Medical Identity Theft Prevention Policy

SUBJECT: Medical Identity Theft Prevention Policy
NUMBER:
EFFECTIVE DATE:
SUPERSEDES SPP:
APPROVED BY: (signature)
DATED:
DISTRIBUTION:

I. STATEMENT OF PURPOSE: To define medical identity theft and outline various measures to prevent, identify and mitigate medical identity theft.

II. STATEMENT OF POLICY: [Insert name of hospital/provider here] is committed to protecting patient identification and health insurance information from theft and fraudulent use. All employees, medical staff members and affiliates are responsible for reporting actual and suspected patient medical identity theft and threats to the security of related information.

III. PROCEDURE:

  A. Definitions:
    1. Medical Identity Theft: According to the World Privacy Forum: "Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity such as insurance information without the person's knowledge or consent to obtain medical services or goods, or uses the person's identity information to make false claims for medical services or goods." [1]
    2. Covered Account: Any account that [insert name of hospital/provider here] offers or maintains, primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, including one or more deferred payments, or any other account of [insert name of hospital/provider here] for which there is a reasonably foreseeable risk to customers or to the safety and soundness of [list name of hospital/provider here] from identity theft. [2] Covered accounts include, but are not limited to:
      a. Non-emergency patient billing
      b. Patient payment plan
      c. [insert other accounts that have deferred payments]
    3. Red Flag: The World Privacy Forum defines a Red Flag as "a pattern, practice, or specific activity that could indicate identity theft." [3] Examples include:
      - A complaint or question from a patient based on the patient's receipt of: a bill for another individual, a bill for a product or service that the patient denies receiving, a bill from a healthcare provider that the patient never patronized, or a notice of insurance benefits (or Explanation of Benefits) for healthcare services never received.

      - Records showing medical treatment that is inconsistent with a physical examination or medical history as reported by the patient.
      - A complaint or question from a patient about receipt of a collection notice from a bill collector.
      - A patient or insurance company report that coverage for legitimate hospital stays is being denied because insurance benefits have been depleted, or that a lifetime cap has been reached.
      - A complaint or question from a patient about information added to a credit report by a healthcare provider or insurer.
      - A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
      - A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
      - A notice or inquiry from an insurance fraud investigator for a private insurance company or law enforcement agency. [4]
    4. Notice of an Address Discrepancy: A notice sent by a credit bureau to a person or business that requested a credit report that there is a discrepancy in the consumer/patient's address. [5] NOTE: The notice of address discrepancy triggers an investigation and management under the Red Flags Rule.

  B. General Information:
    1. The Federal Trade Commission's Identity Theft Red Flags Rule requires creditors to develop and implement written identity theft protection programs. [6] The [insert title of responsible individual] and the appropriate oversight committee are responsible for developing, implementing, administering and updating the program, upon approval by the governing body.
    2. The [insert title of responsible individual] is responsible for the oversight of the Medical Identity Theft Protection Program (Program).
    3. The [insert title of responsible individual] shall establish and coordinate a committee (Committee) for the Program. See Part F of this section regarding Committee duties.
    4. Committee members may include, but are not limited to, representatives from the following departments:
      a. Compliance
      b. Medical records
      c. Billing
      d. Patient registration
      e. Medical staff office
      f. Information technology
      g. Patient complaints/management

  C. Prevention of Medical Identity Theft
    1. Employee Background Check Procedures:
      a. Background checks will be conducted on all new employees (refer to [insert title of policy] policy for details regarding employee background checks).
    2. Patient Identification Procedures:
      a. Reasonable efforts will be implemented to verify the patient's identity when new or existing patient account transactions occur.
      b. New Patient Accounts:

        i. Verify patient identification (e.g., name, date of birth, address, driver's license, government issued picture identification, insurance card).
      c. Existing Patient Accounts:
        i. When applicable, verify patient identification (e.g., name, date of birth, address, driver's license, government issued picture identification, insurance card).
        ii. Verify the validity of requests for change of billing address.
        iii. Verify patient identification prior to providing personal information.
    3. Medical Record Security:
      a. All paper medical records and patient charts shall be maintained in a secured and/or designated area and/or under the complete control of an employee at all times. Please refer to [insert title of policy] policy for additional information.
      b. All computers will be password protected and locked when the operator is away from the computer. Please refer to [insert title of policy] policy for additional information.
      c. All computers located in patient care areas will be situated to avoid viewing by patients and visitors. Please refer to [insert title of policy] policy for additional information.
      d. Ensure that secure measures are in place for patients to access their electronic health records (EHRs). [7]
    4. Portable Electronic and Data Devices That Contain Patient Information:
      a. Employees, medical staff members and affiliates are accountable for maintaining the security of patient information that may be contained on laptops, thumb drives and other portable data devices.
      b. Any suspected or actual breaches or threats to the security of portable electronic and data devices must be immediately reported to the appropriate supervisor and to the compliance officer.
    5. Patient Education:
      a. Patients will be educated on medical identity theft [state when patients will be educated and how].
      b. Patient education includes, but is not limited to, review of:
        i. A definition of medical identity theft
        ii. How to identify medical identity theft
        iii. How to report actual and/or suspected medical identity theft
        iv. The patient's right to review and correct his/her medical record when discrepancies are identified and how to exercise this right - please refer to the [insert title of policy] policy for additional information.
        v. The patient's right to an accounting of medical record disclosures and how to exercise this right
        vi. The importance of guarding insurance card numbers and health insurance records
        vii. How to protect their insurance information and personal health information from family and friends [8]
      c. Patients will be educated about the Health Insurance Portability and Accountability Act (HIPAA) and standards for privacy. [9]
    6. Employee, Medical Staff Member and Affiliate Staff Education:
      a. [Insert title of responsible individual] is responsible for developing a training program.
      b. Employees, medical staff members and affiliates will be educated on the Program upon hire, on an annual basis and when significant changes have been made to the Program.
      c. Education will be provided by [insert title of responsible party].
      d. Documentation of the completion of education regarding the Program will be maintained as follows:
        i. Employee and affiliate documentation for the completion of education will be maintained in their [insert name of appropriate file].

        ii. Medical staff documentation for the completion of education will be maintained in their medical staff office file.
    7. Employee, Medical Staff and Affiliate Related Breaches to the Integrity of the Program:
      a. Any employee, medical staff member or affiliate who obtains and/or uses patient financial or medical information fraudulently is subject to disciplinary action, including but not limited to, termination and/or revocation of privileges.
      b. Fraudulent activities will be reported to law enforcement and other agencies as necessary.

  D. Identification, Management and Mitigation of Medical Identity Theft:
    1. Reporting Suspected and Actual Identity Theft:
      a. All employees, medical staff members and affiliates are expected to immediately report verbal or written notice (e.g., patient-generated reports, receipt of a notice of address discrepancy) of suspected or actual identity theft to their immediate supervisor and to the [insert title of responsible individual].
      b. The employee, medical staff member or affiliate who receives information regarding suspected or actual identity theft shall complete a Report of Suspected Identity Theft form (See Appendix B) and submit it to the [insert title of responsible individual] the same business day.
    2. Patient-generated Reports of Actual or Suspected Medical Identity Theft:
      a. Patient-generated reports of actual or suspected medical identity theft (e.g., receipt of bills for services not rendered, knowledge of someone else using their information to obtain medical services) will be investigated under the direction of the compliance officer.
        i. A written response, including the results of the investigation and actions taken, will be provided to the patient/guardian/surrogate.
    3. Investigation of Actual or Suspected Identity Theft:
      a. Investigations will be coordinated by the [insert title of responsible individual].
      b. Upon completion of the investigation, a written report will be completed at the direction of the [insert title of responsible individual] and will include:
        i. Details outlining the investigation
        ii. Measures taken to prevent a recurrence of a similar event, if applicable
        iii. Information regarding reports to law enforcement and/or outside agencies in response to confirmed identity theft
        iv. Information regarding all communications made to the patient/guardian/surrogate
    4. External Reporting of Confirmed Identity Theft:
      a. [Insert name of hospital/provider here]'s Program will comply with state data security breach notification laws.
      b. Confirmed medical identity theft shall be reported to law enforcement and appropriate agencies, at the direction of the [insert title of responsible individual].
      c. NOTE: Receipt of a Notice of Address Discrepancy from a credit bureau will trigger an investigation.
    5. Police and/or Agency Requests for Information and/or Investigation of Actual or Suspected Identity Theft:
      a. Requests for medical record information and/or billing/financial information (without a court order/subpoena) require the patient's authorization for release of medical information, according to [insert title of policy] policy.
      b. Any employee receiving a police or agency request for information and/or investigation shall immediately report it to the appropriate supervisor and to the [insert title of responsible individual].

      c. A Report of Suspected Identity Theft form shall be completed following police or agency requests for investigation.
    6. Medical Record Corrections:
      a. Please refer to the [insert title of policy] policy, which outlines patient rights under HIPAA, including the patient's right to request a correction/amendment to his/her medical records and the patient's right to an accounting of medical record disclosures.
      b. When incorrect information is identified in the patient's medical record as the result of actual or suspected fraudulent activities, the medical record will be corrected according to HIPAA guidelines and according to the [insert title of policy] policy.
      c. The patient will be notified when corrections are made to his/her medical record, according to [insert title of policy] policy.
      d. An alert will be placed in the patient's medical record to caution healthcare providers that a correction/amendment has been made to the patient's medical record.

  E. Service Provider Arrangements/Contractor Compliance:
    1. [Insert title of responsible individual] is responsible for the oversight of service provider arrangements in compliance with the Federal Trade Commission's Identity Theft Red Flags Rule.
    2. [Insert name of hospital/provider here] will require, by contract, that the contractors, business associates and other service providers that perform activities in connection with covered accounts have policies and procedures in place that are designed to detect, prevent and mitigate the risk of identity theft with regard to covered accounts.

  F. The Role of the Program Committee:
    1. The Committee shall develop and present the initial Program to the governing body for approval.
    2. The Committee shall update the Program on an annual basis and as needed to reflect changes in methods to prevent, identify and mitigate medical identity theft.
    3. Committee activities include, but are not limited to:
      a. Coordinating the annual medical identity theft risk assessment
        i. The Committee will evaluate the information gathered, determine potential areas for improvement, coordinate implementation of appropriate measures, and evaluate the effectiveness of the actions taken.
        ii. A summary of the risk assessment will be presented in a written report.
      b. Reviewing reported actual and suspected medical identity theft events
      c. Implementing measures to address events related to medical identity theft, including an evaluation of the effectiveness of actions taken
      d. Conducting and/or facilitating ongoing research to identify changes in methods to prevent, identify and mitigate medical identity theft
    4. The Committee shall report to the governing body, at least annually:
      a. Reports summarizing actual and suspected medical identity theft events (including actions taken and an evaluation of the effectiveness of actions taken)
      b. Reports summarizing Committee activities, including activities to mitigate the risk of medical identity theft
      c. Reports summarizing the annual risk assessment (including actions taken and an evaluation of the effectiveness of actions taken)
      d. Proposed updates to the Program

  G. The Role of the Governing Body:
    1. The governing body shall review and approve the initial Program.
    2. The governing body will review and approve all revisions to the Program.
    3. The governing body shall review Committee activities and a summary of medical identity theft reports on an annual basis and as determined by the Committee.

[Insert name of hospital/provider here] takes medical identity theft very seriously and is committed to ensuring appropriate security measures are in place to prevent medical identity theft and fraudulent use of information.

Chief Executive Officer Signature                Date

[title of responsible party] Signature           Date

This Program has been approved by the governing body on [insert date].

References

1. Pam Dixon, Medical Identity Theft: The Information Crime that Can Kill You, World Privacy Forum, May 3, 2006, p. 5.
2. 16 CFR 681.1(b)(3).
3. Robert Gellman and Pam Dixon, Red Flag and Address Discrepancy Requirements: Suggestions for Health Care Providers, Version 2, World Privacy Forum, September 25, 2009, p. 4.
4. Ibid., p. 8.
5. Ibid.
6. 16 CFR 681.1(b)(3).
7. Ponemon Institute, Fifth Annual Study on Medical Identity Theft, February 2015, p. 22, http://medidfraud.org/wp-content/uploads/2015/02/2014_medical_id_theft_study1.pdf, 06/09/2016.
8. Ibid., p. 2.
9. Ibid., p. 17.