STAFF TRAINING: UCHC IDENTITY THEFT PREVENTION PROGRAM

1
STAFF TRAININGUCHC IDENTITY THEFT PREVENTION
PROGRAM

• Uphams Corner Health Committee, Inc.DBAUphams
  Corner Health CenterUphams Elder Service
  PlanUphams Home Health Care

Effective August 1, 2009
2
This Training Will

• Introduce you to the federal regulations that
  require the establishment of an Identity Theft
  Prevention Program.
• Describe how the regulations are applicable to
  UCHC.
• Explain the major components of UCHCs Identity
  Theft Prevention Program
• Red Flags likely to occur at UCHC
• Protocols for detecting Red Flags
• Protocols for responding to Red Flags
• Highlight the correlation between the Identity
  Theft Prevention Program other UCHC policies

3
Governing Regulations

• The Federal Trade Commission (FTC) issued the
  Red Flags Rule (in 2007) with a final
  compliance date of August 1, 2009.
• The regulations were issued to address the rising
  occurrences of identity theft throughout the
  United States. The FTC estimated that as many as
  9 million Americans have their identities stolen
  each year.
• In addition to being damaging to the individuals
  whose identity is stolen, there is great damage
  to businesses (who are left with unpaid bills).

4
The Red Flags Rule Requires

• Generally, the Red Flags Rule requires businesses
  that extend credit maintain covered
  accounts to develop a program (identity theft
  prevention program) designed to detect warning
  signs (red flags) of identity theft in their
  day-to-day operations and, to establish
  protocols for responding appropriately.
• Businesses that extend credit maintain
  covered accounts, and therefore must establish
  an identity theft prevention program, must also
  (a) fully train staff members on the program and
  (b) develop annual reports on its effectiveness.

5
Applicability of the Red Flags Rule to UCHC

• All medical providers, including UCHC, are
  considered to be businesses that extend credit
  because patients/clients/participants are not
  required to pay for services on the same day they
  visit the doctor/clinician. Credit
  is extended for the cost of the visit, until such
  time the patient (or their insurance company)
  pays for the services.
• None of the programs at UCHC require
  patients/clients to make a full payment at the
  time services are rendered.

6
Applicability of the Red Flags Rule to UCHC

• The term covered account is defined in the
  regulations as an account that a creditor offers
  or maintains, that involves or is designed to
  permit multiple payments or transactions
  (including continuing relationships with
  consumers for the provision of medical
  services).
• All UCHC patients/clients/participants have
  accounts established in their name to track
  services billed and paid for. The UCHC EDP
  department oversees patient accounts (they send
  claims to insurance companies for payment or,
  they bill the patients directly (if the person
  does not have medical insurance).

7
One Other Note of Applicability

• Regarding health care providers, commentary in
  the Federal Trade Commissions publication of the
  Red Flags Rule states that such businesses may
  also be at risk of medical identity theft
  (identity theft for the purpose of obtaining
  medical services).
• UCHC has experienced medical identity theft
  particularly with patients who pretend to be
  existing patients (or who register as new
  patients with stolen identity information) for
  the purpose of trying to obtain a prescription
  for narcotics (Oxycodone, Percocet, etc.).

8
The UCHC Identity Theft Prevention Program

• To comply with the Red Flags Rule, UCHC developed
  a written Identity Theft Prevention Program.
• The UCHC Board of Directors approved the program
  at its April 2009 Board meeting.
• All staff members that interact with
  patients/clients and/or regularly work with
  patient accounts must complete this training and
  comply with the policies in the UCHC Identity
  Theft Prevention Program.

9
UCHC Identity Theft Prevention Program

• Identification of Red Flags
• Detecting Red Flags
• Responding to Red Flags

10
Identification of Red FlagsThe following red
flags are likely at UCHC

• A complaint or question from a patient based on
  the patients receipt of
• A bill for another individual
• A bill for a product or service the patient
  denies receiving
• A bill from a provider the patient claims to have
  never seen or
• A notice of insurance benefits from their insurer
  for services never received by the patient.
• Records showing medical treatment that is
  inconsistent with a physical exam or with a
  medical history as reported by the patient.

11
List of Possible UCHC Red Flags Continued

• A complaint or question from a patient about the
  receipt of a collection notice from a bill
  collector.
• A patient health insurer report that coverage for
  legitimate services is denied because insurance
  benefits have been depleted or a lifetime cap has
  been reached.
• A dispute of a bill by a patient who claims to be
  the victim of any type of identity theft.

12
List of Possible UCHC Red Flags Continued

• Identification documents provided by a patient on
  which the persons photograph or physical
  description is not consistent with the person
  presenting the document.
• A patient who has an insurance number, but never
  produces an insurance card or other physical
  documentation of insurance.

13
List of Possible UCHC Red Flags Continued

• A notice or inquiry from an insurance fraud
  investigator for a private health insurer or law
  enforcement agency, including but not limited to
  a Medicare or Medicaid fraud agency.
• A security breach in UCHCs computer system
  and/or unauthorized access to electronic or paper
  records containing patient/client/participant
  information.

14
UCHC Identity Theft Prevention Program

• Identification of Red Flags
• Detecting Red Flags
• Responding to Red Flags

15
Detecting Red Flags at UCHC

• UCHC staff members must pay careful attention
  when interacting with patients and when working
  with patient accounts and remain alert for
  discrepancies in documents and/or patient
  information that suggest risk of identity theft
  or fraud.
• To assist with this, reminders of red flags
  will be posted throughout selected department
  areas at each UCHC site.
• The following protocols must be followed in the
  performance of duties

16
Protocols for Detecting Red Flags

• New Patients
• Each new patient is essentially opening a new
  account. In order to detect any red flag, UCHC
  registration staff (or other-titled staff
  performing registration duties) will take the
  following steps to obtain and verify the identity
  of the person
• Require identifying information (name, DOB,
  address, insurance information, etc.) of all
  family members who will receive care at UCHC.
• A drivers license or other photo identification
  (passport, state-issued ID) is required. Copy.
• Verify the patients identity by comparing the
  information provided to that which is on the
  photo identification presented by the patient.

17
Protocols for Detecting Red Flags

• Established Patients - Reception
• UCHC reception staff, when checking a patient/
  client in for an appointment, must take the
  following steps to verify the identity of the
  person about to receive services
• Verify the identity of the individual by asking
  for their birthdate, address, phone insurance
  info.
• Compare the information provided by the person to
  the information recorded in UCHC systems (or
  other related systems such as online insurance
  eligibility verification systems).
• Obtain supporting documentation if/as appropriate
  to the particular UCHC program (PACE, health
  center, dental/eye clinic, teen clinic, etc.).

18
Protocols for Detecting Red Flags

• Established Patients All Other Staff
• The following steps (next slide) must be taken by
  all other staff members conducting an activity
  related to an existing patient (or their account)
  to obtain and verify the identity of the
  patient/client they are interacting with (or
  discussing).
• Examples of all other staff include billing
  staff members answering patient/client inquiries
  (via phone or in person) benefits staff
  assisting patients with insurance applications
  clinical or administrative staff answering
  inquiries by associated organizations (such as
  Department of Children and Families or insurers),
  etc.

19
Protocols for Detecting Red Flags

• Established Patients All Other Staff
• ContinuedSteps that must be taken (as
  applicable) when conducting an activity related
  to an existing patient/client account
• Verify the identity of the individual (if it is a
  patient) by asking them for at least 2
  identifiers (birthdate, address, SSN) and compare
  their response to information in UCHC
  systems/records.
• Obtain supporting documentation if/as appropriate
  to the UCHC program.
• (If it is a 3rd party request for information)
  Verify the authority of the person making the
  inquiry or requesting action, to confirm whether
  they are legally allowed to access/obtain the
  information about the patient account.

20
UCHC Identity Theft Prevention Program

• Identification of Red Flags
• Detecting Red Flags
• Responding to Red Flags

21
Responding to Red Flags

• If a UCHC employee detects any identified red
  flags in the course of their day, they should
  notify their supervisor immediately and provide
  him/her with any related documentation.
• The supervisor is responsible for evaluating the
  information/documentation and determining whether
  the incident requires further investigation.
• If further investigation is required, the
  incident should be documented according to the
  General Internal Incident Reporting Procedure.

22
Responding to Red Flags

• If the investigation results in a determination
  that fraudulent activity is/was underway, one or
  more of the following will be considered
  (depending on the red flag detected and degree of
  risk posed by the red flag)
• Comply with State M.G.L. Chapter 93H and/or
  Federal requirements related to a breach of
  computer security.
• Contact the affected patient(s).
• Notify law enforcement.
• Continue to monitor the affected patient account
  for evidence of identity theft.

23
Responding to Red Flags

• List of possible responses continued
• Notify other appropriate UCHC personnel (i.e. EDP
  staff members responsible for patient account
  balances clinical personnel responsible for
  oversight of care/prescription medications Human
  Resources responsible for terminating employment,
  etc.).
• Change any passwords or other security codes that
  allow access to an affected account.
• Place a restriction code or flag on the
  affected account to hold further transactions.

24
Note About Responding to Medical Identity Theft

• If a determination is made during the course of
  an investigation that medical identity theft has
  occurred, there may be errors in the patients
  chart as a result. Fraudulent information may
  have been added to a pre-existing chart, or the
  contents of an entire chart may refer only to the
  health condition of the identity thief, but under
  the victims personal identifying information.
• In such cases, UCHC administrative and clinical
  staff will work together to respond appropriately.

25
Correlation to Other UCHC PPs

• It is important for staff members to recognize
  the close correlation between the components of
  this Identity Theft Prevention Program and other
  UCHC PPs particularly those PPs that relate
  to HIPAA Privacy and Security regulations.
• The policies in place at UCHC which relate to
  HIPAA Privacy and Security primarily aim to
  prevent unauthorized access and disclosure of
  patient health information. The policies under
  this Identity Theft Prevention Program aim to
  recognize signs that a persons information is
  already being misused.

26
Correlation to Other UCHC PPs

• Some examples of HPAA-related PPs closely
  related to this Program include
• Computer Workstation Use and Security
• Facility Access Controls and Security Plan
• IT (Computer System) Access Management.
• UCHC PPs can be accessed via the UCHC webpage
  (www.uphamscornerhealthctr.org).

27
Concluding Note

• UCHCs overall goal is that ALL policies and
  procedures aimed at data security, the protection
  of client confidentiality, and identity theft
  prevention/recognition, will equally be practiced
  by all staff to create a secure and confidential
  environment for our patients/clients.

28
ACTION REQUIREDPlease click the link below to
access the training certificate Print Your
Certificate 1) Print the certificate2) Read
and sign the certificate 3) Send the
certificate to Human Resources at 547 for filing
in your personnel file.