NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

Transcription

1 Title: Identity Theft Prgram Effective Date: July 2009 NYU Langne Medical Center NYU Hspitals Center NYU Schl f Medicine POLICY It is the plicy f the NYU Langne Medical Center t educate and train staff in the early identificatin f pprtunities invlving identity theft. Staff will be trained t verify identity and t authenticate and mnitr transactins f patients, students, and staff, including validating requests fr changes f persnal infrmatin including hme addresses in cmpliance with the requirements f the FTC Red Flag Rules. Accrdingly, NYULMC has develped an Identity Theft Preventin Prgram ( Prgram ) which is designed t meet the requirements f the Rules t identify, prevent, r mitigate identity theft. This written prgram is attached t this plicy as Appendix A. PROGRAM DESIGN The Prgram is tailred t NYULMC s size, cmplexity and the nature f its peratins, and is based upn the Medical Center s previus experience with Identity Theft assciated with relevant cvered accunts. The prgram cntains mechanisms t: Identify Relevant Red Flags applicable t the type f credit extended and incrprate thse red flags int the Prgram; Detect such Red Flags; Respnd apprpriately t any Red Flags that are detected t prevent theft and mitigate damages; Ensure that the prgram is updated peridically t reflect changes in risk. The Prgrams als addresses discrepancies related t cnsumer credit reprts thrugh prcedures that: Help ensure that the persn abut whm a reprt is requested is the same as the subject f the reprt prvided by the cnsumer reprting agency; and Prvide the verified address f the subject back t the cnsumer reprting agency. PURPOSE: The U.S. Cngress has prvided prtectin fr cnsumers frm identity theft by enacting the fair and Accurate Credit Act ( FACTA ) and the Fair Credit Reprting Act ( FCRA ). FACTA directed the Federal Trade Cmmissin ( the FTC ) t issue regulatins, nw generally referred t as the Red Flag Rules ( the Rules ), which require financial institutins and creditrs t adpt plicies and prcedures that prtect cnsumers frm identity theft. Red Flags are defined by the Rules as events which shuld alert an rganizatin that there is a risk f identity theft. There are three sectins f Rules that are relevant t Hspitals: 16 C.F.R users f cnsumer reprts; (2) 16 C.F.R financial institutins and creditrs; and (3) 16 C.F.R issues f debit r credit cards. As set frth in the Definitins sectins belw, NYULMC is a user f cnsumer reprts and a creditr under the Rules, but nt an issuer f debit r credit cards. Accrdingly, NYULMC adpts this Plicy t: Identify, prevent and mitigate identity theft in cmpliance with the Rules; Apprve and establish am Identity Theft Preventin Prgram ( Prgram ) (which is attached heret as Appendix A); Appint an Identity Theft Preventin Prgram ( Prgram ) Administratr wh has primary respnsibility fr versight f the prgram. APPLICABILITY: All NYULMC persnnel invlved in the prcessing f persnally identifying infrmatin as applied t the administratin f cvered accunts. Definitins The fllwing Red Flag Rule definitins will apply t this Plicy and the Prgram: 16 C.F.R users f cnsumer reprts

2 Under the Rules, a user f cnsumer reprts is smene wh btains a cnsumer reprt frm a cnsumer reprting agency fr legally permissible purpses, such as emplyment screening r backgrund checks r credit purpses. Applicatin f Definitin: NYULMC is a user f cnsumer reprts as defined in the Rules. 16 C.F.R financial institutins and creditrs Under the Rules, a financial institutin r creditr wh ffers r maintains ne r mre cvered accunts must develp and implement a written Identity Theft Preventin Prgram that will identify, detect, prevent and mitigate damages resulting frm identity theft in cnnectin with a cvered accunt. Creditr: Fr purpses f this cmpnent f the Rules, a creditr is defined under the FCRA as...[any] persn wh regularly extends, renews, r cntinues credit; any persn wh regularly arranges fr the extensin, renewal r cntinuatin f credit, as any assignees f an riginal creditr wh participates in the decisin t extend, renew r cntinue credit. (Emphasis added). 15 U.S.C.A 1691 (a)(e). Credit: is defined as [the] right granted by a creditr t a debtr t defer payment r t incur debts and defer payment r t purchase prperty r services and defer payment therefre. 15 U.S.C.A (a)(d). Cvered accunts: are accunts [established] primarily fr persnal, family r husehld purpses that invlve r are designed t permit multiple payments f transactins, i.e. cnsumer accunts. Such accunts specifically include transactin and credit accunts, [Or] any ther accunts fr which there is a reasnably freseeable risk t custmers r the safety and sundness f the financial institutin r creditr frm identity theft. Under the Rules, Identity Theft Preventin Prgrams are nly required fr these cvered accunts. Applicatin f Definitins: NYULMC is a cvered entity under the Rules because the Medical Center acts as a creditr by ffering services fr its patients prir t receiving payment. NYULMC als regularly extends, renews, r cntinues credit and by regularly arranging fr the extensin, renewal, r cntinuatin f credit. NYULMC Cvered Accunts include all student, faculty, r staff accunts r lans fr persnal, family r husehld purpses that permit deferred r multiple payments r transactins, and are administered by the Medical Center r an authrized service prvider. These NYULMC cvered accunts include lans t students, Deferred Tuitin Payments Plans, and funds due based n patient care services. 16 C.F.R issuers f debit r credit cards Under the Rules, issuers f debit and credit cards must develp plicies and prcedures t asses the validity f a request fr a change f address that is fllwed clsely by a request fr an additinal r replacement card. Debit Card: means any card issued by a financial institutin t a cnsumer fr use in initiating an electrnic fund transfer frm the accunt f the cnsumer at such financial institutin, fr the purpse f transferring mney between accunts r btaining mney, prperty, labr, r services. 15 U.S.C. 1681a (3) Applicatin f Definitins: NYULMC des nt issue debit r credit cards. The prvisin f the Rules des nt apply t meal cards issues thrugh the CBORD system fr use in the hspital cafeterials and fd carts While these cards have sme debit card functinality, they are stred value cards under the Rules rather than debit cards. Other Relevant Definitins Identifying Infrmatin: is any name r number that may be used alne r in cnjunctin with any ther infrmatin t identify a specific persn, including: name, address, telephne number, scial security number, date f birth, driver s license r identificatin number, alien registratin number, passprt number, emplyer r taxpayer identificatin number.

3 Identity Theft: is a fraud cmmitted r attempted using the identifying infrmatin f anther persn withut authrity. Red Flag: is a pattern, practice r specific activity that indicates the ptential fr Identity theft. Prgram Administratr: is the individual designated by the Senir Vice President fr Finance and Budget t have primary respnsibility fr versight f the Prgram. Apprved by: PCQAOC, September 16, 2009

4 APPENDIX A The Identity Theft Prevent Prgram I Identificatin f Red Flags T identify relevant Red Flags, the NYULMC cnsiders the types f Cvered Accunts that it ffers and maintains; the methds it prvides t pen and access the Cvered Accunts, including in-persn, mailed r nline methds, and the NYULMC s previus experience with Identity Theft. NYULMC ffers lans t students, and deferred payment plans. NYULMC als has patient billing and infrmatin accunts. These prgrams may invlve accunts that qualify as cvered accunts. The MC has cnsequently identified the fllwing Red Flags: Ntificatins r Warnings frm Cnsumer/credit Reprting Agencies: Alerts, ntificatins, r ther warnings received frm cnsumer reprting agencies r service prviders indicating: A credit freeze; Active duty alert; Address discrepancy in respnse t a credit reprt request, and Activity that is incnsistent with the usual pattern r activity f the accunt hlder. Suspicius Dcuments: Presentatin f suspicius dcuments which appear t be alerted, frged r inauthentic, including incnsistent appearance f phtgraphs r physical descriptin n a dcument with the persn presenting it. Suspicius Persnal Identifying Infrmatin: Presentatin f incnsistent persnal indentifying infrmatin such as: An incnsistent birth date; An address that des nt match a prir address submitted n an applicatin; A scial security number, telephne number r address that is the same as that given by anther accunt hlder; r Repeated failure t prvide identifying infrmatin n an applicatin. Suspicius Use r Activity in Cvered Accunt: Unusual use f r ther suspicius activity related t a cvered accunt including, but nt limited t: Requests made frm nn-issued accunt; Unfficial frms which are presented with requests fr infrmatin; Mail returned as undeliverable; r Ntice f change in payments fr an therwise cnsistent backgrund infrmatin prvided; The same identificatin used by multiple family members fr patient services; Used an identificatin that des nt match the presenting individual; Cmplaint frm a recipient f healthcare services based n receipt f: A bill fr anther individual A bill fr a prduct r service the patient denies receiving A bill frm a healthcare prvider that the patient never patrnized; A ntice frm insurance benefits (r Explanatin f Benefits) fr healthcare services never received. Alerts frm Others: Ntice frm an accunt hlder, victim f identity theft r law enfrcement authrities that the Medical Center has pened r is maintaining fraudulent accunt fr a persn engaged Identity Theft. II Detectin f Red Flags The Prgram is required t establish prcedures fr the detectin f Red Flags in the designated areas f activity. These prcedures are set frth belw: Opening f Cvered Accunts: Identity verificatin f first-time accunt hlders will be required, including presentatin f identifying infrmatin such as name, date f birth, academic recrds r insurance card, and hme address, which will be subsequently verified by review f driver s license, passprt, r ther gvernment-issued pht identificatin ad insurance cmpany infrmatin.

5 Risk Assessment: A minimal number f instances f Identity Theft have been identified and reprted as required by NYS regulatin. Existing Cvered Accunts: Authenticatin f accunt hlders and mnitring f transactins n the cvered accunt will be required, including: Verificatin f the identity f accunt hlders if they request infrmatin (in persn, via telephne, via facsimile, via ); Verificatin f changes in banking infrmatin given fr billing r payment purpses: Requests fr billing address changes fr Cvered Accunts must be verified and means prvided t accunt hlders fr ntificatin f changed r incrrect billing addresses; Requests fr medical recrds (identity shuld match pht) n file/identificatin card) must include all apprpriate release frms; Patients arriving fr treatment need t prvide prf f identity by gvernment issued identificatin r insurance card cpied and checked against data in existing recrds; Name, gender, and DOB matched against the patient presenting insurance card; Risk Assessment: N Identity Theft has been experienced by NYULMC while maintaining the identified NYULMC cvered accunts. Cnsumer / Credit Reprt Requests: When a cnsumer/credit reprt request results in ntice f address discrepancy frm the reprting agency, Medical Center persnnel will request written verificatin frm the subject f the reprt that the address he/she prvided is accurate, and nce and address is verified, Medical Center persnnel will reprt such address t the reprting agency. III IV V Respnses t Red Flags In respnse t the detectin f Red Flags, Medical Center persnnel will take the apprpriate actin t prevent and mitigate Identity Theft depending upn degree f risk psed by the Red Flags, including: Mnitring a Cvered fr suspicius activity; Denying access t the Cvered Accunt until infrmatin is verified t eliminate Red Flags; Cntacting the accunt hlder t verify activity in the Cvered Accunt: Changing passwrds, security cdes r ther security devices; Clsing and repening the Cvered Accunt; Refuse t pen a new Cvered Accunt; Ntifying law enfrcement; Determining that n respnse is warranted upn reasnable investigatin f the particular circumstances. Updating The Prgram NYULMC shall update this Prgram (including the Red Flags determined t be relevant) peridically, t reflect changes in risks t students, faculty members, r thers r t the safety and sundness f NYULMC frm identity based n such factrs as: The experiences f NYULMC with identity theft; Changes in methds f identity theft; Changes in methds t detect, prevent, and mitigate identity theft; Changes in the types f accunts that NYULMC, including mergers, acquisitins, alliances, jint ventures, and service prvider arrangements. Methds Fr Administering The Prgram Oversight f Prgram: This prgram shall be verseen by the Audit and Cmpliance Cmmittee f the Bard f Trustees. This versight shall include: Implementatin f the prgram by the Senir Vice President fr Finance r designee; Reprts prepared by staff regarding cmpliance by NYULMC with the Identity Theft Preventin Plicy and Prgram shall be reviewed by the Senir Vice President fr Finance r designee and the Vice President f Audit and Cmpliance with findings presented t the Audit and Cmpliance Cmmittee; and Material changes t the Prgram as necessary t address changing Identity Theft risks shall be apprved by the Audit and Cmpliance Cmmittee.

6 Staff Training and Reprting: NYULMC persnnel will be trained by r under the directin f the Prgram Administratr t effectively implement the Prgram and detect and respnd t Red Flags. NYULMC will ntify the Prgram Administratr f any incident f Identity Theft r the Medical Center s failure t cmply with the Prgram. Medical Center persnnel designated by the Prgram Administratr will reprt t the Prgram Administratr at least annually, r as requested. Such reprts will include, amng ther relevant issues: The effectiveness f the specific plicies and prcedures fr addressing the current risks f Identity Theft in cnnectin with the Cvered Accunts; Any significant incidents invlving Identity Theft and the respnse taken; and Recmmendatins fr material changes t the Prgram. Oversight f Service Prviders: In the event that the Medical Center cntracts with an utside service prvider t perfrm any activity in cnnectin with Cvered Accunts, the Medical Center will ensure that: The service prvider s activities are cnducted in accrdance with reasnable plicies and prcedures designed t detect, prevent and mitigate risk f Identity Theft and; The service prvider reviews the Prgram and reprts and Red Flags t the Prgram Administratr r the designated Medical Center persnnel with primary versight f the service relatinship. Apprved by: PCQAOC, September 16, 2009