On December 4, 2003, the President signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) into law. It added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA). In November of 2007, the group of implementing agencies issued a final rule implementing the Act. The mandatory compliance date for the rule is November 1, 2008. Only recently has the FTC indicated that the rule applies to the health care sector. The Federal Trade Commission (FTC) will be the agency that enforces the rules for health care providers.
The rule is actually three different but related rules. The first rule applies to nursing facilities and assisted living facilities (hereinafter both referred to as “facilities”) that use credit reports. The second rule, pertaining to creditors, may apply to facilities. There is some uncertainty regarding its application, and AHCA is seeking an FTC opinion. The third and last rule, involving credit cards, does not apply to facilities.
- The first rule is referred to as the address discrepancies or verification of address rule. Users of consumer reports must develop reasonable policies and procedures to respond to any notice of an address discrepancy they receive from a consumer reporting agency. (Section 315 of the Act and 12 CFR Section 334.82 of the regulations.) This rule applies to facilities only to the extent they use consumer reports, i.e., credit reports (for example, to screen potential employees). Under this rule, criminal background checks are not considered consumer reports.
- The second rule requires that financial institutions and creditors holding consumer or other “covered accounts” must develop and implement a written identity theft prevention program that covers both new and existing accounts. (Section 114 of the Act and 12 CFR Section 681.2 of the regulations.) This rule may apply to facilities since the FTC currently appears to consider health care entities to be “creditors.” However, AHCA believes there are strong reasons why facilities should not be considered creditors under FACTA and is addressing this issue directly with the FTC. In the interim, we believe it is important for facilities to become familiar with the rules and to take steps towards compliance.
- The third rule provides that debit and credit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card. (Section 114 of the Act and 12 CFR Section 681.3 of the regulations.) This rule does not apply to facilities.
The rules are referred to as red flag rules because the regulation defines a “red flag” as a pattern, practice, or specific activity that indicates the possible existence of identity theft. Thus, an identity theft program must include a list of red flags pertinent to the nature, size and complexity of the entity.
As facilities become familiar with the rules, in preparation for developing an identity theft program, we advise that they review their compliance with the Health Insurance Portability and Accountability Act (HIPAA). There may be features of a facility’s HIPAA compliance program that, while not substituting for an identity theft program, might nevertheless complement the identity theft program and could be useful in meeting the requirements of the red flag regulations.
We have provided a comprehensive memorandum on the red flag rules prepared by our General Counsel, Reed Smith, for AHCA to distribute to members. The memo includes two attachments: (1) a sample form/checklist to help with compliance with the rule regarding consumer reports, and (2) illustrative examples of red flags provided in the final rule to assist with compliance with the rule covering creditors.
We will inform members immediately regarding a response from the FTC on the application of the “creditor” rule. In the interim, as indicated above, we believe it is important for facilities to take steps towards compliance. To assist with this effort, AHCA is working with the compliance workgroup of the Long Term Care Consortium to develop guidance on examples of red flags pertaining to the two applicable rules. We will be providing those to members shortly.
The following is a summary of the applicable rules and some suggestions for compliance.
I. Rule # 1 -- Address Discrepancies Or Verification Of Address Rule Regarding Use of Consumer Reports
This is the less onerous and burdensome of the two rules that apply to facilities. Many businesses use consumer reports, such as credit checks for employment purposes. If a facility does not use credit checks for employment purposes or for consideration of admitting private pay residents, the rule does not apply to the facility. Criminal background checks are not considered consumer reports.
If the report shows an address that is not the same as the one the applicant reported, the facility must take a few steps to investigate. The red flag regulations require that, in the event of an address mismatch and before making any decision based on the report, the recipient take steps sufficient to form a “reasonable belief” as to whether or not the applicant is who the person claims to be. If the facility is unable to form a reasonable belief that the person is who he claims to be, the facility may choose not to hire or admit the person. Importantly, there is no affirmative duty for the facility to report the discrepancy to the credit bureau or any other agency. The regulation requires companies to have a written policy in place. Please see the model checklist developed by Reed Smith and provided as Attachment A of the Reed Smith memo. This checklist is a good starting point for a policy and can be modified as needed.
II. Rule # 2 -- Creditors Providing Covered Accounts and the Identity Theft Prevention Program
Under this rule, creditors must establish a written identity theft prevention program to detect, prevent and mitigate the risk of identity theft pertaining to resident information in a covered account. In short, if a business entity extends credit to a consumer by establishing an account that permits multiple payments, the entity is a creditor offering a covered account and is subject to the red flag rules. The key issue is whether or not facilities are “creditors.” As we have already stated, AHCA believes there are strong reasons why facilities should not be considered creditors under FACTA and is addressing this issue directly with the FTC. In the interim, we believe it is important for facilities to become familiar with the rules and to take steps towards compliance.
While the regulations do not specify the precise nature of the program, the facility must be able to demonstrate that it has established policies and procedures to detect and respond to any identity theft red flags pertaining to covered accounts, i.e., policies and procedures:
- To identify red flags;
- To detect red flags; and
- To respond appropriately to red flags.
The program must be approved by the board of directors, if there is one, or senior management. In addition, the program must be periodically updated to reflect changes in risks. Significantly, the FTC has indicated that the program should be tailored to the size and complexity of the organization, and the nature and scope of its activities. Red flag risks in some settings, such as hospitals, may not be present in long term care. As with HIPAA, there is no “one size fits all” program.
There are two prongs to this second rule: (1) action that must take place at the time of admission to confirm the identity of the prospective resident, and (2) ongoing protection of resident records. In short, the responsibilities and duties under this final rule boil down to the following.
Upon admission, the facility must:
- Be sure that individuals at the time of admission are who they say they are;
- Develop a set of red flags that alert the facility when an individual being admitted does not appear to be who he says he is. Examples of red flags include:
  - Person presenting at admission is not who he/she claims to be;
  - Person using an insurance card that is not their own;
  - Person providing a billing address that is not theirs;
  - Person presenting an insurance card or government program card that appears to be altered or forged.
At that point, the facility should consider this information in proceeding with the admission. There is no duty under the red flag rules to report to the FTC or another agency. However, as discussed below, a facility’s response to a forged government program card could be to alert the applicable payor. Also, the facility may choose to refuse the admission, depending on any restrictions that may apply under state law. In short, the facility should develop a protocol about how to address these circumstances. This becomes part of the facility medical identity theft prevention program.
On an ongoing basis, the facility must:
- Be sure that the records of residents – both financial and medical information – are protected from identity theft;
- Develop a set of red flags to alert facility personnel that either the financial or medical information of a resident has been, or may be about to be, stolen; and
- Develop standard responses for what to do in the event of potential medical identity theft. In some cases, the response might be “Contact the Administrator.”
III. Consequences of Noncompliance With The Rules
Under FACTA, the FTC is authorized to bring civil actions in federal court for violations, seeking up to $2,500 for each separate violation. Additionally, the state attorneys general are authorized to bring civil actions on behalf of their state residents and may recover up to $1,000 per violation plus attorneys’ fees if successful.
At least one court has held there is a right to a private cause of action under most of the applicable sections of FACTA. However, the U.S. Court of Appeals for the Seventh Circuit recently held there was no private right of action. Nonetheless, some states may permit private actions by individuals under various state laws.
To our knowledge, there are no plans to actively audit organizations. Historically, however, a negative event, such as a security breach, an employee reporting noncompliance or a patient complaint, could lead to an investigation by the FTC; this is typically how the FTC operates. Once the FTC finds noncompliance, fines, future audits and ongoing reporting obligations are possible. Additionally, class actions under state law could follow.
If you have any questions regarding this or the Reed Smith Memorandum, please contact me, Elise Smith, at 202-898-6305 or email@example.com.
The implementing agencies are: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission). The rule is Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Joint Final Rules and Guidelines, 72 Federal Register 63718, November 9, 2007.
See http://www.ahcancal.org/facility_operations/hipaa/Pages/default.aspx
The Long Term Care Consortium is a group of members and AHCA staff whose mission is to provide leadership and guidance to the long term care profession, utilizing the member organizations' collective knowledge, expertise and information resources to reduce the overall burden of compliance with the Health Insurance Portability and Accountability Act (HIPAA) through collaboration on those initiatives that are common to the profession.
By reference to 15 USC 1695a(r)(5), the final rule provides that the term “creditor” means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
See Perry v. First National Bank, 459 F.3d 816 (7th Cir. 2006).