University Policies

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Alburger, Katherine A

Saved on

compared with

New Version 5

changes.mady.by.user Alburger, Katherine A

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Identity Theft Red Flag and Security Incident Reporting Procedure

 

  1. Purpose
    1. The purpose of the Identify Theft Red Flag and Security Incident Reporting Procedure is to provide information to assist individuals in (1) detecting, preventing, and mitigating identity theft in connection with the opening of a “covered account” or any existing “covered account” or who believe that a security incident has occurred and (2) reporting a security incident.
  2. Background
    1. Security Incident 
      1. The American Recovery and Reinvestment Act (ARRA) requires that any organization that owns computerized data that includes personal information shall disclosure any breach of security of the system following discovery or notification of the breach in the security of the system to whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    2. Red Flag Rules
      1. In 2003, the U.S. Congress enacted the Fair and Accurate Credit Transaction Act of 2003 (FACT Act) which required the Federal Trade Commission (FTC) to issue regulations requiring “creditors” to adopt policies and procedures to prevent identify theft.
      2. In 2007, the Federal Trade Commission (FTC) issued a regulation known as the Red Flag Rule. The rule requires “financial institutions” and “creditors” holding “covered accounts” to develop and implement a written identity theft prevention program designed to identify, detect and respond to “Red Flags.”
      3. The Red Flag Rule has been implemented by the Federal Trade Commission (FTC) on August 1, 2009.
  3. Definitions
    1. Covered Account
      A covered account is a consumer account designed to permit multiple payments or transactions.  These are accounts where payments are deferred and made by a borrower periodically over time such as a  fee installment payment plan.
    2. Creditor
      A creditor is a person or entity that regularly extends, renews, or continues credit and any person or entity that regularly arranges for the extension, renewal, or continuation of credit. Examples of activities that indicate a college or university is a “creditor” are:
      1. Offering institutional loans to faculty or staff;
      2. Offering a plan for payment of patient services rather than requiring full payment
    3. Personal Information
      This information includes an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: Social Security Number, driver’s license, health insurance information, medical information, or financial account number such as credit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
    4. Red Flag
      A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft.
    5. Security Incident
      A collection of related activities or events which provide evidence that personal information could have been acquired by an unauthorized person.
  4. Identification of Red Flags
    1. Broad categories of “Red Flags” include the following:
      1. Alerts – alerts, notifications, or warnings from a consumer reporting agency including fraud alerts, credit freezes, or official notice of address discrepancies.
      2. Suspicious Documents – such as those appearing to be forged or altered, or where the photo ID does not resemble its owner, or an application which appears to have been cut up, re-assembled and photocopied.
      3. Suspicious Personal Identifying Information – such as discrepancies in address, Social Security Number, or other information on file; an address that is a mail-drop, a prison, or is invalid; a phone number that is likely to be a pager or answering service; personal information of others already on file; and/or failure to provide all required information.
      4. Unusual Use or Suspicious Account Activity –such as material changes in payment patterns, notification that the account holder is not receiving mailed statement, or that the account has unauthorized charges;
      5. Notice from Others Indicating Possible Identify Theft–such as the institution receiving notice from a victim of identity theft, law enforcement, or another account holder reports that a fraudulent account was opened.
  5. Detection of Red Flags
    1. Detection of Red Flags in connection with the opening of covered accounts as well as existing covered accounts can be made through such methods as:
      1. Obtaining and verifying identity;
      2. Authenticating employees or patients;
      3. Monitoring transactions
    2. A data security incident that results in unauthorized access to an employee’s or patient’s  account record or a notice that an employee or patient  has provided information related to a covered account to someone fraudulently claiming to represent RowanSOM or to a fraudulent web site may heighten the risk of identity theft and should be considered Red Flags.
  6. Response to Red Flags
    1. If an employee or patient detects fraudulent activity (a red flag) or if an employee or patient claims to be a victim of identity theft, RowanSOM will respond to and investigate the situation.  If the fraudulent activity involves protected health information (PHI) covered under the HIPAA security standards, RowanSOMwill also apply its existing HIPAA and ARRA security policies and procedures to the response.  If potentially fraudulent activity (a red flag) is detected by an employee or patient of RowanSOM: 
      1. The employee/patient should gather all documentation and report the incident to his or her designated compliance officer.
      2. The compliance officer will determine whether the activity is fraudulent or authentic based upon the evidence presented.
      3.  If the activity is determined to be fraudulent, then RowanSOM should take immediate action.  Actions may include:
        1. Cancel the transaction
        2. Notify appropriate enforcement agencies
        3. Notify the affected employee or patient
        4. Notify affected physician(s)
    2. If an employee or patient claims to be a victim of identity theft:
      1. the employee/patient should be encouraged to file a police report for identity theft if he/she has not done so already
      2. the employee/patient patient should be encouraged to complete the ID Theft Affidavit developed by the FTC, along with supporting documentation  www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf.
    3. If following investigation, it appears that the employee/patient has been a victim of identity theft, RowanSOM will promptly consider what further remedial action/notifications may be needed under the circumstances.
  7. Security Incident Reporting
    1. An employee who believes that a security incident has occurred, shall immediately notify their designated compliance officer or call the hotline at 1-855-431-9967. 
    2. Service Providers
  8. RowanSOM remains responsible for compliance with the Red Flags Rule even if it outsourced operations to a third party service provider. The written agreement between RowanSOM and the third party service provider shall require the third party to have reasonable policies and procedures designed to detect relevant Red Flags that may arise in the performance of their service provider’s activities. The written agreement must also indicate whether the service provider is responsible for notifying only RowanSOM of the detection of a Red Flag or if the service provider is responsible for implementing appropriate steps to prevent or mitigate identify theft.
  9. Training
    1. All employees who process any information related to a covered account shall receive training following appointment on the procedures outlined in this document.  Refresher training may be provided annually.
    2. References:   
      1. Fair and Accurate Credit Transactions Act of 2003 (FACTA)
      2. American Medical Association

...

[Facility]

[Telephone number]


ATTACHMENT F

Identity Theft/Patient Misidentification Policy

Sample Letter regarding Identity Theft Report

 

[Date]

[Patient Name]

[Patient Address]

[Patient Address]

 

 

Re:                          Identity    Identity Theft Report Made on_______________ [date]

...