Cracking Down on ID Theft
Complying with PCI DSS, Red Flags Rule
For example, any organization that accepts credit and/or debit cards must comply with the Payment Card Industry Data Security Standard, but many hospitals and clinics have overlooked this obligation, says security expert Tom Walsh (See: PCI DSS Compliance Tips).
Also, organizations that request consumer credit reports and report information to consumer reporting agencies generally must comply with the Identity Theft Red Flags Rule. "But the specific steps that are outlined in the Red Flags Rule legislation are best practices regardless of whether you're legally required to comply," stresses Jeremy Miller, director of operations at Kroll Fraud Solutions (See: Identity Theft Prevention Strategies). "Implementing ongoing training and conducting risk assessments are meaningful things that any organization can do."
PCI DSS Compliance
Compliance with the PCI DSS criteria, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That's because the PCI standard offers far more security specifics than HIPAA, including, for example, detailed password requirements, he notes.
"If an organization can meet all of the requirements of PCI, it's going to be in great shape when it comes to HIPAA security compliance," Walsh contends. "The problem is that most organizations just can't afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA."
The PCI Security Standards Council created the criteria, but the five leading credit card companies each maintain their own compliance and enforcement programs, Walsh notes, "and each has its own way to validate compliance." In many cases, banks or merchant service providers are now sending letters to organizations that have smaller payment card transaction levels and asking them to prove they are compliant by completing a self-assessment questionnaire, he explains. Organizations that handle larger volumes of transactions must have independent audits and frequent vulnerability tests.
A hospital or clinic should create an action plan to remediate any problems that it identifies in a risk assessment, Walsh says. Other key steps include creating a detailed credit card handling policy and training all staff members annually on how to carry it out.
The PCI standard applies only to those systems and applications used for storage, processing or transmission of cardholder data, Walsh notes. "That's why a lot of organizations try to segregate out credit card data transactions from their other operations," he says.
In May, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.
Red Flags Compliance
Under the Red Flags Rule, which became effective Jan. 1, 2008, organizations that extend credit to their clients must develop and implement written identity theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as "red flags," that could indicate identity theft.
At the end of last year, President Obama signed the Red Flag Program Clarification Act that re-defined the term "creditor" that's used to determine who must comply. As a result, the rule no longer automatically applies to entities that regularly permit deferred payments for goods and services, including professionals such as lawyers and physicians, who bill clients after services are rendered.
But that doesn't necessarily mean that all physician practices, or, for that matter, hospitals, are exempt from compliance, Miller notes. The rule still applies to any organization that obtains and uses consumer reports in connection with credit transactions and furnishes information to consumer reporting agencies, such as when a patient fails to pay a bill.
Miller stresses that healthcare organizations should work with their legal counsel to precisely determine if they must comply with the Red Flags Rule, because the issue is far from black-and-white.
Regardless of whether they must comply, however, healthcare organizations should add education on how to fight identity theft to their ongoing patient privacy protection training programs, Miller suggests. For example, staff needs to be trained on how to spot a fake ID or identify inconsistencies in a patient's intake forms.
"Education is key to helping fight against identity theft, and training programs can be a very cost-effective way to help reduce the chance that identity theft could occur," Miller says. "It's also important to ... implement an identity verification solution that's appropriate to your business."