ANW Policies


IDENTITY THEFT RED FLAG POLICY

Purpose:
Implement security practices to help protect employees and patients of Arthritis Northwest from damages related to the loss or misuse of sensitive information by undertaking the following:

 

This policy enables Arthritis Northwest to comply with rules intended to protect existing patients, reduce further risk from identity theft, and minimize potential damage to the organization from fraudulent new accounts by undertaking the following:

 

Definitions of Terms used in the Program:

Covered Accounts: A covered account includes any account that involves, or is designed to permit multiple payments or transactions; this includes personal accounts of clients as well as the business accounts of Arthritis Northwest, PLLC. 

Identifying Information: defined under this Rule as any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including name, address, telephone number, social security number, date of birth, government issued driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number, unique electronic identification number, computer’s internal address or routing code.

Identity Theft: fraud committed using the identifying information of another person, which can be medical identity theft and/or financial identity theft.

Compliance Officer: the practice’s administrative personnel charged with the implementation of this program.

Red Flags: Red Flags are potential indicators of fraud. Any time a red flag or relevant warning sign is detected it should be investigated for verification. Red flags also include consumer reports that indicate a pattern of activity inconsistent with the history and usual pattern of activity of an applicant or customer.

Suspicious Documents and Suspicious Personal Identifying Information: Suspicious documents are those materials that appear to have been altered or forged, or give the appearance of having been destroyed and reassembled. Suspicious personal identifying information is any information or document that is inconsistent when compared against external information sources used by Arthritis Northwest. For example, a driver’s license photograph is inconsistent when compared with the appearance of the patient, or the address on an application is fictitious, a mail drop, or a prison.

Suspicious Account or Medical Record Activity: Payments stop on an otherwise consistently up-to-date account; mail sent to the patient is repeatedly returned as undeliverable; a breach in the practice’s computer system security; records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.

Alerts from Others: Include a complaint or question from a patient based on the patient’s receipt of a bill for another individual, a bill for a product or service that the patient denies receiving, a bill from Arthritis Northwest that the patient never patronized, or an explanation of benefits for health services never received.

 

Scope:
This policy applies to all Arthritis Northwest employees, consultants, temporary employees and business associates.

Policy:

Arthritis Northwest employees are responsible for ensuring protection and security of sensitive information in accordance with state and federal laws.

1: Sensitive Information Policy (refer to HIPAA privacy and security policy/procedures.)

ANW employees are encouraged to exercise common sense and discretion in securing sensitive information. Sensitive information pertains to electronic or printed formats of credit card information, tax identification, payroll information, medical record information, and patient demographic information (i.e. date of birth, address, phone number, etc.).

2: Hard copy distribution

Each employee will ensure that sensitive and confidential hard copy documents are safeguarded while in use and secured when not in use.   When documents containing sensitive information are discarded they will be destroyed or locked in discard bins for destruction.

3: Electronic Distribution

ANW employees will ensure cautious electronic transmission of sensitive information.

Sensitive information may be internally transmitted using approved ANW network email.

No sensitive information should be sent outside of the ANW secure network unless the information is encrypted and password protected, and then only to approved recipients. Additionally, a confidentiality statement should be included in any such emails.

 

Detecting Red Flags

New Accounts: In order to detect any of the red flags identified above associated with the opening of a new covered account, ANW personnel will take the following steps to obtain and verify the identity of the person opening the account:

 

Existing Accounts: In order to detect any of the red flags identified above for an existing account, ANW personnel will take the following steps to monitor the transactions and activity on an account, in compliance with ANW’s HIPAA privacy policies and procedures:

 

Responding to any Red Flags

In the event that ANW personnel detect any identified Red Flags, the practice shall take one or more of the following steps, depending on the Red Flag detected and on the degree of risk posed by the Red Flag:

 

Protect Patient’s Identifying Information
Arthritis Northwest’s HIPAA privacy and security program will be utilized, and updated along with this program if necessary, to further reduce the likelihood of identity theft occurring with respect to the practice’s accounts.

 

Protecting and Correcting Medical Information
If Arthritis Northwest determines that medical identity theft has occurred, there may be errors in the patient’s chart as a result. Fraudulent information may have been added to a pre-existing chart, or the contents of an entire chart may refer only to the health condition of the identity thief, but under the victim’s personal identifying information. In such cases, Arthritis Northwest shall take the appropriate steps to avoid mistreatment due to fraudulent information, such as file extraction, cross-referencing charts, etc.

 

Program Updates:

Oversight of the Program
The compliance officer will periodically, but no less than annually, review and update this program to reflect changes in risks to patients and the soundness of the practice in protecting against identity theft, taking into consideration the practice’s experience with identity theft occurrences, changes in methods of how identity theft is being perpetrated, changes in methods of detecting, preventing and mitigating identity theft, changes in the types of accounts the practice offers and changes in the practice’s business relationships with other entities. After considering these factors the compliance officer will determine whether changes to this program are warranted. The compliance officer will present any recommended changes to the Practice Administrator for Arthritis Northwest, who will make a determination whether to accept, modify or reject the recommended changes to the program.

Staff Training and Reporting
Arthritis Northwest personnel whose role requires their participation in implementing this program will be trained by the compliance officer.  Training shall cover the Red Flags identified in the program, detecting red flags, and reporting and responding to detected Red Flags.  The compliance officer shall report annually to Arthritis Northwest’s practice administrator on the practice’s compliance with this Rule in terms of effectiveness of addressing identity theft, service provider arrangements, significant incidents involving identity theft and the practice’s response and recommendations for material changes to the program.
