RED FLAGS IDENTITY THEFT PREVENTION PROGRAM

The Board of Directors of Springhill Hospitals, Inc. ("Hospital") approved this Identity Theft Prevention Program ("Program") at a duly held meeting on August 17, 2009. The Program was developed in order to comply with the Federal Trade Commission's Identity Theft Prevention Red Flags Rule (16 CFR 681.2). This Program has been created in consultation with after conducting an assessment of risk of Identity Theft associated with certain Covered Accounts (as defined below) offered by the Hospital.

I. Definitions

For purposes of the Program, the following terms are defined as:

"Covered Account" means (i) any account Hospital offers or maintains primarily for personal, family or household purposes, that involves multiple payments or transactions, including one or more deferred payments; and (ii) any other account the Hospital identifies as having a reasonably foreseeable risk to customers or to the safety and soundness of the Hospital from Identity Theft. As of January 1, 2009, the Hospital has identified the following types of accounts as Covered Accounts:
1) non-emergency patient billing
2) patient payment plan

"Identity Theft" means fraud committed using the identifying information of another person;

"Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.

II. Program Purposes

The purposes of the Program are to:
1) Identify the relevant Red Flags based on the risk factors associated with the Hospital's covered accounts;
2) Institute policies and procedures for detecting Red Flags;
3) Identify steps the institution will take to prevent and mitigate Identity Theft; and
4) Create a system for regular updates and administrative oversight to the Program.

III. Identification of Red Flags

The Identity Theft Red Flags Mitigation and Resolution Procedures (Appendix A) identifies the Red Flags that would be most relevant to the Hospital.
The Red Flags generally fall within one of the following general types of Red Flags:
1) Suspicious Documents;
2) Suspicious Personal Identifying Information;
3) Suspicious or Unusual Use of Covered Account; and
4) Alerts from Others (e.g. customer, Identity Theft victim, or law enforcement)

IV. Detection of Red Flags

In order to facilitate detection of the Red Flags identified in Appendix A, Admissions will take the following steps to obtain and verify the identity of the person.

A. New Patients/Accounts
1) Require identifying information (e.g., full name, date of birth, address, government issued ID, insurance card, etc.)
2) When available, verify information with insurance company's information
3) Run an Accurint check to validate information given by the patient.

B. Existing Accounts
1) Verify validity of requests for changes of billing address
2) Verify identification of customers before giving out any personal information

V. Preventing and Mitigating Identity Theft

In order to prevent and mitigate the effects of Identity Theft, staff will follow the appropriate steps identified in the attached Identity Theft Red Flags Mitigation and Resolution Procedures (Appendix A).

VI. Program Administration

The Identity Theft Committee is responsible for developing, implementing, administering and updating the Program. The Privacy Officer will be responsible for developing a training program for staff identified by Privacy Officer as responsible for or having a role in implementing the Program.

VII. Service Provider Arrangements

Hospital will require, by contract, that service providers that perform activities in connection with Covered Accounts have policies and procedures in place designed to detect, prevent and mitigate the risk of Identity Theft with regard to the Covered Accounts.

VIII. Updating of Program

The Identity Theft Committee will periodically review the effectiveness of the Program and update the Program to reflect the addition or removal of Covered Accounts, and changes in risks to patients/covered account holders from Identity Theft.
Attachment A

Relevant Identity Theft Red Flags Mitigation and Resolution Procedures

IDENTITY THEFT RED FLAG

Documents provided for identification appear to have been altered or forged.

Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the patient. For example, there is a lack of correlation between the Social Security Number (SSN) range and date of birth.

The SSN provided is the same as that submitted by other persons opening an account or other customers.

Patient provides an insurance number but identity associated with the insurance number does not match the information given by the patient.

PREVENTION/MITIGATION PROCEDURE

Stop the admissions/billing process and require applicant to provide additional satisfactory information to verify identity.

Stop the admissions/billing process and require applicant to provide additional satisfactory information to verify identity.

Stop the admissions/billing process and require applicant to provide additional satisfactory information to verify identity.

Stop the admissions/billing process and require applicant to provide additional satisfactory information to verify identity.

RESOLUTION OF RED FLAG

process.

process.

process.

process. Contact insurance company as necessary.
Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient (e.g., inconsistent blood type).

Complaint/inquiry from an individual based on receipt of:
- a bill for another individual
- a bill for a product or service that the patient denies receiving
- a bill from a health care provider that the patient never patronized
- a notice of insurance benefits (or "Explanation of Benefits") for health services never received.

Complaint/inquiry from a patient about information added to a credit report by a health care provider or insurer

Complaint or question from a patient about the receipt of a collection notice from a bill collector.

individuals as appropriate, review previous files for potential inaccurate records. Items to consider include: blood type, age, race, and other physical descriptions that may be evidence of medical identity theft.

individuals as appropriate

individuals as appropriate

individuals as appropriate

Depending on the inconsistency and review of previous file, either delay/do not open a new covered account, or terminate services.

Terminate treatment/credit until identity has been accurately resolved; refuse to continue attempting to collect on the account until identity has been resolved.

Terminate treatment/credit until identity has been accurately resolved; refuse to continue attempting to collect on the account until identity has been resolved.

Terminate treatment/credit until identity has been accurately resolved; refuse to continue attempting to collect on the account until identity has been resolved.
Mail sent to the patient is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the patient's covered account.

Hospital is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Personal identifying information provided by the patient is associated with known fraudulent activity as indicated by internal or third-party sources used by the Hospital. For example:
- The address on an application is the same as the address provided on a fraudulent application; or
- The phone number on an application is the same as the number provided on a fraudulent application.

Skip-tracing procedures are used to find the patient's current mailing address.

Investigation to determine if billing was made fraudulently.

individuals as

Patient is found and contact information is updated.

process. Contact insurance company as necessary.

Terminate treatment/credit until identity has been accurately resolved; refuse to continue attempting to collect on the account until identity has been resolved.
Suspicious patterns, practices or other activity of an employee or other system user revealed through an audit or any other proactive resource.

Monitoring of system users accessing patient files and noting suspicious activity.

Investigation under the direction of the Privacy Officer and Administration.

Issue Sanctions as

IX. Specific Departmental Procedures for Mitigating Identity Theft

PROCEDURE:

Emergency Room:
1) After the medical screening by the physician, patients in stable condition will be asked for photo identification.
2) The identification is scanned into POSC/SRM by the registration clerk.
3) If the patient does not have photo identification, a photo will be taken and scanned into POSC/SRM. This includes children without photo identification. The child's photo should be taken and scanned along with the parent's ID.
4) The clerk should ensure that the patient signs the consent with the same name as the name provided.

Front Admissions:
1) Patients will be asked for photo identification.
2) The identification is scanned into POSC/SRM by the registration clerk.
3) If the patient does not have photo identification, a photo will be taken and scanned into POSC/SRM. This includes children without photo identification. The child's photo should be taken and scanned along with the parent's ID.

Post-Discharge Reports of Identity Theft:
1) The victim will be required to complete the following steps, in order for the account balance to be removed from their name:
   a. Produce their ID and allow us to copy it for our records
   b. Sign a forgery affidavit
   c. File a police report and provide a copy for our records. If the victim refuses to file a report, then SMH legal counsel should be consulted.
2) The above documentation is scanned in the medical record that is in question and the photo ID is scanned into SRM.
3) The following people are notified immediately when identity theft is alleged: Admissions Director, ER Admissions Supervisor, Business Office Director/Business Office Manager, Health Information Management Director or Assistant Director. The Privacy Officer should be notified of all alleged identity theft occurrences. The Privacy Officer will notify Homeland Security Office of Investigations (251)441-5739 when necessary. (Note: Medical records are not to be provided to the agents. Only the name of the victim, the name of the individual alleged to have stolen the victim's identity, if known, and the date of the occurrence are provided.)
4) The Admitting Office will place a note on the visit level, clearly detailing the allegation, and also add an alert to Registrar stating "Alleged identity theft positive ID required" to notify anyone attempting to register the patient that the patient's identity is in question.
5) Once the victim's I.D., police report and forgery affidavit have been received, "Identity Theft" will be prominently noted on each document in the chart by adding an annotation on the image in SRM.
6) Billing is immediately suspended when identity theft is alleged. If, after 30 days, the requested paperwork has not been received, the account is taken off suspension and billing resumes.
7) Once the required paperwork has been received (police report, affidavit, and ID) the allegation will be considered substantiated. When it has been substantiated by the victim, the account balance is adjusted with the code designated for identity theft.
8) When the claim of identity theft has been confirmed, documentation is moved from the electronic record by performing the following steps.
   a. If the offender's identity is unproven, the patient's name is changed to "Theft, Identity F" with a medical record number of 299975 for females and "Theft, Identity M" with a medical record number of 299918 for males in AM_PFM in order to remove the electronically stored documentation from the record of the individual whose identity was used to obtain services. For future reference, the demographic data is to remain that of the individual whose identity was used to obtain services.
   b. If the offender's identity is proven, the patient's name is changed to that of the individual who received the treatment. If the patient has an existing MRN, the account is moved to the correct MRN for the patient. If the patient has not previously been to Springhill, a new MRN will be assigned. Each of the downstream systems must be verified to ensure the documentation is displayed under the correct MRN and name.
   c. A note is placed at the account level in SRM, stating that this was a case of identity theft. The victim's name may be used in the note for future reference.
   d. Notify Eclipsys Sunrise Clinical Manager support that changes are being made.
   e. Each dictated report in emon updates automatically when the name is changed in AM_PFM.
   f. Sunrise Clinical Manager auto-updates as well, so no merging or moving of records is necessary.
   g. Notify Radiology, Electrodiagnostics and the Lab to ensure the patient name change updated their systems as well.
9) If payment has been received from a third party payor, payments will be refunded after it is determined that identity theft has occurred.
10) The Identity Theft Committee reserves the right to make further decisions on a case-by-case basis as necessary.