UAMS Identity Theft Program—Red Flag Rule
  Computer Based Training (CBT) Module
  Prepared for UAMS Registration and Admissions Personnel
  Each slide contains audio, so please adjust your volume and sound settings at this time.
Objectives Overview Red Flag Rule Definitions Identification of possible red flags UAMS Policy and Procedures Verification Assistant Adding Critical Alerts
Program Adoption
  Identity theft is the fastest growing crime in the United States.
  It affected more than 10 million Americans in
  A new victim every 2 seconds.
  Federal Trade Commission Red Flag Rule
  Fair and Accurate Credit Transactions Act of 2003: Section 113
Program Purpose
  To protect UAMS patients and students from the risk of identity theft.
  ID Theft/Red Flag Rule program contains policies and procedures to:
  1. Identify relevant Red Flags for new and existing covered accounts and incorporate those Red Flags into the Program;
  2. Detect Red Flags that have been incorporated into the Program;
  3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and
  4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft.
Enforcement Deadline
  Program must be in place by June 1, 2010.
  Entities failing to comply with the Red Flag Rule could face:
    Enforcement actions by the FTC, which is authorized to seek up to $2,500 in penalties for each independent violation of the rule
    Enforcement actions by state attorneys general, which are authorized to recover up to $1,000 for each violation (plus attorney’s fees) on behalf of their residents
Definitions
  Identity Theft: Fraud committed using the identifying information of another person.
  Medical Identity Theft: Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity (e.g. insurance information or Social Security number) without the person’s consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods.
Definitions
  Covered Account: Any account UAMS offers or maintains that involves multiple payments or transactions, or for which there is a foreseeable risk of Identity Theft.
  Red Flag: A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
  Identifying Information: Any name or number that may be used, alone or in conjunction with any other information, to identify a specific person.
Medical Identity Theft
  Healthcare effects
  Medical record may be polluted with potentially life threatening misinformation.
  Patients may:
    Receive the wrong medical treatment or delayed medical treatment from inaccurate diagnosis
    Find their health insurance exhausted
    Fail physical exams for employment due to erroneous disease entries in their health record
Identifying Information
  name
  address
  telephone number
  social security number
  date of birth
  government issued driver’s license or ID number
  alien registration number
  government passport number
  employer or taxpayer identification number
  unique electronic identification number
  computer’s Internet Protocol address or routing code
Detection of Red Flags
  Verify Patient’s Identity
  UAMS Policy on identity theft states that registration personnel will obtain and verify the identity of all patients to the extent possible.
  Pharmacy, clinical, billing, and Health Information Management (HIM) personnel also have specific patient verification processes.
Registration Procedure I and II
  I. All adult patients will be asked for photo identification.
  II. Minor patients’ parent/guardian will be asked for photo identification.
  Examples include state issued drivers license, state issued ID card, military ID, passport, etc.
Registration Procedure III
  III. The photo identification will be scanned into the patient account.
  An adult patient’s photo ID should be scanned into EPF folder “Drivers License” even if it’s a state ID card.
  An adult guarantor’s photo ID should be scanned into EPF folder “Drivers License” under their own CPI #, not the patient’s.
Registration Procedure IV
  IV. In the event the patient does not have a photo ID, ask for two forms of non-photo ID, one of which has been issued by a state or federal agency.
  Examples include a Social Security Card, utility bill, or company/school ID.
  Scan the IDs into the “Drivers License” EPF folder.
Registration Procedure V
  V. Any patient who is unable to provide photo identification will have their Social Security Number verified in the hospital electronic verification system.
  No one should be refused care because they do not have acceptable ID with them.
  The patient should be asked to bring appropriate ID to their next visit.
Verification Assistant
Verification Assistant Screen 1
Response Screen 1
Response Screen 2
Partial Response Screen
Responding to Questions
  Patient: “Why am I being asked for ID?”
  Registration Personnel: “We ask for your photo ID to protect our patients from identity theft. Because of that, we are now using the same processes used in the community to cash a check, make a large credit card purchase, or board a plane.”
Responding to Red Flags
  If any employee believes potential identity theft has occurred, the account should be flagged immediately and details should be documented in CPI comments.
  The supervisor should be notified.
  Investigation and follow-up will be conducted by the hospital privacy officer.
  Registration personnel may be contacted for additional information during this period.
  Hospital bills will be suspended until investigation and follow-up have been completed.
Registration Procedure VI
  VI. The appropriate identity theft flag in the ADT system will be set as follows:
    a. DR (Duplicate Record): alert that the records of two patients may be co-mingled, such as two patients with the same identifying information.
    b. ID (Identity Theft Victim): alert that this is a confirmed case of identity theft.
    c. NA (Notice of Activity): alert that some source has notified UAMS of possible ID theft. The source may be the patient, the patient’s credit agency, law enforcement or any other source.
    d. SA (Suspicious Activity): alert that there are suspicious documents or clinical inconsistencies present.
Registration System ID Flags
Critical Alert Field
Critical Alert Table
Person Information I Screen
Registration Workstation Screens
Registration Policies VII and VIII
  VII. Emergency care will not be delayed for lack of ID.
  VIII. Any unresolved Identity Theft Flags noted at point of registration should be reported to supervisor or manager for follow up.
Signs of Possible Identity Theft
  Suspicious personally identifying information:
    Patient appears and gives an identity that has been flagged.
    Patient provides a photo ID that does not match the patient.
    Patient gives an SSN that is different from one used on a previous visit or is the same as that on another patient account.
    Patient gives information that conflicts with information in his/her file.
    Family member/friend calls the patient by a different name than that provided at the time of registration.
Signs of Possible Identity Theft
  Suspicious documents:
    Identification documents appear to have been altered or forged.
    Other information is inconsistent with readily accessible information on file, such as a signature mismatch.
  Unusual use of or suspicious activity related to a covered account:
    For example, mail sent to the customer is returned repeatedly as undeliverable although recent business activity reflects the address in question.
Signs of Possible Identity Theft
  Alerts, notifications, or warnings from a patient, student, victim, law enforcement, consumer reporting agency, or other institution or business
Contact Information Revenue Integrity Specialist Team Hotline: RevenueIntegritySpecialist- Vera Chenault, J.D., UAMS Identity Theft Prevention Program Administrator Office:
Certificate of Completion
  Please e-mail RIST for your certificate of completion.
  Add the text “Red Flag Rule” to the subject line.