500 Attorneys • 21 Offices • www.cozen.com © 2009 Cozen O’Connor. All Rights Reserved.
SAFEGUARDING ACCESS TO HEALTH INFORMATION AND MEDICAL IDENTITY
January 28, 2010
Presented by:
Katherine M. Layman
Salvatore G. Rotella, Jr.
HIPAA and Health Information Technology (HIT) Provisions in the American Recovery and Reinvestment Act of 2009 (ARRA)
Presented by:
Katherine M. Layman
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
(215) 665-2746
(215) 701-2446 (fax)
[email protected]
GENERAL OVERVIEW OF HITECH
• Title XIII of Division A of the ARRA includes the provisions pertaining to HITECH (the Health Information Technology for Economic and Clinical Health Act)
• Creation of a Nationwide HIT infrastructure
• Goal of Certified Electronic Health Records (EHRs) for Every Person in the U.S. by 2014
• Significant Revisions to HIPAA Privacy and Security Rules
• Increased Enforcement of and Penalties for HIPAA Violations
• $17 Billion in Incentive Payments for the Adoption of EHRs (Title IV of Division B of the ARRA)
CHANGES IN BUSINESS ASSOCIATE RULES
EXISTING LAW
• Business associates (BAs) not directly subject to HIPAA
• BA contract created a “back door” way to protect PHI in hands of BAs
BASIC RULE
• Business Associate relationship:
– a Covered Entity engages another person or entity
– to perform a function on behalf of the Covered Entity
– which requires disclosure of PHI by the Covered Entity to the Business Associate
– or creation of new PHI by the Business Associate
BASIC RULE
• Also applies when specified services are provided to a Covered Entity, not “on behalf of” the Covered Entity, but which the Covered Entity must obtain to exist as a business, e.g., legal, accounting
• Members of the workforce, e.g., employees, volunteers, and trainees, are not Business Associates
BUSINESS ASSOCIATE CONTRACTS
Current Rule
• Covered entities must have a contract with each Business Associate to receive satisfactory assurances that the BA will appropriately safeguard the PHI
• Required to take reasonable steps to cure a breach or terminate the contract, if Covered Entity knows of a material violation
• If termination is not feasible, violations must be reported to HHS
PRIVACY RULE CHANGES (Feb. 17, 2010)
• BAs will be more directly subject to the requirements of the Privacy and Security Rules
• Enforcement by DHHS or state Attorneys General can be directly against BAs
– BAs subject to same civil and criminal penalties as covered entities
• Breach notification obligation
PRIVACY RULE
• Conference Agreement. ARRA applies the Privacy Rule, as well as the new privacy requirements and enforcement penalties, to BAs in the same manner as they apply to providers and health plans for whom they are working.
• Statutory language. The BA may use or disclose PHI only if such use or disclosure complies with the privacy provisions of the BA Agreement.
PRIVACY RULE – POST HITECH
• BAs subject to direct enforcement for failure to comply with HIPAA privacy rule
• At present, there is no requirement for a BA to have a privacy officer, policies and training
• Question: How should BAs demonstrate the steps they have taken to be compliant?
SECURITY RULE - CURRENT RULE
• Covered entities must comply with administrative, physical and technical safeguards (and require BAs to comply as well)
– Administrative – assigning or delegating security responsibilities to employees; training
– Physical – protect electronic systems and data from threats, environmental hazards, and unauthorized access
– Technical – IT functions to protect and control access to data
SECURITY RULE - POST HITECH
• BAs directly subject to administrative, physical and technical safeguards as if they were covered entities
• BAs will have to have a security officer, develop written policies and procedures, document security compliance actions, and train workforce
BREACH NOTIFICATION
• BAs must notify covered entities of security breaches they discover
• BA’s responsibility if it knows of a pattern of activity or practice by covered entity that is a breach of BA Agreement
– Terminate agreement
– Report to HHS if termination not feasible
BUSINESS ASSOCIATE CONTRACTS
• “Additional” requirements of HITECH relating to privacy and security shall be incorporated into BA agreements
• Differing interpretations as to scope of amendments of BA agreements
WHAT TO DO?
• BUSINESS ASSOCIATES
– Engage in a HIPAA security compliance process
• Risk analysis and risk management process
• Develop policies and procedures
– Evaluate how to implement compliance for privacy obligations
– Revisit BA agreements
– Downstream agreements?
WHAT TO DO?
• COVERED ENTITIES
– Amend BA agreements
– Plan for requests for amendments to existing agreements
– Develop a strategy for downstream entities (“sub business associates”)
USE AND DISCLOSURE OF PHI
GENERAL
• Except for TPO, written authorization required for use or disclosure of PHI
• Requires Individual Authorization if
– Used for Marketing
– Used and Disclosed to Non-Health Related Entities
– Sale, Rental or Barter
– Psychotherapy Notes
GENERAL – Marketing and Fundraising
• Issue: “Healthcare Operations”?
• Healthcare Operations
– Quality assessment and improvement activities
– Professional competence evaluations and training programs
– Conducting and arranging for medical review, legal services and auditing functions, including compliance programs
– Business planning and development
– Business management and general administrative activities
MARKETING
• Current Rule: Communications that encourage the recipient to purchase or use a product or service are “marketing” and require an authorization, except:
– Describing a product/service included in CE’s benefit plan
– For treatment
– Case management/care coordination or to recommend alternative treatments to an individual
MARKETING
• Under HITECH, receiving compensation for these communications changes the rules.
– Such communication is not healthcare operations
• EXCEPTIONS
– Communication by CE describing ONLY a drug or biologic that is currently being prescribed to recipient, or
– CE or BA receives Valid Authorization from recipient
– Communication by BA must be on behalf of CE and consistent with Business Associate Agreement (BAA)
– Payment received is “reasonable in amount” – TBD
FUNDRAISING
• Fundraising activities considered healthcare operations
• The Act continues to permit fundraising activities by the provider using a patient’s PHI so long as any written fundraising provides an opportunity to opt out of future fundraising communications
• If the recipient chooses to opt out of future fundraising communications, that choice is treated as a revocation of authorization
– Result: does not change substance of rule, but increases importance of tracking authorizations
• Cannot be denied treatment as a result of opting out
• DHHS to promulgate regulations
MINIMUM NECESSARY
• Whenever a CE uses or discloses PHI or requests such information from another CE, it must make reasonable efforts to limit the information to the “minimum necessary” to accomplish the intended purpose of the use or disclosure.
– HITECH puts medical necessity determination on the disclosing CE
• Under the Act, Secretary must develop guidance within 18 months from enactment on what constitutes the minimum necessary
• The Secretary must take into consideration the information necessary to improve patient outcomes and to manage chronic disease
• Prior HIPAA exceptions still apply
– Request by a healthcare provider for treatment purposes
– Disclosure of “limited data set” for specified purposes (e.g., research) pursuant to a data use agreement
ACCOUNTING OF PHI DISCLOSURES
• General Rule -- Individuals have a right to an accounting of disclosures of their PHI by a CE during the previous six years, except for TPO use and disclosures
• HITECH extends right to an accounting to CE for TPO uses and disclosures during the previous 3 (rather than 6) years if via EHR
• Effective date of provision depends on when CE acquires EHR
– If acquire EHR after 1/1/09 – eff. 1/1/11
– If acquire EHR before 1/1/09 – eff. 1/1/14
• Secretary required to issue regulations within 18 months
DISCLOSURES TO HEALTH PLANS
• Current Rule: CE not required to comply with a restriction on CE’s use and disclosure of PHI
• New Rule: Where individual pays for service out of pocket, CE may not refuse to restrict use and disclosure to a health plan where disclosure is for payment or health care operations
– CE must have a mechanism to flag
– This is a challenge if CE allows health plans to access EHRs to confirm medical necessity
WHAT TO DO?
• Keep an eye on upcoming regulations
• Review IT capabilities for new accounting responsibilities
– Not effective until 1/1/2011 at the earliest
• Does a use or disclosure activity fit within “Healthcare Operations”?
INCREASED ENFORCEMENT AND PENALTIES
Enforcement
• A violation of HITECH by a covered entity is subject to HIPAA’s criminal and civil penalties.
• The Secretary of HHS is required to conduct “periodic” audits to ensure that covered entities and business associates are complying with HITECH and HIPAA.
Enforcement
Enforcement by State Attorneys General
• HITECH permits State Attorneys General to bring civil actions in federal district court on behalf of their residents for violations of HIPAA
• to enjoin further violations
• to obtain damages ($100 per violation; Limit of $25,000 for all violations of an identical requirement in a calendar year).
Safeguarding Access to Health Information and Medical Identity: Breach Notification
January 28, 2010
Presented by:
Salvatore G. Rotella, Jr.
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
(215) 665-3729
(215) 701-2129 (fax)
[email protected]
Breach Notification Law and Regulations
• “Notification in the case of breach” -- Section 1342 of HITECH (the Health Information Technology for Economic and Clinical Health Act), 42 U.S.C. § 17932
• HITECH is part of the Stimulus Bill (American Recovery and Reinvestment Act of 2009)
• CMS issued interim final rule, “Breach Notification for Unsecured Protected Health Information,” on August 24, 2009 (74 Fed. Reg. 42740), 45 C.F.R. § 164.400-164.414
Overview of Response to Potential Breach
• Determine if there was a breach
• Give notice to affected individuals
• Give notice to media (if necessary)
• Give notice to HHS (now or later)
• Address state law issues
Was there a breach? (Definitions)
• Breach: the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information – i.e., poses a significant risk of financial, reputational, or other harm to the individual
• PHI: any information, whether oral or recorded in any form or medium, that is created or received by a Covered Entity that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that either identifies or can be used to identify the individual
Was there a breach? (Questions to ask)
• Was PHI involved?
• Was PHI unsecured? Only deemed not unsecured if PHI was encrypted or destroyed.
– Encrypted? Algorithmic process used to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
• Process must meet National Institute of Standards and Technology (NIST) publication requirements for “data at rest” (in databases) or “data in motion” (moving through network) – www.csrc.nist.gov
– Destroyed?
• Paper, film, or other hard copy shredded or destroyed
• Electronic media purged or destroyed consistent with NIST publication requirements
Was there a breach? (Questions to ask)
• Was there acquisition, access, use, or disclosure in violation of the Privacy Rule?
• Do any of the three exceptions to breach apply?
– Unintentional, good faith use by workforce employee within scope of employment and no further impermissible use
• Nurse mistakenly sends email with PHI to billing employee, who tells nurse and deletes email
– Inadvertent disclosure by one workforce member authorized to access PHI to another, and no further impermissible use
– Covered Entity/Business Associate reasonably believes that unauthorized person to whom information was disclosed would not have been able to retain it
• EOB sent in the mail to wrong patient comes back unopened as undeliverable
Was there a breach? (Questions to ask)
• Does the use or disclosure of PHI pose a significant risk of financial, reputational, or other harm to the individual whose PHI is at issue?
– Who impermissibly used or disclosed the PHI, and to whom was it disclosed?
– Any immediate steps taken to mitigate potential harm of use or disclosure (e.g., assurance from recipient that he or she destroyed PHI)?
– Whether PHI was returned prior to it being accessed for an improper purpose?
– Type and amount of PHI used or disclosed
– If disclosed PHI was in a Limited Data Set, the risk of re-identification of the individual
Notice to Affected Individuals (Timing of Notice)
• Give notice to affected individuals without unreasonable delay and within 60 days of discovery of breach
• Breach considered discovered as of first day it is known to Covered Entity or its agent, or would have been discovered by either through exercise of due diligence
• Business Associate contracting issues for CE
– Provision stating that Covered Entity and Business Associate are independent contractors
– Provision requiring Business Associate to notify Covered Entity of potential breach within 5 days
– Provision requiring Business Associate to indemnify Covered Entity for cost of providing notification
Notice to Affected Individuals (Content of Notice)
• Brief description of incident, including date of breach and discovery
• Description of types of unsecured PHI that were involved
• Steps individuals should take to protect themselves from potential harm resulting from breach
• Brief description of what Covered Entity is doing to investigate breach, mitigate harm, and protect against future breaches
• Contact procedures to learn more (toll-free phone number, email address, website, or postal address)
• Federal Trade Commission website and toll-free number (in light of State identity theft laws)
Notice to Affected Individuals (Methods of Notification)
• Written notice by first class mail, if Covered Entity has contact info
– To next of kin if deceased, to personal representative if minor
– May provide notice by email, if individual has agreed to receive electronic notices
• Substitute notice, if Covered Entity does not have contact info
– 9 or fewer affected individuals: by alternative form of written notice, telephone, or other means
– 10 or more affected individuals:
• Through 90-day posting on CE’s website or notice in major print or broadcast media in geographic areas where the affected individuals likely reside
• Include toll-free number active for 90 days with info on breach
• Urgent notice, if there’s possible imminent misuse: notice by telephone or other appropriate means in addition to written notice
Notice to Media
• If breach of unsecured PHI involved more than 500 residents of a single State or jurisdiction (e.g., city or town), notice must be given to “prominent media outlets serving the State or jurisdiction”
• Media notice is in addition to written notice to affected individuals
• Media notice must meet same timing and content requirements as written notice
• Most covered entities will issue press release to meet media notice requirement
Notice to HHS
• Breach involving 500 or more individuals: Covered Entity must notify Secretary of HHS as soon as reasonably possible and not later than sixty (60) calendar days following discovery. Notice to be submitted electronically on form found at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
• Breach involving fewer than 500 individuals: Covered Entity must provide a log of all such breaches to the Secretary within 60 days of the end of the calendar year. Notice to be submitted electronically on form found at website.
Law Enforcement Delays
• If law enforcement official states to Covered Entity that notification would impede a criminal investigation or cause damage to national security, Covered Entity must:
– If statement is in writing and specifies length of delay, delay notification accordingly
– If statement is oral, document statement, and delay notification for no longer than 30 days from date of statement (unless written request for delay is also made in that time)
State Law Issues (Overview)
• 45 States, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. See National Conference of State Legislatures, December 9, 2009 posting.
• Various bills introduced in Congress to create federal law to protect all personal information maintained in electronic format by businesses engaged in interstate commerce
– Data Accountability and Trust Act (passed by House in December 2009)
– Personal Data Privacy and Security Act of 2009 (introduced in Senate in July 2009 and in committee)
• State laws are not preempted by HITECH to the extent Covered Entity can comply with both
State Law Issues (Focus on Identity Theft)
• State laws generally apply if a breach involves an impermissible use or disclosure of personal information maintained in an electronic format
• Personal information defined as the first name or first initial and last name of an individual who is a resident of the State, linked with one of the following data elements:
– social security number;
– driver’s license or State identification card number; or
– account number or credit/debit card number, in combination with PIN.
State Law Issues (Notice Obligations)
• State laws require Covered Entity to provide notice to affected individuals in a format substantially similar to HITECH requirements
• If the breach involves more than 1,000 affected individuals, also notify all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by subsection (b) of section 603 of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a), of the timing, distribution and number of notices
State Law Issues (Pennsylvania)
• Pennsylvania: Breach of Personal Information Notification Act, 73 P.S. § 2301 et seq.
• Law enforcement request for delay must specifically reference PA law (73 P.S. § 2304)
• “An entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity’s primary or functional Federal regulator shall be in compliance with this act” (73 P.S. § 2307(b)(2))
State Law Issues (New Jersey)
• New Jersey: New Jersey Identity Theft Prevention Act, N.J.S.A. § 56:8-163
• Must alert State Police of breach of personal information before providing notice to affected individuals
• “Notwithstanding subsection [d] of this section, a business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of this section, shall be deemed to be in compliance with the notification requirements of this section if the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system.” N.J.S.A. § 56:8-163(e)
Safeguarding Access to Health Information and Medical Identity: Identity Theft Red Flags Rule
January 28, 2010
Presented by:
Katherine M. Layman
Cozen O’Connor
1900 Market Street
Philadelphia, PA 19103
(215) 665-2746
(215) 701-2446 (fax)
[email protected]
Overview
• The Red Flags Rule implements certain sections of the Fair and Accurate Credit Transactions Act of 2003, and requires financial institutions and creditors with covered accounts to develop, implement, and administer a written Identity Theft Prevention Program designed to detect the warning signs – or "red flags" – of identity theft, take steps to prevent the crime, and mitigate any damage
Overview
• The Rule was enacted in November 2007 but enforcement has been delayed several times due to concerns regarding who constitutes a “creditor” and thus, is subject to the Rule
• Enforcement is currently set to begin June 1, 2010
Applicability
Who Must Comply:
– Financial institutions
• State or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer
– Creditors
• Very broadly defined
• Includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later
• May include health care providers that bill insurers and are not actually paid until after services are rendered
Covered Accounts
• Rule applies to “covered accounts” maintained by financial institutions and creditors
– Two types of covered accounts:
• a consumer account you offer your customers that is primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. E.g., credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts.
• any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. E.g., small business accounts, sole proprietorship accounts, or single transaction consumer accounts that may be vulnerable to identity theft.
Identity Theft Prevention Program
• If you are a creditor or financial institution with covered accounts, you must develop and implement a written Identity Theft Prevention Program.
• The Program must be:
– designed to prevent, detect, and mitigate identity theft in connection with the opening of new accounts and the operation of existing ones, and
Identity Theft Prevention Program (Cont’d)
– appropriate to the size and complexity of your business or organization and the nature and scope of its activities. A company with a higher risk of identity theft or a variety of covered accounts may need a more comprehensive Program.
How to Comply: A Four Step Process
STEP 1: Identify relevant red flags
• What are “red flags”?
– Potential patterns, practices, or specific activities indicating the possibility of identity theft
• Although there’s no one-size-fits-all approach, consider:
– Risk Factors
– Sources of Red Flags
– Categories of Common Red Flags
How to Comply (Cont’d)
• Five categories of red flags:
– Notifications, alerts, or warnings from a consumer reporting agency;
– Suspicious documents;
– Suspicious personally identifying information;
– Unusual use of, or suspicious activity relating to, a covered account; and
– Notices from consumers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
How to Comply (Cont’d)
• When determining which red flags exist, creditors should consider:
– Past incidents of identity theft;
– Previously identified methods of identity theft that reflect changes in identity theft risks; and
– Applicable supervisory guidance
How to Comply (Cont’d)
STEP 2: Detect red flags
• Set up procedures to detect those red flags in your daily operations
– New Accounts
» Reasonable procedures may include getting a name, address, and identification number and, for in-person verification, checking a current government-issued identification card, like a driver’s license or passport
– Existing Accounts
» Reasonable procedures to authenticate customers (confirming that the person you’re dealing with really is your customer), monitor transactions, and verify the validity of change-of-address requests
How to Comply (Cont’d)
STEP 3: Prevent and mitigate identity theft
• If you spot the red flags you’ve identified, respond appropriately to prevent and mitigate the harm done. Your response depends upon the degree of risk posed.
• Appropriate responses include:
– monitoring a covered account for evidence of identity theft
– contacting the customer
– changing passwords, security codes, etc.
– closing an existing account
– reopening an account with a new account number
– notifying law enforcement
– determining that no response is warranted under the particular circumstances
How to Comply (Cont’d)
STEP 4: Update your program
– The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics. Thus, creditors should update the Program periodically to reflect current identity theft risks.
– Factors to consider include:
• the creditor’s experience with identity theft;
• changes in identity theft methods;
• changes in new methods to detect, prevent, and mitigate identity theft;
• changes in the accounts the creditor offers; and
• changes in the creditor’s business and arrangements
Administering the Program
• The board or an appropriate committee (or if no board, someone in senior management) must:
– Approve the initial written Program;
– Oversee, develop, implement, and administer the Program (board may designate a senior employee to do so);
– Assign specific responsibility for the Program’s implementation;
– Review staff reports regarding the organization’s compliance;
– Approve changes to the Program; and
– Train appropriate staff
Administering the Program (Cont’d)
• Reports:
– The person responsible for the Program should report at least annually to the board or a designated senior manager regarding compliance
– Report should evaluate the effectiveness of the Program in addressing the risk of identity theft, monitoring of service provider arrangements, significant incidents of identity theft and responses, and recommended changes to the Program
Administering the Program (Cont’d)
• Service Providers:
– Creditor must monitor the activities of its service providers (those that perform activities in connection with covered accounts: opening or managing accounts, billing customers, providing customer service, collecting debts, etc.) and ensure that they take reasonable steps to detect, prevent, and mitigate identity theft
– Creditor may accomplish this by:
• Including a provision in contracts requiring provider to have appropriate policies and procedures and report red flags to creditor or respond appropriately
• Giving them a copy of creditor’s Program
• Reviewing providers’ red flags policies
• Requiring periodic reports about red flags and their response
Final Thoughts
• Several pieces of legislation were introduced in 2009 to restrict the definition of “creditor” and exempt certain businesses from the Rule; none have passed
• AMA objects to the FTC’s view that health care providers are covered by the Rule
• Prepare now for June 1 enforcement date, although it is possible the FTC will delay enforcement yet again