Posted by Leadingage WASHINGTON
October 2009
TITLE: Red Flag
POLICY: (Community) has a program designed to detect, prevent and mitigate the incidence of identity theft with respect to the covered account(s) offered or maintained by the (community).
PURPOSE: To protect client health identity information.
To assist staff in the detection of potential identity theft.
PROCEDURE:
The Red Flag program is administered by the Board of Directors, or an appropriate committee of the Board, and the Compliance Officer of the Organization. The oversight of the plan includes:
- Assigning specific responsibility for the Program’s implementation;
- Reviewing reports prepared by staff regarding compliance; and
- Approving material changes to the Program as necessary to address changing identity theft risks.
Identification of Relevant Red Flags
The FTC lists the following categories of Red Flags that our program must identify and attempt to prevent:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
- The presentation of suspicious documents;
- The presentation of suspicious personal identifying information, such as a suspicious address change;
- The unusual use of, or other suspicious activity related to, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
Alerts, Notifications or Other Warnings
This category includes anything suspicious revealed by credit checks or other sources of credit-related information. Some examples of this category of red flags include:
- A fraud or active duty alert is included with a consumer report
- A notice of credit freeze issued in response to a request for a credit report
- A notice of address discrepancy is received
- A credit report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity established by the subject of the report. This can include a recent, significant increase in the volume of inquiries, an unusual number of recently established credit relationships, a material change in the use of credit that is not otherwise explained, or a notice that an account was closed for cause or identified for abuse of account privileges.
The Presentation of Suspicious Documents:
1. Identification documents, or supporting records such as medical records, appear to have been altered or forged, or are otherwise inconsistent with other records or with a physical examination of the senior.
2. The photograph or physical description on the identification is not consistent with the appearance of the senior or his/her family member, as the case may be.
3. Other information on the identification is not consistent with readily accessible information on file with the creditor, such as a signature or a recent check.
4. An application appears to have been altered or forged, or gives the appearance of having been destroyed or reassembled.
The Presentation of Suspicious Personal Identifying Information:
This would include the following:
- An address that doesn’t match any address in a credit report or other document.
- The Social Security Number (“SSN”) has not been issued or is listed on the Social Security Administration’s “Death Master File.”
- Personal identifying information provided by the senior is not consistent with other personal identifying information provided by the senior. Example: there is no correlation between the person's SSN range and the person's date of birth.
- Personal identifying information given by a senior is associated with known fraudulent activity. Example: the provider’s own information or information from a third party alerts the provider to the use of fraudulent information.
- Personal identifying information given by a senior is of a type commonly associated with fraudulent activity. Example: the address given is fictitious, a mail drop, a prison, or a hotel, or the phone number is invalid or is associated with a pager or answering service.
- The SSN provided by the senior is the same as that of another senior.
- The senior, or the senior's family member or other representative, fails to provide all required personal identifying information in response to notification that the information is incomplete. Example: a senior or family member provides an insurance policy number but cannot produce a written policy or insurance card.
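The indicators above are checks a billing or admissions system can run automatically at intake. The script below is an added illustration and is not part of the LeadingAge policy: it screens a batch of intake records for never-issued or malformed SSNs, SSNs that appear on a death list, one SSN shared by two accounts, addresses on a known mail-drop list, invalid phone numbers, and incomplete identifying information. The Death Master File, mail-drop list and intake records are all constructed stand-ins for the SSA, address-validation and credit-bureau sources a real program would query; the SSN-range-versus-date-of-birth correlation is not implemented. The structural SSN rule used (area 000, 666 and 900-999, group 00 and serial 0000 are never assigned) is published by the SSA.

```python
"""Screen intake records for the 'suspicious personal identifying information'
red flags.  Added example, not part of the LeadingAge policy; every reference
list and record here is constructed for the demonstration."""
import re
from collections import Counter

# Constructed reference data.  A production program would query the SSA Death
# Master File, a credit bureau and an address-validation service instead.
DEATH_MASTER_FILE = {"123-45-6789"}                              # constructed
MAIL_DROP_ADDRESSES = {"100 COMMERCIAL ST STE 200 SPOKANE WA"}  # constructed
REQUIRED_FIELDS = ("name", "ssn", "dob", "address", "phone", "insurance_id")


def ssn_never_issued(ssn):
    """True if the SSN is malformed or structurally impossible.
    SSA never assigns area 000, 666 or 900-999, group 00, or serial 0000."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", ssn or "")
    if not m:
        return True
    area, group, serial = m.groups()
    return (area in ("000", "666") or area >= "900"
            or group == "00" or serial == "0000")


def phone_invalid(phone):
    """Reject anything that is not ten digits with a NANP-style area code
    and exchange (first digit of each in 2-9)."""
    digits = re.sub(r"\D", "", phone or "")
    return not re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", digits)


def normalize_address(addr):
    """Uppercase, drop punctuation and collapse whitespace for list lookup."""
    cleaned = (addr or "").upper().replace(",", " ").replace(".", "")
    return " ".join(cleaned.split())


def screen(records):
    """Return {record_id: [red flag descriptions]} for records that trip a flag."""
    ssn_counts = Counter(r.get("ssn") for r in records if r.get("ssn"))
    flags = {}
    for r in records:
        found = []
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            found.append("incomplete identifying information: " + ", ".join(missing))
        ssn = r.get("ssn")
        if ssn:
            if ssn_never_issued(ssn):
                found.append("SSN not issued / malformed")
            if ssn in DEATH_MASTER_FILE:
                found.append("SSN on Death Master File")
            if ssn_counts[ssn] > 1:
                found.append("SSN shared with another senior's account")
        if normalize_address(r.get("address")) in MAIL_DROP_ADDRESSES:
            found.append("address is a known mail drop")
        if r.get("phone") and phone_invalid(r["phone"]):
            found.append("phone number invalid")
        if found:
            flags[r["id"]] = found
    return flags


# Constructed intake records: A1/A2 share an SSN, A2 uses a mail drop and a
# short phone number, A3 is on the death list and lacks an insurance ID,
# A4 presents an SSN with an impossible area number.
SAMPLE_RECORDS = [
    {"id": "A1", "name": "Pat Doe", "ssn": "219-09-9999", "dob": "1938-04-02",
     "address": "12 Elm St, Yakima, WA", "phone": "(509) 555-0142", "insurance_id": "H123"},
    {"id": "A2", "name": "Lee Roe", "ssn": "219-09-9999", "dob": "1941-11-20",
     "address": "100 Commercial St., Ste 200, Spokane, WA", "phone": "555-0100", "insurance_id": "H456"},
    {"id": "A3", "name": "Kim Poe", "ssn": "123-45-6789", "dob": "1935-01-15",
     "address": "8 Oak Ave, Tacoma, WA", "phone": "(253) 555-0199", "insurance_id": ""},
    {"id": "A4", "name": "Sam Moe", "ssn": "000-12-3456", "dob": "1940-07-07",
     "address": "5 Pine Rd, Olympia, WA", "phone": "(360) 555-0123", "insurance_id": "H789"},
]

if __name__ == "__main__":
    for rid, found in screen(SAMPLE_RECORDS).items():
        print(rid, "->", "; ".join(found))
```

A hit from this screen is a trigger for the manual verification steps in the Detecting Red Flags section (viewing the insurance card and picture identification), not a determination of fraud on its own; the duplicate-SSN check in particular flags both accounts, because the system cannot tell which one is legitimate.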
The Unusual Use of, or Other Suspicious Activity Related To, a Covered Account.
1. Notice from seniors or their families, victims of identity theft, law enforcement authorities, or others regarding possible identity theft in connection with accounts held by the provider. This is the most significant source of information about red flags. Specific examples in the health care field include the following:
- A senior questions or complains about receiving a bill or health insurance Explanation of Benefits for (i) another person, (ii) products or services never received by the senior, (iii) a healthcare provider that the senior never saw.
- A senior receives a collection notice from a bill collector.
- Coverage by an insurer of a legitimate hospital stay by the senior is denied because the senior’s insurance benefits have been depleted or a lifetime cap has been reached when the senior’s medical history or records do not indicate anything to that effect.
- A senior questions or complains about information added to the senior’s credit report by a healthcare provider or insurer.
- A notice or inquiry from an insurance fraud investigator, a federal healthcare agency, or a law enforcement agency.
Detecting Red Flags
Detection of Red Flags is accomplished through the following:
1. Obtaining all the identifying information about, and verifying the identity of, a person opening a covered account. This is accomplished by:
- Viewing the insurance card and comparing the signature on the card with the one on the consent for services.
- Viewing picture identification to assure that the person presenting for services is the person identified on the insurance plan.
2. Additionally, the (community) monitors for Red Flags by:
- Authenticating the identity of seniors;
- Monitoring transactions; and
- Verifying the validity of change-of-address requests for existing covered accounts.
Preventing and Mitigating Identity Theft
1. The (community) responds to Red Flags in a manner that is commensurate with the degree of risk posed.
2. The (community) recognizes that the degree of risk is increased by certain aggravating factors, such as a data security incident that results in unauthorized access to a senior's account records held by the provider, or notice that a senior has provided information about his or her account to someone fraudulently claiming to represent the provider or to a website representing that it is maintained by the provider.
3. In such circumstances, appropriate responses include the following:
- Monitoring the senior’s account for evidence of identity theft.
- Contacting the senior.
- Changing any passwords, security codes, or other security devices that permit access to the account.
- Reopening the senior’s account with a new number.
- Not opening a new account.
- Closing the existing account.
- Not attempting to collect on the account or not selling the account to a debt collector.
- Notifying law enforcement.
- Determining that no response is necessary under the particular circumstances.
4. In each case, the response, and the reason(s) for it, is documented.
Updating the Program
The program is updated periodically to reflect changes in risk, both to seniors and the (community). Factors to be evaluated include the following:
1. The experiences of the (community) with identity theft.
2. Changes in methods of identity theft as identified by national bodies.
3. Changes in methods to detect, prevent and mitigate identity theft.
4. Changes in the types of accounts that the (community) maintains with respect to seniors.
5. Changes in the business arrangements of the (community), such as vendor contracts, other service providers, etc.
Oversight
1. Responsibility for oversight of the Red Flag program is vested with the Board of Directors (or an appropriate committee of the board) and the Compliance Officer of the (community).
2. Duties of the overseer include:
- Assigning specific responsibility for implementation of the program;
- Reviewing reports from staff with respect to compliance with the requirements of the program; and
- Approving material changes to the program as necessary to address changing identity theft risks.
Reports
1. The Compliance Officer is responsible for development, implementation and administration of the program and reports to the Board of Directors at least annually regarding compliance with the requirements of the Red Flag Rule.
2. The report will evaluate:
(i) the effectiveness of the policies and procedures designed to address the risk of identity theft,
(ii) service provider arrangements,
(iii) incidents of identity theft and the organization's response to them, and
(iv) recommendations for material changes to the program.
Training
1. All staff are trained during orientation, with yearly updates, regarding the detection of and response to a Red Flag.
2. All training is documented in the employee file and also maintained in the orientation and in-service logs of the (community).
Oversight of service provider arrangements
All Business Associates of the (community) are subject to scrutiny under the Red Flag rules, and each Business Associate is required to maintain similar oversight as it pertains to the (community) client accounts. Example: if the (community) were to outsource its accounting or other financial functions to a third party, the (community) will ensure that the activities of the Business Associate are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft, much as is the case with Business Associates under the HIPAA Privacy Rule.
Date Revised: