When the Federal Register printed this rule in late 2007, hospice, home and community care providers might not have given it a second glance. Now as the implementation date for this component of the Fair and Accurate Credit Transactions (FACT) Act of 2003 is close, it has come to light that this requirement will impact hospice, home and community care providers.
The element of this Act that most impacts providers is its focus on identity theft. Organizations are expected to implement a program to detect, prevent and mitigate instances of identity theft. [http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm]
The Federal Trade Commission [FTC], along with federal banking regulators and the National Credit Union Administration (NCUA), collaborated in the issuance of the final regulations. This collaborative issuance speaks to the identification, detection, and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
The defining terminology, within the Act, that includes “any other entity that holds a “transaction account” belonging to a consumer” in its application and the application to “creditors” is the indication that this regulation applies to providers. A transaction account is further defined in this FTC release as a deposit or other account from which the owner makes payments or transfers.
Compliance
Providers are asked to develop a written program that identifies and detects the relevant warning signs / “red flags” to indicate potential identity theft. The program should include responding to potential warning signs, as well as decreasing the impact of any identity theft activities. This interpretation indicates that the oversight should be the responsibility of senior employees / management and that this oversight should also be part of the function of the organization’s Board of Directors.
The Red Flag Guidelines lists 26 potential ‘red flags’ that should alert organizations to the potential for identity theft activities. There are five general categories of red flag alerts:
- alerts, notifications or warnings from a consumer reporting agency
- suspicious documents
- suspicious personal identifying information, such as a suspicious address
- unusual use of – or suspicious activity relating to – a covered account; and
- notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
State associations, such as the Texas Association for Home Care and Ohio Council for Home Care, are working together to provide teleconferences specific to this topic. As the Act is further implemented, providers should be alert for ongoing educational offerings and send a representative to learn more details about how the Act affects their organization.
While today, the implications appear to be focused on policy development, actions and monitoring, there is the potential for additional applications to health care providers to be identified as the implementation progresses. Details and guidelines are available at this time and can be found on line. For information about the Act and guidelines, providers should go to: http://www.ftc.gov/opa/2007/10/redflag.shtm.
In addition to the Act, the FTC has published a number of guidelines and resources to assist organizations impacted by the Act to obtain and review for application to their operations and services. The FTC’s “FIGHTING FRAUD WITH THE RED FLAGS RULE” 32- page booklet, which details the implementation and specifies the red flags, is available for providers to download at: http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf
It is important that someone within the organization be designated the key individual responsible for maintaining up-to-date knowledge about the Red Flags Rule and its application within the organization’s provider setting.
References
FIGHTING FRAUD WITH THE RED FLAGS RULE. Federal Trade Commission. March 2009. Available from http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf
Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy. Retrieved April 15 2009 from http://www.ftc.gov/opa/2007/10/redflag.shtm
|
