Prevention of Identity Theft

We work hard to protect your data.

SCOPE:

All employees, contractors, and vendors of Health Quest (HQ) and its Affiliates are to comply with this policy.

PURPOSE:

The Audit Committee of the Board of Directors of Health Quest System, Inc. ("The System") has approved this policy as part of The System's Identity Theft Prevention Program ("The Program") adopted in July 2009. The Program was developed in compliance with the Federal Trade Commission's Identity Theft Prevention Red Flag Rule (16 CFR §681.2). This policy and the Program have been created in consultation with the various applicable departments of Health Quest including but not limited to Compliance, Legal Affairs, Finance, and Health Information Management after conducting an assessment of risk of Identity Theft associated with certain Covered Accounts (as defined below).

POLICY:

The System will implement a program for identification, detection, prevention and mitigation of Identity Theft in accordance with Federal and State laws and regulations. The Fair and Accurate Credit Transaction Act of 2003 (FACTA) requires that all entities that meet the definition of a creditor develop a program to prevent and detect identity theft. The FACTA regulation details requirements for identifying "Red Flags" which serve as indicators of possible identity theft. This policy provides the actions to be taken when a "Red Flag" indicator is found.

I. Definitions:

  1. "The System" refers to Health Quest, Inc. and its Affiliates including Vassar Brothers Medical Center, Northern Dutchess Hospital, Putnam Hospital Center, Alamo Ambulance Service, Inc., Hudson Valley Home Care, Inc., Wells Manor, Inc., The Foundation for Vassar Brothers Medical Center, NDH Foundation, Putnam Hospital Center Foundation, VBH Insurance Co., Ltd., Riverside Diversified Services, Inc., LLC, Riverside Management Services, Inc., Health Quest Urgent Medical Care Practice (Health Quest Immediate Care Center), HealthServe!, LLC.
  2. "The Program" refers to the policies, procedures, education and training, and reporting processes which have been implemented by "The System" to prevent, detect, and mitigate "Identity Theft" and "Medical Identity Theft" as defined below.
  3. "Covered Account" means (1) any account a Health Quest Affiliate offers or maintains for a patient's personal purposes (e.g. the provision of medical services) which involves multiple payments or transactions including one or more deferred payments; OR (2) any other account a Health Quest Affiliate identifies as having a reasonably foreseeable risk to customers or to the System as a result of Identity Theft.
  4. "Identity Theft" means fraud committed using the identifying information of another person.
  5. "Medical Identity Theft" means the use of another person's name or other forms of that person's identity, such as insurance information or Social Security Number, without the victim's knowledge or consent to obtain medical services or goods, or the use of another person's identity to obtain payment by falsifying claims or medical records for medical services.
  6. "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

II. Identification of Relevant Red Flags

The following events meet the definition of a Red Flag and require action on the part of System personnel:


  1. Alerts, notifications, or warnings from a consumer reporting agency.

  2. Presentation of suspicious documents such as:

     • Identification cards or documents that appear to have been altered or forged, or contain information that is not consistent with existing records
     • The photograph or physical description on identification cards or documents provided is inconsistent with the appearance of, or information known about, the individual
     • The Social Security number or Health Insurance Number (HIN) is linked to the identity of another individual or the patient is unable to produce the insurance card or other physical documentation of insurance within a reasonable time

  3. Inconsistent or suspicious identifying information, e.g. records showing medical treatment inconsistent with the current physical examination or with the medical history reported by the patient.

  4. Suspicious activity related to a covered account.

  5. Notices from patients, victims of identity theft, law enforcement authorities, or other entities about possible identity theft or others. These notifications may include:

     • A complaint or question from a patient based on receipt of a bill for services the patient denies receiving, or
     • A complaint or question from a patient about information added to a credit report by the health care provider or insurer
     • A denial of insurance benefits (Explanation of Benefits) indicating the insured had not received the service
     • Notice from an insurance company, fraud investigator or law enforcement agency of a potential identity theft.

EMTALA Policy: At no time will Emergency Care or a Medical Screening Exam in a Dedicated Emergency Room be delayed due to the absence of acceptable identifying documentation or the existence of a potential Red Flag.

III. Prevention of Identity Theft:

Patient Access Registrars and other employees will request photo identification issued by local, state, or federal government agencies or two forms of non-photo identification. It is understood that minors may not have such identification. A copy of the identification produced should be scanned as part of the registration record. Employees will review the identification provided to determine if there are any "Red Flags" as detailed above.


  1. The System will provide training on identity theft for all employees as appropriate as part of the mandatory education requirements.
  2. The System has developed safeguards against inappropriate access to information at risk for identity theft through the System Security policies (see References) on user access and a process of granting and terminating access to electronic information.
  3. The System has created policies and procedures relating to Documentation Retention and Destruction to ensure the appropriate controls over information at risk for Identity Theft in accordance with Federal and State Regulations including the HIPAA Security Rules and the FTC Disposal Rule.

IV. Detection and Reporting:

  1. Staff who suspect that a Red Flag has been implicated are required to immediately report the event to their supervisor and to simultaneously complete a Compliance Intake form as provided on the Health Quest intranet (HQNET).
  2. The Compliance Office will document the report and will coordinate the review and resolution of the matter.
  3. The potential identity theft will be investigated by HIM, the System Business Office, and Patient Access as appropriate in order to reconcile discrepancies through review of available records and interviews with the patient and/or responsible party. Identified errors in financial or medical records will immediately be corrected as detailed in the appropriate policies of the affected departments. The patients, consumer credit agencies, and law enforcement agencies will be informed when appropriate. (See Appendix A for Resolution and Mitigation Procedures)
  4. If the issue involves Protected Health Information as defined under the Federal HIPAA Privacy and Security Rules or involves consumer information defined under the New York State Security Privacy Breach Act, reports will be made to the affected patients and to the Federal or State agencies as and to the extent required under these respective regulations.
  5. Compliance will include procedures to prevent and detect potential identity theft in the Compliance program of auditing and monitoring.
  6. The Chief Compliance Officer will include statistics on potential identity theft cases and detailed reports on significant incidents involving identity theft in periodic reports to the System Audit Committee.

V. Program Administration:

The Chief Compliance Officer of the System will be responsible for administration of this Program and shall periodically review compliance with and effectiveness of the Program. The Program review will include changes in the risk environment related to identity theft including consideration of the System's experiences with identity theft situations, changes in identity theft methods, changes in identity theft detection and prevention methods, and changes in the System's business arrangements, including joint ventures and service provider arrangements. The Chief Compliance Officer will present management recommendations for Program changes to the System Audit Committee for review and approval.

REFERENCES:

Federal Trade Commission Identity Theft Prevention Red Flags Rule, 16 CFR 681.22

Fair Credit Reporting Act Notice of Address Discrepancy 15 USC 1681c(h)

Health Insurance Portability and Accountability Act of 1996

Administrative Simplification Compliance Act

NYS Security Privacy Breach Act

Health Quest Systems Policies:

Accounting of Disclosure of Protected Health Information (PHI)

Authorization for Uses and Disclosures of Protected Health Information (PHI)

Confidentiality Education and Acknowledgement of Protected Health Information (PHI)

Document Retention and Destruction Policy

HIPAA Training for Employees, Volunteers and Employed Physicians

HQ Business Associate Agreement

Minimum Necessary Requirements for Use and Disclosure

Mitigation of Harmful Effects from Misuse of Protected Healthcare Information (PHI)

Notice of Privacy Practices

Patient Right to Request Amendment to PHI

Privacy Complaints (Designated Privacy Officer/Investigation/Resolution)

Release of Information

Safeguards to Ensure Protected Health Information is Held Private and Secure

Sanctions Process for Violation of Patient Confidentiality

Unrestricted Uses and Disclosures of Protected Health Information (PHI)