Health care providers are already familiar with protecting the privacy and security of their patients' protected health information under the requirements of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").1 In addition, health care providers have been required to develop policies protecting personal financial information in compliance with the requirements of the North Carolina Identity Theft Protection Act of 2005 (the "NC Identity Theft Act").2 Now health care providers need to revisit security protections once more in connection with the identity theft regulations issued under the federal Fair and Accurate Credit Transactions Act of 2003 ("FACTA"),3 commonly referred to as the "Red Flag Rules," which the FTC will begin enforcing on May 1, 2009.4 Health care providers in North Carolina should use this opportunity to review their existing privacy and security policies, expand safeguards to protect the additional types of information covered under FACTA, and meet the new requirements.
Ongoing Compliance Requirements under HIPAA
Under HIPAA, health care providers have already developed and implemented policies to safeguard the protected health information of their patients against inappropriate use or disclosure. The HIPAA Privacy and Security Rules require protection for all forms of patient information – oral, written and electronic – to secure the confidentiality, integrity and availability of such information. Managing information security requires ongoing risk assessments to identify threats to and vulnerabilities of patient information, and requires that health care providers implement a number of technical and administrative safeguards to manage these risks. As part of HIPAA compliance, health care providers have also appointed privacy and security officers and trained all members of their workforce in procedures to protect patient information.
Compliance Requirements under the NC Identity Theft Act
The NC Identity Theft Act requires businesses, including health care providers, to safeguard certain personal and financial information of customers, employees, vendors and other individuals, which would include patients of health care providers, from inappropriate use and disclosure. Generally, the NC Identity Theft Act protects designated financial information in combination with the individual’s first name or first initial and last name. Health care providers should be aware that the NC Identity Theft Act provides specific requirements related to social security numbers (“SSNs”), including restrictions on collection, use, printing of SSNs on providers’ materials, and disposal of documentation containing SSNs. In addition, it requires that businesses prevent actual or potential incidents of unauthorized access to and acquisition of personal and financial information, and contains specific notification requirements in the event of an actual or potential security breach.
New Compliance Requirements under FACTA
Prior to the publication of an article by the Federal Trade Commission (the “FTC”) in September 2008,5 many health care providers were unaware that they were required to comply with FACTA. It is now clear that most health care providers, including nonprofit providers, will be required to comply with FACTA because they fall within the definition of “creditor” under FACTA and have “covered accounts.” “Creditors” include organizations that regularly extend, renew or continue credit. Most health care providers fall within the definition of “creditor” under FACTA because they allow patients to defer payment for medical services until after the services are rendered, and often take payments over a period of time when health care providers render a bill for services to the patient for any balance owed after collecting payments for a portion of the services from Medicare, Medicaid or a private insurer. “Covered accounts” under FACTA include accounts used primarily for personal, family or household purposes that involve multiple payments or transactions. Most patient accounts would qualify as “covered accounts.” In order to comply with FACTA, health care providers that are “creditors” and have “covered accounts” are required to implement written identity theft prevention programs by May 1, 2009.
Implementing an Identity Theft Prevention Program
The Boards of Directors of health care providers and other businesses subject to FACTA must adopt and implement an identity theft prevention program for the subject organization. While the program adopted should be appropriate to the size, complexity and the nature of the operations of the organization, the program should include the following elements:
- FACTA Officer. The organization must appoint an employee at the senior management level to serve as its FACTA officer and to be responsible for its implementation of the program. At least annually, the FACTA officer must require reports from responsible persons in the organization that evaluate the program and the organization’s recent experiences with identity theft.
- Identifying Red Flags. The organization must identify patterns, practices and specific activities that could occur in its business (called red flags) and that would indicate the possible existence of attempted or successful identity theft.
- Detecting Red Flags. The organization must seek to detect red flags that occur in its day-to-day operations and must establish reasonable safeguards designed to prevent identity theft. A health care provider may detect such red flags, for example, while verifying a patient’s identity, reviewing patient medical records and/or verifying insurance information.
- Responding to Red Flags. The organization must establish policies to respond to red flags that it detects based on the degree of risk a particular red flag poses. If the organization detects a red flag, an appropriate response should address the suspicious activity and prevent against the risk of identity theft.
- Service Provider Compliance. If the organization engages a service provider to perform an activity in connection with its customer accounts, the organization must take reasonable steps to ensure that the service provider performs those activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
- Administration of the Program. The organization must describe how the program will be administered, including implementation, appointment of a FACTA officer, staff training, monitoring the work of service providers, annual reports, and a process for updating the program. The Board of Directors and senior management of the organization should be involved directly in the oversight and administration of the program.
- Updating the Program. The organization must update the program and its associated policies and procedures periodically to address current developments in identity theft risks and to improve its methods of addressing those risks. Any changes to the program should be approved by the Board of Directors of the organization.
Penalties for Noncompliance
A violation of FACTA regulations constitutes an unfair or deceptive act or practice in commerce in violation of Section 5(a) of the Federal Trade Commission Act. A knowing violation subjects the organization to a civil penalty of up to $2,500 per violation. If the organization negligently fails to comply, it may be liable to affected consumers for their actual damages and reasonable attorney’s fees. If the organization willfully fails to comply, the court is authorized to award affected patients punitive damages.
Updating Existing Compliance Programs to Cover New Requirements under FACTA
Although FACTA certainly adds additional security requirements to the already burdensome physical, technical and administrative safeguards which are components of health care providers’ security and privacy plans, many of the new FACTA requirements may be addressed by expanding existing HIPAA and NC Identity Theft Act policies and procedures. Health care providers should already have in place privacy and security officers, policies, procedures and training programs, business associate agreements, safeguards for security of oral, written and electronic patient information, and other procedures for appropriate uses and disclosures of patient information. The areas of overlap in these statutes allow existing programs to form a springboard for development of FACTA policies and procedures. We suggest health care providers use this new mandate as an opportunity to evaluate existing privacy and security policies, further identify internal and external risks, and develop new risk management strategies for overall compliance plans.
1 42 U.S.C. §1320d et seq. and 45 CFR Parts 160 and 164.
2 N.C.G.S. §75-60 et seq.
3 15 U.S.C. §1681 et seq.
4 On October 22, 2008, the FTC announced that it was delaying its enforcement of FACTA and its corresponding regulations until May 1, 2009.
5 Tiffany George & Pavneet Singh, The “Red Flags” Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft (September 2008).