280 likes | 367 Views
STAFF TRAINING: UCHC IDENTITY THEFT PREVENTION PROGRAM. Upham’s Corner Health Committee, Inc. DBA Upham’s Corner Health Center Upham’s Elder Service Plan Upham’s Home Health Care. Effective: August 1, 2009. This Training Will….
E N D
STAFF TRAINING:UCHC IDENTITY THEFT PREVENTION PROGRAM Upham’s Corner Health Committee, Inc.DBAUpham’s Corner Health CenterUpham’s Elder Service PlanUpham’s Home Health Care Effective: August 1, 2009
This Training Will… • Introduce you to the federal regulations that require the establishment of an Identity Theft Prevention Program. • Describe how the regulations are applicable to UCHC. • Explain the major components of UCHC’s Identity Theft Prevention Program: • “Red Flags” likely to occur at UCHC • Protocols for detecting “Red Flags” • Protocols for responding to “Red Flags” • Highlight the correlation between the Identity Theft Prevention Program & other UCHC policies
Governing Regulations • The Federal Trade Commission (FTC) issued the “Red Flags Rule” (in 2007) with a final compliance date of August 1, 2009. • The regulations were issued to address the rising occurrences of ‘identity theft’ throughout the United States. The FTC estimated that as many as 9 million Americans have their identities stolen each year. • In addition to being damaging to the individuals whose identity is stolen, there is great damage to businesses (who are left with unpaid bills).
The “Red Flags Rule” Requires… Generally, the Red Flags Rule requires businesses that ‘extend credit’ & maintain ‘covered accounts’ to develop a program(identity theft prevention program) designed to detect warning signs (‘red flags’) of identity theft in their day-to-day operations; and, to establish protocols for responding appropriately. Businesses that ‘extend credit’ & maintain ‘covered accounts’, and therefore must establish an identity theft prevention program, must also (a) fully train staff members on the program and (b) develop annual reports on its effectiveness.
Applicability of the ‘Red Flags Rule’ to UCHC • All medical providers, including UCHC, are considered to be businesses that ‘extend credit’ because patients/clients/participants are not required to pay for services on the same day they visit the doctor/clinician. …Credit is extended for the cost of the visit, until such time the patient (or their insurance company) pays for the services. • None of the programs at UCHC require patients/clients to make a full payment at the time services are rendered.
Applicability of the ‘Red Flags Rule’ to UCHC • The term ‘covered account’ is defined in the regulations as “an account that a creditor offers or maintains,… that involves or is designed to permit multiple payments or transactions (including continuing relationships with consumers for the provision of medical services)”. • All UCHC patients/clients/participants have ‘accounts’ established in their name to track services billed and paid for. The UCHC EDP department oversees patient accounts (they send claims to insurance companies for payment; or, they bill the patients directly (if the person does not have medical insurance).
One Other Note of Applicability: Regarding health care providers, commentary in the Federal Trade Commission’s publication of the Red Flags Rule states that such businesses may also be at risk of ‘medical identity theft’ (identity theft for the purpose of obtaining medical services). UCHC has experienced medical identity theft – particularly with patients who pretend to be existing patients (or who register as new patients with stolen identity information) for the purpose of trying to obtain a prescription for narcotics (Oxycodone, Percocet, etc.).
The UCHC Identity Theft Prevention Program • To comply with the Red Flags Rule, UCHC developed a written Identity Theft Prevention Program. • The UCHC Board of Directors approved the program at its April 2009 Board meeting. • All staff members that interact with patients/clients and/or regularly work with patient accounts must complete this training and comply with the policies in the UCHC Identity Theft Prevention Program.
UCHC Identity Theft Prevention Program • Identification of Red Flags • Detecting Red Flags • Responding to Red Flags
Identification of Red FlagsThe following ‘red flags’ are likely at UCHC: • A complaint or question from a patient based on the patient’s receipt of: • A bill for another individual; • A bill for a product or service the patient denies receiving; • A bill from a provider the patient claims to have never seen; or • A notice of insurance benefits from their insurer for services never received by the patient. • Records showing medical treatment that is inconsistent with a physical exam or with a medical history as reported by the patient.
List of Possible UCHC ‘Red Flags’ Continued… • A complaint or question from a patient about the receipt of a collection notice from a bill collector. • A patient health insurer report that coverage for legitimate services is denied because insurance benefits have been depleted or a lifetime cap has been reached. • A dispute of a bill by a patient who claims to be the victim of any type of identity theft.
List of Possible UCHC ‘Red Flags’ Continued… • Identification documents provided by a patient on which the person’s photograph or physical description is not consistent with the person presenting the document. • A patient who has an insurance number, but never produces an insurance card or other physical documentation of insurance.
List of Possible UCHC ‘Red Flags’ Continued… • A notice or inquiry from an insurance fraud investigator for a private health insurer or law enforcement agency, including but not limited to a Medicare or Medicaid fraud agency. • A security breach in UCHC’s computer system and/or unauthorized access to electronic or paper records containing patient/client/participant information.
UCHC Identity Theft Prevention Program • Identification of Red Flags • Detecting Red Flags • Responding to Red Flags
Detecting Red Flags at UCHC UCHC staff members must pay careful attention when interacting with patients and when working with patient accounts and remain alert for discrepancies in documents and/or patient information that suggest risk of identity theft or fraud. To assist with this, reminders of ‘red flags’ will be posted throughout selected department areas at each UCHC site. The following protocols must be followed in the performance of duties:
Protocols for Detecting Red Flags New Patients Each new patient is essentially opening a ‘new account’. In order to detect any red flag, UCHC registration staff (or other-titled staff performing registration duties) will take the following steps to obtain and verify the identity of the person: • Require identifying information (name, DOB, address, insurance information, etc.) of all family members who will receive care at UCHC. • A driver’s license or other photo identification (passport, state-issued ID) is required. [Copy.] • Verify the patient’s identity by comparing the information provided to that which is on the photo identification presented by the patient.
Protocols for Detecting Red Flags Established Patients - Reception UCHC reception staff, when checking a patient/ client in for an appointment, must take the following steps to verify the identity of the person about to receive services: • Verify the identity of the individual by asking for their birthdate, address, phone # & insurance info. • Compare the information provided by the person to the information recorded in UCHC systems (or other related systems – such as online insurance eligibility verification systems). • Obtain supporting documentation if/as appropriate to the particular UCHC program (PACE, health center, dental/eye clinic, teen clinic, etc.).
Protocols for Detecting Red Flags Established Patients – All Other Staff The following steps (next slide) must be taken by all other staff members conducting an activity related to an existing patient (or their account) to obtain and verify the identity of the patient/client they are interacting with (or discussing). Examples of ‘all other staff’ include – billing staff members answering patient/client inquiries (via phone or in person); benefits staff assisting patients with insurance applications; clinical or administrative staff answering inquiries by associated organizations (such as Department of Children and Families or insurers), etc.
Protocols for Detecting Red Flags Established Patients – All Other Staff …[Continued]…Steps that must be taken (as applicable) when conducting an activity related to an existing patient/client account: • Verify the identity of the individual (if it is a patient) by asking them for at least 2 identifiers (birthdate, address, SSN) and compare their response to information in UCHC systems/records. • Obtain supporting documentation if/as appropriate to the UCHC program. • (If it is a 3rd party request for information) Verify the authority of the person making the inquiry or requesting action, to confirm whether they are legally allowed to access/obtain the information about the patient account.
UCHC Identity Theft Prevention Program • Identification of Red Flags • Detecting Red Flags • Responding to Red Flags
Responding to Red Flags If a UCHC employee detects any identified red flags in the course of their day, they should notify their supervisor immediately and provide him/her with any related documentation. The supervisor is responsible for evaluating the information/documentation and determining whether the incident requires further investigation. If further investigation is required, the incident should be documented according to the General Internal Incident Reporting Procedure.
Responding to Red Flags If the investigation results in a determination that fraudulent activity is/was underway, one or more of the following will be considered (depending on the red flag detected and degree of risk posed by the red flag): • Comply with State [M.G.L. Chapter 93H]and/or Federal requirements related to a breach of computer security. • Contact the affected patient(s). • Notify law enforcement. • Continue to monitor the affected patient account for evidence of identity theft.
Responding to Red Flags […List of possible responses continued…] • Notify other appropriate UCHC personnel (i.e. EDP staff members responsible for patient account balances; clinical personnel responsible for oversight of care/prescription medications; Human Resources responsible for terminating employment, etc.). • Change any passwords or other security codes that allow access to an affected account. • Place a ‘restriction code’ or flag on the affected account to hold further transactions.
Note About Responding to Medical Identity Theft If a determination is made during the course of an investigation that medical identity theft has occurred, there may be errors in the patient’s chart as a result. Fraudulent information may have been added to a pre-existing chart, or the contents of an entire chart may refer only to the health condition of the identity thief, but under the victim’s personal identifying information. In such cases, UCHC administrative and clinical staff will work together to respond appropriately.
Correlation to Other UCHC P&Ps It is important for staff members to recognize the close correlation between the components of this Identity Theft Prevention Program and other UCHC P&Ps – particularly those P&Ps that relate to HIPAA Privacy and Security regulations. The policies in place at UCHC which relate to HIPAA Privacy and Security primarily aim to preventunauthorized access and disclosure of patient health information. The policies under this Identity Theft Prevention Program aim to recognize signs that a person’s information is already being misused.
Correlation to Other UCHC P&Ps Some examples of HPAA-related P&Ps closely related to this Program include: Computer Workstation Use and Security; Facility Access Controls and Security Plan; IT (Computer System) Access Management. UCHC P&Ps can be accessed via the UCHC webpage (www.uphamscornerhealthctr.org).
Concluding Note UCHC’s overall goal is that ALL policies and procedures aimed at data security, the protection of client confidentiality, and identity theft prevention/recognition, will equally be practiced by all staff to create a secure and confidential environment for our patients/clients.
ACTION REQUIRED:Please click the link below to access the training certificate: Print Your Certificate1) Print the certificate;2) Read and sign the certificate; 3) Send the certificate to Human Resources at 547 for filing in your personnel file.