal - (someone commits a crime in your name)

Financial - (new accounts, bank accounts, cell phones)

Driver's License - (use your name and license)

Social Security - (illegal aliens use them EVERYDAY; you pay the taxes)

Medical - (getting your health insurance info)

How many of your current patients are already victims? What if they think your facility caused it? Do you have something in place to prove otherwise? It only takes one complaint to launch an investigation… What about HIPAA? They will look at everything. You can't afford to wait a minute to get this program in place.


Medical Identity Theft

Medical identity theft is a specific type of identity theft which occurs when a person uses someone else's personal health identifiable information, such as insurance information, Social Security Number, health care file, or medical records, without the individual's knowledge or consent to obtain medical goods or services, or to submit false claims for medical services. There is limited information available about the scope, depth, and breadth of medical identity theft.

Medical identity theft is about 2.5 times more costly than other types of ID fraud, said James Van Dyke, president of Javelin, in part because criminals use stolen health data an average of four times longer than in other identity crimes before the theft is caught. The average fraud involving health information was $12,100 compared with $4,841 for all identity crimes last year, and consumers spent an average of $2,228 to resolve it, or six times more than for other identity fraud, according to Javelin.


Medical Identity Theft: A Rising Threat

The Perpetrator versus the Victim

249,000 had their medical identities stolen in 2008

Gartner Research estimates there will be more than 1 million cases of medical identity theft in 2009, making it the fastest growing type of identity theft

Two areas of vulnerability:

Use of a person's name or identifiers without knowledge or consent

Use of a person's identity to obtain money by falsifying claims for medical services


Personal IDT Nightmare Stories

CHICAGO (MarketWatch.com) -- Identity theft and fraud have ruined Dave Crouse's life. In fewer than six months, some $900,000 in merchandise, gambling and telephone-services charges were siphoned out of his debit card. His attempts to salvage his finances have cost him nearly $100,000 and have bled dry his savings and retirement accounts. His credit score, once a strong 780, has been decimated. And his identity -- Social Security number, address, phone numbers, even historical information -- is still being used in attempts to open credit cards and bank accounts.


Few people know more about identity theft than John Harrison. In an ironic twist, when the president of ChoicePoint wrote a book on identity theft, he went to Harrison.

The Connecticut salesman has spent over 2,000 hours trying to reclaim his life after having his identity stolen, and his home office has become a shrine to the suffering, reports CBS News Correspondent Byron Pitts.

"I had to come up with a filing system," says Harrison of his efforts to clear his name.

Harrison was a victim nearly four years ago, when a 20-year-old stole his identity and literally went for a ride.

"Lowes, Home Depot, Sears, JC Penney, two cars from Ford, a Harley, a Kawasaki motorcycle," says Harrison, listing off the purchases made in his name. "About $265,000 in four months."


ORANGE COUNTY, Fla. -- An Orange County woman is living an identity theft victim's nightmare. She's been to jail and court several times just to clear her name and she's still facing check fraud charges in two counties.

"I was stuck. There was nothing I could do," victim Rose Jackson told Eyewitness News.

Rose said she had little choice but to wait for months in jail for the first of four trials on forgery and grand theft charges. Her name started showing up on bogus checks after her purse was stolen two years ago. She wishes she had filed a police report immediately, because now she says no one believes the mother of two was a victim of identity theft.

"You know, they don't care, because everybody in jail says, 'It wasn't me. I didn't do it,'" she said.


Spear Phishing: Identity Theft's New Black

Most people have heard about phishing, the practice of using fraudulent emails to gain access to personal information for the purpose of identity theft. But like any activity, an occasional update in the process is needed. Spear phishing is the new black in identity theft.

The term phishing was coined because of the way criminals try to gain access to personal information: basically, they cast out a bunch of bait in the form of fraudulent emails and wait to see who bites. Spear phishing, however, is more targeted.

Just as a fisherman would use a spear to target a single fish, spear phishing targets individuals. Whereas criminals might send a single mass e-mail to a couple hundred thousand people in a phishing attack, spear phishing attacks are customized and sent to a single person at a time.

The spear phishing email usually contains personal information such as a name or some tidbit about employment. They are also unique emails, rather than the mass "your bank account has been compromised" type of email that is more common in phishing.

For example, one instance of spear phishing targeted corporate executives with personalized emails about a legal case in which the recipient of the message was allegedly being sued. It was a new scam, so it was easy for executives to assume that it was legitimate and click the link provided in the message. And that's the point at which the spear pierces the target.


Identity Theft Methods You May Not Have Considered

Identity theft is often thought of as an electronic crime. In truth, however, it's your everyday habits that could lead to identity theft. Little things that you don't think about can create the opportunities an identity thief needs to grab enough information to damage your credit, or worse, your whole life. Here's a quick list of four common ways that identity thieves gain access to your personal information and steal your identity.


1. Wayward Receipts

Before 2006, merchants printed full credit card numbers on receipts. Today that practice is supposed to be illegal, but there are times when it still happens, especially if the merchant you're shopping with uses one of the old carbon credit card imprinters to make a copy of your card. Even new cash registers print the last four digits of the card number and an expiration date on the receipt. This information can be gold to identity thieves.

Keep track of your receipts until you can shred them. Don't leave them in the bag with your purchases, and don't throw them away in public trash receptacles or even in your own trash. Treat your receipts just as you would any other personal information and shred them using a cross-cut shredder.


2. ATM Lurkers

Cash can't be duplicated, so it must be safer to shop with cash than with a check or credit card, right? Well, that depends. Cash can be safer, but only if you're safe in getting and managing it.

Have you ever stopped by the ATM only to have someone standing a little closer than you're comfortable with? Be careful of those people. In this day and age of camera- and video-enabled cell phones, that ATM lurker could be recording your PIN. Then it's just a matter of grabbing your card and they have access to your bank account and everything that's in it.

Whenever possible use a drive-up ATM. If you must use an ATM where people can stand behind you, try to block others' view with your body.

3. Secure Your Domain

Your personal space, your home and your car, feels safe to you. This is where you spend the most time, and it's where you keep everything that matters most in your world. It's that feeling of comfort that puts you most at risk for identity theft in your own home. If someone took all of the information that you have lying around your home, how much could they gain?

Be aware of the risks that you take with your personal information in your own home. Mail stacked on a desk, personal files in closets, and purses sitting out in the open are vulnerable to opportunistic criminals. Keep your personal information and mail locked away in a fire-proof safe, and put your purse or wallet away in a place that can't be seen.


4. Credit Card Follies

Most people rely on their credit and debit cards to make everyday purchases at stores and restaurants. Unfortunately, it's very easy for someone to steal your credit card information.

A common scheme used to steal credit card numbers is called skimming. You hand your credit card to a server or cashier to pay for something, and they swipe it twice: once for authorization and once to collect the information encoded on the card.

The best way to protect yourself from skimming is to use a disposable (prepaid) credit card that you load with a preset spending amount. It is good until that money is gone, and then it's useless. This stops criminals from gaining access to your credit or banking accounts and helps prevent identity theft.


Warning: Identity Thieves Want Your Home

Identity thieves are interested in your identity for what they can gain from it. When they can access your mortgage or the deed to your home, that can literally be the roof over your head. Learn what the top mortgage scams are so that you can protect yourself from criminals who would use your information to steal your home.

Identity Thieves Love Your Gadgets, Too!

Your cell phone, iPod, and GPS system might be putting you at risk for identity theft. These gadgets can be used by identity thieves to gain access to your personal information. Learn how to protect your identity by securing your personal gadgets.

How to Protect Your Identity from Employment Scams

Unemployment rates keep rising. But identity thieves don't care if you're out of work. They'll take advantage of you anyway with employment scams designed to steal your personal information. Learn how to protect yourself from identity theft employment scams.


Breaches are Rampant!

www.privacyrights.org

Check out this website and you will see that over 567 million records including personal information have been breached since 2005.

The FTC reports that the problem will be 20 times worse over the next 20 months.

The FTC says that by the end of 2013 every person in America will be affected by ID THEFT.

Our goal is that NO one becomes a victim of identity theft because of carelessness within your organization.


Recent Known Breaches


• Harris County Hospital, Texas – Administrator lost medical/financial records of 1,200 patients with HIV/AIDS – Information was on a portable flash drive – Data was not password protected nor encrypted

• Staten Island University Hospital, NY – Computer with Medical Records Stolen - Patients informed 4 months later

• UCSF Medical Center – Information on patients was accessible on the Internet - Patients informed 6 months later

• New York-Presbyterian Hospital/Weill Cornell Medical Center – 2000 patient records sold; 50,000 improperly accessed

• University of Utah Health Care – Password protected but unencrypted laptop with data on 4,800 people was stolen after hours from a locked room

• University of Minnesota Reproductive Medicine Center – Doctor lost an unencrypted portable storage device with information on 3,100 patients


Warning Signs that you may be a victim

1. If you receive a credit card statement in the mail from a creditor where you do not have an account, contact them immediately. Someone may have opened that account in your name without you knowing about it.

2. If you feel you have good to excellent credit but you are turned down for a loan or a new credit card, find out why. It could be that your credit is not as good as you thought it was, or it could be that someone has opened one or more accounts in your name and they are all past due.

3. You get a phone call from the collections department of a creditor where you didn't know you had an account.

4. "Cash advance" withdrawals on your credit card account, or charges that you cannot identify on your debit card or credit card statement. It is your right to know what each and every one of those transactions represents, and if you can't identify one, it is your task to find out what it was.

5. If you don't receive your credit card statements around the same time of the month, or don't receive one at all in a given month. Be aware of when you should be receiving them, and if you don't receive one, contact the creditor to find out why. It could be that an identity thief has stolen your identity and changed your address.


Benefits of having IDT protection

•Less headache for you

•Continuous monitoring

•Lost time and wage reimbursement

•A fraud specialist to actually help

restore your name

•Peace of mind


A. Free Reports

Consumer advocates have long encouraged individuals to monitor their credit reports as a way to detect identity theft. The standard advice was to request a copy of your credit report once a year from each of the three national credit bureaus: Experian, TransUnion, and Equifax. Until now, you usually had to pay up to $9.50 to get a copy of your report from each of these credit bureaus.

Congress recognized the benefits of self-monitoring. It adopted a new rule that allows you a free copy of your credit report annually from each of the "big three."

Should I contact each credit bureau for my free report?

No. The only way to get your free reports is through a centralized source, a combined effort by the three national bureaus. Free reports are available through a dedicated web site, www.annualcreditreport.com. You may order by telephone at (877) 322-8228 or by mail. For a copy of the mail-in form, go to https://www.annualcreditreport.com/cra/requestformfinal.pdf.

What is the best way to order my free reports?

We recommend you order free reports by telephone or mail. A World Privacy Forum report released in July 2005 exposed hundreds of imposter web sites. To read the full report and tips for ordering free reports, see www.worldprivacyforum.org/pdf/wpfcalldontclickpt2_7142005.pdf


Equifax: P.O. Box 740250, Atlanta, GA 30374-0241. Report fraud: call (888) 766-0008 and write to the address above. TDD: (800) 255-0056. Web: www.equifax.com

Experian: P.O. Box 9532, Allen, TX 75013. Report fraud: call (888) EXPERIAN (888-397-3742) and write to the address above. TDD: use relay to the fraud number above. Web: www.experian.com/fraud

TransUnion: P.O. Box 6790, Fullerton, CA 92834-6790. Report fraud: (800) 680-7289 and write to the address above. TDD: (877) 553-7803. E-mail (fraud victims only): [email protected]. Web: www.transunion.com

1. Notify credit bureaus and establish fraud alerts. Immediately report the situation to the fraud department of the three credit reporting companies: Experian, Equifax, and TransUnion. When you notify one bureau that you are at risk of being a victim of identity theft, it will notify the other two for you. Placing the fraud alert means that your file will be flagged and that creditors are required to call you before extending credit. Consider using a cell phone number if you have one.

We recommend that you do not choose to call Experian. You will be subject to a marketing pitch for their "free" credit management tools. If you fail to cancel the service within 30 days, your credit card will automatically be charged for the service.


2. Law enforcement. Report the crime to your local police or sheriff's department right away. You might also need to report it to the police department(s) where the crime occurred if that is somewhere other than where you live. Give them as much documented evidence as possible. Make sure the police report lists the fraudulent accounts. Get a copy of the report, which is called an "identity theft report" under the FCRA. Keep the phone number of your investigator handy and give it to creditors and others who require verification of your case. Credit card companies and banks may require you to show the report in order to verify the crime.

Under new provisions of the Fair Credit Reporting Act (FCRA § 605A) you can place an initial fraud alert for only 90 days. The credit bureaus will each mail you a notice of your rights as an identity theft victim. Once you receive them, contact each of the three bureaus immediately to request two things:

a free copy of your credit report

an extension of the fraud alert to seven years

You may request that only the last four digits of your Social Security number (SSN) appear on the credit report.


3. Federal Trade Commission. Report the crime to the FTC. Include your police report number. Although the FTC does not itself investigate identity theft cases, it shares such information with investigators nationwide who are fighting identity theft.

Call the FTC's Identity Theft Hotline: (877) IDTHEFT (877-438-4338)

Or use its online identity theft complaint form: https://www.ftccomplaintassistant.gov/

Or write: FTC Identity Theft Clearinghouse, 600 Pennsylvania Ave. N.W., Washington, DC 20580.

The FTC's uniform fraud affidavit form is available at http://www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf

Visit the Web site for the President's Identity Theft Task Force for the Identity Theft Victims' Statement of Rights under federal law: www.idtheft.gov/


IDENTITY THEFT RELATED LAWS

FACTA Disposal Rule

FACTA RED FLAGS RULE

http://www.ckfraud.org/idtheft.html

State Info


FACTA

Fair and Accurate Credit Transactions Act of 2003

Signed into law by President Bush on December 4, 2003

Requires every practice to have a written security plan.

This law is NOT delayed!

Fines up to $3,500 per affected employee or patient.

Civil and class action lawsuits are a potential threat. No statute of limitations on class actions.


Businesses must leave off all but the final five digits of a credit card number on electronically printed store receipts as of December 1, 2006.

Employers must destroy all information obtained from a consumer credit report before discarding it.

Consumers who suspect that they are the victims of identity theft only need to notify one of the three credit reporting services (Experian, TransUnion, or Equifax) to initiate a nationwide fraud alert.

Mortgage lenders must provide the credit score they use to determine a loan's interest rate, regardless of whether the loan is approved or denied.

FACTA is enforced by the Federal Trade Commission.


Many Arms of FACTA

January 1, 2005 – Access to Credit Reports. This was the first part of FACTA: www.annualcreditreport.com

June 1, 2005 – Disposal Rule. Any business or person that has information derived from consumer reports must have a plan and policy in place to properly DISPOSE of that information. www.ftc.gov/opa/2005/06/disposal.shtm

December 1, 2006 – Truncation. Allows no more than the last 5 digits of a credit card number to appear on the receipt. www.ftc.gov/bcp/edu/pubs/business/alerts/alt007.shtm

January 1, 2008 – Red Flags Rules. www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
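The truncation rule above (and the "Wayward Receipts" discussion earlier) is the one part of FACTA a receipt-printing or receipt-archiving system can enforce in code. The following Python is an added example, not part of the original slides: it masks a card number down to the permitted trailing digits, scans rendered receipt text for any full card number or expiration date that slipped through, and rewrites the receipt so it passes. The sample receipt, the function names, and the use of a Luhn check to tell a real card number from other digit runs (auth codes, phone numbers) are all assumptions of this example, not anything the slides specify.

```python
import re

# Constructed sample receipt (not from the original slides). It shows what an
# old carbon-copy or pre-2006 terminal would print: full PAN plus expiry.
SAMPLE_RECEIPT = """ACME PHARMACY  #0412
VISA 4111 1111 1111 1111  EXP 09/27
AUTH 123456
TOTAL $42.17
"""

# Matches 13-19 digits optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Matches "EXP 09/27", "Expires: 09/2027", etc. FACTA bars the expiration
# date from the receipt as well as the full card number.
EXPIRY_RE = re.compile(r"\b(?:EXP|EXPIRES?)[:\s]*\d{2}/\d{2,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Assumption: used only to cut false positives when
    scanning receipt text, since auth codes and totals never pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str, keep: int = 5) -> str:
    """Mask a PAN so that at most `keep` trailing digits survive.
    FACTA permits no more than the last five digits on an electronically
    printed receipt; most merchants keep four. Separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card-length PAN")
    if keep > 5:
        raise ValueError("FACTA permits at most the last five digits")
    return "*" * (len(digits) - keep) + digits[-keep:]


def find_exposed_pans(text: str) -> list:
    """Return every digit run in `text` that looks like a full card number."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def receipt_violations(text: str) -> list:
    """Compliance check to run over rendered receipt text before it is printed
    or archived. Returns a list of human-readable findings (empty = clean)."""
    problems = ["unmasked PAN ending " + p[-4:] for p in find_exposed_pans(text)]
    if EXPIRY_RE.search(text):
        problems.append("expiration date printed")
    return problems


def sanitize_receipt(text: str, keep: int = 4) -> str:
    """Rewrite a receipt so receipt_violations() returns nothing:
    mask every card number and strip expiration dates."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return truncate_pan(digits, keep)
        return m.group()        # not a card number; leave the text alone
    text = PAN_RE.sub(mask, text)
    return EXPIRY_RE.sub("", text)


if __name__ == "__main__":
    print("before:", receipt_violations(SAMPLE_RECEIPT))
    clean = sanitize_receipt(SAMPLE_RECEIPT)
    print(clean)
    print("after:", receipt_violations(clean))
```

A practical place for `receipt_violations()` is a unit test or a log-scanning job over the receipt images a point-of-sale system keeps, since a terminal that was compliant when installed can regress after a firmware or template change.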


FACTA DISPOSAL RULE

The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer's eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.


FACTA Close Up

Existing FCRA preemption provisions are made permanent and other areas in which state and local laws are preempted have been added, especially in specific areas relating to identity theft. This should not be construed to mean that all areas of identity theft are now preempted.

Consumers can place fraud alerts on their credit files and block information caused by identity theft or fraud. The FTC and other federal agencies must establish guidelines to protect against fraud and identity theft. The law provides for "active duty alerts" for active duty military personnel.

When a consumer is granted credit, but, because of a credit rating, the credit granted is at a less advantageous rate, the consumer must receive notice of that fact.

Consumers have the right to one free credit report annually from the national repositories and national specialty credit reporting agencies, a newly designated group of credit reporting agencies. The FTC must prescribe regulations to provide procedures and processes for consumers to obtain free reports.

The standard for furnisher accuracy is changed from "knows or consciously avoids knowing" to the higher standard of "knows or has reasonable cause to believe" information is inaccurate. Regulators must establish guidelines for furnishers regarding the "accuracy and integrity" of information furnished to credit reporting agencies. A study on the accuracy of consumer reports must also be conducted.

Page 38: Identity Theft FACTA & HITECH Overviewaahaminlandempire.org/Sources/119IdentityTheft.pdf · Identity Theft America’s #1 crime Over 50 million victims in the last five years Every

Lisa Asbell 2012 38

Consumers may dispute information and initiate an investigation directly with the furnisher. Furnishers cannot forward information to credit reporting agencies when a consumer submits an identity theft report to the furnisher relating to that information.

A requirement that credit and debit card numbers be truncated on consumer receipts will be implemented over an extended period.

Consumers can request that their social security number be truncated from their credit report.

Credit scores and how they are determined must be disclosed to consumers for a reasonable fee, as determined by the FTC. Consumers must be notified of this right.

A study on the potential disparate impact of credit scores is required.

Consumers can prohibit the sharing of information by affiliates that will be used for marketing purposes.

Communications to employers from third party investigators are no longer considered consumer reports under the FCRA. However, employees must be notified if adverse action is taken based on such communications, and employees have the right to a summary of the nature and substance of the communication.

Additional limits are placed on the sharing of medical information.

A financial literacy and education commission is created.

FACTA Requirements (Disposal Rules)

• Have a Written Security Policy for how you physically secure information
• Mandatory Staff training on Identity theft and the Security Policy
• Appoint an Information Security Officer
• Have a mitigation plan for how you would repair the problem
• Have Senior Management approve the policies and procedures

Bad People can get the info if you’re not careful!

In January 2005, for example, Trailblazer Health, a Medicare intermediary/carrier, posted a notice warning health care providers about an identity theft scam involving a caller posing as a Medicare Fraud Investigator or Medicare employee. The scam artists ask the provider to fax copies of the provider’s driver’s license, Social Security Number, Provider Identification Number, medical license, medical charts or other sensitive information, claiming to need it to update the provider's record, replace information lost in a computer malfunction, or for certain other plausible business reasons. Instead, the identity thieves use the information to file fraudulent claims under the provider’s identifying information with a different payment address created by the identity thieves.

What is required to be FACTA-compliant?

FACTA requires financial institutions and creditor organizations to develop, document and implement a comprehensive identity theft program that includes information security policies, procedures and incident response plans covering personal (e.g., consumer, customer, patient) information. The objective of this program is to mitigate identity theft risks through the effective prevention, detection and management of “Red Flag” incidents (ref. below).

The program must be administered by a board of directors or senior management and be periodically (min. annual) reviewed, updated and confirmed. The program must also ensure that relevant vendors are compliant.

FACTA: The Value of Health Information

A Patient Chart is valued at $100,000 to an Identity Thief!

USA Today reports that the average damages to an individual who is a victim of identity theft are over $90,000.

How many are in your facility? In a chart, there is a copy of the driver’s license, health insurance cards, social security numbers, birthdates…. EVERYTHING!

The health insurance CRISIS is real… Medical identity theft is going to get worse.

It only takes one complaint to ruin your year or your career.

LAWSUITS with FACTA

To date over 3,000 lawsuits have been filed because of merchants not complying with FACTA.

Radio Shack: According to the complaint, which was posted on the state attorney general's Web site, "thousands" of records containing customer names, addresses, telephone numbers and other data were found in a trash can in an alley behind a RadioShack store located in Portland, Texas, in March 2007. Fined $630,000.

FACTA Red Flag Rules: What you must do

In simple terms, the Red Flag Rules were passed as a Federal Law because Identity Theft is so rampant. It is a huge problem facing the medical industry today. It can apply to your facility because you extend credit when you bill patients. The same is true if you offer any type of financing or pull credit reports.

Your facility is required to adopt a WRITTEN IDENTITY THEFT PREVENTION PROGRAM. This plan is put in place to help prevent identity theft at your practice.

While HIPAA is a law about privacy, about physically securing a patient’s information in your facility, the Red Flag Rules say: stop a thief who may come into your facility to receive services using an identity that has already been stolen!

VERIFICATION….. and Authentication are the two main components. You must train your employees in the steps to take to limit the possibility of identity theft in your organization.

Red Flag Rules Overview: Are you impacted?

It applies to all types of businesses….

The law applies to two types of organizations:
1. Financial Institutions
2. Creditors – defined by DELAYED billing.

It is the position of the FTC that a Provider will be deemed a “creditor” under the Red Flag Rules with respect to at least some, if not all, of the payment arrangements with patients. Accordingly, a Provider should plan to comply with the Red Flag Rules.

Red Flag Rules Overview: Action Steps

Your Written Identity Theft PREVENTION Program includes:
• Identifying the Red Flags that apply to your practice
• Employee Training on those Red Flags (Detect and Defend)
• Oversight of Service Providers
• Adoption of the plan by Board Members or Senior Management
• Updating the plan on a yearly basis

Three Parts of Red Flags

Identify – Look at your organization’s business practices and how you collect information. What type of information are you collecting, and how do you verify that the person, client or patient is who they say they are? Identify which of the 26 red flags apply to your facility.

Detect – Employee training is KEY to detecting red flags as they appear. This training should be conducted by someone outside your facility who has real knowledge of identity theft and the laws.

Defend – When multiple Red Flags have been detected, what are you going to do? How will you respond? Call the police? Ask for more information?

What are the 26 Red Flags?

• Suspicious activities, documents, etc.
• Personal identification information that does not match other sources
• Altered or forged documents – description not matching the patient
• Inconsistent information with other records
• Notices from victims of ID theft, law enforcement officers, insurers, or anyone suggesting possible identity theft

The following ‘Red Flags’ are potential indicators of fraud, and any time a Red Flag, or a situation closely resembling a Red Flag, is apparent, it should be investigated for verification.

1. Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   • A recent and significant increase in the volume of inquiries
   • An unusual number of recently established credit relationships
   • A material change in the use of credit, especially with respect to recently established credit relationships
   • An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor

2. Suspicious Documents

1. Documents provided for identification appear to have been altered or forged.
2. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
3. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
4. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
5. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

3. Personal Identifying Information

1. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
   • The address does not match any address in the consumer report.
   • The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.
2. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
3. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   • The address on an application is the same as the address provided on a fraudulent application.
4. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   • The address on an application is fictitious, a mail drop, or prison.
   • The phone number is invalid, or is associated with a pager or answering service.
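The three Red Flag categories above (consumer report alerts, suspicious documents, personal identifying information) can be turned into a screening routine that a front desk or billing system runs at registration. The following is an added example, not part of this presentation or of the FTC rule: the reference sets (Death Master File entries, addresses from prior fraudulent applications, mail drops, pager numbers) and the two sample applicants are constructed, the "never issued" SSN test uses the ranges the SSA has never assigned (area 000, 666 or 900-999, group 00, serial 0000), and the disposition thresholds are an assumed local policy. The SSN-range-to-date-of-birth correlation check from item 2 is left out because it needs SSA issuance tables that are not on the page.

```python
# Red Flag screening: added illustration of categories 1-3 above.
# All reference data here is constructed for the example, not real SSA or CRA data.
from dataclasses import dataclass


@dataclass
class ConsumerReport:
    """Fields a consumer reporting agency response may carry (category 1)."""
    addresses: tuple                        # addresses the agency has on file
    fraud_or_active_duty_alert: bool = False
    credit_freeze_notice: bool = False
    address_discrepancy_notice: bool = False


@dataclass
class Applicant:
    name: str
    ssn: str                                # "AAA-GG-SSSS"
    address: str
    phone: str
    id_appears_altered: bool                # category 2: staff observation at the desk
    photo_matches_person: bool              # category 2: staff observation at the desk
    report: ConsumerReport


# Constructed stand-ins for the internal/third-party sources the rule refers to.
KNOWN_FRAUD_APPLICATION_ADDRESSES = {"700 Example Ave, Springfield"}
MAIL_DROP_OR_PRISON_ADDRESSES = {"PMB 12, 1 Mailbox Plaza, Springfield"}
DEATH_MASTER_FILE_SSNS = {"987-65-4320"}
PAGER_OR_ANSWERING_SERVICE_NUMBERS = {"555-555-0199"}


def ssn_never_issued(ssn: str) -> bool:
    """True for numbers the SSA never assigns: area 000, 666 or 900-999,
    group 00, or serial 0000. A malformed string is also treated as not issued."""
    try:
        area, group, serial = (int(part) for part in ssn.split("-"))
    except ValueError:
        return True
    return area in (0, 666) or area >= 900 or group == 0 or serial == 0


def phone_invalid(phone: str) -> bool:
    """A North American number has ten digits; neither the area code nor the
    exchange may begin with 0 or 1."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return len(digits) != 10 or digits[0] in "01" or digits[3] in "01"


def screen(a: Applicant) -> list:
    """Return the Red Flags present for one applicant, tagged by category."""
    flags = []
    r = a.report
    # Category 1: alerts, notifications or warnings from a consumer reporting agency
    if r.fraud_or_active_duty_alert:
        flags.append("1: fraud or active duty alert on consumer report")
    if r.credit_freeze_notice:
        flags.append("1: notice of credit freeze")
    if r.address_discrepancy_notice:
        flags.append("1: notice of address discrepancy")
    # Category 2: suspicious documents
    if a.id_appears_altered:
        flags.append("2: identification appears altered or forged")
    if not a.photo_matches_person:
        flags.append("2: photo/description does not match the person presenting it")
    # Category 3: personal identifying information
    if a.address not in r.addresses:
        flags.append("3: address matches no address in the consumer report")
    if ssn_never_issued(a.ssn) or a.ssn in DEATH_MASTER_FILE_SSNS:
        flags.append("3: SSN not issued or listed on the Death Master File")
    if a.address in KNOWN_FRAUD_APPLICATION_ADDRESSES:
        flags.append("3: address previously used on a fraudulent application")
    if a.address in MAIL_DROP_OR_PRISON_ADDRESSES:
        flags.append("3: address is a mail drop or prison")
    if phone_invalid(a.phone) or a.phone in PAGER_OR_ANSWERING_SERVICE_NUMBERS:
        flags.append("3: phone invalid or associated with a pager/answering service")
    return flags


def disposition(flags: list) -> str:
    """Assumed response policy, not part of the rule: one flag means ask for more
    verification; two or more means hand the file to the designated program
    representative, as the Defend step describes."""
    if not flags:
        return "proceed"
    if len(flags) == 1:
        return "request additional verification"
    return "escalate to designated program representative"


# Constructed sample applicants.
CLEAN = Applicant(name="Pat Example", ssn="123-45-6789",
                  address="12 Oak St, Springfield", phone="555-555-0100",
                  id_appears_altered=False, photo_matches_person=True,
                  report=ConsumerReport(addresses=("12 Oak St, Springfield",)))
SUSPECT = Applicant(name="Sam Sample", ssn="987-65-4320",
                    address="700 Example Ave, Springfield", phone="555-555-0199",
                    id_appears_altered=False, photo_matches_person=False,
                    report=ConsumerReport(addresses=("9 Elm St, Shelbyville",),
                                          address_discrepancy_notice=True))

if __name__ == "__main__":
    for applicant in (CLEAN, SUSPECT):
        found = screen(applicant)
        print(applicant.name, "->", disposition(found), found)
```

Each flag is tagged with its category number so the written description handed to the designated authority (step 1 of the Defend procedure) can cite which of the rule's categories was tripped.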

DEFEND

When potentially fraudulent activity is detected, it is essential to act quickly, as a rapid, appropriate response can protect customers and the company from damages and loss.

1. Once potentially fraudulent activity is detected, gather all related documentation and write a description of the situation. Take this information and present it to the designated authority for determination.
2. The designated program representative will complete additional authentication to determine whether the attempted transaction was fraudulent or authentic.
3. If a transaction is determined to be fraudulent, appropriate actions must be taken immediately. Actions may include:
   • Cancel the transaction
   • Notify and cooperate with appropriate law enforcement
   • Determine extent of liability to company
   • Notify actual customer that fraud has been attempted

What happens when Red Flags are ignored?

“I didn’t think to do harm to anyone; I only wanted the pain to end,” murmured Mariana de la Torre, 28, nearly two years after her cervical cancer pushed her, an illegal Mexican immigrant, into secretly using another woman’s name and Social Security number for Medicaid benefits and other aid. She got $530,000 in medical treatments using another person’s name!

Sierra Morgan was billed $12,000 on her health-care credit card in November for liposuction, a procedure she never requested or had. “It’s depressing to know that someone used my name and knows so much about me,” said the 31-year-old respiratory therapist from Modesto, California.

More Stories……

Brandon Sharp, 38, found more than $100,000 of unpaid medical bills on his credit report when he went to buy a home. The charges included $19,501 for a life-flight helicopter trip and emergency room visits he never used, said Sharp, a project manager for an oil company in Houston, Texas. “I’m as healthy as they come,” he said.

Employees: Careless or Corrupt?

The AMA reports that 70% of breaches in a medical facility come from either a careless or a corrupt employee.

In a widely reported case in 2006, a clerk at a Cleveland Clinic branch office in Weston, Fla., downloaded the records of more than 1,100 Medicare patients and gave the information to her cousin, who in turn made $2.8 million in bogus claims.

Feb 19, 09 summary: Records of more than 1,000 patient visits to Northeast Orthopaedics, a large Albany surgical practice on Everett Road, have been posted on the Internet, a violation of patient privacy laws. Alan Okun, practice administrator, said the North Carolina company that transcribes dictation for the doctors had a security lapse. The problem was discovered earlier this week and the company removed the records...

Damages Recoverable Under FACTA

• Actual Damages – Under Section 1681o(a)(1), a plaintiff may bring an action and recover actual damages for a negligent violation of the Act
• Statutory Damages – Under Section 1681n(a)(1)(A), a plaintiff may bring an action and recover statutory damages between $100 and $1,000 for a willful violation of the Act
• Punitive Damages – Under Section 1681n(a)(2), a plaintiff may also seek punitive damages
• Attorneys’ Fees – Under Sections 1681n(a)(3) and 1681o(a)(2), a plaintiff may also seek costs, including attorneys’ fees
• NOTE: There is no statutory limit on recoverable damages

HITECH

Health Information Technology and Clinical Health Act

• Part of the ARRA, the American Recovery and Reinvestment Act, the “Stimulus Package”
• Signed into law in Feb 2009
• Some are calling it HIPAA 2 Compliance
• Areas of changes

WHAT IS HITECH?

The Health Information Technology for Economic and Clinical Health Act (“HITECH”) is Title XIII of the American Recovery And Reinvestment Act (“ARRA”) of 2009.

HITECH was signed into law on February 17, 2009.

In short, HITECH changes and significantly broadens the scope and application of the Health Insurance Portability and Accountability Act (“HIPAA”).

Both the Department of Health and Human Services (“HHS”) and the Federal Trade Commission

HITECH Changes to HIPAA

• Significantly expands the scope, penalties and compliance challenges of HIPAA
• Changes the application of the provisions of the HIPAA Privacy Rule and the HIPAA Security Rule
• Increases the penalties for HIPAA violations
• Expands the definition of a Business Associate
• Provides additional methods of enforcement
• Requires proactive auditing of covered entities by HHS
• Both HHS and FTC have issued proposed rules pursuant to HITECH

Beginning on February 17, 2011, the Secretary of HHS will be required:
– To investigate every complaint of a HIPAA violation to determine if a violation is due to willful neglect
– To impose a civil monetary penalty for any HIPAA violation determined to be due to willful neglect

New requirements for "Business Associates" – Deadline: February 17, 2010

HIPAA rules were strengthened by extending the responsibility for protection of PHI to "Business Associates." Under the new law, the "Business Associates" have the same responsibilities for any breach of private health care information as does the provider of the services. However, it is the medical practice's responsibility to create new "Business Associate Agreements" or amend the agreements currently in place to add the additional language to effectively communicate this added responsibility to any party or entity that might have access to private healthcare information of the patients of the medical practice. Your agreements should outline these responsibilities, and the practice should make sure that all such associates have read, signed, and returned the agreements for the appropriate record-keeping requirements of the practice. "Business Associates" would include Attorneys, Consultants, Accountants, Third-Party Billing Companies, Computer Vendors or maintenance companies, etc.

Every requirement under the HIPAA Privacy Rule or HIPAA Security Rule will now apply to business associates and not just to covered entities.

Business associates will be required to:
– Adopt all of the technical safeguards, including:
  • Encryption
  • Password protection
– Adopt administrative safeguards, including:
  • Training
  • Policy adoption
– Adopt physical safeguards, including:
  • Locks
  • Building security measures
• Persons whose PHI is stored may obtain an accounting of disclosures

Disclosure Agreement Provision – Effective: February 18, 2010

Patients have the right to pay in full, out of pocket, for health care services and request that your practice not disclose their medical information to a health plan or other entity. Your practice must comply with this request. Make sure that all your employees are informed about this provision and modify notification or follow-up procedures where applicable. This is information that will have to be shared with all employees in the medical practice who are involved in health information and insurance processing.

Information Breach Notification – Effective February 22, 2010

A new provision requires that HIPAA covered entities such as physicians, hospitals, and health plans notify patients (and that Business Associates notify the partnering entity) of any breach of health care information. If a breach involves 500 people or fewer, the responsible party must notify each affected individual by written notice. This notice must contain the details of the breach, the information disclosed, and the steps being taken by the practice or entity to avoid any future breaches, as well as explaining the rights of the patient(s) in protecting their private healthcare information. If the breach involves more than 500 persons, the Act requires that the Department of Health and Human Services be notified as well as the local media outlets.

Breach = “the unauthorized acquisition, access, use, or disclosure of protected health information [“PHI”] which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

• A discovery of a breach occurs when:
– Entity has actual knowledge of a breach, and
– Entity should reasonably have known of the breach

As drafted, no harm is necessary for a breach to occur.

• Definition of breach does not include:
– Unintentional access by employees of covered entities or business associates if occurring within the scope of their duties and if the information is not the subject of a further breach
– Inadvertent disclosures within a covered entity by and to people otherwise authorized to access the information

• This would cover a wide range of inadvertent disclosures in the treatment context

Breach only applies to “unsecured protected health information”

• Strong incentive to utilize technologies and methodologies approved by HHS, because if there is a breach, but PHI is secure, then the entity avoids the costly breach notification requirements
• Secure PHI = HHS guidance provides that PHI must be rendered unusable, unreadable, or indecipherable to unauthorized individuals
• HHS provides specific encryption and destruction guidance (74 Federal Register 19006, 19009-19010)

HIPAA VIOLATIONS

Indeed, the first reported criminal conviction for violation of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules involved a theft of protected health information by a former Seattle Cancer Care Alliance employee, Richard Gibson. Mr. Gibson used a patient's name, date of birth and Social Security number to obtain credit cards; he subsequently charged $9,100 for personal items and expenses. While Mr. Gibson’s theft of protected health information resulted in his conviction under HIPAA, his actions also might have been prosecuted under various other Federal criminal statutes targeting identity theft or other cybercrimes such as 18 U.S.C. 1028, which makes personal identity theft a felony under Federal law punishable with fines, up to 15 years imprisonment, or both. Health care entities may face vicarious liability for crimes committed by their employees and agents. Accordingly, payers and providers should take appropriate steps to prevent and detect identity theft and other cybercrime by their employees and business partners. Documenting such preventative measures will be useful in defending against such security breaches.

Breach Notification Requirements

Made “without unreasonable delay”
• Notice must be provided within 60 days (outer limit) of the date the unauthorized disclosure, access, or acquisition of unsecured PHI is discovered and must be given to each individual whose unsecured PHI is affected
• If there are more than 500 residents affected in a single state, a notice must be published in the media and given to the Secretary of HHS
• If there are fewer than 500 residents affected in a single state, a log of such disclosures must be maintained and forwarded to the Secretary of HHS each year

Breach Notification Requirements (continued)

Notice requirements apply to all PHI
• Notice requirements will take effect for breaches occurring 30 days after the promulgation of regulations by the Secretary of HHS, which must occur on or before August 17, 2009
• Notices must contain at least
– A brief description of what occurred
– A description of the types of unsecured PHI that were involved in the breach
  • Name
  • SSN
– The steps individuals should take to protect themselves from potential harm
– A brief description of what the covered entity is doing to investigate the breach, mitigate damage and protect against further breaches
– Covered entity’s contact information for questions by patients

HITECH and FTC Concerns

• For purposes of HITECH, the FTC notes that the reach of the FTC is beyond its traditional jurisdiction under Section 5 of the FTC Act because the ARRA does not limit the FTC’s enforcement authority to the provisions of Section 5
• FTC broadly defines “identifiable health information”
– Many entities will be unexpectedly subject to FTC’s jurisdiction
• FTC requires notification within five (5) days of discovery of a breach involving more than 500 individuals (HHS says within 60 days)

HITECH and the FTC – Concerns

• Terms with respect to penalties are unclear:
– Reasonable cause
– Reasonable diligence
– Willful neglect
• Currently, there is not a clear understanding of the terms: “reasonable cause” and “reasonable diligence” often turn on “business care and diligence”; however, “business care and diligence” is not defined in HITECH
• In case law, the definitions of all of these terms occur in tax fraud and tax avoidance cases, and courts have not been traditionally favorable to business entities under these standards

Accounting For Disclosures

Lisa Asbell 2012 75

• HITECH adds a new burden of accounting for entities that

maintain PHI in electronic health records

• The accounting requirement applies only to releases of PHI

outside the covered entity

• HITECH now requires covered entities and business associates

to account for all electronic discloses of PHI

• The accounting must produce disclosures made for three (3)

years prior to the date of the request for accounting

• A covered entity may choose to either

– Produce an accounting of all disclosures made by itself and all

of its business associates, or

– Produce an accounting of all disclosures made by itself and a

list of all business associates receiving electronic PHI

Accounting For Disclosures

There are two separate effective dates for this expanded accounting obligation:
  – For covered entities and business associates currently using an electronic health record system, the effective date is January 1, 2014
  – For covered entities and business associates who acquire an electronic health record system after January 1, 2009, the effective date is the later of January 1, 2011 or the date that the electronic health system is acquired
• Late adopters have less time to comply (why?)
• The Secretary of HHS can extend both of these deadlines up to a maximum of two (2) years by regulation

Restrictions On Disclosure Of PHI

• Will apply six (6) months after the Secretary of HHS promulgates regulations, which must occur on or before August 17, 2009
• HITECH does not prohibit the sale of properly de-identified information
• HITECH requires covered entities and business associates to agree to requested restrictions if:
  – The disclosure is to be made to a health plan for purposes other than treatment
  – The patient or someone else pays in full for the care that is the subject of the PHI

Restrictions On Disclosure Of PHI

Patients will be able to prevent third-party payers from having access to records of care for which the payer is not financially responsible
  – This restriction would not apply if the payer is also a provider of health care treatment, such as HMOs
• Covered entities should consider whether their current technology will enable them to keep track of such requests and ensure that such information is not disclosed in violation of a patient’s request
• For providers participating in a RHIO, the tracking may be particularly difficult to accomplish without sophisticated technology and training
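The two slides above ask an EHR to do two related things: honor a patient’s restriction request before PHI is released to a health plan, and keep an accounting ledger that can answer a three-year look-back request. The following is an added example written for this overview, not code from the deck or from any vendor product. It models the slides’ rules in a small Python registry: the recipient attributes (external, health plan, also-a-provider), the episode identifiers, the patient and recipient names, and the business-associate name are all constructed for illustration, and the rule that a restriction is declined when care was not paid in full is this example’s own simplification.

```python
"""Disclosure gate plus accounting-of-disclosures ledger (hypothetical example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Recipient:
    name: str
    external: bool            # outside the covered entity; only external releases are accounted
    is_health_plan: bool      # third-party payer
    is_provider: bool = False # a payer that also delivers care, e.g. an HMO (slide: restriction does not apply)


@dataclass
class Disclosure:
    disclosed_on: date
    patient_id: str
    episode_id: str           # the episode of care the PHI describes (constructed identifier)
    recipient: Recipient
    purpose: str              # "treatment", "payment" or "operations"
    disclosed_by: str         # the covered entity or the business associate making the release


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureRegistry:
    """Tracks patient restriction requests and keeps the accounting ledger."""

    def __init__(self) -> None:
        # (patient_id, episode_id) pairs the patient asked to withhold from their health plan
        self._restricted: Set[Tuple[str, str]] = set()
        self._ledger: List[Disclosure] = []

    def request_restriction(self, patient_id: str, episode_id: str, paid_in_full: bool) -> bool:
        """Record a restriction request; the entity must agree when the care was paid in full.
        Declining requests that were not paid in full is this example's assumption."""
        if not paid_in_full:
            return False
        self._restricted.add((patient_id, episode_id))
        return True

    def restriction_applies(self, d: Disclosure) -> bool:
        """True when the slides' rule blocks this release."""
        if (d.patient_id, d.episode_id) not in self._restricted:
            return False
        if d.purpose == "treatment":          # restriction covers purposes other than treatment
            return False
        if not d.recipient.is_health_plan:    # the rule targets releases to a health plan
            return False
        if d.recipient.is_provider:           # payer that also treats (HMO): restriction does not apply
            return False
        return True

    def release(self, d: Disclosure) -> bool:
        """Return True and record the disclosure if permitted; False if blocked."""
        if self.restriction_applies(d):
            return False
        if d.recipient.external:              # internal uses are not accounted
            self._ledger.append(d)
        return True

    def accounting(self, request_date: date, years: int = 3,
                   patient_id: Optional[str] = None) -> List[Disclosure]:
        """Disclosures made within `years` before request_date (three years under HITECH)."""
        start = _years_before(request_date, years)
        hits = [d for d in self._ledger
                if start <= d.disclosed_on <= request_date
                and (patient_id is None or d.patient_id == patient_id)]
        return sorted(hits, key=lambda d: d.disclosed_on)

    @staticmethod
    def business_associates(entries: List[Disclosure], own_name: str) -> List[str]:
        """Business associates that made releases in an accounting (the slide's second option)."""
        return sorted({d.disclosed_by for d in entries if d.disclosed_by != own_name})


if __name__ == "__main__":
    reg = DisclosureRegistry()
    reg.request_restriction("P1", "E1", paid_in_full=True)
    plan = Recipient("Acme Health Plan", external=True, is_health_plan=True)
    blocked = reg.release(Disclosure(date(2013, 5, 1), "P1", "E1", plan, "payment", "Covered Entity"))
    print("release to plan for payment permitted:", blocked)   # False: restriction honored
```

The gate sits in front of every outbound release, so a request the patient made months earlier is enforced automatically instead of relying on staff memory; the ledger is filled from the same call, which keeps the accounting complete for exactly the releases that left the entity.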

Restrictions On Disclosure Of PHI

HITECH makes it clear that the sale of PHI by covered entities or business associates is not permitted, except in very limited circumstances, without a specific advance patient authorization
• The authorization must include “a specification of whether the [PHI] can be further exchanged for remuneration by the entity receiving [PHI]”
• De-identified data can still be sold

Marketing and Fundraising

These restrictions apply on and after February 17, 2010 and severely limit marketing communications
• HITECH clearly states that:
  – All patients must have the opportunity to opt out of communications regarding fundraising
  – Fundraising communications may no longer be considered “health care operations”
• Covered entities will be severely limited in their ability to receive payment from third parties in exchange for communicating with their patients in a way that would have been considered marketing under the HIPAA Privacy Rule

Government Oversight – Audits

• The Secretary of HHS is required to conduct periodic audits to ensure that covered entities and business associates are in compliance with HIPAA
• The Secretary of HHS could begin conducting audits as soon as February 17, 2010
• If audits are dependent upon the enactment of implementing regulations, then the audits of those obligations could begin by February 17, 2011
• Covered entities and business associates should prepare for audits to begin no later than February 17, 2010 for all HIPAA requirements in effect at the time of HITECH’s adoption and all provisions of HITECH that are implemented by that date

NEW HIPAA FINES

Tier A – If the offender did not know: $100 for each violation; total for all violations of an identical requirement during a calendar year cannot exceed $25,000.

Tier B – Violation due to reasonable cause, not willful neglect: $1,000 for each violation; total for all violations of an identical requirement during a calendar year cannot exceed $100,000.

Tier C – Violation due to willful neglect, but was corrected: $10,000 for each violation; total for all violations of an identical requirement during a calendar year cannot exceed $250,000.

Tier D – Violation due to willful neglect, but was NOT corrected: $50,000 for each violation; total for all violations of an identical requirement during a calendar year cannot exceed $1,500,000.

Importance of Staff Training

A recent study from the AMA says that over 70% of identity thefts in a medical facility/practice are an INSIDE job.

You must train every employee specifically on Identity Theft, FACTA, HITECH, all policies and the “Red Flags” that apply to your facility.

Training should be conducted by someone with extensive knowledge of identity theft and the laws.


1. Everything we have covered today has to do with information protection. True or False?
2. You can truly protect yourself from identity theft. True or False?
3. The scariest type of identity theft is medical. T or F?
4. Every company/medical facility regardless of size has at least one law to comply with when it comes to protecting information. T or F?
5. FACTA is enforceable by FEDERAL law and there are fines attached. T or F?
6. Red Flags Rules is about information protection. T or F?
7. All 26 flags apply to every organization in America. T or F?
8. A data breach as defined by HIPAA applies only to encrypted information. T or F?
9. Under HITECH the areas to update are HIPAA Security Policy, Breach Notification Policy and BA Agreement. T or F?
10. Business Associates are Covered entities under the new changes. T or F?

DM Solutions

FACTA/ Red Flag Rules /HITECH $899.00

Includes a template of the program that you can personalize for your organization. For Red Flags and HITECH:
• Updated BA agreement
• Data Breach Notification Policy
• Red Flag Policy
• Security Policy
• Step by Step guide to implement in only 1-2 hours
• All forms for training employees and an employee training recorded call for your convenience
• A 30 minute consultation to ask questions and so you can jump start getting your program in place
• Includes live employee audio training

Order both today for only $499.00

As a special offer, I have included FULL OSHA and HIPAA manuals on the CDs!

Thank You!

Lisa Asbell, RN, CHP, CITRMS 727.502.7427