[FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM. Effective May 1, 2009

Transcription

1 [FACILITY NAME] IDENTITY THEFT PREVENTION PROGRAM Effective May 1, 2009 Because [FACILITY NAME] offers and maintains covered accounts, as defined by 16 C.F.R. Part 681 (the Regulations ), [FACILITY NAME] is required to develop and implement a written Identity Theft Prevention Program (the Program ). The Program serves to prevent, detect, and mitigate identity theft in connection with the opening of covered accounts and maintenance of existing covered accounts. I. Definitions As used herein, the specified terms shall be defined as follows: A. Covered account means an account receivable generated by [FACILITY NAME] for payment of goods or services subsequent to the delivery of such goods or services to the patient (even if payment is expected to be made by a third-party payer) and all paper and electronic records relating to or reflecting that receivable, but not including the underlying medical records. B. Identifying information is any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including: 1. Name, date of birth, address, telephone number, address 2. Social Security or employer taxpayer identification number 3. Health, disability, or other insurance plan identification number 4. Government-issued driver s license or identification number, alien registration number, government passport number 5. Checking and savings account and credit and debit card numbers or any other numbers or information that may be used to access a person's financial information or resources (e.g., PINs, passwords) 6. Biometric data (e.g., fingerprints) C. Identity theft means using or transferring without legal authority another person's means of identification with the intent to commit (or to aid and abet) any unlawful activity that constitutes a violation of law.

2 D. Medical identity theft occurs when someone assumes or attempts to assume the identity of another person through fraudulent means or false pretenses to obtain or attempt to obtain medical services or goods, or to make false claims for medical services or goods. E. Patient refers to an individual for whom [FACILITY NAME] provides medical goods or services, as well as the personal representative of such individual and any person responsible for payment for goods and services provided to the individual. F. "Red Flags" refers to those patterns, practices, and specific activities with respect to covered accounts which may signal identify theft. II. Oversight [JOB TITLE] shall be responsible for the implementation and operation of the Program with the full support and cooperation of the mangement team. [JOB TITLE] shall be responsible for the maintenance of appropriate documentation of [FACILITY NAME]'s identity theft prevention activities. [JOB TITLE] shall regularly communicate with employees directly involved in the Program's operations and provide at least annual reports to the Board of Directors concerning those operations. [JOB TITLE] shall continuously review and evaluate the Program's effectiveness in achieving its stated goals and make appropriate revisions or enhancements to the Program based on the following considerations: A. [FACILITY NAME] s experiences with identity theft B. Changes in prevalent methods of identity theft C. Advancements in strategies and technological solutions to detect, prevent, and mitigate identity theft D. Changes in types of accounts that [FACILITY NAME] offers or maintains E. Changes in [FACILITY NAME]'s business arrangements including mergers,acquisitions, alliances, joint ventures, and service provider arrangements F. Changes in or clarifications of legal requirements 2

3 II. Business Associate Notification Within thirty (30) days of the effective date of this Program, [JOB TITLE] or his/her designee shall identify those existing business associates who engage in activities on behalf of [FACILITY NAME] in connection with one or more covered accounts and provide written notice to those business associates concerning their duty to conduct such activities in accordance with reasonable policies and procedures designated to detect, prevent, and mitigate the risk of identity theft. Alternatively, [FACILITY NAME] may enter into a revised business associate agreement with such business associates which includes such requirements, and all business associate agreements into which [FACILITY NAME] enters after the effective date of this Program shall include such requirements. IV. Employee Education [JOB TITLE] shall develop and oversee the implementation of Red Flags training for employees. Such training shall address the requirements of this Program, including identification and detection of Red Flags and prevention and mitigation of identify theft. Initial training for those employees involved in opening or maintaining covered accounts shall be completed within thirty (30) days following adoption of this Program. Thereafter, such training shall be incorporated into the HIPAA Privacy and Security training for all new hires. [JOB TITLE] also shall arrange for appropriate follow-up training and targeted training in response to specific incidents. V. Identification of Relevant Red Flags [FACILITY NAME] has identified the following patterns, practices, and specific activities relating to patient registration and maintenance of covered accounts which may signal identify theft: A. Presentation of suspicious documents 1. Documents relating to or submitted by or an behalf of a patient appear to have been altered or forged 2. The photograph or physical description on the identification provided by a patient does not match his/her appearance 3. Other information listed on the identification provided by or on behalf of a patient is inconsistent with other information provided by or on behalf of the patient or currently on file with [FACILITY NAME] (e.g., address, date of birth) 3

4 B. Presentation of suspicious personal identifying information 1. Personal identifying information provided by or on behalf of a patient is inconsistent when compared against information on file with [FACILITY NAME] or external information sources used by [FACILITY NAME] (e.g., address or telephone number provided does not match any address on file or in existence, lack of correlation between Social Security number and date of birth) 2. The Social Security number provided has not been issued or is listed on the Social Security Administration s Death Master File. The following numbers are known to be invalid: the first three digits are in the 800, 900, or 000 range, are in the 700 range above 772, or are 666; the fourth and fifth digits are 00; or the last four digits are The Social Security or other identification number provided by or on behalf of a patient is the same as that submitted by another patient 4. Personal identifying information provided by or on behalf of a patient is associated with known or possible fraudulent activity as indicated by internal or third-party sources used by [FACILITY NAME] (e.g., address or telephone number provided by a patient is fictitious, a mail drop, or a prison; telephone number is invalid or is associated with a pager or answering service) 5. A patient fails to provide all required personal identifying information regarding himself/herself on any form or in response to notification that a form is incomplete 6. Patient provides an insurance policy number but cannot produce an insurance card or other documentation demonstrating insurance coverage C. Suspicious activities or communications related to a covered account 1. Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient (e.g., inconsistent blood type) 2. The patient disputes the validity of a bill, including a complaint or question related to a patient's receipt of a bill for another individual; a bill or EOB for a product or service furnished by [FACILITY NAME] the patient claims he or she did not receive; 4

5 or a bill from an [FACILITY NAME] provider from whom the patient did not receive care 3. Mail sent to the patient is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the patient's covered account 4. The patient notifies [FACILITY NAME] that he/she has not received a bill or account statement when one was expected 5. The patient complains about information added to a credit report by [FACILITY NAME], another healthcare provider, or insurer 6. The patient complains about or questions notice received from collection agency in connection with an [FACILITY NAME] bill 7. The patient or insurance company reports that coverage for legitimate services is denied because insurance benefits have been depleted or a lifetime cap has been reached D. Receipt of notice from a patient, a victim of identity theft, lawenforcement authority, or any other person or entity that a patient has been the victim of identity theft or that [FACILITY NAME] has opened a fraudulent account for a person engaged in identity theft VI. Detection of Red Flags [FACILITY NAME] shall make reasonable efforts to detect Red Flags in connection with the opening and maintenance of accounts using the following strategies: A. Patient registration process 1. [FACILITY NAME] shall undertake to inform and educate patients and prospective patients concerning [FACILITY NAME]'s requirements for the presentation of identifying information during the registration process to protect patients from identity theft. 2. Patients shall be required to provide the following information during the registration process. An employee should not offer identifying information, but request the person to provide information for validation (i.e., "What is your address?" rather than "Do you still reside on Elm Street?") a. Name, date of birth, address, telephone number(s) 5

6 b. Social Security number (or, in the case of a non-u.s. person 1, a passport number and country of issuance, an alien identification card number, or the number and country of issuance of a government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard) c. Presentation of driver s license, passport, state identification card, or other photo identification (such as employment identification) (scan or copy for inclusion in the patient record) d. Insurance card (if available) (scan or copy for inclusion in patient record) e. Signature verifying such information B. Access to patient records No employee shall provide a third party with access to a patient's records without having first confirmed the identity and authority of the person to whom access is to be granted. In the case of access granted to the patient, the procedure for confirming the person's identity shall be the same as that for registration process. C. Other interactions Every employee shall be attentive to the presence of Red Flags in the course of other interactions with patients and their identifying information including, but not limited to, the following: 1. An employee, while reviewing a medical history for a patient, identifies particular goods or services the patient denies ever receiving. 2. An employee is notified by an insurance company (or is contacted by a patient who has been notified by an insurance company) that coverage for certain services is denied due to a diagnosis or condition that the patient denies ever having. 3. An employee is contacted by a patient who has reviewed an Explanation of Benefits or his/her patient record that contains documentation regarding health care diagnosis or treatment that the patient denies ever having. 1 A non-u.s. person is a person who is neither a U.S. citizen nor a legal entity (such as a corporation, partnership or trust) that is established or organized under the laws of the United States or one of its states. 6

7 VII. Prevention and Mitigation of Identify Theft When a Red Flag is detected, or when identifying information is compromised, [FACILITY NAME] shall respond in a manner commensurate with the degree of risk posed, taking into account aggravating factors that may heighten the risk of identity theft, such as a data security incident resulting in unauthorized access to a patient s records held by [FACILITY NAME]. A. Internal reporting and investigation of Red Flags 1. Every employee has an affirmative obligation to be vigilant for any evidence of a Red Flag, and to immediately report any detected Red Flag (including a patient's inability to produce requested identifying information) using the reporting methods established in [FACILITY NAME] s compliance program. A supervisor receiving such report shall respond to the matter in an appropriate manner based on the circumstances and promptly notify [JOB TITLE] or his/her designee. 2. Upon notification of a detected Red Flag, [JOB TITLE] or his/her designee shall investigate and take appropriate action as necessary pursuant to established procedures for compliance-related investigations, including maintenance of appropriate documentation. B. Appropriate responses to suspected identity theft may include one or more of the following: 1. Communicating with the patient, insurance company, or other person or entity to resolve any identified discrepancy or other issue 2. Requiring the patient to produce additional documentation or obtaining such documentation from third party 3. Terminating or not commencing treatment until any identified discrepancy or other issue is resolved 4. Monitoring the account for evidence of identity theft 5. Reopening the account with a new account number 6. Imposing new security restrictions on the account (e.g., password protection) 7. Not opening a new account or closing an existing account 7

8 8. Referring a patient whose identity may have been compromised to resources which may assist in responding to and resolving identity theft 9. Notifying law enforcement (as permitted under [FACILITY NAME]'s HIPAA Privacy policies and procedures) 10. Determining that no response is warranted under the particular circumstances. C. Notification of suspected identity theft to the patient or other affected individual 1. Kansas Security Breach Notification Statute, K.S.A. 50-7a01 [JOB TITLE] or his/her designee shall evaluate incidents of suspected identity theft to determine whether notification is required under state law and provide such notice as necessary. The Kansas statute requires [FACILITY NAME] to notify persons residing in Kansas if their "computerized data" has been "accessed and acquired" by an unauthorized person," but only if [FACILITY NAME] determines that there is a reasonable likelihood that the computerized data "accessed and acquired" has been used or will be used for identity theft. For purposes of the statute, "personal information" means a person's name and at least one other piece of personal identifying information about that person, including the person's Social Security number. 2. HIPAA Privacy and Security Rules D. Other measures [JOB TITLE] with the assistance of the Privacy Officer, shall evaluate incidents of suspected identify theft to determine whether notification is required under [FACILITY NAME]'s HIPAA Privacy and Security Rules policies and procedures and provide such notification as necessary. If, through the course of its investigation, [FACILITY NAME] determines a patient's identifying information was improperly disclosed by [FACILITY NAME] or its business associate, and that such disclosure may place the patient or other individual at a heightened risk of identity theft, [FACILITY NAME] may, in appropriate circumstances, offer assistance to that individual to protect his/her identity, e.g., enrollment in an identity theft protection program, access to credit reports. 8

9 VIII. Consumer Report Alerts If [FACILITY NAME] for any reason receives a consumer report regarding a patient that includes a fraud alert or active duty alert, [FACILITY NAME] shall not establish any new account or make any new extension of credit for or to the patient, or extend the existing terms on the account, unless [FACILITY NAME] is able to verify the identity of the patient, through face-to-face contact or by calling a telephone number specified as the number to be used for identity verification purposes in the fraud or active duty alert or the consumer report of which it is a part. 9