PITTSBURGH CARE PARTNERSHIP, INC. COMMUNITY LIFE PROGRAM POLICIES AND PROCEDURES. Identity Theft Prevention Program Policy for Health Care Providers

Transcription

1 SUBJECT: Identity Theft Prevention Program Policy for Health Care Providers NUMBER: 1022 REG. REF.: Identity Theft Red Flags Rule (the Rule ), 16 C.F.R. 681, adopted by the Federal Trade Commission Adoption Community LIFE (the Provider ) has adopted this Identity Theft Prevention Program (the Program ) in compliance with the Federal Trade Commission s Red Flags Rule. This Program has been adopted by the Board of Directors/ audit committee of the Board of Directors after consideration of the size, complexity, and nature of the Provider s activities, operations, and account systems. I. Purpose The purpose of this Program is to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or an existing covered account, and to provide for the continued administration and periodic updating of the Program. II. Oversight, Administration, and Maintenance The Director of Corporate Compliance and Risk Management will serve as the Program Administrator. The Program Administrator will exercise appropriate and effective oversight over the Program. The Program Administrator shall be responsible for: LIFE; (1) Developing, implementing, and updating the Program throughout the Community (2) Ensuring appropriate training of Provider staff; (3) Reviewing any reports of suspected Red Flags and ensuring that an appropriate response has been taken; and (4) Ensuring compliance with this Program or an equivalent identity theft prevention program by service providers to the Provider who deal with Community LIFE s Covered Accounts, as discussed more fully in Section VIII below. The Program Administrator shall report at least annually to the Audit committee and the Board of Directors regarding any incidents of identity theft, the effectiveness of the Program, compliance with the Program, and recommended revisions or updates to the Program. The Program Administrator will ensure that the Program is reviewed at least annually to consider any changes in identity theft risks, technology, and/or Community LIFE s activities, operations, Page 1 of 5

2 or account systems. The Program Administrator recommends Program updates to the Audit committee and the Board of Directors to reflect any changes that may have occurred. In developing, implementing, and updating the Program, the Program Administrator will consult with, and/or obtain the participation of, all necessary Community LIFE staff to ensure that the Provider complies with the Program. III. Definitions A. Covered account means any account that the Provider offers or maintains primarily for personal, family, or household purposes, that involves deferred payment made in multiple payments or transactions over time. B. Client means any person with a covered account with or through the Provider. [NOTE: The persons falling within this definition may include patients as well as employees if the Provider offers loans to employees either directly, through a tuition repayment plan, or by providing loans from Provider-sponsored 401(k) or similar retirement plans.] C. Identifying Information means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, such as (but not limited to): 1. name; 2. address; 3. telephone number; 4. Social Security number; 5. date of birth; 6. government-issued driver s license or identification number; 7. government-issued passport number; 8. alien registration number; and 9. Employer or taxpayer identification number. D. Identity theft means a fraud committed using the identifying information of another person. E. Red Flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft. Page 2 of 5

3 IV. Identification of Red Flags In developing the following list of Red Flags, the Program Administrator consulted with all appropriate staff and evaluated risk factors in light of the Provider s activities, operations, and account systems. This evaluation considered information collected and maintained from clients when opening or in the course of maintaining a Covered Account. Based on that evaluation, the Program Administrator compiled the following list of Red Flags based on the risk factors unique to Community LIFE and in consideration of the Red Flags identified in the Red Flags Rule: A. Suspicious Documents 1. Identification document or card that appears to be forged, altered, or inauthentic; 2. Identification document or card on which a person s photograph or physical description is not consistent with the person presenting the document; 3. Other document with information that is not consistent with existing client information (such as if a person s signature on a check appears forged); 4. Application that appears to have been altered or forged; and 5. Medical information provided is inconsistent with an examination of the person. B. Suspicious Personal Identifying Information 1. Identifying information presented that is inconsistent with other information the client provides (example: inconsistent birth dates or Social Security numbers); 2. Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address in County Assistance office or Medicare data bases); 3. Identifying information presented that is the same as information shown on other applications that were found to be fraudulent; 4. Identifying information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address); 5. Social Security number presented that is the same as one given by another person; 6. An address or phone number presented that is the same as that of another person; 7. A person fails to provide complete personal identifying information on an application when reminded to do so; 8. A person s identifying information is not consistent with the information that is on file for the person; and 9. A person provides an insurance number, but no insurance card or other proof of insurance despite a request. Page 3 of 5

4 V. Detection of Red Flags PITTSBURGH CARE PARTNERSHIP, INC. The Program s general Red Flag detection practices are set forth here. The Program Administrator will develop and implement specific methods and protocols appropriate to meet the requirements of this Program. A. Enrollments In order to detect any Red Flags [identified above] associated with enrollment, Community LIFE staff will take the following steps to obtain and verify the identity of the person opening the account: 1. Require identifying information, such as name, date of birth, residential or business address, driver s license or other identification; 2. Verify the person s identity (for instance, review a driver s license or other identification card); and 3. Independently contact the person as appropriate, if not physically present. B. Existing Enrollees In order to detect any Red Flags [identified above] for existing Information, Community LIFE staff will take the following steps to monitor transactions with an account: 4. Verify the identification of clients if they request information (in person, via telephone, via facsimile, via ); 5. Verify the validity of requests to change billing addresses; and 6. Verify changes in banking information given for billing and payment purposes. VI. Response to Detected Red Flags Any staff member, who detects an identified Red Flag, will bring it to the attention of the Program Administrator. The Program Administrator and or their designee will investigate the threat of identity theft to determine whether the attempted transaction or information provided was fraudulent and will respond appropriately. The Program Administrator and or their designee will ensure that there is an appropriate response to any identified red flags after consulting, if necessary, with legal counsel, executive director and the board president. Page 4 of 5

5 VII. Training Community LIFE staff responsible for implementing the program, including anyone who handles information related to a covered account, such as administrative, management, enrollment, social work and accounts receivable staff shall be trained by or under the direction of the Program Administrator in the detection of Red Flags and the responsive steps to be taken when a Red Flag is detected. Such staff shall receive additional training regarding any changes made to the Program and may receive refresher training as appropriate. VIII. Service Contractors For any service contractor engaged by Community LIFE to perform an activity in connection with one or more covered accounts, Community LIFE will take the following steps to ensure the service contractor performs its activity in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Community LIFE will require that service contractors agree to have policies and procedures in place that are the same as, or substantially similar as, Community LIFES s Program. ORIGINAL DATE: July 17, 2009 REVISED DATE: February 14, 2012 PRECEDING REVISION DATE: Page 5 of 5