Posted by LeadingAge Washington
October 2009

IDENTITY THEFT PREVENTION PROGRAM

I.  Approval of Initial Written Identity Theft Prevention Program

_____ (“Facility”) developed this Identity Theft Prevention Program (“Program”) pursuant to the Federal Trade Commission’s Identity Theft Red Flags Rule (the “Rule”) to detect, prevent, and mitigate Identity Theft in connection with Facility’s Covered Accounts. Facility’s Board of Directors has determined that considering Facility’s size, complexity, and the nature of its operations, this Program, inclusive of the Red Flags identified in Exhibit A (“Relevant Identity Theft Red Flags”), is appropriate and approved the Program on April _____, 2009. Facility has designated _____ to serve as the Program Administrator.

[IMPLEMENTATION NOTE 1: The entity’s board, or an appropriate committee designated by the board, has the authority to approve the initial written Program. If the entity does not have a board, a designated employee at the level of senior management may approve the Program. Facility should consider creating an Identity Theft Committee. Such a committee may be a sub-committee of an already existing compliance committee. The Identity Theft Committee should be headed by the Program Administrator who shall be Facility’s Director of Billing & Collections or his or her designee.]

[IMPLEMENTATION NOTE 2: Before adopting this Program, the entity should review the attached Exhibit A to determine if any of the Red Flags included in the Exhibit are irrelevant to the entity’s operations and if additional Red Flags should be added. This assessment should be performed by people who have experience in issues related to billing, records, security, health information maintenance, and other relevant fields and should be reviewed by an attorney prior to seeking board approval. As stated below, even after initial approval, the Facility is required to periodically update the Program which includes assessing the Red Flags identified.]

II.  Purpose of the Program

The purpose of the Program is to detect, prevent, and mitigate Identity Theft pursuant to the Rule. Specifically, the Program includes reasonable policies and procedures that:

A.  Identify relevant Red Flags for the Facility’s Covered Accounts and incorporate those Red Flags into the Program;

B.  Detect Red Flags that have been incorporated into the Program;

C.  Respond appropriately to any Red Flags that are detected by the Facility to prevent and mitigate Identity Theft; and

D.  Ensure the Program is updated periodically to reflect changes in risks to the Facility’s Patients, as well as to the safety and soundness of the Facility from Identity Theft.

[IMPLEMENTATION NOTE 3: In the long term care context, consider replacing the term “patient” with “resident” throughout the Program. See definition of Patient below.]

III.  Identification of Red Flags

The list of Identity Theft Red Flags attached as Exhibit A identifies the Red Flags that are most relevant to the Facility. Exhibit A may be revised periodically. In identifying relevant Red Flags, the Facility should consider the types of Covered Accounts that exist, the methods it provides to open its Covered Accounts, the methods it provides to access its Covered Accounts, and previous experience with Identity Theft. The Red Flags generally fall within one of the following four categories: (i) suspicious documents; (ii) suspicious personal identifying information; (iii) suspicious or unusual use of a Covered Account; and (iv) alerts or notices from others (e.g., residents, Identity Theft victims, law enforcement, credit reporting agencies).

IV.  Detection of Red Flags

In order to facilitate the detection of the Red Flags identified in Exhibit A, Facility staff shall take reasonable steps to obtain Patient’s Identifying Information in order to verify the Patient’s identity. With respect to new Patients, Facility staff shall obtain and record Patient’s Identifying Information, such as the Patient’s legal name, date of birth, driver’s license, relevant addresses (including mailing, home, and business) and telephone numbers (including home, work and mobile). With respect to existing Patients, Facility staff shall take reasonable steps to identify and detect Red Flags such as authentication of an existing Patient’s identity when he or she comes in for an appointment. Facility staff shall also be alert for suspicious documents, suspicious personal identifying information, and notices of possible Identity Theft. Facility staff shall also monitor transactions for suspicious or unusual activities and verify the validity of requests to change a Patient’s address or banking information.

[IMPLEMENTATION NOTE 4: In the long term care context, the third sentence above should be deleted and the fourth and fifth sentences should be revised as follows: With respect to existing Covered Accounts, Facility staff shall be alert for suspicious documents, suspicious personal identifying information, and notices of possible Identity Theft. Facility staff shall also monitor transactions for suspicious or unusual activities, and verify the validity of requests to change a Patient’s address or banking information.]

V.  Preventing and Mitigating Identity Theft

In order to prevent and mitigate the effects of Identity Theft, Facility staff shall follow the appropriate procedures identified below to prevent and mitigate Identity Theft. In determining an appropriate response, Facility staff shall consider aggravating factors that may heighten the risk of Identity Theft, such as a data security incident that results in the unauthorized access to a Patient’s account records held by the Facility or a third party or a notice that a Patient has provided information related to a Facility’s Covered Account to someone fraudulently claiming to represent the Facility. Facility shall take one or more of the following steps, depending on the degree of risk related to the Red Flag:

A.  Monitor a Covered Account for evidence of Identity Theft and, if appropriate, flag Covered Account and place on hold, if necessary;

B.  Contact the Patient to request information regarding the Red Flag that was detected;

C.  Change any passwords, security codes, or other security devices that permit access to a Covered Account;

D.  Close an existing Covered Account;

E.  Not open a new Covered Account;

F.  Reopen a Covered Account with a new account number;

G.  Not attempt to collect on a Covered Account or not sell a Covered Account to a debt collector;

H.  Notify law enforcement, including the Medicaid Office of Inspector General if there is actual knowledge of Medicaid fraud and the U.S. Postal Inspection Service if the Identity Theft involved mail theft, if necessary;

I.  Notify the victim of Identity Theft if the Patient does not know Identity Theft has occurred; or

J.  Determine that no response is warranted under the particular circumstances.

Facility shall not condition the provision of emergency care on a Patient’s ability to provide Identifying Information. The process of confirming a Patient’s identity shall never delay the provision of an appropriate medical screening examination or necessary stabilizing treatment for emergency medical conditions.

[IMPLEMENTATION NOTE 5: Language regarding emergency care as stated in the paragraph above may not be relevant in the long term care context.]

To ensure that inaccurate health information is not inadvertently relied upon in treating a Patient, a Patient or third-party payer is not billed for services the Patient did not receive, and Patient health information is protected from inappropriate disclosures, Patient records shall be corrected when a case of Identity Theft occurs. Facility will make corrections to the Patient’s records to be certain the record does not contain incorrect information. Facility shall notify all parties that received incorrect information of the incident and provide them with corrected information. If the identity of the identity thief who received the services is not known, the Facility will create an Identity Theft record until such time as the identity of the thief is known or the required record retention period ends.

VI.  Program Administration and Updating

A.  Updating the Program

1.  Facility shall, at least annually, review the Program (including the list of Red Flags determined to be relevant) to ensure that it maintains its relevance and effectiveness with respect to risks to Patients or to the safety and soundness of the Facility from Identity Theft. Facility shall review and update the Program based on the following:

(a)  Facility’s experiences with Identity Theft, and changes in methods of Identity Theft;

(b)  Changes in methods of detecting, preventing and mitigating Identity Theft;

(c)  Changes in the types of Covered Accounts Facility maintains; and

(d)  Changes in the Facility’s business arrangements.

B.  Oversight of Program

1.  The Program must be overseen by the Board of Directors, an appropriate committee of the board, or a designated employee at the level of senior management. Oversight shall include:

(a)  Periodically determining, at least annually, whether or not the Facility maintains Covered Accounts by reviewing Facility’s accounts, including conducting a risk assessment to determine whether Facility maintains accounts for which there is a reasonably foreseeable risk to Patients or the safety and soundness of the Facility from Identity Theft. This assessment shall take into consideration how the Facility opens accounts, how it provides access to its accounts, and any previous experience with Identity Theft;

(b)  Assigning specific responsibility for the Program’s implementation;

(c)  Reviewing reports prepared by Facility staff regarding compliance with the Rule;

(d)  Approving material changes to the Program as necessary to address changes in Identity Theft risks; and

(e)  Exercising appropriate and effective oversight of service provider arrangements.

[IMPLEMENTATION NOTE 6: See implementation note 1, above, and determine if the board or a committee shall have the authority to oversee the Program. If the entity does not have a board, a designated employee at the level of senior management may oversee the Program. The Facility should consider creating an Identity Theft Committee. Such a committee may be a sub-committee of an already existing compliance committee. The Identity Theft Committee should be headed by the Program Administrator who shall be Facility’s Director of Billing & Collections or his or her designee.]

C.  Staff Training

1.  Facility shall train staff, as necessary, to effectively implement the Program.

D.  Reports

1.  Facility staff responsible for the development, implementation, and administration of this Program shall report to the Board of Directors, an appropriate committee of the board, or a designated employee at the senior management level at least annually regarding Facility compliance with the Program and Rule.

2.  The Reports shall address material matters related to the Program and evaluate issues such as the Program’s effectiveness, significant incidents involving Identity Theft and Facility’s response, and recommendations for material changes to the Program.

E.  Service Provider Arrangements

1.  If Facility engages a service provider to perform an activity in connection with one or more Covered Accounts, the Facility shall take the following steps, as reasonable, to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of Identity Theft.

(a)  Facility shall require, by contract, that a service provider have policies and procedures that meet the minimum standards set out in the Rule to detect relevant Red Flags that may arise in the performance of its activities involving the Covered Accounts; and

(b)  Facility shall require, by contract, that a service provider report the Red Flags to the Facility or take appropriate steps to prevent or mitigate Identity Theft.

VII.  Definitions

A.  Account – a continuing relationship established by a Patient with the Facility to obtain a product or service for personal, family, household or business purposes.

B.  Board of Directors -

C.  Covered Account – an account that the Facility maintains primarily for personal, family, or household purposes that involves or permits multiple payments or transactions or any other account that the Facility maintains for which there is a reasonably foreseeable risk to Patients or the safety and soundness of the Facility from Identity Theft.

D.  Creditor – any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

E.  Credit – the right granted by a Creditor to a debtor to defer payment of debt, or to incur debts and defer their payment, or to purchase property or services and defer payment therefor.

F.  Identity Theft – a fraud committed or attempted using the identifying information of another person without authority.

G.  Identifying Information – any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including a person’s name, social security number, date of birth, government issued driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number, unique biometric data such as image or other unique physical representation or unique electronic identification number, address, or routing code.

H.  Patient – any person who has a Covered Account with the Facility, including Patient’s responsible party, agent, power of attorney, or guardian.

I.  Red Flag – a pattern, practice or specific activity that indicates the possible existence of Identity Theft.


EXHIBIT A

RELEVANT IDENTITY THEFT RED FLAGS

I.  Suspicious Documents
A.  Documents provided for identification appear to have been altered or forged;
B.  The photograph or physical description on the identification is not consistent with the appearance of the Patient presenting the identification;
C.  Other information on the identification is not consistent with additional information provided by Patient or information is not consistent with readily accessible information that is on file with the Facility; and
D.  An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
II.  Suspicious Personal Identifying Information
A.  Identifying Information provided by Patient is inconsistent when compared against external information sources used by the Facility. For example, the social security number (“SSN”) has not been issued or is listed on the Social Security Administration’s (“SSA”) Death Master File. Note that the following SSNs are always invalid:
1.  The first three digits are in the 800, 900, or 000 range, are in the 700 range above 772, or are 666;
2.  The fourth and fifth digits are 00; or
3.  The last four digits are 0000.
B.  The address on an application is fictitious, or the phone number on an application is invalid or associated with a pager or answering service;
C.  Identifying Information provided by the Patient is not consistent with other Identifying Information provided by the Patient or information that is on file with the Facility. For example, there is a lack of correlation between the SSN range and the Patient’s date of birth;
D.  Identifying Information provided by the Patient is associated with known fraudulent activity as indicated by internal or third-party sources used by the Facility. For example, the address and/or telephone number on an application is the same as the address and/or telephone number provided on a fraudulent application; and
E.  The Patient opening the Covered Account fails to provide all required Identifying Information on an application or in response to notification that the application is incomplete. For example, the Patient has an insurance number but never produces an insurance card or other physical documentation of insurance.
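The “always invalid” SSN patterns in II.A.1 through II.A.3 are mechanical enough to be screened automatically at intake. The following Python is an added example, not part of the LeadingAge template; the intake records are constructed, and it assumes that “fourth and fifth digits are 00” refers to the two-digit group number in the middle of an AAA-GG-SSSS number.

```python
"""Screen SSNs against the Exhibit A, section II.A "always invalid" patterns.

Added example (not part of the Program template). Only the three structural
rules from II.A.1-3 are checked; SSA issuance and Death Master File lookups
are external sources the Facility would query separately.
"""
import re
from typing import Dict, List

# Accept AAA-GG-SSSS with or without the dashes; anything else is malformed.
_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_red_flags(ssn: str) -> List[str]:
    """Return the II.A red flags raised by one SSN; an empty list means none.

    A malformed value is reported as a flag rather than raising, because a
    Red Flag program wants every oddity surfaced for staff review.
    """
    m = _SSN_RE.match(ssn.strip())
    if not m:
        return ["malformed SSN (expected 9 digits, optionally as AAA-GG-SSSS)"]
    area, group, serial = int(m.group(1)), m.group(2), m.group(3)
    flags: List[str] = []
    # II.A.1: first three digits 000, 666, 800-999, or 773-799 (the 700 range above 772)
    if area == 0 or area == 666 or 800 <= area <= 999 or 773 <= area <= 799:
        flags.append(f"area number {area:03d} is never issued (II.A.1)")
    # II.A.2: group number (fourth and fifth digits) 00
    if group == "00":
        flags.append("group number 00 is never issued (II.A.2)")
    # II.A.3: serial number (last four digits) 0000
    if serial == "0000":
        flags.append("serial number 0000 is never issued (II.A.3)")
    return flags


def screen_intake(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map intake id -> red flags for every record that raised at least one."""
    return {pid: f for pid, ssn in records.items() if (f := ssn_red_flags(ssn))}


if __name__ == "__main__":
    # Constructed sample intake batch; none of these are real SSNs.
    SAMPLE_INTAKE = {
        "intake-001": "123-45-6789",   # passes all three structural rules
        "intake-002": "666-12-3456",   # II.A.1: area 666
        "intake-003": "900-00-0000",   # all three rules fire
        "intake-004": "773123456",     # II.A.1: 700 range above 772, no dashes
        "intake-005": "12-345-6789",   # malformed grouping
    }
    for pid, flags in screen_intake(SAMPLE_INTAKE).items():
        print(pid, "->", "; ".join(flags))
```

These ranges reflect SSA assignment practice as of 2009; after SSA introduced randomized assignment in June 2011, previously unassigned area numbers in the 700 range can be issued, while area 000, 666 and 900-999, group 00 and serial 0000 remain never issued.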
III.  Suspicious or Unusual Use of Covered Account
A.  Patient complains or inquires regarding receipt of:
1.  A bill for another individual;
2.  A bill for a product or service that the Patient denies receiving;
3.  A bill from a health care provider that the Patient never patronized; or
4.  A notice of insurance benefits (or Explanation of Benefits) for health services never received.
B.  Patient complains or inquires regarding non-receipt of paper account statement;
C.  Patient or insurance company reports that coverage for legitimate stay at Facility is denied because insurance benefits have been depleted or a lifetime cap has been reached;
D.  Patient complains or questions receipt of a collection notice from a bill collector; and
E.  Mail sent to the Patient is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the Patient’s account.
[IMPLEMENTATION NOTE 7: “C” above only applies in the context of an in-patient facility such as a hospital.]
IV.  Alerts, Notices, or Warnings from Others (Including Consumer Reporting Agency, Patients, Identity Theft Victims, Law Enforcement, or other Authorities) regarding Possible Identity Theft.
A.  A fraud alert is included with a consumer report;
B.  A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report;
C.  A consumer reporting agency provides a notice of address discrepancy[1];
D.  A consumer reporting agency indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of a Patient; and
E.  Facility is notified by a Patient, Identity Theft victim, law enforcement authority, or other person that Facility has opened a fraudulent account for a person engaged in Identity Theft.
