NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine




Title: Identity Theft Program
Effective Date: July 2009
NYU Langone Medical Center NYU Hospitals Center NYU School of Medicine

POLICY
It is the policy of the NYU Langone Medical Center to educate and train staff in the early identification of opportunities involving identity theft. Staff will be trained to verify identity and to authenticate and monitor transactions of patients, students, and staff, including validating requests for changes of personal information including home addresses in compliance with the requirements of the FTC Red Flag Rules. Accordingly, NYULMC has developed an Identity Theft Prevention Program ("Program") which is designed to meet the requirements of the Rules to identify, prevent, or mitigate identity theft. This written program is attached to this policy as Appendix A.

PROGRAM DESIGN
The Program is tailored to NYULMC's size, complexity and the nature of its operations, and is based upon the Medical Center's previous experience with Identity Theft associated with relevant covered accounts. The program contains mechanisms to:
- Identify Relevant Red Flags applicable to the type of credit extended and incorporate those red flags into the Program;
- Detect such Red Flags;
- Respond appropriately to any Red Flags that are detected to prevent theft and mitigate damages;
- Ensure that the program is updated periodically to reflect changes in risk.

The Program also addresses discrepancies related to consumer credit reports through procedures that:
- Help ensure that the person about whom a report is requested is the same as the subject of the report provided by the consumer reporting agency; and
- Provide the verified address of the subject back to the consumer reporting agency.

PURPOSE:
The U.S. Congress has provided protection for consumers from identity theft by enacting the Fair and Accurate Credit Act ("FACTA") and the Fair Credit Reporting Act ("FCRA").
FACTA directed the Federal Trade Commission ("the FTC") to issue regulations, now generally referred to as the Red Flag Rules ("the Rules"), which require financial institutions and creditors to adopt policies and procedures that protect consumers from identity theft. Red Flags are defined by the Rules as events which should alert an organization that there is a risk of identity theft. There are three sections of Rules that are relevant to Hospitals: (1) 16 C.F.R. 681.1 users of consumer reports; (2) 16 C.F.R. 681.2 financial institutions and creditors; and (3) 16 C.F.R. 681.3 issuers of debit or credit cards. As set forth in the Definitions sections below, NYULMC is a user of consumer reports and a creditor under the Rules, but not an issuer of debit or credit cards. Accordingly, NYULMC adopts this Policy to:
- Identify, prevent and mitigate identity theft in compliance with the Rules;
- Approve and establish an Identity Theft Prevention Program ("Program") (which is attached hereto as Appendix A);
- Appoint an Identity Theft Prevention Program ("Program") Administrator who has primary responsibility for oversight of the program.

APPLICABILITY:
All NYULMC personnel involved in the processing of personally identifying information as applied to the administration of covered accounts.

Definitions
The following Red Flag Rule definitions will apply to this Policy and the Program:

16 C.F.R. 681.1 users of consumer reports

Under the Rules, a user of consumer reports is someone who obtains a consumer report from a consumer reporting agency for legally permissible purposes, such as employment screening or background checks or credit purposes.

Application of Definition: NYULMC is a user of consumer reports as defined in the Rules.

16 C.F.R. 681.2 financial institutions and creditors
Under the Rules, a financial institution or creditor who offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program that will identify, detect, prevent and mitigate damages resulting from identity theft in connection with a covered account.

Creditor: For purposes of this component of the Rules, a creditor is defined under the FCRA as...[any] person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal or continuation of credit, as any assignees of an original creditor who participates in the decision to extend, renew or continue credit. (Emphasis added). 15 U.S.C.A 1691 (a)(e).

Credit: is defined as [the] right granted by a creditor to a debtor to defer payment or to incur debts and defer payment or to purchase property or services and defer payment therefore. 15 U.S.C.A. 1681 (a)(d).

Covered accounts: are accounts [established] primarily for personal, family or household purposes that involve or are designed to permit multiple payments of transactions, i.e. consumer accounts. Such accounts specifically include transaction and credit accounts, [Or] any other accounts for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Under the Rules, Identity Theft Prevention Programs are only required for these covered accounts.

Application of Definitions: NYULMC is a covered entity under the Rules because the Medical Center acts as a creditor by offering services for its patients prior to receiving payment. NYULMC also regularly extends, renews, or continues credit and by regularly arranging for the extension, renewal, or continuation of credit.
NYULMC Covered Accounts include all student, faculty, or staff accounts or loans for personal, family or household purposes that permit deferred or multiple payments or transactions, and are administered by the Medical Center or an authorized service provider. These NYULMC covered accounts include loans to students, Deferred Tuition Payments Plans, and funds due based on patient care services.

16 C.F.R. 681.3 issuers of debit or credit cards
Under the Rules, issuers of debit and credit cards must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.

Debit Card: means any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution, for the purpose of transferring money between accounts or obtaining money, property, labor, or services. 15 U.S.C. 1681a (3)

Application of Definitions: NYULMC does not issue debit or credit cards. The provision of the Rules does not apply to meal cards issued through the CBORD system for use in the hospital cafeterias and food carts. While these cards have some debit card functionality, they are stored value cards under the Rules rather than debit cards.

Other Relevant Definitions
Identifying Information: is any name or number that may be used alone or in conjunction with any other information to identify a specific person, including: name, address, telephone number, social security number, date of birth, driver's license or identification number, alien registration number, passport number, employer or taxpayer identification number.

Identity Theft: is a fraud committed or attempted using the identifying information of another person without authority.

Red Flag: is a pattern, practice or specific activity that indicates the potential for Identity theft.

Program Administrator: is the individual designated by the Senior Vice President for Finance and Budget to have primary responsibility for oversight of the Program.

Approved by: PCQAOC, September 16, 2009

APPENDIX A
The Identity Theft Prevention Program

I Identification of Red Flags
To identify relevant Red Flags, the NYULMC considers the types of Covered Accounts that it offers and maintains; the methods it provides to open and access the Covered Accounts, including in-person, mailed or online methods, and the NYULMC's previous experience with Identity Theft. NYULMC offers loans to students, and deferred payment plans. NYULMC also has patient billing and information accounts. These programs may involve accounts that qualify as covered accounts. The MC has consequently identified the following Red Flags:

Notifications or Warnings from Consumer/credit Reporting Agencies: Alerts, notifications, or other warnings received from consumer reporting agencies or service providers indicating:
- A credit freeze;
- Active duty alert;
- Address discrepancy in response to a credit report request, and
- Activity that is inconsistent with the usual pattern or activity of the account holder.

Suspicious Documents: Presentation of suspicious documents which appear to be altered, forged or inauthentic, including inconsistent appearance of photographs or physical description on a document with the person presenting it.

Suspicious Personal Identifying Information: Presentation of inconsistent personal identifying information such as:
- An inconsistent birth date;
- An address that does not match a prior address submitted on an application;
- A social security number, telephone number or address that is the same as that given by another account holder; or
- Repeated failure to provide identifying information on an application.
Suspicious Use or Activity in Covered Account: Unusual use of or other suspicious activity related to a covered account including, but not limited to:
- Requests made from non-issued e-mail account;
- Unofficial forms which are presented with requests for information;
- Mail returned as undeliverable; or
- Notice of change in payments for an otherwise consistent background information provided;
- The same identification used by multiple family members for patient services;
- Used an identification that does not match the presenting individual;
- Complaint from a recipient of healthcare services based on receipt of:
  - A bill for another individual
  - A bill for a product or service the patient denies receiving
  - A bill from a healthcare provider that the patient never patronized;
  - A notice from insurance benefits (or Explanation of Benefits) for healthcare services never received.

Alerts from Others: Notice from an account holder, victim of identity theft or law enforcement authorities that the Medical Center has opened or is maintaining a fraudulent account for a person engaged in Identity Theft.

II Detection of Red Flags
The Program is required to establish procedures for the detection of Red Flags in the designated areas of activity. These procedures are set forth below:

Opening of Covered Accounts: Identity verification of first-time account holders will be required, including presentation of identifying information such as name, date of birth, academic records or insurance card, and home address, which will be subsequently verified by review of driver's license, passport, or other government-issued photo identification and insurance company information.

Risk Assessment: A minimal number of instances of Identity Theft have been identified and reported as required by NYS regulation.

Existing Covered Accounts: Authentication of account holders and monitoring of transactions on the covered account will be required, including:
- Verification of the identity of account holders if they request information (in person, via telephone, via facsimile, via email);
- Verification of changes in banking information given for billing or payment purposes;
- Requests for billing address changes for Covered Accounts must be verified and means provided to account holders for notification of changed or incorrect billing addresses;
- Requests for medical records (identity should match photo on file/identification card) must include all appropriate release forms;
- Patients arriving for treatment need to provide proof of identity by government issued identification or insurance card copied and checked against data in existing records;
- Name, gender, and DOB matched against the patient presenting insurance card.

Risk Assessment: No Identity Theft has been experienced by NYULMC while maintaining the identified NYULMC covered accounts.

Consumer / Credit Report Requests: When a consumer/credit report request results in notice of address discrepancy from the reporting agency, Medical Center personnel will request written verification from the subject of the report that the address he/she provided is accurate, and once an address is verified, Medical Center personnel will report such address to the reporting agency.
III Responses to Red Flags
In response to the detection of Red Flags, Medical Center personnel will take the appropriate action to prevent and mitigate Identity Theft depending upon degree of risk posed by the Red Flags, including:
- Monitoring a Covered Account for suspicious activity;
- Denying access to the Covered Account until information is verified to eliminate Red Flags;
- Contacting the account holder to verify activity in the Covered Account;
- Changing passwords, security codes or other security devices;
- Closing and reopening the Covered Account;
- Refusing to open a new Covered Account;
- Notifying law enforcement;
- Determining that no response is warranted upon reasonable investigation of the particular circumstances.

IV Updating The Program
NYULMC shall update this Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to students, faculty members, or others or to the safety and soundness of NYULMC from identity theft based on such factors as:
- The experiences of NYULMC with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent, and mitigate identity theft;
- Changes in the types of accounts that NYULMC, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

V Methods For Administering The Program
Oversight of Program: This program shall be overseen by the Audit and Compliance Committee of the Board of Trustees. This oversight shall include:
- Implementation of the program by the Senior Vice President for Finance or designee;
- Reports prepared by staff regarding compliance by NYULMC with the Identity Theft Prevention Policy and Program shall be reviewed by the Senior Vice President for Finance or designee and the Vice President of Audit and Compliance with findings presented to the Audit and Compliance Committee; and
- Material changes to the Program as necessary to address changing Identity Theft risks shall be approved by the Audit and Compliance Committee.

Staff Training and Reporting: NYULMC personnel will be trained by or under the direction of the Program Administrator to effectively implement the Program and detect and respond to Red Flags. NYULMC will notify the Program Administrator of any incident of Identity Theft or the Medical Center's failure to comply with the Program. Medical Center personnel designated by the Program Administrator will report to the Program Administrator at least annually, or as requested. Such reports will include, among other relevant issues:
- The effectiveness of the specific policies and procedures for addressing the current risks of Identity Theft in connection with the Covered Accounts;
- Any significant incidents involving Identity Theft and the response taken; and
- Recommendations for material changes to the Program.

Oversight of Service Providers: In the event that the Medical Center contracts with an outside service provider to perform any activity in connection with Covered Accounts, the Medical Center will ensure that:
- The service provider's activities are conducted in accordance with reasonable policies and procedures designed to detect, prevent and mitigate risk of Identity Theft; and
- The service provider reviews the Program and reports any Red Flags to the Program Administrator or the designated Medical Center personnel with primary oversight of the service relationship.

Approved by: PCQAOC, September 16, 2009