Red Flag Rule Policy

Description

Comprehensive Red Flag Policy document by i-Comply as a component of their Red Flag Toolkit for $79.

Posted: 5/20/2009
Language: English
RED FLAGS IDENTITY THEFT PREVENTION PROGRAM

[DATE]

[items to be modified are in italics and brackets]

The Board of [Directors/Trustees] of [Practice Legal Name] (hereinafter the “Practice”) approved this Identity Theft Prevention Program (“Program”) at a duly held meeting on ______________, 2009. The Program was developed in order to comply with the Federal Trade Commission’s Identity Theft Prevention Red Flags Rule (16 CFR § 681.2).

I. Definitions

For purposes of the Program, the following terms are defined as:

“Covered Account” means (i) any account the Practice offers or maintains primarily for personal, family, or household purposes, that involves multiple payments or transactions, including one or more deferred payments; and (ii) any other account the Practice identifies as having a reasonably foreseeable risk to customers or to the safety and soundness of the Practice from Identity Theft.

The Practice has identified the following three (3) types of accounts as Covered Accounts:

1) Patient accounts with deferred payments due to insurance billing
2) Patient accounts with deferred payments due to cash payment plan
3) Patient accounts where credit cards are used to make payments

“Identity Theft” means fraud committed using the identifying information of another person;

“Red Flag” means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

II. Program Purposes

It is the policy of the Practice to follow all federal and state laws and reporting requirements regarding identity theft.
Specifically, this policy outlines how the Practice will (1) identify, (2) detect, and (3) respond to “red flags.”

The purposes of the Program are to:

1) Identify the relevant Red Flags based on the risk factors associated with the Practice’s covered accounts;
2) Institute policies and procedures for detecting Red Flags;
3) Identify steps the Practice will take to prevent and mitigate Identity Theft; and
4) Create a system for regular updates and administrative oversight to the Program.

© i-comply www.redflagmd.com

III. Program Administration

The Practice will designate one individual in the practice as the Privacy Official. The Privacy Official has the responsibility for developing, implementing, administering and updating the Program. The following individual is designated Privacy Official for the Practice:

[Name and Title of designated individual]

The Privacy Official will periodically review the effectiveness of the Program and update the Program to reflect the addition or removal of Covered Accounts, and changes in risks to patients/covered account holders from Identity Theft. This review will be completed not less than once annually, and shall be approved by the [Board of Directors].

It is the policy of the Practice that, pursuant to the existing HIPAA Security Rule, appropriate physical, administrative and technical safeguards will be in place to reasonably safeguard protected health information and sensitive information related to patient identity from any intentional or unintentional use or disclosure.

IV. Program Implementation and Training

The Privacy Official is assigned the responsibility of implementing and maintaining the Red Flags Rule requirements. Furthermore, this individual will be provided sufficient resources and authority to fulfill these responsibilities. The Privacy Official will also be responsible for developing a training program for staff identified in this Program as responsible for or having a role in implementing the Program.
All members of the Practice who have access to information regarding covered accounts are required to undergo training on the Program, to include the policies and procedures governing compliance with the Red Flags Rule. Initial training will be completed by May 1, 2009. New staff members who require training under this Program should receive this training within a reasonable period of time after they have joined the Practice. Additionally, staff should receive additional training on the Program should there be any material changes to the Red Flag Rule, and shall receive refresher training annually. The Privacy Official will document the completed training for each staff member (Attachment B).

V. Service Provider Arrangements

The Practice requires all service providers that perform activities in connection with Covered Accounts to have policies and procedures in place designed to detect, prevent and mitigate the risk of Identity Theft with regard to the Covered Accounts. Service providers who violate their agreement in this regard will be dealt with first by an attempt to correct the problem, and if that fails, by termination of the agreement and discontinuation of services by the business associate.

VI. Red Flag Procedures

A. Identification of Red Flags

The complete Red Flag Rule Policy is one component of i-Comply’s Red Flag Toolkit. You can purchase this Red Flag Toolkit for $79 at www.redflagmd.com. I-Comply specializes in providing compliance tools for physicians. You can learn more about our other solutions and toolkits, to include HIPAA, at http://www.icomplymd.com
