Red Flag Rules

From Standard Operating Guidelines
Jump to: navigation, search

Section 1 - ADMINISTRATIVE

110.05 Red Flag Rules

PURPOSE:

  • The purpose of this policy is to assure that the City of Maitland Fire Rescue Department (hereafter known as “the Provider”) maintains compliance with the requirements regarding the prevention, detection, and mitigation of Identity Theft as set forth in the federal regulations known as the “Red Flag Rules.”
  • “Identity Theft” means a fraud committed or attempted using the identifying information of another person without authority. This includes “Medical Identity Theft, “i.e., identity theft committed for the purpose of obtaining medical services, such as the use of another person’s insurance card or number. Although Medical Identity Theft may occur without the knowledge of the individual whose medical identity is stolen, in some cases the use of an individual’s medical identity may occur with the knowledge and complicity of that individual.

OVERVIEW:

This policy sets forth the steps the Provider will take in implementing a program for detecting, preventing, and mitigating identity theft (hereafter known as the “Program”) in connection with covered accounts, as required by the Red Flag Rules. “Covered Account” means:

  1. An account that the Provider offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and
  2. Any other account that the Provider offers or maintains for which there is a reasonably foreseeable risk to individuals or to the safety and soundness of the Provider from identity theft, including financial, operational, compliance, reputation or litigation risk
  • Section II of this Policy describes the risk assessment the Provider shall conduct at the inception of the Program and annually thereafter. Section III sets forth the “Red Flags” (i.e. warning signs) that may alert Provider personnel to the possible existence of identity theft in the course of the Provider’s day to day operations. Section IV sets forth the procedures the Provider will follow in attempting to detect those “Red Flags”. Section V sets forth the procedures the Provider will follow in responding appropriately to “Red Flags” that are detected, in order to prevent and mitigate identity theft. Section VI sets forth the procedures the Provider will take in responding to a claim by an individual that he has been a victim of identity theft. Section VII describes how the Provider will administer the Program. Section VIII describes the annual updating of the Program.
  • Questions regarding this Policy or the Program shall be directed to the Program Compliance Officer (the Fire Chief) designated pursuant to Section VII.

Section II - Risk Assessment

  • Upon initial implementation of the Program, and annually thereafter as a part of the annual update described in Section VIII of this Policy, the Provider shall determine whether it maintains covered accounts. As part of that determination, the Provider shall conduct a risk assessment to determine whether it offers or maintains covered accounts that carry a reasonably foreseeable risk of identity theft, including financial, operational, compliance, reputation or litigation risks. The risk assessment shall take into consideration:
    • The methods the Provider provides to open its accounts;
    • The methods it provides to access its accounts; and
    • Its previous experiences with identity theft.

Section III - Identification Of “Red Flags”

  • A “Red Flag” is a pattern, practice or specific activity that indicates the possible existence of identity theft. In other words, a “Red Flag” is a warning sign regarding the possibility of identity theft.
  • In identifying “Red Flags” relevant to its operations, the Provider has:
    • Reviewed the examples of “Red Flags” found in the Red Flag Rules (see the Supplement to the Guidelines);
    • Considered the factors specified in Section II.A above, and
    • Incorporated “Red Flags” from sources such as changes in identity theft risks of which the Provider becomes aware and applicable regulatory guidance.
  • Based on the process specified in the Section III.B above, the Provider has identified the following situation as “Red Flags” that should alert Provider personnel to the possibility of identity theft:
    1. A patient submits a driver’s license, insurance card or other identifying information that appears to be altered or forged;
    2. The photograph on a driver’s license or other government-issued photo I.D. submitted by a patient does not resemble the patient;
    3. Information on one form of identification submitted by a patient is inconsistent with information on another form of identification, or with information already in Provider’s records or information obtained from other sources such as a consumer credit data base;
    4. A patient has an insurance member number but no insurance card;
    5. The Social Security Number (“SSN”) or other identifying information furnished by a patient is the same as identifying information in Provider’s records furnished by another patient.
    6. The SSN furnished by a patient has not been issued, is listed on the Social Security’s Administration’s Death Master File, or is otherwise invalid. The following numbers are always invalid:
      • the first 3 digits are in the 800, 900, or 000 range, or in the 700 range above 772, or are 666;
      • the fourth and fifth digits are 00; or
      • the last four digits are 0000;
    7. The address given by a patient does not exist or is a post office box, or is the same address given by an unusually large number of other patients;
    8. The phone number given by the patient is invalid or is associated with a pager or an answering service, or is the same telephone number submitted by an unusually large number of other patients;
    9. The patient refuses to provide identifying information or documentation; Personal identifying information given by a patient is not consistent with personal identifying information in the Provider’s records, or with information provided by another source such as an insurance company or consumer credit database;
    10. A patient’s signature does not match the signature on file in the Provider’s records;
    11. A patient contacts the Provider [or Provider’s billing service] and indicates that he or she has received an invoice, explanation of benefits or other document reflecting a transport that the patient claims was never received;
    12. Mail correspondence is returned to the Provider [or Provider’s billing service] despite continued activity associated with the mailing address;
    13. The Provider [or Provider’s billing service] receives a warning, alert, or notification from a credit reporting agency, law enforcement or other credible source regarding a patient or a patient’s insurance information;
    14. The Provider or a Service Provider has suffered a security breach, loss of unprotected data or unauthorized access to patient information;
    15. An insurer denies coverage due to a lifetime benefit limit being reached or due to an excessive volume of services;
    16. A discrepancy exists between medical or demographic information obtained by the Provider from the patient and the information found in health facility records;
    17. Attempts to access an account by persons who cannot provide authenticating information;
    18. [Review list of Red Flags in the Supplement to the Guidance and add any others from that list that appear relevant].
  • The Provider shall update the foregoing list of “Red Flags” as part of its annual update of the Program.
  • All Provider personnel have an affirmative obligation to be vigilant for any evidence of a “Red Flag” and to notify their immediate supervisor, or the Program Compliance Officer, to report the “Red Flag”.

Section IV - Procedures for Identifying Red Flags

Provider personnel will follow the following procedures in order to detect the “Red Flags” indicated above, which indicate the possibility of identity theft.

  • The process of confirming a patient’s identify should never delay the delivery of emergent medical care. When a patient’s condition permits collection of demographic information and documentation, medical transport crews shall request, in addition to an insurance card, a driver’s license or other form of government issued photographic personal identification. If the patient lacks such photographic identification, medical transport personnel shall:
    1. Request other form of identification, such as a credit card; and/or
    2. Ask a family member or other person at the scene who knows the patient to verify the patient’s identity.
  • Billing personnel, in the course of creating and processing claims, and verifying patient information, shall be alert for the existence of any of the “Red Flags” listed in Section III above.
  • Before providing information regarding an account or making any changes to an address or other information associated with an account, the requester shall be required to provide the social security number, full name, date of birth and address of the patient. If the requester makes the request in person, a driver’s license or other government issued photographic identification shall be requested.
  • In the event medical transport personnel or billing personnel encounter a “Red Flag”, the existence of the “Red Flag” shall be brought to the immediate attention of the individual’s supervisor or the Program Compliance Officer so that it can be investigated and addressed, as appropriate, in accordance with the procedures set forth in Section V below.

Section V - Responding To “Red Flags”

  • When a “Red Flag” is detected, Provider personnel shall investigate the situation, as necessary, to determine whether there is a material risk that identity theft has occurred or whether there is a benign explanation for the “Red Flag”. The investigation shall be documented in accordance with the Provider’s incident reporting policy. If it appears that identity theft has not occurred, the provider may determine no further action is necessary.
  • The Provider’s response shall be commensurate with the degree of risk posed by the “Red Flag”. In determining an appropriate response, the Provider shall consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a patient’s account records, or notice that a patient has provided information related to a Provider account to someone fraudulently claiming to represent the provider or to a fraudulent website.
  • If it appears that identity theft has occurred, the following steps should be considered and taken, as appropriate:
    1. Except in cases where there appears to be obvious complicity by the individual whose identity was used, promptly notify the victim of identity theft by certified mail using the “Identity Theft Notice Letter” developed by the Provider. Notification may also be provided by telephone, to be followed by a mailed letter;
    2. Place an “Identity Theft Alert “on all patient care reports (PCR’S) and financial accounts that may have inaccurate information as a result of the identity theft;
    3. Discontinue billing on and/or close out the account;
    4. Re-open the account with the appropriate modifications including a new account number;
    5. If a claim has been submitted to an insurance carrier or government program (Payor) in the name of the patient whose identity was stolen, notify the Payor, withdraw the claim and refund any charges previously collected from the Payor and/or the patient;
    6. If the account has been referred to collection agencies or attorneys, instruct those entities to cease collection activity;
    7. Notify law enforcement and cooperate in any investigations;
    8. Request that law enforcement notify any health facility to which the patient using false identity has been transported regarding the identity theft;
    9. If an adverse report has been made to a consumer credit reporting agency regarding a patient whose identity has been stolen, notify the agency that the account was not the responsibility of the individual;
    10. Correct the medical record of any patient of the Provider whose identity was stolen, with the assistance of the patient as needed;
    11. If the circumstances indicate that there is no action that would prevent or mitigate the identity theft, no action need be taken.

Section VI - Investigation of Report by a Patient of Identity Theft

  • If an individual claims to have been a victim of identity theft (e.g., the individual claims to have received a bill for a transport he did not receive), the Provider [or its billing service] shall investigate the claim. Authentication of the claim shall require a copy of a police report and either;
    • The “Identity Theft” affidavit developed by the FTC, including supporting documentation; or
    • An identification theft affidavit recognized under state law.
  • Provider personnel shall review the foregoing documentation and any other information provided by the individual and shall make a determination as to whether the report of identity theft is credible.
  • The individual who filed the report shall be informed in writing of the Provider’s conclusion as to whether the provider finds the report credible.
  • If, following investigation, it appears the individual has been a victim of identity theft; the Provider will take the appropriate actions as indicated in Section V of this policy.
  • If, following investigation, it appears the report of identity theft was not credible, the individual shall be notified and the provider may continue billing on the account upon the approval of the Program Compliance Officer. The account shall not be billed without such approval.

Section VII - Administration of the Program

  • The program and all material changes thereto, shall be approved by the Program Compliance Officer. The Program Compliance Officer shall be responsible for oversight, development and implementation of the program.
  • The Provider shall train staff, as needed, to effectively implement the program. The following categories of personnel shall be trained in the implementation of the program:
    • All medical transport personnel;
    • All billing office personnel;
    • All management personnel and administrative support staff
  • Initial training shall occur no later than May 1,2009 for all current personnel. Newly hired personnel shall be trained in the implementation of the program as part of their standard compliance and HIPPAA training. Refresher training shall be included in the annual compliance and HIPPAA training given to the provider personnel and may be given to specific employees time to time on an “as needed” basis.
  • The provider shall exercise appropriate and effective oversight of all arrangements involving a service provider whose duties include opening, monitoring or processing patient accounts or performing other activities which place them in a position to prevent, detect or mitigate identity theft. Each service provider shall be required to execute an amendment or addendum to its service agreement or business associate agreement which requires it to:
    • Implement a written Identity Theft Program that meets the requirements of the “Red Flag Rule”;
    • Provide a copy of such program to the Provider no later than May 1, 2009;
    • Provide copies of all material changes to such Program on an annual basis; and;
    • Either report all “Red Flags” which it encounters to the Provider, or take the appropriate steps to prevent or mitigate identity theft itself.
  • The Program Compliance Officer shall review the program on an annual basis and evaluate issues such as:
    • The effectiveness of the program in addressing the risk of identity theft;
    • Service Provider agreements;
    • Significant incidents involving identity theft and the Provider’s response;
    • Recommendations for material changes to the Program.

Section VIII - Annual Update of the Program

The program will be reviewed, revised and updated on an annual basis. In performing such update, the Provider shall consider:

  • The provider’s experiences with identity theft over the period prior to the last revision of the program;
  • Changes in the methods of identity theft, or in the methods to detect, prevent or mitigate identity theft;
  • Changes in the Providers technology and operations including any new electronic health record or financial software programs implemented by the Provider, and;
  • Changes in business arrangements of the Provider, including but not limited to changes in its relationships with service providers.
Retrieved from "http://www.mfrdinfo.com/sog1/index.php?title=Red_Flag_Rules&oldid=872"