Author: Julian Haynes

Red Flags Rule Policy

Table of Contents

Section 1: Red Flags Rule Policy

Section 2: Identification of Red Flags

Section 3: Detection of Red Flags

Section 4: Response to Red Flags

Section 5: Prevention Procedures

Section 6: Administration

Section 7: Approval of Policy

SECTION 1

Red Flags Rule Policy

This Red Flags Rule Policy is for __________________________________ (insert name of office here).

This office recognizes that, in the course of caring for and treating patients and in the business of providing medical care to patients, it has been entrusted with sensitive information related to patients' identity including, but not limited to, medical identification numbers, social security numbers, driver's license numbers, credit card information, tax employer identification numbers, personal health information, background check information and other types of information related to patient identity that should be reasonably safeguarded from any intentional or unintentional use or disclosure that is not authorized. This Red Flags Policy has been developed to detect and prevent medical identity theft and to comply with the Red Flags Rule of the Federal Trade Commission (FTC), adopted by our __________________________________________ (Physician, Board of Directors, or designated representative) on _____________ (date).

The designated Senior Administrative employee to oversee this policy is ____________________________ (Senior Administrative employee). This employee has the responsibility to administer and oversee this policy as it is implemented in this medical practice to reasonably and safely protect health information and sensitive information related to patient identity from disclosure. The designated employee will also assure that all staff receive training on the policy and procedures. Finally, the designated employee will make arrangements to apply this practice's policies with any service providers of the practice.

It is the policy of _________________________________ (name of office goes here) that all members, employees and contracted services have been trained about the policies and procedures of this office to comply with the Red Flags Rule. The Red Flags policies are in addition to the HIPAA requirements for security, and other federal or state laws regarding identity theft or recordkeeping involving sensitive medical information pertaining to individual patients.

SECTION 2

Identification of Red Flags (add to this list if needed)

A "Red Flag" is a suspicious pattern, practice or specific activity that may indicate the possibility of identity theft occurring within this medical practice. These "Red Flags" are in addition to fraud prevention and any other security practices that are currently in place. The FTC identifies notice from a patient, a victim of identity theft, a law enforcement agent or someone else that an account has been opened or used fraudulently as a Red Flag for all businesses. From an assessment of this practice, our Red Flags have been identified as set forth below.

The following are identified as potential Red Flags:

- Notice from a patient, a victim of identity theft, a law enforcement agency, or someone else that an account has been opened or used fraudulently.
- Records showing medical treatment inconsistent with physical exam or medical history of patient.
- Coverage for a legitimate service is denied because insurance benefits have been depleted or a lifetime cap has been reached.
- Complaint or question from patient about information added to a credit report by a health care provider or insurer.
- Complaint or question from patient about a billing where the patient claims identity theft.
- Complaint or question from patient about a billing where the patient was not aware of the medical service being provided or the provider.
- Patient who is unable to provide an insurance card or other documentation of insurance but claims to be insured with a particular number.

Other:

- Patient cannot provide a valid picture ID, or person providing ID does not resemble the picture on the ID (i.e., driver's license).
- Mail keeps being returned as undeliverable or not a valid address.
- Any address discrepancy.

SECTION 3

Detection of Red Flags (add any specific detection that applies to your office)

All staff will be trained to detect Red Flags or any other suspicious activity that might indicate identity theft is occurring or has occurred. The following procedures will apply:

- Instruct new patients to bring photo ID and an insurance card to their appointment for verification, together with proof of address. Staff will verify identity of new patient and address.
- Staff will verify the identity of all patients, including requesting photo identification for those patients who are unknown to staff.
- Staff will update patient information on a regular basis, at least annually.
- Only personally identifiable information that is needed in the practice will be maintained as a record within the practice.

Other Detection that applies to office:

SECTION 4

Response to Red Flags (add specific responses that apply to your office)

Our office will respond to Red Flags that have been identified and detected in the following manner:

- If any Red Flags are identified, the employee should obtain the documentation and report the incident to the designated employee who administers this policy.
- The designated employee administrator will determine if the activity is fraudulent and then specific and immediate action will be taken, which may include:
  - Not opening an account or cancelling an account or transaction if appropriate.
  - Notifying appropriate law enforcement and making a report to add to your records.
  - Contacting or assisting the patient to contact any other health care providers, offering to help acquire credit checks and even giving them a year of credit protection and monitoring.
  - Encouraging patients who claim identity theft to fill out the FTC's ID Theft Affidavit and contact law enforcement to make a report (www.ftc.gov/bcp/edu/resources/forms/affidavit.pdf).
- If the designated employee administrator determines that the patient has not been a victim of identity theft, the office will take whatever action is deemed to be appropriate.

Other actions that apply to this office include:

SECTION 5

Prevention Procedures

To prevent identity theft from occurring in our practice we will:

- Shred all sensitive information and dispose of it properly.
- Monitor our electronic data and files to make sure no one has altered or infiltrated information.
- Follow our procedures for employee termination or an employee leaving the practice: change all passwords, change locks if applicable, change the voice mail account password or remove the employee's access to it, etc., and keep a record of the date the procedure was completed.

Other for Prevention Procedures:

SECTION 6

Administration (Insert names, dates and check all that apply)

Our program and policies have been approved as set forth above and we have a designated employee to assist in administering this program.

We will train our employees as stated in Section 1 and keep them informed of any and all changes or additions to the policy. A signed document verifying the date they completed their training will be added to this policy for every employee of our practice. Any new employees will be trained within 30 days of hire. See attached page for employee log and employee verification documents.

A list of our service providers has been added and will be kept up to date. Our service providers will be asked to follow our policy for Red Flags Rules and trained appropriately if they do not have a Red Flags Rule policy of their own. We will keep a record of which method each service provider is bound by and a signed document that they understand and will abide by the Rule. The staff will be trained as indicated. Service providers include any outside person or company who handles or deals with accounts or who may have access to information contained within our offices.

- We do not use any outside contractors in connection with any accounts covered by the Red Flags Rule.
- We have identified the following service providers in connection with accounts covered by the Red Flags Rule and indicate training. See attached page for log of service providers.

We plan to review our program and update this policy if appropriate every 3 months and/or when any of the following occur:

- Changes in the Red Flags Rules.
- Identity theft experienced by this office.
- We significantly change the manner and method of how we do business or how they use patient information.

Employee Name | Start Date | Trained | End Date

Employee Training Verification Form

This is to verify that ______________________________________ has completed the employee training process which is required to comply with our Red Flags Rule Policy. Employee signs this document to verify that he/she has completed the training process and understands all the procedures and requirements to comply with the Red Flags Rule Policy of this practice.

Employee's Signature __________________________________ Date _________________


Service Provider | Effective Date | Trained | End Date

Other Administration Information for this Office:


SECTION 7

Approval of Policy

This policy has been reviewed and accepted by _________________________ (Administrative Employee name here), and will be reviewed and updated as stated.

____________ Date

This policy is approved and will be adopted by this office as of the date below:

_______________ Date

______________________________ Administrative Employee Signature

All practices should have an attorney of their choice review their Red Flags Rule Policy prior to implementation. Sensitive data will be protected in the collection, retrieval and storage processes within the office. Access to sensitive data will be limited to those needing such information and protected with proper security measures and proper disposal of sensitive data will be monitored. If any Red Flags are identified, the employee should obtain the documentation and report the incident to the designated employee who administers this policy.
