IMPLEMENTING IDENTITY THEFT CONTROLS
TTUHSC OP 52.10, Identity Theft Prevention, Detection and Mitigation Program
http://www.ttuhsc.edu/hsc/op/op52/op5210.pdf
http://www.ttuhsc.edu/hsc/op/op52/op5210a.pdf

Background – Where We Are
• Federal Trade Commission (FTC)
• Final Regulations issued November, 2007
• Effective 1/1/08
• Compliance and Enforcement Date 11/1/08
• Enforcement Delayed Twice to 8/1/09
• Creditors must implement written policies/procedures to prevent, detect and mitigate identity theft related to consumer accounts
• TTUHSC OP 52.10 – 4/30/09

How Does it Apply to TTUHSC?
• TTUHSC is a Creditor
• Regularly defers payment for goods or services or provides goods or services and bills later.
• FTC stance: Physicians who accept insurance or payment plans are “creditors”.
• TTUHSC has Consumer Accounts
• Accounts permitting multiple payments
• Accounts where there is a reasonably foreseeable risk of identity theft
• BUT, WHAT ABOUT HIPAA?

Common Terms
• Identity Theft
• Fraud committed or attempted by an individual using another person’s identifying information to obtain goods/services
• Identifying Information
• Name; SSN; birth date; phone number; government identity card (license, passport, visa); PHI; bank/credit/debit account numbers; insurance information; biometric information; electronic identification information

What is in the Policy
• Identify relevant “Red Flags”
• Those likely to be encountered during business operations
• Detect Red Flags
• Establish procedures to detect red flags in day-to-day operations
• Prevent & Mitigate Identity Theft
• Respond to red flags found
• Update the Program

Two Oversight Areas
• Electronic Data/Interchanges
• External Security Breaches
• Internal Security Breaches
• Physical Points of Service
• Setting up a New Patient
• Patient Encounters – Medical Information
• Account Collection Activity
VERIFY VERIFY VERIFY

Medical Identity Theft
• Types
• False Identity
• Use another individual’s insurance information to obtain health care items/services
• Risks
• Non-payment/Refund to the Insurer
• Inaccurate medical history for the insured
• Inaccurate/False Medical Record
• Inaccurate billing information

Real Life Examples
• Current OB Patient previously received OB care under a false identity.
• Patient receives treatment using cousin’s insurance card
• Patient does not use real name to receive treatment.
• Patient denies having received treatment from the provider.

What is a “Red Flag”
• A RED FLAG
• DOES NOT EQUAL IDENTITY THEFT
• IS AN INDICATOR OF POSSIBLE IDENTITY THEFT
• Categories of “Red Flags” – Attachment A
• Credit Report Alerts
• Suspicious Documents/Identity Information
• Suspicious Activity
• Patient Notices/Complaints

Relevant Medical “Red Flags”
• Patient Complains that items/services billed were not received by them
• Patient’s medical histories are inconsistent
• Patient uses various “aliases” to receive services
• False/Forged Documentation Presented
• Patient complaint/question about collections or entry on a credit report

Relevant “Medical Red Flags”
• Insurer denial of coverage for the service because patient previously received the service
• Appendectomy; Hysterectomy; etc.
• Insurance Information Does Not Match Patient Information
• Patient Personal Information Does Not Match Information Presented or on File
• Photo IDs, Insurance Card

Procedures to Detect “Red Flags”
• Educate Staff on Medical Identity Theft and Detecting Red Flags
• What is a “red flag” – 52.10, Attachment “A”
• Who to Contact?
• Supervisor/Manager/Administrator
• Institutional Privacy Officer
• Institutional Security Officer (Identified security breach)

Identity Verification & Authentication
• New Patients:
• Copy of current insurance cards
• Over 16 years of age: Government-issued ID checked and copied for medical record
• Under 16 years of age: Other government-issued documents
• Copy of Birth Certificate for medical record
• Copy of School Enrollment
• Patient Refusal – Contact Supervisor

Identity Verification & Authentication
• Existing/Returning Patients
• Verify patient matches photo ID – get copy if not already in the medical record
• No photo ID – Verify patient using other individual identifying information, such as:
• Address
• Phone number
• Last 4 of Social Security Number
• Other unique information (last visit; insurer; etc.)
• You may already be doing some or all of this

Detection “After the Fact”
• Patient Complaint/Notice
• Unusual/Suspicious Activity/Information
• Medical Record Information
• Payment Denials
• Insurer Inquiries related to a submitted claim
• Name discrepancies
• Number of children
• Active patient with mail returned as undeliverable

Resources
• FTC Fighting Fraud with Red Flag Rules
  http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf
• AMA Publication
  http://www.ama-assn.org/ama1/pub/upload/mm/368/red-flags-rule-edu.pdf
• FTC Website
  http://ftc.gov/bcp/edu/microsites/redflagsrule/publish-articles.shtm