Identity Theft Prevention Program
Purpose: Life Line Medical Ambulance is committed to providing all aspects of our service and conducting our business operations in compliance with all applicable laws and regulations. This policy sets forth our commitment to compliance with those standards established by the Federal Trade Commission under the Identity TheftRed Flags and Address Discrepancies under the Fair and Accurate Credit Transaction Act of 2003 ("the Red Flag Rules") at 16 C.F.R. §681.2, regarding the establishment of a written Identity Theft Prevention Program ("Program") that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
For a complete report of our practice. Please contact our office.
Scope:This Program contains policies and procedures designed to identify, detect and respond appropriately to "Red Flags" for identity theft. It also contains policies and procedures for the periodic identification of covered accounts and for the general administration of the Program. This Program addresses our general approach to compliance with the Red Flag Rules. As a "creditor" with "covered accounts" under the Red Flag Rules, Life Line Medical Ambulance is required to:
• Periodically identify covered accounts;
• Establish a written Identity Theft Prevention Program; and
• Administer the Identity Theft Prevention Program.
Definitions:
- "Account" means a continuing relationship established by a person with the Life Line Medical Ambulance to obtain services for personal, family, household or business purposes and includes an extension of credit, such as the purchase or services involving a deferred payment.
- "Covered account" means:
- An account that the Life Line Medical Ambulance offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and
- Any other account that Life Line Medical Ambulance offers or maintains for which there is a reasonably foreseeable risk to individuals or to the safety and soundness of Life Line Medical Ambulance from identity theft, including financial, operational, compliance, reputation, or litigation risks.
- "Identity theft" means a fraud committed or attempted using the identifying information of another person without authority.
- "Identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any:
- Name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number or employer or taxpayer identification number;
- Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
- Unique electronic identification number, address, or routing code; or
- Telecommunication identifying information or access device (as those terms are defined in 18 U.S.C. §1029(e)).
- Medicare number.
- Health care claim number.
- "Program" means this written Identity Theft Prevention Program developed and implemented by Life Line Medical Ambulance.
- "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
- "Service provider" means a person who provides a service directly to Life Line Medical Ambulance and includes third party billing companies and other organizations that perform service in connection with Life Line Medical Ambulance's covered accounts.
Procedure- Identify Covered Accounts
- Life Line Medical Ambulance will annually determine whether it offers or maintains covered accounts (see definition of "covered account" in this Program) and shall document that determination.
- As part of this annual identification of covered accounts, Life Line Medical Ambulance shall conduct an annual risk assessment of its accounts to determine whether it offers or maintains accounts that carry a reasonably foreseeable risk to patients or to the safety and soundness of Life Line Medical Ambulance from identity theft, including financial, operational, compliance, reputation, or litigation risks. In determining whether Life Line Medical Ambulance offers or maintains such accounts, Life Line Medical Ambulance will conduct an annual risk assessment that takes into consideration:
i.The methods it uses to open its accounts;
ii.The methods it uses to access its accounts; and
iii.Its previous experiences with identity theft.
- The annual identification of covered accounts should ideally be conducted by an evaluation or audit team acting under the direction and control of the board or other individual in charge of Program administration.
- Identify Red Flags
a.Once Life Line Medical Ambulance has identified its covered accounts, it shall identify Red Flags (see definition in this Program) for those accounts. This shall be conducted on an annual basis in conjunction with Life Line Medical Ambulance's identification of covered accounts. Life Line Medical Ambulance will also identify red flags as they arise and incorporate them into this Program.
- Life Line Medical Ambulance shall consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
i.The types of covered accounts it offers or maintains;
ii.The methods it provides to open its covered accounts;
iii.The methods it provides to access its covered accounts; and
iv.Any incidents of identity theft that Life Line Medical Ambulance has experienced.
- Life Line Medical Ambulance shall also consider the examples of Red Flags listed in Supplement A to Appendix A to 16 C.F.R. Part 681. The Program shall include relevant Red Flags from the following categories, as appropriate:
i.Alerts, notifications, or other warnings received from consumer report agencies or service providers, such as fraud detection services;
ii.The presentation of suspicious documents;
iii.The presentation of suspicious personal identifying information, such as a suspicious address change;
iv.The unusual use of, or other suspicious address change;
v.Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
- Life Line Medical Ambulance shall also incorporate Red Flags from sources such as:
i.New and changing risks that Life Line Medical Ambulance has identified; and
ii.Any applicable supervisory guidance from the FTC or other appropriate sources.
- The following are Red Flags identified Life Line Medical Ambulance's covered accounts as of the most recent update to this Program:
i. Patterns of activity on payment accounts that are inconsistent with prior history;
ii. Increases in the volume of inquiries to an account;
iii.The presentation of information that is inconsistent with other sources, e.g., the address, date of birth, or social security number listed for the patient does not match the address given or is inconsistent with other identifying information provided by the patient;
iv.Personal identifying information is identified by third-party sources as having been associated with known fraudulent activity;
v.Personal identifying information of a type commonly associated with fraudulent activity (e.g., fictitious address, use of mail drop, or phone number that is invalid or associated only with a pager or answering service);
vi.The social security number provided by the patient is a duplicate of that of other patients;
vii.The address or telephone numbers given are the same or similar to those of other patients, particularly recent ones;
viii.Attempts to access an account by persons who cannot provide authenticating information;
ix.Requests for additional authorized users on an account shortly following change of address;
x. Uses of an account that are inconsistent with established patterns of activity such as: nonpayment when there is no history of late or missed payments;
xi. Nonpayment of the first payment on the account;
xii.Inactivity on an account for a reasonably lengthy period of time;
xiii.Mail correspondence sent to the provided address is returned and mail is returned despite continued activity in the account;
xiv. Notification of Life Line Medical Ambulance of an unauthorized transaction by the patient;
xv.Notification of Life Line Medical Ambulance by the patient, a law enforcement authority, or other person, that it has opened a fraudulent account;
xvi.A complaint or question from a patient based on the patient's receipt of:
1. A bill for another individual;
2. A bill for a service that the patient denies receiving;
3. A bill from a health care provider that the patient never utilized;
4. A notice of insurance benefits (or Explanation of Benefits) for health services never received; or
5. A patient or insurance company report that coverage for legitimate healthcare service is denied because insurance benefits have been depleted or a lifetime cap has been reached.
xvii.A complaint or question from a patient about information added to a credit report by a health care provider or insurer;
xviii.A dispute of a bill by a patient who claims to be the victim of any type of identity theft;
xix.A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance;
xx.A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency;
xxi.A security breach;
xxii.Unauthorized access to a covered account by personnel;
xxiii.Unauthorized downloading of patient files;
xxiv.Loss or theft of unencrypted data;
xxv.Inappropriate access of a covered account;
xxvi.A computer virus or suspicious computer program;
xxvii.Multiple failed log-in attempts on a workstation;
xxviii.Theft of a password;
xxix.The presentation of an insurance card or form of identification that is clearly altered; and
xxx.Lost, stolen, or tampered facility equipment.
- Detect Red Flags
a.Life Line Medical Ambulance shall adopt reasonable policies and procedures to address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
i.Obtaining identifying information about, and verifying the identity of, a person opening a covered account, and
ii. Authenticating patients, monitoring transactions, and verifying the validity of change of address requests.
- The following procedures have been adopted by Life Line Medical Ambulance to address the detection of Red Flags as of the most recent update to this Program:
i.Suspicious Documents at the Time of Transport Life Line Medical Ambulance personnel shall be on the alert for patients who present suspicious documents such as an insurance card or form of identification that appears to have been altered or does not match other information about the patient. Whenever possible, the crew shall attempt to verify the identity of the patient with someone who knows the patient and/or someone who has rendered care to the patient. Personnel shall not delay the provision of care when verifying this information and should obtain this information after the transport when it could delay the provision of care.
ii.ID Verification Before Discussing Patient Account Information or Change of Address: Before discussing any information related to a covered account with any individual, or making a change to address information in a covered account; Life Line Medical Ambulance personnel shall sufficiently ascertain the identity of the individual.
1.1. If a patient or appropriate representative makes a telephone inquiry or request regarding a patient account, Life Line Medical Ambulance personnel shall require the patient or appropriate representative of the patient to verify the date of birth, social security number (or at least the last 4 digits), and address of the patient to whom the account pertains.
2. If the patient or appropriate representative of the patient presents in person to the business office of Life Line Medical Ambulance, s/he shall be required to provide a valid government issued photo ID in addition to the date of birth, social security number (or last 4 digits), and address of the patient to whom the account pertains.
3.If the patient or appropriate representative of the patient is unable to provide the necessary information to verify the identity of the patient, Life Line Medical Ambulance staff shall make a notation of the inquiry or address change request in the patient account file and alert an appropriate supervisor without providing access or honoring the address change request.
iii.Under the HIPAA Privacy and Security Rules, Life Line Medical Ambulance is required to implement policies and procedures regarding the protection of protected health information and to implement administrative, physical and technical safeguards to protect electronic protected health information. The following policies and procedures from Life Line Medical Ambulance's HIPAA compliance program serve the dual purpose of detecting identity theft in connection with the opening of and existing covered accounts at Life Line Medical Ambulance and they are hereby incorporated in this Program by reference:
1.General Security of Electronic and Other Patient and Business Information policy
2.Patient Access, Amendment and Restriction On the Use of PHI policy
3.Levels of Access, "Minimum Necessary Standard" and Limiting Disclosure and Use of PHI and e-PHI policy
4.Procedure for Requesting Amendment of PHI policy
5.Access to the Information System and e-PHI policy
6.Physical Security of PHI and e-PHI policy
7.Electronic Information System Activity Review and Auditing policy
8.Facility and Computer Access Point Controls policy
9. Encryption and Decryption policy
10.Use of Computer and Information Systems Equipment policy
11.Use of Electronic Mail and Facsimile Transmissions policy
12.Internet Access and Use policy
13.Computer Hardware/Peripherals/Software Inventory policy
4. Respond to Red Flags
a.Life Line Medical Ambulance will respond to Red Flags of which it becomes aware in a manner commensurate with the degree of risk posed by the Red Flag. In determining an appropriate response, Life Line Ambulance will consider aggravating factors that may heighten the risk of identity theft. For example, notice to Life Line Medical Ambulance that a patient has provided information to someone fraudulently claiming to represent Life Line Medical Ambulance may suggest that identity theft is more likely.
b.Life Line Medical Ambulance shall assess whether the Red Flag detected poses a reasonably foreseeable risk of identity theft and if it does, respond appropriately. Life Line Medical Ambulance determines that the Red Flag does not pose a reasonably foreseeable risk of identity theft, it shall have a reasonable basis choosing not to respond to the Red Flag.
c.If any personnel at Life Line Medical Ambulance believe identity theft has occurred or may be occurring, s/he shall immediately notify a supervisor. The supervisor will contact the designated Red Flag Rule compliance officer who will determine the appropriate response.
d. Appropriate responses may include the following:(i)Monitoring a covered account for evidence of identity theft;
(ii)Contacting the patient;
(iii)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(iv)Reopening a covered account with a new account number;
(v)Not opening a new covered account;
(vi)Closing an existing covered account;
(vii)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(viii)Notifying law enforcement; or(ix)Determining that no response is warranted under the particular circumstances.
e.
Patient Notification: If there is a confirmed incident of identity theft or attempted identity theft, Life Line Medical Ambulance will notify the patient after consultation with law enforcement about the timing and the content of such notification (to ensure notification does not impede a law enforcement investigation) via certified mail. Victims of identity theft will be encouraged to cooperate with law enforcement in identifying and prosecuting the suspected identity thief, and will be encouraged to complete the FTC Identity Theft Affidavit.
f.
Investigation of Suspected Identity Theft: If an individual claims to be a victim of identity theft, Life Line Medical Ambulance will investigate the claim. The following guidelines apply:
a.The individual will be instructed to file a police report for identity theft.
b.The individual will be instructed to complete the ID Theft Affidavit developed by the FTC, including supporting documentation; or an ID theft affidavit recognized under state law.
c.The individual will be requested to cooperate with comparing his or her personal information with information in Life Line Medical Ambulance's records.
d.If following investigation, it appears that the individual has been a victim of identity theft; Life Line Medical Ambulance will take the following actions:
i.Cease collection on open accounts that resulted from identity theft. If the accounts had been referred to collection agencies or attorneys, the collection agencies/attorneys will be instructed to cease collection activity.
ii.Cooperate with any law enforcement investigation relating to Life Line Medical Ambulance Service the identity theft.
e.If an insurance company, government program or other payor has made payment on the account, the provider will notify the payor and seek instructions to refund the amount paid.f.If an adverse report had been made to a consumer reporting agency, the provider will notify the agency that the account was not the responsibility of the individual.
g.If following investigation, it does not appear that the individual has been a victim of identity theft, Life Line Medical Ambulance or the collection agency will give written notice to the individual that he or she is responsible for payment of the bill. The notice will state the basis for determining that the person claiming to be a victim of identity theft was in fact the patient.
h.(
g) Amendment of Records: Patient medical records and payment records must be corrected when identity theft has occurred. This is necessary to ensure that inaccurate health information is not inadvertently relied upon in treating a patient, and that a patient or a third-party payer is not billed for services the patient did not receive. Patient records will be corrected in consultation with the patient and the patient's treating health care provider(s), and in a manner consistent with the Life Line Medical Ambulance's HIPAA policy on amendments to medical records.
i.
Disclosure/Unauthorized Access to Unencrypted Data: If there is a disclosure of, or an unauthorized access to, unencrypted computerized data containing a person's first name or first initial and last name and
a. (1) a social security number
b. (2) driver's license number, or
c.(3) financial account number (including a credit or debit card number), state law governing notification of patients will be followed.
(i) The Presentation of Suspicious Documents at the Time ofTransport:
When a patient presents a suspicious document such as an insurance card or form of identification that is clearly altered or does not match other information about the patient, ambulance personnel shall:
- Note the nature of the incident and circumstances surrounding the incident in an incident report or other appropriate document so that the claim is "flagged" for review.
- If possible, attempt to obtain identifying information about the patient from other sources such as individuals who know or have treated the patient.
- Notify the individual in charge of Red Flag Rules compliance as soon as possible after the transport about the incident and the circumstances surrounding the incident
- . Before opening a covered account under the name given, the Red Flag Rules compliance officer, or other designated individual, shall make attempts to verify the identity of the patient though any means possible. If it appears the patient has attempted to commit identity theft, the procedures for notification and investigation of the incident (above) shall be followed.
- Update the Program
(a) Life Line Medical Ambulance shall update this Program (including identifying Red Flags determined to be relevant) annually.
(b) The update shall reflect changes in risks of identity theft to patients or to the safety and soundness of Life Line Medical Ambulance's information.
The review and update will be based on factors such as:
(i) The experiences of Life Line Medical Ambulance with identity theft;
(ii) Changes in methods of identity theft;
(iii) Changes in methods to detect, prevent, and mitigate identity theft;
(iv) Changes in the types of accounts that Life Line Medical Ambulance offers or maintains; and
(v) Changes in the business arrangements of Life Line Medical Ambulance, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
(a) Program Oversight: The board of directors shall designate an individual who is in charge of Red Flag Rules compliance. This individual shall be involved in the oversight, development, and implementation and administration of the Program. The individual shall be responsible for:
(i) Implementation of this Program;
(ii) Reporting to the board of directors, or an appropriate designated committee of the board at least annually on compliance by Life Line Medical Ambulance with this Program. The report shall address material matters related to the Program and evaluate issues such as:
1. The effectiveness of the policies and procedures of Life Line Medical
Ambulance in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
2. Service provider arrangements;
3. Incidents involving identity theft and management's response; and
4. Recommendations for material changes to the Program.
(b) After reviewing official annual reports, the board of directors or appropriate designated committee shall approve changes to this Identity Theft Prevention Program, as necessary.
(a). Life Line Medical Ambulance will conduct a general training session for all personnel to provide them with a general overview of this Program. All new personnel shall undergo such training during their orientation process. Documentation of training, including copies of all rosters and sign in sheets showing the training dates and the names of attendees, shall be maintained for at least four years.
(b) All staff that is responsible for the administration of the Program and
staff who regularly deal with covered accounts should be trained on an annual basis.
- Oversee Service Provider Arrangements
If Life Line Medical Ambulance engages a third party to perform an activity in connection with one or more covered accounts (e.g., billing companies, collection agencies), Life Line Medical Ambulance will:
(a) Review the third party's policies for preventing, detecting, and
mitigating identity theft and determine if those policies are acceptable
to Life Line Medical Ambulance; or
(b) Require the third party to comply with the applicable terms of this
Program through contract or agreement.
DISCLOSURE OF OUR PRIVACY POLICY
This notice is being provided to you for informational purposes and may be amended and updated as required. No action is necessary to ensure your privacy and no response is required. Your information will only be disclosed in accordance with HIPAA.
PATIENT RIGHTS & ACCESS
All patients have the right to access their patient health information (PHI). You may request to amend your records and or request a copy of your trip sheet, which must be submitted in writing by the patient or the POA. If you have questions about your trip sheet you should contact the office. There is a charge for access and a processing fee per page. We thank you for your cooperation.
Placed into affect: July 28th, 2009
Reviewed May 2010