ROWAN UNIVERSITY POLICY

Title: Identity Theft Prevention Program-Red Flag Rules
Subject: Corporate Compliance and Privacy
Policy No: CCP:2017:01
Applies: Rowan University School of Osteopathic Medicine (RowanSOM)
Issuing Authority: Dean, RowanSOM
Responsible Officer: Chief Audit, Compliance & Privacy Officer
Date Adopted: 03/20/2017
Last Revision: 03/20/2020
Last Reviewed: 03/20/2020


I.     PURPOSE

The purpose of this policy is to ensure that the RowanSOM complies with the Federal Trade Commission’s (FTC) Identity Theft Rules under sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACT Act).  These regulations are also known as the Red Flags Rule.  Under this policy, RowanSOM shall design a program to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.  This program shall mitigate the risks associated with identity theft and mitigate the effects of identity theft on RowanSOM, its employees, its students, its patients, its constituents and its customers.  This policy also addresses the administration of Perkins Loans, Institutional Loans and the provision of an extended tuition payment plan.

II.    ACCOUNTABILITY

Under the direction of the Dean, the Clinical Dean for Academic and Clinical Affairs, the General Counsel and the Chief Audit, Compliance & Privacy Officer shall ensure compliance with this policy. The Dean and Chief Operating Officer of RowanSOM shall implement this policy.

III.   APPLICABILITY

This policy applies to the schools and units of RowanSOM, to the RowanSOM Community which includes RowanSOM management, faculty, and other academic personnel, clinical staff, researchers, employees, contractors, agents and others associated with or supporting RowanSOM.

IV.    DEFINITIONS 

  1. Account: a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.  Account includes:

    1. An extension of credit, such as services involving a deferred payment, e.g. patient accounts, Perkins Loans and Institutional Loans; and

    2. A deposit account.

  2. Covered Account: the Red Flags Regulations define the term “covered account” to mean:

    1. “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions” and

    2. “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution, or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.”

    3. For the purposes of RowanSOM’s Identity Theft Program, the term “covered account” is extended to include any RowanSOM account or database (financially based or otherwise) for which RowanSOM believes there is a reasonably foreseeable risk to RowanSOM, faculty, staff, patients, constituents or customers from identity theft.

  3. Credit: the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer their payment, or to purchase property or services and defer payment therefor.

  4. Creditor: any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit. A RowanSOM example of a “creditor” is Patient Accounts.
  5. Customer: any person with a covered account with a creditor.  A RowanSOM example of a “customer” is a patient who has been afforded a patient payment plan.
  6. Financial Institution:  a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.
  7. Identity Theft: the act of knowingly obtaining, possessing, buying, or using the personal identifying information of another: (i) with the intent to commit any unlawful act including, but not limited to, obtaining or attempting to obtain credit, goods, services or medical information in the name of such other person; and (ii) (a) without the consent of such other person; or (b) without the lawful authority to obtain, possess, buy or use such identifying information.
  8. Theft of Services: includes: (i) intentionally obtaining services by deception, fraud, coercion, false pretense or any other means to avoid payment for the services; and (ii) having control over the disposition of services to others, knowingly diverting those services to the person's own benefit or to the benefit of another not entitled thereto.
  9. Notice of address discrepancy: a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. § 1681(c)(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency’s file for the consumer.
  10. Person: a natural person, a corporation, government or governmental subdivision or agency, trust, estate, partnership, cooperative, or association.
  11. Personal Identifying Information: any information that is requested in conjunction with a covered account that may be used alone, or in conjunction with any other information, to identify a specific person, e.g., credit card account information, debit card information, bank account information, driver’s license information, social security number, mother’s maiden name, and date of birth.
  12. Red Flag: a pattern, practice, or specific activity that indicates the possible existence of Identity Theft.  The FTC regulations provide a list of 26 common red flags; organizations may decide that some of these 26 are not applicable, and/or that other red flags are more useful.
  13. Service Provider: a person that provides a service directly to the financial institution or creditor.
  14. Transaction Account: a deposit or account on which the depositor or account holder is permitted to make withdrawals by a negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.  Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

V.   REFERENCES

  1. 45 C.F.R. § 164.512(f)(5) (HIPAA crime on premises); 42 C.F.R. § 2.12 (c)(5)(ii);
  2. Fair and Accurate Credit Transactions Act and federal regulations 16 CFR § 681

...

  1. RowanSOM strives to prevent the intentional or inadvertent misuse of patient names, identities and medical records; to report criminal activity relating to identity theft and theft of services to appropriate authorities; and to take steps to correct and prevent further harm to any person whose name or other identifying information is used unlawfully or inappropriately.
  2. In response to the growing threat of identity theft in the United States, Congress passed the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended a previous law, the Fair Credit Reporting Act (FCRA).  This amendment to FCRA charged the Federal Trade Commission (FTC) and several other federal agencies with promulgating rules regarding identity theft.  On November 7, 2007, the FTC, in conjunction with several other federal agencies, promulgated a set of final regulations known as the “Red Flags Rule”.  The Red Flags Rule became effective January 1, 2008; however, the FTC deferred its enforcement of the rule pending limiting legislation in the Senate.  On December 18, 2010, the Red Flag Rule Program Clarification Act of 2010 was signed by the President of the United States; it clarifies the type of creditor that must comply with the rule and limits the circumstances under which creditors are covered.  These creditors must comply by December 31, 2010.  The new law covers creditors who regularly, and in the ordinary course of business, meet one of three general criteria. They must:
    1. obtain or use consumer reports in connection with a credit transaction;
    2. furnish information to consumer reporting agencies in connection with a credit transaction; or
    3. advance funds to -- or on behalf of -- someone, except for funds for expenses incidental to a service provided by the creditor to that person.
  3. The Red Flags Rule regulations require entities with accounts covered by the Red Flags Rule regulations, including universities, to develop and implement a written Identity Theft Prevention Program (hereinafter, the “Program” or the “Identity Theft Program”) for combating identity theft in connection with certain accounts.  The Program must include reasonable policies and procedures for detecting, preventing and mitigating identity theft and enable the entity with covered accounts to:
    1. Identify relevant patterns, practices, and activities, dubbed “Red Flags”, signaling possible identity theft and incorporate those Red Flags into the Program;
    2. Detect the Red Flags that the Program incorporates;
    3. Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
    4. Ensure the Program is updated periodically to reflect changes in risks.

...

  1. This policy outlines the Identity Theft Prevention Program of RowanSOM, which encompasses not only financial or credit accounts, but any RowanSOM account or database for which RowanSOM believes there is a reasonably foreseeable risk to RowanSOM, faculty, staff, patients, constituents or customers from identity theft.
  2. RowanSOM will implement and maintain an Identity Theft Prevention Program to assure compliance with federal law and RowanSOM policies for preventing, detecting and mitigating possible identity theft of its patients, customers, clients and its constituents.
  3. All RowanSOM employees and individuals working on behalf of RowanSOM in any capacity (including Board members, medical staff, business associates, independent contractors, and volunteers) will conduct themselves and their activities in a manner so as to protect the sensitive information, such as personal identifying information that may be used to defraud or aid identity theft as required by federal law and in conformance with RowanSOM policies.
  4. Requirements:
    1. RowanSOM’s Identity Theft Prevention Program will consist of the following elements:
      1. a detailed policy that specifically addresses this identity theft prevention program that includes reasonable policies and procedures to detect or mitigate identity theft and enable RowanSOM to:
        1. Conduct a survey to identify and detect potential and relevant “Red Flags” (See FTC’s examples of red flags, EXHIBIT A) and incorporate the results of the survey into the program.
        2. Respond appropriately to red flags to prevent and mitigate identity theft.
        3. Identify the Process of Establishing a Covered Account - this generally happens automatically when a patient makes an appointment and information is collected as part of that registration process.
        4. Maintain access control to covered account information.
        5. Address credit card payments.
        6. Establish training requirements for employees and vendors; and
        7. Ensure the Program is updated periodically to reflect changes in risks.
      2. RowanSOM is required to adopt detailed processes and procedures (refer to EXHIBIT B) that will address the following identity theft concerns:
        1. Refusal to provide or lack of identification.
        2. Process to follow if there are signs of possible identity theft.
        3. Process to follow when an employee reasonably believes identity theft has occurred or may be occurring; include in the process to notify the Compliance Officer to advise of the potential identity theft. (Refer to EXHIBIT C for sample form).
        4. Process to follow when identity theft is alleged by a patient; include the process to notify the Compliance Officer to advise of the potential identity theft. (Refer to EXHIBIT D for sample letter).
        5. Process to follow when identity theft is suspected to have occurred (including notification to law enforcement, customers, patients, etc.). (Refer to EXHIBIT E for sample letter).
        6. Appropriately responding to detected Red Flags.
        7. Notification from law enforcement and customers, patients, etc., when identity theft is suspected or known to have occurred (Refer to EXHIBIT F for sample letter).
        8. Coordinating with area health care providers.
        9. Process for placing patient accounts affected by identity theft on hold.
        10. Prevention and mitigation of identity theft.
        11. Recoveries from suspect.
        12. Accounting for inappropriate disclosures of protected health information.
        13. When patient misidentification occurs. (Refer to EXHIBIT E).
        14. Documenting identity theft or patient misidentification.
        15. Updating the policy and procedures.
    2. Education and Training
      1. The Chief Audit, Compliance & Privacy Officer, or designee, will provide general training to refresh the University workforce regarding the Identity Theft Prevention Program, policies and procedures and the Red Flags Rule regulatory requirements.
      2. Training of appropriate staff as determined by the Dean, Chief Operations Officer & Chief Audit, Compliance & Privacy Officer.
      3. The Department of Human Resources will ensure that all new members of the workforce partake in Identity Theft Prevention training within one month after the person joins the workforce.
      4. School or Unit Privacy Liaisons will ensure retraining of the workforce whose functions are affected by a material change in the policies and procedures within a reasonable period after the change becomes effective.
      5. Training provided will be appropriately documented and the documentation will be maintained by RowanSOM Privacy Liaisons for a minimum of six (6) years or as specified by the New Jersey State Record Retention Schedule.
    3. Updating The Program
      1. On an annual basis, as part of the Office of Compliance and Corporate Integrity’s monitoring plan, the Program will be re-evaluated to determine whether all aspects of the Program are up to date and applicable.  This review will include an assessment of which accounts and/or databases are covered by the Program, whether additional Red Flags need to be identified as part of the Program, whether training has been implemented, and whether training has been effective.  In addition, the review will include an assessment of whether mitigating steps included in the Program remain appropriate, and/or whether additional steps need to be defined.
  5. Responsibilities:
    1. The Vice President for Human Resources shall be responsible for communicating and enforcing the above policy as it relates to all RowanSOM employees.
    2. The Chairpersons and Dean shall be responsible for communicating and enforcing the above policy as it relates to persons involved in patient contact.
    3. The Clinical Affairs and Deans shall be responsible for communicating and enforcing the above policy as it relates to persons involved in Faculty Practice and patient care. The Director of Purchasing or his or her successors shall be responsible for communicating and enforcing the above policy as it relates to contractors, agents, business associates, and others associated with or supporting RowanSOM.
    4. Monitoring and Evaluation
      1. The Office of Compliance and Corporate Integrity Compliance Committee is the governing body for the evaluation and monitoring of the Identity Theft Prevention Program.
      2. The program is subject to periodic audit.
      3. The RowanSOM’s Chief Audit, Compliance & Privacy Officer and RowanSOM Chief Operating Officer (COO or their designee) will review the program at least annually.
      4. RowanSOM’s Chief Audit, Compliance & Privacy Officer and Investigators are responsible for investigating and reporting on allegations of non-compliance with RowanSOM Identity Theft Prevention Program policies.
      5. Privacy Liaisons, under the direction of the RowanSOM Chief Audit, Compliance & Privacy Officer, RowanSOM COO, and Investigators may be asked to conduct investigations of non-compliance with RowanSOM Identity Theft Prevention Program policies.
  6. Documentation
    1. Documentation evidencing implementation of the Identity Theft Prevention Program, including complaints, training, sanctions, auditing, etc., will be maintained for a minimum of six (6) years or the time period specified by New Jersey State Retention Schedules, whichever is longer.
  7. Enforcement:
    1. The Deans, Vice Presidents and Directors, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently.

...