
Monday, 14 May 2012

 


Identity Theft Policy

Identity Theft Policy for PolyClinics.Net, PLLC


Title of Policy: Identity Theft Prevention and Detection in PolyClinics.Net, PLLC

Effective Date: 10/16/2009

Assessment Date(s):

Practice discussed what actions or events might lead to identity theft from Practice on 10/10/2009. Practice concluded its red flag assessment on 10/14/2009. The following individuals participated in the assessment: David M. Jenkinson. A summary of the assessment was prepared by David M. Jenkinson for our “Red Flag” compliance file.

Next scheduled Policy Review Date: October 1, 2010 for implementation by November 1, 2010

Applicability: All Practice staff and independent contractors in Practice workforce

Purpose:

The purpose of this policy is to implement a compliance program in Practice to prevent, detect, and respond to identity theft and protect patient personal medical and financial information received and handled by Practice. This policy is required by the Federal Fair and Accurate Credit Transactions Act and the “Red Flag” rules promulgated pursuant thereto by the FTC.

Policy

It is the stated policy of Practice (PolyClinics.Net, PLLC) to:

  • Prevent identity theft from Practice
  • Identify potential and actual identity theft from Practice
  • Respond to possible or actual theft of identity from Practice and minimize its proliferation
  • Assist in the prosecution of any persons responsible for theft of identity from Practice
  • Update this Policy as needed or required, but at least annually
  • Train all current staff in Policy; train any new staff added hereafter within a reasonable time; and train all staff within a reasonable time after Policy is updated


Procedures



I. Person Responsible for Compliance Program: Dr Jenkinson

A) Responsible for implementation of Policy.

B) Responsible for ensuring all staff are successfully trained in the requirements of Policy and thereafter re-trained as Policy is updated.

C) Responsible for providing and maintaining documentation of dates, participants, and syllabus for all training sessions conducted on Policy, and for ensuring that such documentation can be easily produced upon authorized request.

D) Responsible for periodically updating Policy and documenting updates.

E) Maintaining a secure red flag file with the above information as well as information and results of investigations conducted under this Policy.


II. Training:


A) All current staff of Practice will be trained in Policy by 11/1/2009.

B) Staff added will be trained in Policy as part of new employee orientation but in no instance later than two (2) weeks after date of hire.

C) The subject matter of the initial training in Policy for each staff person will be this entire Policy document.


III. Identification of Red Flags:

The following are red flags for possible identity theft for which Practice staff should be alert during the course of delivering medical services and conducting daily business:



A) Credit or Consumer Report Warnings
1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services, including the following.
2) A fraud or active duty alert is included with a consumer report.
3) A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
4) A consumer reporting agency provides a notice of address discrepancy.
5) A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of a patient such as a recent and significant increase in the volume of inquiries; an unusual number of recently established credit relationships; a material change in the use of credit, especially with respect to recently established patients; or an account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
6) A consumer credit report that we run comes back indicating that there is a freeze on a patient’s credit report.

B) Documents that Appear to be Suspicious

1) ID presented by a patient that looks altered or forged.
2) The patient presents a picture ID that does not look like the patient or does not match the physical description on the ID.
3) Other information on the ID is not consistent with information provided by the patient presenting the ID or does not match with other ID or other information presented.
4) The patient’s signature or handwriting is not consistent with other documentation presented by the patient.
5) An application, patient sheet or other information presented appears to have been altered or forged or gives the appearance of having been destroyed and then reassembled.

C) Personal Identifying Information that Appears to be Suspicious

1) Personal identifying information provided is inconsistent when compared against external information sources used by the Practice; for example, the address does not match any address in the consumer report.
2) The patient’s SSN has not been issued or is listed on the Social Security Administration’s Death Master File. An invalid SSN may be indicated by such red flags as: the first three digits are 000, 666, above 772, or in the 800 or 900 ranges; the middle two digits are 00; or the last four digits are 0000.
3) Personal identifying information provided by the patient is not consistent with other personal identifying information provided by the patient; for example, a lack of correlation between the SSN range from the Social Security Administration’s issuance tables and date of birth.
4) Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third party sources used by Practice; for example, the address on an application is the same as the address provided on a fraudulent application, or the phone number on an application is the same as the number provided on a fraudulent application.
5) Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by Practice; for example, the address on a patient is fictitious, a mail drop, or a prison, or the phone number is invalid or is associated with a pager or answering service.
6) A SSN provided by a patient is the same as that submitted by another patient.
7) An address or telephone number provided by a patient is the same as or similar to an address or telephone number submitted by many other patients.
8) A patient fails to provide all of the required identification information on our forms and then does not respond to our request to provide the missing information.
9) Personal identifying information provided is not consistent with personal identifying information that is on file with Practice.
10) When staff use challenge questions in the process of verifying a patient’s identity, the patient cannot provide an answer that matches the information the patient previously gave to Practice.
11) The patient is unable to provide authenticating information beyond that which would be generally available from a wallet or consumer report.
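The checks in III.C.2, III.C.6 and III.C.7 are mechanical enough to run over an intake batch before a human looks at it. The script below is an added example by the editor, not part of the Practice's policy or its patient data system; the patient records in it are constructed, and the thresholds and function names are assumptions. One caveat the 2009 policy predates: the Social Security Administration began randomizing SSN assignment on 25 June 2011, so the "above 772" and 800-range tests (and the issuance-table versus date-of-birth correlation in III.C.3) only hold for numbers issued before that date. The example therefore makes those tests switchable; 000, 666, 900-999, group 00 and serial 0000 remain never-assigned under either regime.

```python
import re
from collections import Counter

# Structural checks from section III.C.2: area (first three digits) 000, 666,
# above 772 or in the 800/900 ranges; group (middle two) 00; serial (last four)
# 0000. The "above 772" and 800-range tests only hold for SSNs issued before the
# SSA began randomizing assignment on 25 June 2011, so they are switchable.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_red_flags(ssn, pre_randomization_rules=True):
    """Return the list of structural red flags for one SSN (empty list = none).

    A number that passes these checks can still be unissued, stolen or on the
    Death Master File; a number that fails them warrants verification, not a
    refusal of care."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        return ["not nine digits in NNN-NN-NNNN or NNNNNNNNN form"]
    area, group, serial = (int(x) for x in m.groups())
    flags = []
    if area == 0:
        flags.append("area number 000 is never assigned")
    if area == 666:
        flags.append("area number 666 is never assigned")
    if area >= 900:
        flags.append("area numbers 900-999 are never assigned")
    if pre_randomization_rules and 772 < area < 900:
        flags.append("area number above 772 (including the 800 range) was not "
                     "assigned before SSA randomization in June 2011")
    if group == 0:
        flags.append("group number 00 is never assigned")
    if serial == 0:
        flags.append("serial number 0000 is never assigned")
    return flags


# Constructed sample intake records (hypothetical patients, not real data).
SAMPLE_INTAKE = [
    {"patient": "P-001", "ssn": "123-45-6789", "address": "10 Main St", "phone": "555-0100"},
    {"patient": "P-002", "ssn": "000-12-3456", "address": "22 Oak Ave", "phone": "555-0101"},
    {"patient": "P-003", "ssn": "123-45-6789", "address": "7 Elm Rd", "phone": "555-0102"},
    {"patient": "P-004", "ssn": "789-00-1234", "address": "PO Box 9", "phone": "555-0199"},
    {"patient": "P-005", "ssn": "234-56-0000", "address": "PO Box 9", "phone": "555-0199"},
    {"patient": "P-006", "ssn": "345-67-8901", "address": "PO Box 9", "phone": "555-0199"},
    {"patient": "P-007", "ssn": "456-78-9012", "address": "5 Pine Ct", "phone": "555-0103"},
]


def screen_intake(records, shared_threshold=3, pre_randomization_rules=True):
    """Apply III.C.2, III.C.6 and III.C.7 across a batch of intake records.

    Returns {patient id: [flags]} for every record with at least one flag.
    shared_threshold is an assumed cut-off for "many other patients" (III.C.7)."""
    def digits(s):
        return re.sub(r"\D", "", s)

    # Normalize before counting so "123-45-6789" and "123456789" collide.
    ssn_counts = Counter(digits(r["ssn"]) for r in records)
    address_counts = Counter(r["address"].strip().lower() for r in records)
    phone_counts = Counter(digits(r["phone"]) for r in records)
    report = {}
    for r in records:
        flags = ssn_red_flags(r["ssn"], pre_randomization_rules)
        if ssn_counts[digits(r["ssn"])] > 1:
            flags.append("SSN also submitted by another patient (III.C.6)")
        n = address_counts[r["address"].strip().lower()]
        if n >= shared_threshold:
            flags.append("address shared by %d patients (III.C.7)" % n)
        n = phone_counts[digits(r["phone"])]
        if n >= shared_threshold:
            flags.append("phone number shared by %d patients (III.C.7)" % n)
        if flags:
            report[r["patient"]] = flags
    return report


if __name__ == "__main__":
    for patient, flags in screen_intake(SAMPLE_INTAKE).items():
        print(patient, "->", "; ".join(flags))
```

Each flag names the policy item it comes from so the Compliance Officer's red flag file (section I.E) can record why a record was pulled for review. The output is a worklist for the challenge-question and ID-comparison steps in section IV, not a decision on its own.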

D) Patient or Other Activity that Appears Suspicious

1) Mail sent to the patient is repeatedly returned as undeliverable even though transactions continue to be conducted on the patient’s account.
2) A patient contacts Practice to report that he/she is not receiving mail/bills from Practice.
3) Practice receives a report from a patient that unauthorized charges are appearing on the patient’s HSA or other account.
4) A report from a patient, a victim of identity theft, law enforcement or other source.


IV. Procedure for Detection of Red Flags

A) Patients will be notified to bring identification to all appointments with Practice.

1) When a patient calls to schedule an appointment at Practice, staff will instruct the patient to bring a valid photo ID such as a driver’s license and their current health insurance card to their appointment.
2) Practice updated our web site on 11/1/2009 with message on our on-line appointment page requiring patients to bring a valid photo ID such as a driver’s license and their current insurance card to their appointment.
3) During Practice calls to remind patients of their next appointment with Practice, staff making the call will include a reminder to bring the required documentation with them to the appointment.
4) Practice updated our appointment reminder postcards on 11/1/2009 to include a statement of our policy requiring patients to bring a photo ID and insurance card with them to the appointment.
5) If the patient to be seen is an unemancipated minor, the minor’s parent or legal guardian must bring their own ID and insurance card before the minor patient can be seen.


B) When the patient checks in for his/her appointment, staff will request to see the patient’s (or minor patient’s parent or guardian’s) photo ID and insurance card. If Practice uses an electronic registration kiosk, the patient will be called to the front desk as soon as possible to verify ID and insurance information consistent with this Policy. The ID and insurance card will be copied and such copies will be placed in the patient’s record available to check-in staff so that current information on the patient is always on file and staff can compare IDs at future appointments.

C) When an established patient presents requesting a copy of their medical records; requesting a HIPAA inspection of their medical records, requesting a HIPAA accounting of disclosures of medical records, or requesting an itemized statement of their financial balance with Practice, staff will request the patient (or minor patient’s parent or guardian) to produce a valid photo ID and insurance card. Staff will compare the ID presented to the one on file.

D) Patients must present an ID to be seen at Practice (except in an active emergency).

1) New patients will not be seen without presenting a photo ID and insurance card (if insured) at check-in. Reschedule an appointment with these patients.
2) Established patients who fail to bring a photo ID to the appointment must present at least two (2) other types of credible ID, such as a credit card or SSN card, and must be able to verify their SSN, birth date, address and telephone number. Staff will cause a note to be placed in the patient’s file that the patient failed to bring ID to the appointment, and the patient will be notified to do so at their next appointment.


E) Updating Information.

1) If any registration information must be updated such as a change of address, staff shall cause the patient to present either an updated current ID such as a driver’s license or current utility bill with the patient’s name and address on it. Staff will copy such documentation and place it in the patient’s file.
2) Without such documentation, staff shall not make the update in Practice’s patient data system. However, Practice shall record the information requested to be changed and notify the patient that he/she will need to bring in proper documentation in order to have the updates entered into the system.


F) When any document is presented that appears to be altered, forged, or otherwise suspicious, staff shall ask challenge questions in order to verify the person’s identity.

G) Laptop Computers.

1) Under no circumstances will laptop computers, memory sticks, jump drives, or other devices containing personal patient identifying information be taken off of Practice’s premises.
2) No paper files containing personal patient identifying information shall be taken off of Practice’s premises.
3) Practice’s HIPAA Security Policy shall govern with respect to the handling of all patient identifying information and data encryption.


H) Social Security Numbers. Pursuant to TCA 47-18-2110:

1) No SSNs will be posted or displayed where patients or the public can see them.
2) No SSNs will be required to be transmitted over the Internet unless the Internet connection is secure or the SSN is encrypted.
3) No SSN will be required in order to log on to our website.
4) No SSN will be printed on any materials mailed to anyone unless the disclosure is required by law or the document is a form or application.


V. Procedure for Responding to Red Flags

A) If staff detects a red flag, this procedure must be followed in order to reduce the possible damage to the affected patient and to Practice. If a staff member is unsure whether suspicious activity is a red flag, assume it is and immediately seek confirmation from Practice’s Compliance Officer. This might require investigation by staff and the Compliance officer in order to verify.

B) As soon as the red flag is detected, the Compliance Officer shall be notified and presented with all documentation of the red flag. The Compliance Officer, or if the Compliance Officer cannot be reached, then staff, is authorized to respond immediately by:

1) Investigating the situation to determine the scope of the problem. If the suspected identity theft is due to the release of personal information based on a breach of security of unencrypted computerized data, state law requires that measures be taken “necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” TCA 47-18-2107.
2) Notifying law enforcement. State law requires that law enforcement be notified prior to any notification of the patient or person whose identity may have been stolen if there is a breach of the security of our system. A breach of security occurs when there is an “unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity” of personal identifying information maintained by Practice. TCA 47-18-2107.
3) Notifying the affected person(s) in writing of the identity theft or of the possibility that identity theft has occurred. Notification shall include a brief summary of the facts surrounding the discovery of the red flag and advice to monitor credit reports for suspicious activity. Notice can be by mail, or by e-mail if we have an e-mail address on file for the person(s) affected. If unencrypted personal information was released, or is believed to have been released, to any unauthorized person, state law requires that this notice be given “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.” TCA 47-18-2107(b). Thus, we must have permission from law enforcement to notify the affected person(s) if the identity theft is due to a breach of our system security. There are special laws pertaining to security breaches affecting multiple persons. If this happens, we will seek guidance on giving notice pursuant to TCA 47-18-2107(e)-(g) after consulting Practice’s lawyer or TMA.
4) Notifying, if appropriate, the patient’s physician and/or law enforcement if medical information about the patient is compromised.
5) Closing the patient’s financial account and reopening it with a new account number, flagging the old account for further attempts at activity. Change any associated passwords or security codes.
6) Facilitating a review of the patient’s medical records with appropriate staff and the patient to identify and remove any medical records that are not consistent with the patient’s medical history. Removed records shall be maintained in a separate file until the matter is concluded, either by prosecution of the offender or upon the expiration of 7 years.
7) Correcting any misinformation provided as a result of the red flag occurrence to pharmacies, other medical practices, the State Controlled Substance Database, etc.
8) Ceasing any collections on the patient’s account until the problem is straightened out and otherwise determining the correct balance.


C) If a patient contacts Practice to report being a victim of identity theft, the Compliance Officer shall be notified and presented with all documentation of the red flag. The Compliance Officer, or if the Compliance Officer cannot be reached, then staff, is authorized to respond immediately by:

1) Suggesting that the patient notify local law enforcement about their identity theft if they have not already done so.
2) Suggesting that the patient file an FTC ID Theft Affidavit. See www.ftc.gov/idtheft to access it.
3) Notifying, if appropriate, the patient’s physician and/or law enforcement if medical information about the patient is compromised.
4) Closing the patient’s financial account and reopening it with a new account number, flagging the old account for further attempts at activity. Change any associated passwords or security codes.
5) Facilitating a review of the patient’s medical records with appropriate staff and the patient to identify and remove any medical records that are not consistent with the patient’s medical history. Removed records shall be maintained in a separate file until the matter is concluded, either by prosecution of the offender or upon the expiration of 7 years.
6) Correcting any misinformation provided as a result of the red flag occurrence to pharmacies, other medical practices, the State Controlled Substance Database, etc.
7) Ceasing any collections on the patient’s account until the problem is straightened out and otherwise determining the correct balance.



Approved by PolyClinics.Net, PLLC on 10/16/2009:

David M. Jenkinson 10/16/2009