
									        FTC’s ID Theft Red Flags Rules
       A practical approach to achieving compliance

                      HFMA Florida Chapter
                      2010 Spring Conference

                 George Rousis, Compliance Officer
                          Halifax Health
                     george.rousis@halifax.org




Outline

  • Definitions
  • Legal environment
  • How big is the problem?
  • ID Theft Risk Management
     – Prevention, detection and mitigation
     – Red flags
     – Incident response
  • Address discrepancies
  • Case scenarios
  • Resources
5/18/2010                    halifaxhealth.org        2




Why Be Concerned about ID Theft?

  • Medical ID theft is a patient safety
    concern
  • Preventing, detecting and mitigating its
    effects is a legal and ethical obligation




ID Theft Definitions

  • ID theft: fraud committed or attempted using the
    identifying information of another person without
    authority.
  • Medical ID Theft: misuse of an identity to obtain medical
    goods or services or submit a false claim for same, with or
    without the ID owner’s knowledge or permission.








ID Theft Definitions

  • ID Theft Red Flag: pattern, practice, or specific activity that
    indicates the possible existence of identity theft.
  • Identifying Information: any name or number that may be
    used, alone or in conjunction with any other information,
    to contact, identify or locate a specific person.








Types of ID theft

  • Financial
     – Credit fraud
     – Check fraud
     – Medical
  • Driver’s license
  • Social Security
  • Criminal




How big is the problem?

    6.6M - 10.3M victims in 2005
    (3.7% of adult population)
    Source: Federal Trade Commission, 2006


    23 million received ID theft notifications
    in 2005
    Source: Ponemon Institute, 2006

    1,673 data breaches 2006 – 2009
    194,782,190 records exposed
    Source: Identity Theft Resource Center (based on media reports)






How big is the problem?

  • 2006 FTC Report
     – 3.7% of adult population were victims in 2005
       (8.3 million)
     – 3.3 million (1.5%) experienced misuse of non-credit
       accounts
     – 3.2 million (1.4%) experienced misuse of existing
       accounts
     – 1.8 million (0.8%) new accounts and other fraud
     – 250,000 were medical-related






      Legal Environment

    • ID Theft and Assumption Deterrence Act (PL 105-318)
    • ID Theft Penalty Enhancement Act (PL 108-275)
    • Health Care False Statements (18 USC § 1035)
    • Florida health services fraud statute (FS § 817.50)
    • Florida data breach notification law (FS 817.5681)
    • HIPAA
       – Privacy Rule
       – Security Rule
       – Breach Notification
    • FTC Red Flags Regulations
      16 C.F.R. Part 683
      FR


ID Theft and Assumption Deterrence
Act (PL 105-318, Oct. 1998)
  • “…knowingly transfers or uses, without lawful authority, a
    means of identification of another person with the intent to
    commit, or to aid or abet, any unlawful activity that
    constitutes a violation of Federal law, or that constitutes a
    felony under any applicable State or local law…”
  • 5-15 years imprisonment








ID Theft Penalty Enhancement Act
(PL 108-275, July 2004)
  • Expanded to cover possession of another person’s ID with
    intent to commit ID theft
  • Prevents courts from placing convicted person on
    probation
  • Longer sentences through count aggregation with related
    felonies








False statements in health care
(18 USC § 1035)
  • (a) Whoever, in any matter involving a health care benefit
    program, knowingly and willfully— (1) falsifies, conceals,
    or covers up by any trick, scheme, or device a material fact;
    or
  • (2) makes any materially false, fictitious, or fraudulent
    statements or representations, or makes or uses any
    materially false writing or document knowing the same to
    contain any materially false, fictitious, or fraudulent
    statement or entry, in connection with the delivery of or
    payment for health care benefits, items, or services, shall be
    fined under this title or imprisoned not more than 5 years,
    or both.
FL Health Services Fraud Statute
(§ 817.50)
  • Whoever shall, willfully and with intent to defraud, obtain
    or attempt to obtain goods, products, merchandise, or
    services from any health care provider in this
    state…commits a misdemeanor of the second degree…
  • If any person gives to any health care provider in this state
    a false or fictitious name or a false or fictitious address… or
    assigns…the proceeds of any…insurance contract, then
    knowing that such contract is [invalid] for any reason, such
    action shall be prima facie evidence of the intent of such
    person to defraud the health care provider.






Florida ID Theft
Notification Law (§ 817.5681)
  • Effective 7/1/2005
  • Requires notification of individuals whose unencrypted PII
    was accessed by an unauthorized person as a result of a computer
    system breach
  • PII = Personal Identification Information
     – Individual’s name with
        • Social Security number; or
        • Driver’s license number; or
        • Financial account number with security codes






Florida ID Theft
Notification Law (§ 817.5681)
  • Notification of individuals required within 45 days of
    discovery
     – $1,000/day fine for each day breach is undisclosed
     – $50,000 for each 30 day period after 30 days
     – $500,000 if undisclosed after 180 days
  • Business associates have 10 days to notify the business
    before penalties apply




HIPAA Security Rule
45 C.F.R. § 164.306 – General Rules
  (a) General requirements. Covered entities must do the
      following:
  (1) Ensure the confidentiality, integrity, and availability of
      all electronic protected health information the covered
      entity creates, receives, maintains, or transmits.
  (2) Protect against any reasonably anticipated threats or
      hazards to the security or integrity of such information.
  (3) Protect against any reasonably anticipated uses or
      disclosures of such information that are not permitted or
      required under subpart E of this part.
  (4) Ensure compliance with this subpart by its workforce.




HIPAA Security Rule

  • Security Management Process
     – Risk Analysis
     – Risk Management
     – System Activity Review
  • Integrity Standard
     – Mechanism to authenticate electronic PHI
  • Security Incident Procedures
  • Audit Controls







HIPAA Security Rule

  • Mechanism to Authenticate Electronic Protected Health
    Information - § 164.312(c)(2)

       “Implement electronic mechanisms to corroborate that
       electronic protected health information has not been
       altered or destroyed in an unauthorized manner.”
       (Addressable)




Federal Security Standards




        SP 800-30 Risk Management Guide for
        Information Technology Systems, National
        Institute of Standards and Technology






ID theft red flags regulations
16 C.F.R. Part 683
  • Red Flag: a pattern, practice, or specific activity that
    indicates the possible existence of identity theft.
  • Requires formal program to:
     – Prevent
     – Detect
     – Mitigate
     – Recognize and respond to “red flags”
     – Respond to address discrepancies







ID theft red flags regulations
16 C.F.R. Part 683
  • 11/1/2007          Final rule publication
  • 11/1/2008          Original compliance date
  • 6/1/2010           Enforcement commencement date
                       (after three postponements)
  • Oct 2009           House passes bill exempting small businesses;
                       U.S. District Court exempts attorneys
  • Nov 2009           Accountants file suit
  • Feb 2010           FTC appeals attorney exemption




ID Theft
How it Occurs

     • Other Threats
            – Electronic media theft
            – Data interception
            – Mail box raiding
            – Pre-texting
            – Vishing
            – Address change
            – Keystroke logger
            – Worm program
     • Threat Agents
            – Insider
            – Outsider acting alone
            – Outsider in collusion with ID owner
            – Vendor/Contractor
            – Organized crime
            – Terrorist group







Data Breaches Continue




Medical Records Targeted by
ID Thieves?








Who Wants Our Data?


            “I have your (expletive)! In *my* possession, right
            now, are 8,257,378 patient records and a total of
            35,548,087 prescriptions. Also, I made an encrypted
            backup and deleted the original. Unfortunately for
            Virginia, their backups seem to have gone missing,
            too. Uhoh :( For $10 million, I will gladly send along
            the password.”

            Source: wikileaks.org; first public report of Virginia Prescription Monitoring Program web site defacing
            (5/3/2009)



Who Wants Our Data?


            A post on carder’s forum…




Medical Records Targeted by
ID Thieves?
     •      Incidence of medical ID theft
     •      FTC Medical ID Theft web page
     •      HHS funded study by Booz Allen
     •      Carders’ forums








What do we know about
medical ID theft?
  • FTC ID Theft Study 2006
  • World Privacy Forum, other advocacy groups
  • HHS Office of National Coordinator
     – Environmental Scan
     – Final Report
     – More research to come…
  • Potential for harm through false medical record entries
  • Not well documented; extent not well understood







2008 Breach Details

  • 82% of 2008 breaches involved electronic records
  • 11% involved medical/health entities
    (7.1 million records exposed)
  • 21% data in transit
  • 16% insider
  • 14% hacker
  • 14% accident
  • 10% subcontractor







What do we know about
medical ID theft?
  • Typical scenarios
     – Bad guy gets sick
     – Friend or relative in need
     – Dishonest insider
     – Clinical takeovers
     – Opportunists








ID Theft Risk Assessment and Risk
Management Plan
  •    Acknowledge as a threat to data integrity
  •    Identify threats and threat agents
  •    Identify vulnerabilities
  •    Assess existing safeguards
  •    Implement additional safeguards
  •    Monitor and audit
  •    Manage incidents
  •    Reassess risk
  •    Revise the plan as needed

Managing the Risk of
Medical ID Theft

  • What is the real risk?
    – Frequency of occurrence?
    – Impact?








ID Theft Safeguards
Defense in Depth
  •    Program Administration
  •    Prevention
  •    Detection
  •    Mitigation
  •    Incident response, containment & recovery








ID Theft Program Administration

  • Written policies and procedures;
  • Involvement of the governing body and senior
    management;
  • Periodic reports on compliance;
  • Staff training;
  • Oversight of service provider arrangements; and
  • Consideration of a set of guidelines and implementing
    those guidelines that are appropriate



ID Theft Prevention

  •    Workforce training on red flags and response procedures
  •    Workforce clearance and supervision
  •    ID authentication at each encounter
  •    ID discrepancy response procedures
  •    Protect personal identification information
  •    User ID and authentication controls








ID Theft Prevention

  • Understand the flow of PII within and to/from the organization
  • Protect PII
     – SSNs
     – Insurance numbers
     – Other demographic identifiers
  • Follow “minimum necessary” principle
     – E.g., mask or truncate SSNs on output
  • Network access controls
  • Encrypt mobile data
  • Restrict data downloads






ID Theft Prevention

  •    Be aware of the environment while conducting business
  •    Strong authentication methods for computer users
  •    Patient/customer identity authentication
  •    Safeguard physical environment
  •    Consider insurance to minimize losses
  •    Data loss prevention technology




Patient ID Authentication

  • Patient Authentication Options
     – Picture ID check
     – Picture ID storage
     – Secondary ID
     – Challenge-response dialog
        • Based on existing data
        • Shared secret
     – Third-party verification
     – ID Card (see FIPS Pub 201-1)
     – Biometric
     – Public records search




ID Authentication in Practice

  • Driver’s license check common
  • Stored photo becoming the norm
  • Biometric ID less common
     – Expense and usability issues cited as barriers
  • Service not provided unless ID can be verified
     – Except in Emergency Room


     See: Desla Mancilla & Jackie Moczygemba, “Exploring Medical Identity Theft,”
     Perspectives in Health Information Management 6, Fall 2009, AHIMA Foundation.






Biometrics @ Baycare Health System




Problems in ID Authentication

   •   Time constraints at registration points
   •   Non-compliance with established procedures
   •   Photo ID age, clarity
   •   Customer inconvenience and ill will
   •   Work flow and system design
   •   Emergency treatment mandates








ID Theft Detection

  • Any “red flag” such as:
    – Any ID discrepancy at time of encounter
    – Billing statements
    – Insurance Explanation of Benefits (EOB)
    – Address discrepancy
    – Encounter list discrepancy
    – Patient access to his/her medical records
    – Accounting of disclosures







ID Theft Detection through Data
Analytics
  • Demographic information alert
    – Record comparison
    – SSN validation check
    – Address check
    – Driver’s license check
    – Public records search




ID Theft Detection through Data
Analytics
  • Clinical alerts
     – Interventions inconsistent with diagnoses
     – Drug prescription discrepancy
     – Allergy discrepancy
     – Blood type discrepancy
     – Problem list discrepancy








Medical ID Theft Red Flags

  • A complaint or question from a patient about:
    – Inaccurate or incomplete medical information
    – A bill for another individual
    – A bill for services patient denies receiving
    – Bill from another provider the patient never patronized
    – Insurance EOB for services never received








Medical ID Theft Red Flags

  • Medical treatment inconsistent with physical examination
    or history
  • Health care encounters denied by patient
  • Insurance denied for legitimate services because benefits
    are depleted or reached lifetime cap
  • Complaint about information added to a credit report by a
    provider




Medical ID Theft Red Flags

  • Doubt of identity expressed by anyone
  • Disputed bill with ID theft given as the reason
  • Patient with an insurance number can’t produce card or
    other evidence of insurance
  • Inquiry by insurance fraud investigator, law enforcement
    agency or other source








Medical ID Theft Red Flags

  •    Suspicious documents
  •    Suspicious personal identifying information
  •    Suspicious account activity
  •    Mail returns








Medical ID Theft Red Flags

  • Any type of address discrepancy
    – Patient requests change of address, but unwilling or
      unable to verify new address
    – Refusal or inability to produce statement sent to
      previous address
    – Refusal or inability to use change of address form sent
      to previous address




ID Theft Mitigation – The Basics

  •    Prevent harm
  •    Access trained personnel
  •    Mobilize incident response team
  •    Collect and preserve evidence
  •    Place hold on bill and correspondence
  •    Notify and assist the victim
  •    Clean up records








ID Theft Mitigation – Some Details

  •    Obtain ID Theft Affidavit
  •    Report to law enforcement
  •    Report to FTC
  •    Report to insurance company, Medicare, Medicaid
  •    Notify current and past providers, payers
  •    List and compare records








ID Theft Mitigation – More Details

  • Obtain victim’s assistance in ID’ing erroneous records
  • Amend/correct medical and billing records
  • Accounting of disclosures
  • Red flag alert in medical and billing records
  • John/Jane Doe record extraction
  • Notify other parties and users of medical and billing
    records
  • Assist the victim



Assisting Victims

  • Provide access to encounter lists, medical records, billing
    records
  • Amend/correct medical records
  • Notify other parties
  • Security freeze on credit, other documents
  • Advice on consumer credit and ID monitoring services
  • Help desk or call center access
  • Web resources
  • ID Theft Affidavit





Assistance Via Access
to a Summary Record
  •    Demographics
  •    Physical description
  •    List of encounters & providers
  •    Problem list, dx list
  •    Medications (active and d/c’d)
  •    Blood type, genetic test results
  •    Allergies
  •    Medical and social history
                    See also: www.worldprivacyforum.org





FTC ID Theft Affidavit

  ID Theft Affidavit: ftc.gov/idtheft




Florida ID Theft Victims Kit




            myfloridalegal.com/identitytheft







Driver’s License Fraud Investigation
Request


  Florida Driver’s License Fraud Investigation Request: http://www.flhsmv.gov/







ID Theft Incident Response

  •    Preparation
  •    Detection
  •    Analysis
  •    Containment
  •    Recovery
  •    Post-incident activity




Incident Response
Script Contents
  • Response team identification
  • Mobilization procedures
  • Escalation procedures
  • Response procedures:
     – Patient in-house vs. post-discharge
  • Data preservation and retention procedures
  • Mitigation activities
  • Lessons-learned meeting







Measuring Effectiveness

  • % of covered workforce members who completed training
  • % of registration locations using standard ID proofing
    process
  • $ written off due to ID proofing failures
  • Red flag occurrence statistics by location
  • Secret shopper observations








Address Discrepancies

   • Applies to users of consumer reports
   • Basic requirements
      – Must establish “reasonable belief” that a consumer
        report is for the individuals for whom it has been
        requested
      – Must furnish reasonably confirmed address in response
        to a notice of address discrepancy received from a
        consumer reporting agency




Interactive Case Scenarios

  •    “This bill is not mine!”
  •    The bad SSN
  •    “Hey, she looks different than the last time I saw her.”
  •    “Ummm, what did you say your name was?”








ID Theft Resources

  • HHS Office of National Coordinator
    healthit.hhs.gov
  • Federal Trade Commission
    ftc.gov/bcp/edu/microsites/idtheft/
  • World Privacy Forum
    www.worldprivacyforum.org
  • Health Privacy Project
    www.healthprivacy.org








ID Theft Resources

  • Privacy Rights Clearinghouse
    www.privacyrights.org
  • President’s ID Theft Task Force
    www.idtheft.gov
  • Nichols, Cindy, et al. Medical ID Theft. American Health
    Information Management Association (2008).
  • ID Theft Red Flags guidance for AMA members
    ama-assn.org




Resources - FTC








Resources – Center for Medical Record
Rights and Privacy








Conclusion




                 Open Forum
            George Rousis, Compliance Officer
                     Halifax Health
                george.rousis@halifax.org

Halifax Health
Compliance Standards

   Section:   Privacy
   No:        PV-45.2
   Title:     Identity Theft Prevention, Detection, and Mitigation
   Approved:  Compliance Dept.
   Effective: 11/13/2008 (Board Adoption)
   Revised:   4/30/2009



A. Applicability
     This policy is applicable to:
          • Halifax Health entities and departments that offer or maintain "covered accounts";
          • Halifax Health entities and departments that use consumer reports obtained from a consumer
            reporting agency;
          • Business associates that offer or maintain covered accounts on behalf of Halifax Health; and
          • Business associates that use consumer reports obtained from a consumer reporting agency on behalf
            of Halifax Health.

B. Policy
     It is the policy of Halifax Health to implement and maintain policies and procedures for the prevention,
     detection and mitigation of identity theft, and to appropriately respond to customer address
     discrepancies of which it becomes aware.

C. Background
     The frequency of data security breaches motivated by identity theft is increasing. The Federal Trade
     Commission reports more than 158 million data records of U.S. residents have been exposed due to
     security breaches since January 2005. As of 7/1/2005, Florida businesses are obligated by law to notify
     individuals whose personal identification information may have been accessed by an unauthorized
     person as a result of a security breach. Effective November 1, 2008, federal regulations require
     organizations that use consumer credit reports and/or offer or maintain accounts for the settlement of
     financial obligations to have policies and procedures in place to prevent and detect ID theft and
     mitigate its effects. Users of consumer credit reports must have policies and procedures in place to
     handle address discrepancies with respect to a customer account.

     As distinguished from ID theft motivated by financial gain, ID theft can also occur in the health setting
     in order to fraudulently obtain medical benefits with or without the knowledge of the person whose ID
     is used. For example, an individual with single insurance coverage might share insurance information
     with a friend or relative so that the person can receive insurance benefits. Medical identity theft can
     result in false entries in medical records, and victims can receive the wrong medical treatment or find
     their insurance benefits exhausted.

D. Definitions
     ID theft is a fraud committed or attempted using the identifying information of another person without
     authority. It also prescribes duties of users of consumer reports regarding address discrepancies.

     Identifying information means any name or number that may be used, alone or in conjunction with any
     other information, to identify a specific person, including any—

PV-45.2-ID_Theft_Detection_Prevention_Mitigation.doc                                             Printed: 5/18/2010 11:42 AM

              (1) Name, social security number, date of birth, official State or government issued driver’s license
              or identification number, alien registration number, government passport number, employer or
              taxpayer identification number;

              (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique
              physical representation;

              (3) Unique electronic identification number, address, or routing code; or

              (4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e))
              [relating to the means for identifying a specific telecommunications account].

        Creditor means any person who regularly extends, renews, or continues credit; any person who regularly
        arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who
        participates in the decision to extend, renew, or continue credit. Guidance published by the Federal
        Trade Commission states, “Creditors include finance companies, automobile dealers, mortgage brokers,
        utility companies, and telecommunications companies. Where non-profit and government entities defer
        payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those
        regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the
        FTC.” [1] Under this definition, a third party debt collector could also be subject to the requirements if it
        extends, renews or continues credit. Halifax Health is a creditor to the extent it 1) offers repayment
        terms to patients for the settlement of their financial obligations, 2) allows individuals to leave the
        premises without payment in full, or 3) maintains an account against which multiple payments can be
        recorded.

        Covered account means an account that a financial institution or creditor offers or maintains, primarily for
        personal, family, or household purposes, that involves or is designed to permit multiple payments or
        transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone
        account, utility account, checking account, or savings account; and

        Any other account that the financial institution or creditor offers or maintains for which there is a
        reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or
        creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. 2

        Consumer Reporting Agency (CRA) means Experian, TransUnion or Equifax.

        Consumer report means any written, oral, or other communication of any information by a consumer
        reporting agency (CRA) bearing on a consumer's credit worthiness, credit standing, credit capacity,
        character, general reputation, personal characteristics, or mode of living which is used or expected to be
        used or collected in whole or in part for the purpose of serving as a factor in establishing the patient's
        eligibility for--

              credit or insurance to be used primarily for personal, family, or household purposes;

              employment purposes; or

              any other purpose authorized under the Fair and Accurate Credit Transactions Act.

1 FTC Business Alert, “New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft,”
http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm (accessed 10/8/2008)
2 Patient accounts receivable meet the definition of “a covered account”; an account established for an employee advance is not a covered account.

PV-45.2-ID_Theft_Detection_Prevention_Mitigation.doc                                                                               Printed: 5/18/2010 11:42:00 AM
   No: PV-45.2            Identity Theft Prevention, Detection, and Mitigation                       Page 3

     Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft.

     Notice of address discrepancy means a notice sent to a user (Halifax Health) by a consumer reporting agency
     that informs the user of a substantial difference between the address for the consumer that the user
     provided to request the consumer report and the address(es) in the agency’s file for the consumer.

E. Standards
     1. ID Theft Prevention Program
          a. A Halifax Health entity or department that offers or maintains covered accounts must
             implement and maintain an ID theft prevention, detection and mitigation program (Program).
          b. The design of the Program must, at a minimum, address the following elements (as more fully
             described in Exhibit 1):
               (1) Identification of relevant Red Flags for covered accounts;
               (2) Procedures for the detection of Red Flags;
               (3) Procedures for responding to Red Flags that are detected and preventing and mitigating the
                   effects of ID theft;
               (4) Procedures for periodic review of the Program and updating the program to reflect changes
                   in risks to patients, employees, medical staff and other constituencies for whom the entity
                   maintains identifying information;
               (5) Procedures for administering the Program; and
               (6) Evaluating other applicable legal requirements.
          c. In medical settings, the Program must address the ID theft Red Flags listed in Exhibit 2.
     2. Program Administration
          The Program must be continually administered through:
          a. Involvement of the governing body and senior management;
          b. Periodic reports on compliance;
          c. Staff training;
          d. Oversight of service provider arrangements; and
          e. Consideration of a set of guidelines and implementing those guidelines that are appropriate, such
             as those listed under Implementation Guidance below and attached Exhibits.
     3. Address Discrepancies
          A Halifax Health department or entity that is a user of Consumer Reports must comply with the
          following:
          a. Establishment of reasonable belief that a consumer report is for the individual for whom it has
             been requested:
               A Halifax Health entity that uses consumer reports must implement and maintain reasonable
               policies and procedures designed to enable the entity to form a reasonable belief that a
               consumer report relates to the consumer about whom it has requested the report, when the user
               receives a notice of address discrepancy.
               Examples of reasonable policies and procedures:
               (1) Comparing the information in the consumer report provided by the consumer reporting
                   agency with information the user:
                    (a) Obtains and uses to verify the consumer’s identity
                    (b) Maintains in its own records, such as billing and medical records
                    (c) Obtains from third-party sources; or
               (2) Verifying the information in the consumer report provided by the consumer reporting
                   agency with the consumer.
               (3) Refraining from 100% reliance on data from secondary sources known to contain errors or
                   defects.
          b. Furnishing of consumer's address
               (1) The Halifax Health entity must implement and maintain reasonable policies and procedures
                   for furnishing an address for the consumer that the user has reasonably confirmed is
                   accurate to the consumer reporting agency from whom it received the notice of address
                   discrepancy when the Halifax Health entity:
                    • Can form a reasonable belief that the consumer report relates to the consumer about
                      whom the user requested the report;
                    • Establishes a continuing relationship with the consumer; and
                    • Regularly and in the ordinary course of business furnishes information to the
                      consumer reporting agency from which the notice of address discrepancy relating to
                      the consumer was obtained.
                    For example, the Halifax Health entity may reasonably confirm an address is accurate by:
                    • Verifying the address with the consumer about whom it has requested the report;
                    • Reviewing its own records to verify the address of the consumer;
                    • Verifying the address through third-party sources; or
                    • Using other reasonable means.
               (2) Timing.
                   The Halifax Health entity must furnish the consumer’s address that the user has reasonably
                   confirmed is accurate to the consumer reporting agency as part of the information it
                   regularly furnishes for the reporting period in which it establishes a relationship with the
                   consumer.
     4. Identifying Information Limited to Minimum Necessary
          Halifax Health entities must limit identifying information acquired, maintained, used, disclosed or
          transmitted to the minimum necessary needed to meet its objectives. For example,
                    • On output (screens and reports), Social Security, insurance ID and financial account
                      numbers should be masked or truncated to the last four digits, when the full number is
                      not needed by the user(s) of the information.
                    • Social Security number, insurance ID and financial account numbers should not be
                      requested, used, disclosed, or stored as a person's unique identifier unless absolutely
                      necessary.
     5. Safeguards for Identifying Information
          a. Halifax Health entities that receive, request, use or disclose identifying information must
             implement and maintain reasonable and appropriate safeguards to protect the confidentiality of
             identifying information.
          b. The policies and standards of the Halifax Health Information Security Program should be
             considered, including, but not limited to, Halifax Health security standards for:
                   • Workforce clearance, supervision and termination
                   • Facility access controls
                   • Workstation security
                   • Information access controls for access authorization, access establishment and
                     modification, unique user identification, encryption, automatic logoff, and
                     emergency access
                   • Person or entity authentication
                   • Logon monitoring
                   • Device and media controls
                   • System activity review
                   • Audit controls
                   • Transmission security
                   • Web server security (for identifying information maintained on web servers)
                   • Facsimile security (for identifying information transmitted by fax)
                   • Business associate agreements
          c. Halifax Health entities must reasonably and appropriately limit access to consumer reports,
             public records search services, and internal sources of identifying information.
     6. Business Associates
          a. Halifax Health entities must ensure that business associates that use or disclose personal
             identification information for or on behalf of Halifax Health have reasonable policies and
             procedures designed to detect, prevent, and mitigate the risk of identity theft. The responsibility
             for compliance with this policy remains with Halifax Health, even if duties are outsourced to a
             third party.
          b. Halifax Health may require the business associate, by contract, to have policies and procedures to
             detect relevant Red Flags that may arise in the performance of the service provider’s activities
             and either report the Red Flags to Halifax Health or take appropriate steps to prevent or
             mitigate identity theft.
     7. Protected Health Information; Limitations on Uses and Disclosures
          a. Except as expressly permitted by this standard, a Halifax Health entity may not use or disclose
             protected health information of any individual in connection with the detection, prevention, or
             mitigation of ID theft.
          b. A Halifax Health entity may use protected health information it has created or received in order
             to conduct an internal investigation of an ID theft Red Flag, or suspected ID theft involving a
             patient, health plan member, employee, other customer or business associate.
          c. A Halifax Health entity may disclose to a law enforcement official the name, address, telephone
             number and physical description of a victim of ID theft, or an individual reasonably suspected to
             have committed ID theft against a patient, employee, health plan member or other customer.
          d. Requests for disclosures beyond that permitted in this standard must be referred to the Legal
             Department or Compliance Department.
     8. Identification of Patients and Other Customers
          a. Written procedures shall establish the requirements for verifying the identity of a patient or
             other customer for whom a covered account is established or maintained.
          b. For patients and other customers who are minors, identification shall be verified with the parent
             or guardian, or other legal representative, such as an official with the custodial agency
             responsible for the minor.
          c. Identity verification procedures shall not delay treatment of individuals requesting evaluation
             and treatment of an emergency medical condition as required by the Emergency Treatment and
             Active Labor Act.
     9. Training and Education
          a. The Compliance Department is responsible for educating the leadership team on the
             requirements of this policy.
          b. The Compliance Department will establish and maintain web-based education for employees
             on:
               (1) How employees can protect themselves from ID theft and mitigate its effects; and
               (2) How employees can protect patients and other customers from ID theft.
          c. Managers are responsible for educating their team members on the requirements of this policy.
          d. The Compliance Department will post and maintain information on the Halifax Health intranet
             on ID Theft for team members, patients and other constituents on how they can protect
             themselves from ID Theft and what to do if ID theft is suspected.
     10. Documentation
          a. Managers of Halifax Health entities or departments to which this policy is applicable are
             responsible for documenting compliance with the policy.
          b. Documentation of compliance must be retained for six (6) years.
     11. Compliance Dates
          a. The compliance date for the ID theft prevention, detection and mitigation standards is
             5/1/2009.
          b. The compliance date for the address discrepancy standards is 11/1/2008.

F. Implementation Guidance
     In addition to incorporating Red Flags from the sources that must be considered in the design of the
     Program (Exhibit 1), each entity or department may consider incorporating into its Program, whether
     singly or in combination, Red Flags from the following illustrative examples in connection with covered
     accounts:


     1. Alerts, Notifications or Warnings from a Consumer Reporting Agency
          a. A fraud or active duty alert is included with a consumer report.
          b. A consumer reporting agency provides a notice of credit freeze in response to a request for a
             consumer report.
          c. A consumer reporting agency provides a notice of address discrepancy.
          d. A consumer report indicates a pattern of activity that is inconsistent with the history and usual
             pattern of activity of a patient or other customer, such as:
               (1) A recent and significant increase in the volume of inquiries;
               (2) An unusual number of recently established credit relationships;
               (3) A material change in the use of credit, especially with respect to recently established credit
                   relationships; or
               (4) An account that was closed for cause or identified for abuse of account privileges by a
                   financial institution or creditor.
     2. Suspicious Documents
          a. Documents provided for identification appear to have been altered or forged.
          b. The photograph or physical description on the identification is not consistent with the
             appearance of the applicant or customer presenting the identification.
          c. Other information on the identification is not consistent with information provided by the
             person opening a new covered account or customer presenting the identification.
          d. Other information on the identification is not consistent with readily accessible information that
             is on file with the Halifax Health entity, such as a completed form or a recent check.
          e. An application or other document presented by the individual appears to have been altered or
             forged, or gives the appearance of having been destroyed and reassembled.
     3. Suspicious Personal Identifying Information
          a. Personal identifying information provided is inconsistent when compared against external
             information sources used by Halifax Health. For example:
               (1) The address does not match any address in the consumer report;
               (2) The Social Security Number (SSN) has not been issued, or is listed on the Social Security
                   Administration’s Death Master File; or
               (3) In a public records search, identifying information is associated with multiple individuals or
                   possible aliases of the same individual.
          b. Personal identifying information provided by the customer is not consistent with other personal
             identifying information provided by the customer. For example,
               (1) There is a lack of correlation between the SSN range and date of birth.
               (2) The identifying information presented in a previous encounter does not match the
                   information provided in the current encounter.
          c. Personal identifying information provided is associated with known fraudulent activity as
             indicated by internal or third-party sources used by the Halifax Health entity. For example:

               (1) The address on a document or report is the same as the address provided on a fraudulent
                   document; or
               (2) The phone number on a document or report is the same as the number provided on a
                   fraudulent document or report.
          d. Personal identifying information provided is of a type commonly associated with fraudulent
             activity as indicated by internal or third-party sources used by the Halifax Health entity. For
             example:
               (1) The address on a document or report is fictitious, a mail drop, or a prison; or
               (2) The phone number is invalid, or is associated with a pager or answering service.
          e. The SSN provided is the same as that submitted by one or more other individuals in the Halifax
             Health entity’s records.
          f. The address or telephone number provided is the same as or similar to the address or telephone
             number submitted by an unusually large number of other persons in the Halifax Health entity’s
             records.
          g. The person for whom an account is being established fails to provide all required personal
             identifying information.
          h. Personal identifying information provided by the person is not consistent with identifying
             information that is already on file with the Halifax Health entity.
          i. In a challenge-response dialogue, the person for whom an account is being established or
             accessed cannot provide authenticating information beyond that which generally would be
             available from a wallet or consumer report.
     4. Unusual Use of, or Suspicious Activity Related to, the Covered Account
          a. Shortly following the notice of a change of address for a covered account, the Halifax Health
             entity receives a request for copies of medical records, billing records, insurance card, ID card or
             other credential or document maintained by the Halifax Health entity, or a request to cover
             additional persons within a benefit offered by Halifax Health.
          b. An account is used in a manner commonly associated with known patterns of fraud.
             For example: The customer fails to make the first payment or makes an initial payment but no
             subsequent payments.
          c. A covered account is used in a manner that is not consistent with established patterns of activity
             on the account. There is, for example:
               (1) Nonpayment when there is no history of late or missed payments;
               (2) Unexplained increases in the use of services or benefits related to the account;
               (3) A request to change the mailing address or guarantor information associated with an account
                   that is in conflict with other records maintained for the individual.
          d. A covered account that has been inactive for a reasonably lengthy period of time is used (taking
             into consideration the type of account, the expected pattern of usage and other relevant factors).
          e. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue
             to be conducted in connection with the customer’s covered account.
          f. Halifax Health is notified that the customer is not receiving paper account statements.

          g. Halifax Health is notified of unauthorized charges or transactions in connection with a
             customer’s covered account.
          h. Halifax Health is notified by a customer, a victim of identity theft, a law enforcement authority,
             or any other person that it has an account for a person engaged in identity theft.
          i. Halifax Health receives notice from a customer that he/she has received a bill or other
             correspondence but never received services from Halifax Health.
          j. Halifax Health is notified that a bill or explanation of benefits has been sent in connection with
             services not received by the individual making the notification.
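
Added example (not part of the Halifax Health policy): one way to screen registration and account-activity records for Red Flags 3.e, 3.f and 4.a above, with SSNs masked to the last four digits on output as Standard 4 requires. The field names, event types, the "more than two persons" threshold and the 30-day window are assumptions; the policy says only "unusually large" and "shortly following".

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data: not real people, SSNs or accounts.
REGISTRATIONS = [
    {"person_id": "P1", "ssn": "900-11-2222", "address": "12 Oak St, Apt 4"},
    {"person_id": "P2", "ssn": "900-11-2222", "address": "77 Pine Ave"},
    {"person_id": "P3", "ssn": "900-33-4444", "address": "12 oak st apt 4"},
    {"person_id": "P4", "ssn": "900-55-6666", "address": "12 Oak St., Apt 4"},
    {"person_id": "P5", "ssn": "900-77-8888", "address": "9 Elm Rd"},
]
ACCOUNT_EVENTS = [
    {"account": "A100", "type": "address_change", "on": date(2010, 3, 1)},
    {"account": "A100", "type": "records_request", "on": date(2010, 3, 9)},
    {"account": "A200", "type": "address_change", "on": date(2009, 6, 1)},
    {"account": "A200", "type": "id_card_request", "on": date(2010, 3, 9)},
    {"account": "A300", "type": "records_request", "on": date(2010, 3, 2)},
]
# Requests named in Red Flag 4.a (hypothetical event-type labels).
SENSITIVE_REQUESTS = {"records_request", "id_card_request", "add_covered_person"}


def mask_last4(value):
    """Keep only the last four digits; mask everything if four or fewer."""
    digits = "".join(c for c in value if c.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def normalize_address(addr):
    """Lower-case and drop punctuation so trivial variants compare equal."""
    cleaned = "".join(c if c.isalnum() else " " for c in addr.lower())
    return " ".join(cleaned.split())


def shared_ssn_flags(registrations):
    """Red Flag 3.e: the same SSN submitted by more than one individual."""
    by_ssn = defaultdict(set)
    for r in registrations:
        digits = "".join(c for c in r["ssn"] if c.isdigit())
        by_ssn[digits].add(r["person_id"])
    return [
        {"flag": "3.e", "ssn": mask_last4(ssn), "persons": sorted(persons)}
        for ssn, persons in sorted(by_ssn.items())
        if len(persons) > 1
    ]


def shared_address_flags(registrations, max_persons=2):
    """Red Flag 3.f: one address used by more than max_persons (assumed)."""
    by_addr = defaultdict(set)
    for r in registrations:
        by_addr[normalize_address(r["address"])].add(r["person_id"])
    return [
        {"flag": "3.f", "address": addr, "persons": sorted(persons)}
        for addr, persons in sorted(by_addr.items())
        if len(persons) > max_persons
    ]


def request_after_address_change_flags(events, window_days=30):
    """Red Flag 4.a: sensitive request within window_days of an address change."""
    last_change = {}
    flags = []
    for e in sorted(events, key=lambda ev: ev["on"]):
        if e["type"] == "address_change":
            last_change[e["account"]] = e["on"]
        elif e["type"] in SENSITIVE_REQUESTS:
            changed = last_change.get(e["account"])
            if changed is not None and e["on"] - changed <= timedelta(days=window_days):
                flags.append({
                    "flag": "4.a",
                    "account": e["account"],
                    "request": e["type"],
                    "days_after_change": (e["on"] - changed).days,
                })
    return flags


if __name__ == "__main__":
    findings = (shared_ssn_flags(REGISTRATIONS)
                + shared_address_flags(REGISTRATIONS)
                + request_after_address_change_flags(ACCOUNT_EVENTS))
    for finding in findings:
        print(finding)
```

A finding is a prompt for the response procedures in Exhibit 1, section 3, not proof of ID theft; family members legitimately share addresses, so the thresholds need tuning against the entity's own records.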

G. Exhibits
     1. Exhibit 1 – Program Design Elements
     2. Exhibit 2 – ID Theft Red Flags in Medical Settings
     3. Exhibit 3 – Sample Letter to Consumer Reporting an Identification Discrepancy

H. References
     Title 16, Part 683, Code of Federal Regulations (Identity Theft Rules)

     § 817.5681, Fla. Stat. (Florida ID Theft Notification Law)

     Dixon, Pam. Medical Identity Theft: the Information Crime that Can Kill You, World Privacy Forum,
     5/3/2006.

     ID theft resources at the Florida Office of the Attorney General
     http://myfloridalegal.com/identitytheft

     Florida’s Identity Theft Victim Kit
     http://myfloridalegal.com/identitytheft

     ID theft resources at the Florida Department of Highway Safety and Motor Vehicles
     http://www.hsmv.state.fl.us/IDtheft.html

     ID theft resources at the Federal Trade Commission
     http://www.ftc.gov/bcp/edu/microsites/idtheft/index.html

I. Related Policies
     PV-30 Uses and disclosures limited to the minimum necessary

     PV45.1, Breach of Computer Security with Respect to Personal Identification Information; Notification
     Requirements


J. Revision History
      Date            Revision/Review                                                                              By
      1/9/08          Policy created.                                                                              G.Rousis
      4/14/08         Added sample letter to consumer; updated with comments of Shelly Shiflet, Collections        G.Rousis
                      Counsel; add standard on use or disclosure of PHI in connection with ID theft
                      investigations
      10/8/08         Added clarification language to definition of “creditor”                                     G.Rousis
      11/13/08        Policy approved by HH Board of Commissioners; added compliance dates to standards;           G.Rousis
                      added standards for identity verification.
      4/27/2009       Revised Exhibit 2 (red flags in medical settings); added footnote to definition of covered   G.Rousis
                      account.


                                                              Exhibit 1
                                                       Program Design Elements

     1. Identifying Relevant Red Flags
          a. Risk Factors
               The department or entity should consider the following factors in identifying relevant Red Flags
               for covered accounts, as appropriate:
               (1) The types of covered accounts it offers or maintains;
               (2) The methods it provides to open its covered accounts;
               (3) The methods it provides to access its covered accounts; and
               (4) Its previous experiences with identity theft.
          b. Sources of Red Flags
               The department or entity should incorporate relevant Red Flags from sources such as:
               (1) Incidents of identity theft that Halifax Health has experienced;
               (2) Methods of identity theft that Halifax Health has identified that reflect changes in identity
                   theft risks; and
               (3) Applicable supervisory guidance.
          c. Categories of Red Flags
               The Program should include relevant Red Flags from the following categories, as appropriate.
               Examples of Red Flags from each of these categories are in the Implementation Guidance
               section of the policy.
               (1) Alerts, notifications, or other warnings received from consumer reporting agencies or service
                   providers, such as fraud detection services;
               (2) The presentation of suspicious documents;
               (3) The presentation of suspicious personal identifying information, such as a suspicious address
                   change;
               (4) The unusual use of, or other suspicious activity related to, a covered account; and
               (5) Notice from customers, victims of identity theft, law enforcement authorities, or other
                   persons regarding possible identity theft in connection with covered accounts held by the
                   department or entity.
     2. Detecting Red Flags
          The Program's policies and procedures should address the detection of Red Flags in connection with
          the opening of covered accounts and existing covered accounts, such as by:
          a. Obtaining identifying information about, and verifying the identity of, a person opening a
             covered account, for example, using the policies and procedures regarding identification and
             verification set forth in the Customer Identification Program rules implementing 31 U.S.C.
             5318(l) (31 CFR § 103.121) to the extent applicable to health care organizations; and
            b. Authenticating customers, monitoring transactions, and verifying the validity of change of
               address requests, in the case of existing covered accounts.
      3. Preventing and Mitigating Identity Theft
            The Program's policies and procedures should provide for appropriate responses to the Red Flags
            the department or entity has detected that are commensurate with the degree of risk posed. In
            determining an appropriate response, the department or entity should consider aggravating factors
            that may heighten the risk of identity theft, such as a data security incident that results in
            unauthorized access to a customer’s account records held by the financial institution, creditor, or
            third party, or notice that a customer has provided information related to a covered account to
            someone fraudulently claiming to represent Halifax Health or to a fraudulent website. Appropriate
            responses may include the following:
            a. Monitoring a covered account for evidence of identity theft;
            b. Contacting the customer;
            c. Changing any passwords, security codes, or other security devices that permit access to a
               covered account;
            d. Reopening a covered account with a new account number;
            e. Not opening a new covered account;
            f. Closing an existing covered account;
            g. Not attempting to collect on a covered account or not selling a covered account to a debt
               collector;
            h. Notifying law enforcement 3; or
            i.    Determining that no response is warranted under the particular circumstances.
      4. Updating the Program
            The department or entity should update the Program (including the Red Flags determined to be
            relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of
            Halifax Health from identity theft, based on factors such as:
            a. The experiences of Halifax Health with identity theft;
            b. Changes in methods of identity theft;
            c. Changes in methods to detect, prevent, and mitigate identity theft;
            d. Changes in the types of accounts that the financial institution or creditor offers or maintains;
               and
            e. Changes in the business arrangements of Halifax Health, including mergers, acquisitions,
               alliances, joint ventures, and service provider arrangements.

3 If a person has made a claim of identity theft with respect to a Halifax Health bill for health care services, that person will generally be required to report the ID
theft to law enforcement before a collection hold will be placed on the account. Department procedures should address the situations in which the organization
will make a report to law enforcement, and the Halifax officials authorized to make such reports.

      5. Methods for Administering the Program
            a. Oversight of Program
               Oversight by the Board of Commissioners, an appropriate committee of the Board, or a
               designated employee at the level of senior management should include:
               (1) Assigning specific responsibility for the Program’s implementation;
               (2) Reviewing reports prepared by staff regarding compliance by Halifax Health; and
               (3) Approving material changes to the Program as necessary to address changing identity theft
                   risks.
          b. Reports
             (1) In General
                 Staff of Halifax Health responsible for development, implementation, and administration of
                 its Program should report to the Board of Commissioners, an appropriate committee of the
                 Board, or a designated employee at the level of senior management, at least annually, on
                 compliance with this policy by Halifax Health.
             (2) Contents of Report
                 The report should address material matters related to the Program and evaluate issues such
                 as: The effectiveness of the policies and procedures of Halifax Health in addressing the risk
                 of identity theft in connection with the opening of covered accounts and with respect to
                 existing covered accounts; service provider arrangements; significant incidents involving
                 identity theft and management’s response; and recommendations for material changes to the
                 Program.
          c. Oversight of Service Providers
               Whenever Halifax Health engages a service provider to perform an activity in connection with
               one or more covered accounts, Halifax Health should take steps to ensure that the activity of the
               service provider is conducted in accordance with reasonable policies and procedures designed to
               detect, prevent, and mitigate the risk of identity theft. For example, Halifax Health could require
               the service provider by contract to have policies and procedures to detect relevant Red Flags that
               may arise in the performance of the service provider’s activities, and either to report the Red Flags
               to Halifax Health or to take appropriate steps to prevent or mitigate identity theft.
     6. Other Applicable Legal Requirements
          Halifax Health departments and entities should be mindful of other related legal requirements that
          may be applicable, such as:
          a. Requirements of 45 C.F.R. Parts 160 and 164, federal standards for the privacy and security of
             individually identifiable health information (HIPAA);
          b. Breach notification requirements of § 817.5681, Fla. Stat., relating to the notification of
             individuals whose identifying information may have been accessed by an unauthorized person
             through a computer security breach;
          c. Breach notification requirements of HIPAA;
          d. Applicable requirements of 15 U.S.C. §§ 1692-1692p, Fair Debt Collection Practices Act;
          e. If applicable under 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with
             applicable law and regulation;





          f. If applicable, implementing any requirements under 15 U.S.C. 1681c–1(h) regarding the
             circumstances under which credit may be extended when Halifax Health detects a fraud or active
             duty alert;
          g. If applicable, implementing any requirements for furnishers of information to consumer
             reporting agencies under 15 U.S.C. 1681s–2, for example, to correct or update inaccurate or
             incomplete information, and to not report information that the furnisher has reasonable cause to
             believe is inaccurate; and
          h. If applicable, complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and
             placement for collection of certain debts resulting from identity theft.





                                                            Exhibit 2
                                              ID Theft Red Flags in Medical Settings

          • A complaint or question from a patient about:
             – A bill for services the patient denies ever receiving;
             – A bill from another provider the patient never patronized;
             – An insurance Explanation of Benefits for services the patient never received;
             – Medical record entries for health care encounters, problems, family/social history, or
               diagnoses the individual denies having, or medical interventions the patient denies receiving;
             – Unexplained loss of insurance coverage, denial of benefits or exhausted insurance benefits; or
             – Information added to a consumer credit report;
          • Patient has an insurance plan ID number but cannot produce an insurance card or other evidence of
            insurance;
          • Inquiry by insurance fraud investigator or law enforcement agency;
          • Any formal dispute of services or goods rendered by a provider in which identity theft is given as
            the specific reason for the dispute;
          • Discrepancies in patient demographic information observed during scheduling, registration, patient
            placement or treatment within the facility;
          • Personal identification information, e.g., Social Security number or driver’s license number, assigned
            to more than one individual in a Halifax Health system of records;
          • Patient gives an identifier matching that of another person in a Halifax Health system of records;
          • Multiple records identifying the same individual in a Halifax Health system of records, but with
            conflicting personal identifiers or demographic information, or with conflicting medical information;
          • Records showing previous diagnoses or treatment that are inconsistent with physical examination,
            medical history or social history as reported by the patient;
          • Records showing substantial discrepancies in age, race, and other physical descriptions;
          • Blood type discrepancy when processing an order for blood cross-match or blood products; and
          • Inconsistent drug-allergy conflicts recognized by the pharmacy system.
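
Three of the record-based red flags above (an identifier assigned to more than one individual, records for one individual with conflicting identifiers, and a blood type discrepancy) can be screened for directly in a system of records. The following is an added example, not part of the Halifax Health policy; the record fields, the name-plus-date-of-birth identity key, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows. Field names are hypothetical, not a Halifax Health schema,
# and the 900-series numbers are deliberately outside the range of issued SSNs.
RECORDS = [
    {"id": "R1", "name": "Ana Diaz",  "dob": "1970-02-11", "ssn": "900-00-0001", "blood": "O+"},
    {"id": "R2", "name": "ANA DIAZ ", "dob": "1970-02-11", "ssn": "900000001",   "blood": "A-"},
    {"id": "R3", "name": "Lee Chan",  "dob": "1988-07-30", "ssn": "900-00-0001", "blood": "B+"},
    {"id": "R4", "name": "Sam Ortiz", "dob": "1959-12-01", "ssn": "900-00-0002", "blood": "AB+"},
    {"id": "R5", "name": "Sam Ortiz", "dob": "1959-12-01", "ssn": "900-00-0003", "blood": "AB+"},
]

def norm_ssn(s):
    """Keep digits only so formatting differences do not hide a match."""
    return "".join(ch for ch in s if ch.isdigit())

def person_key(r):
    """Assumed identity key: case/space-normalized name plus date of birth."""
    return (" ".join(r["name"].lower().split()), r["dob"])

def find_red_flags(records):
    """Return sorted (flag, record ids) pairs for review by registration staff."""
    by_ssn, by_person = defaultdict(list), defaultdict(list)
    for r in records:
        by_ssn[norm_ssn(r["ssn"])].append(r)
        by_person[person_key(r)].append(r)
    flags = []
    # Red flag: one identifier assigned to more than one individual.
    for rows in by_ssn.values():
        if len({person_key(r) for r in rows}) > 1:
            flags.append(("SHARED_IDENTIFIER", sorted(r["id"] for r in rows)))
    # Red flags: same individual, conflicting identifiers or medical information.
    for rows in by_person.values():
        ids = sorted(r["id"] for r in rows)
        if len({norm_ssn(r["ssn"]) for r in rows}) > 1:
            flags.append(("CONFLICTING_IDENTIFIER", ids))
        if len({r["blood"] for r in rows}) > 1:
            flags.append(("BLOOD_TYPE_DISCREPANCY", ids))
    return sorted(flags)

if __name__ == "__main__":
    for kind, ids in find_red_flags(RECORDS):
        print(kind, ids)  # a match is a prompt for review, not proof of identity theft
```

A clerical error produces the same matches as identity theft, so each hit feeds the response steps in the Program rather than deciding the outcome.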





                                                  Exhibit 3
             Sample Letter to Patient Or Other Individual Reporting an Identification Discrepancy

[Date]
[Individual name and address]
Dear __________:
We are writing to you to let you know of information [in our records, we received] that indicates the possibility you may be at risk
for identity theft fraud. Identity theft fraud is a crime in which your personal identification is used to fraudulently obtain goods or
services, obtain a driver’s license, or open a credit or bank account. We are reporting this to you so that you may take steps to
protect yourself from identity theft fraud. The reason we believe you may be at risk for identity theft fraud is:
[Insert description of the “red flags” that indicate the possibility of identity theft fraud]
To protect yourself from identity theft fraud, we recommend that you place a fraud alert on your credit file. A fraud alert lets
creditors know to contact you before opening new accounts. Just call any one of the three credit reporting agencies at the
number below. This will let you automatically place fraud alerts and order your credit report from all three.
         Equifax                                  Experian                               Trans Union
         800-525-6285                             888-397-3742                           800-680-7289

         Equifax Consumer Fraud Division          Experian Fraud division                Fraud Victim Assistance Division
         P.O. Box 740241                          P.O. Box 9532                          P.O. Box 6790
         Atlanta, GA 30374-0241                   Allen, TX 75013                        Fullerton, CA 92834-6790
         www.equifax.com                          www.experian.com                       www.transunion.com

Credit reports may also be obtained online at: www.annualcreditreport.com. Reports requested online are available immediately
after verification of identity. Requests by mail or phone are processed within 15 days of the request. You can request a free
credit report every 12 months. All three agencies offer additional services for a fee.
When you receive your credit reports, look them over carefully. Look for accounts you did not open. Look for inquiries from
creditors that you did not initiate. And look for personal information, such as home address and Social Security number, that is
not accurate. If you see anything you do not understand, call the credit agency at the telephone number on the report. If you do
find suspicious activity on your credit reports, call your local police or sheriff’s office and file a report of identity theft. Get a
copy of the police report. You may need to give copies to creditors to clear up your records.
[Add this sentence if an individual is an employee: Assistance is also available through the Halifax Health Employee Assistance
Program. For more information, please feel free to contact me, or in Human Resources, contact Terri Martin or Alex Posson at
(386) 254-4035.]
[Modify this paragraph, as needed] In summary, we suggest you take the precautions described in this letter to protect yourself
from identity theft fraud. We have no evidence that identity theft fraud has actually occurred. It is possible a clerical error
resulted in the information discrepancy.
If you have any questions about this matter, please feel free to contact me.
Sincerely,
[Name, title, contact information]



