UAMS Identity Theft Program—Red Flag Rule

Computer Based Training (CBT) Module Prepared for UAMS Registration and

Admissions Personnel

Each slide contains audio, so please adjust your volume and sound settings at this time.

Objectives Overview Red Flag Rule Definitions Identification of possible red flags UAMS Policy and Procedures Verification Assistant Adding Critical Alerts

Program Adoption Identity theft is the fastest growing crime

in the United States It affected more than 10 million Americans in

2008. A new victim every 2 seconds.

Federal Trade Commission Red Flag Rule

Fair and Accurate Credit Transactions Act of 2003: Section 113

Program Purpose To protect UAMS patients and students

from the risk of identity theft ID Theft/Red Flag Rule program contains

policies and procedures to:1. Identify relevant Red Flags for new and existing

covered accounts and incorporate those Red Flags into the Program;

2. Detect Red Flags that have been incorporated into the Program;

3. Respond appropriately to any Red Flags that are detected to prevent and mitigate Identity Theft; and

4. Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the creditor from Identity Theft.

Enforcement Deadline Program must be in place by June 1, 2010 Entities failing to comply with the Red Flag

Rule could face enforcement actions by the FTC, which is authorized to seek up to $2,500 in penalties for each independent violation of the rule

Enforcement actions by state attorneys general, which are authorized to recover up to $1,000 for each violation (plus attorney’s fees) on behalf of their residents

Definitions Identity Theft

Fraud committed using the identifying information of another person.

Medical Identity Theft Medical identity theft occurs when someone

uses a person’s name and sometimes other parts of their identity (e.g. insurance information or Social Security number) without the person’s consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods.

Definitions Covered Account

Any account UAMS offers or maintains that involves multiple payments or transactions, or for which there a foreseeable risk of Identity Theft.

Red Flag A pattern, practice, or specific activity that

indicates the possible existence of Identity Theft.

Identifying Information Any name or number that may be used, alone

or in conjunction with any other information, to identify a specific person.

Medical Identity Theft Healthcare effects

Medical record may be polluted with potentially life threatening misinformation

Patients may: Receive the wrong medical treatment or delayed

medical treatment from inaccurate diagnosis Find their health insurance exhausted Fail physical exams for employment due to erroneous

disease entries in their health record

Identifying Information name address telephone number social security

number date of birth government issued

driver’s license or ID number

alien registration number

government passport number

employer or taxpayer identification number

unique electronic identification number

computer’s Internet Protocol address or routing code

Detection of Red Flags Verify Patient’s Identity

UAMS Policy on identity theft states that registration personnel will obtain and verify the identity of all patients to the extent possible.

Pharmacy, clinical, billing, and Health Information Management (HIM) personnel also have specific patient verification processes.

Registration Procedure I and III. All adult patients will be asked for photo

identification.II. Minor patients’ parent/guardian will be

asked for photo identification. • Examples include state issued drivers

license, state issued ID card, military ID, passport, etc.

Registration Procedure IIIIII. The photo identification will be scanned

into the patient account.• An adult patient’s photo ID should be

scanned into EPF folder “Drivers License” even if it’s a state ID card.

• An adult guarantor’s photo ID should be scanned into EPF folder “Drivers License” their own CPI #, not the patient’s.

Registration Procedure IVIV. In the event the patient does not have a

photo ID, ask for two forms of non-photo ID, one of which has been issued by a state or federal agency.

• Examples include a Social Security Card, utility bill, or company/school ID.

• Scan the IDs into the “Drivers License” EPF folder.

Registration Procedure VV. Any patient who is unable to provide

photo identification will have their Social Security Number verified in the hospital electronic verification system.

• No one should be refused care because they do not have acceptable ID with them.

• The patient should be asked to bring appropriate ID to their next visit.

Verification Assistant

Verification Assistant Screen 1

Response Screen 1

Response Screen 2

Partial Response Screen

Responding to Questions Patient: “Why am I being asked for ID?”

Registration Personnel: “We ask for your photo ID to protect our patients from identity theft. Because of that, we are now using the same processes used in the community to cash a check, make a large credit card purchase, or board a plane.”

Responding to Red Flags If any employee believes potential identity theft

has occurred, the account should be flagged immediately and details should be documented in CPI comments.

The supervisor should be notified. Investigation and follow-up will be conducted by

the hospital privacy officer. Registration personnel may be contacted for additional

information during this period. Hospital bills will be suspended until investigation and

follow-up have been completed.

Registration Procedure VIVI. The appropriate identity theft flag in the ADT

system will be set as follows:a. DR—Duplicate Record—alert that records of two

patients may be co-mingled such as two patients with same identifying information.

b. ID—Identity Theft Victim – alert that this is a confirmed case of identity theft.

c. NA—Notice of Activity—alert that some source has notified UAMS of possible ID theft. The source may be the patient, the patient’s credit agency, law enforcement or any other source.

d. SA—Suspicious Activity—will alert that there are suspicious documents or clinical inconsistencies present.

Registration System ID Flags

Critical Alert Field

Critical Alert Table

Person Information I Screen

Registration Workstation Screens

Registration Workstation Screens

Registration Policies VII and VIIIVII. Emergency care will not be delayed for

lack of ID VIII. Any unresolved Identity Theft Flags

noted at point of registration should be reported to supervisor or manager for follow up.

Signs of Possible Identity Theft Suspicious personally identifying

information: Patient appears and gives an identity that has

been flagged. Patient provides a photo ID that does not

match the patient Patient gives a SSN different than one used on

a previous visit or is the same as another patient account

Patient gives information that conflicts with information in his/her file

Family member/friend calls the patient by a different name than that provided at the time of registration.

Signs of Possible Identity Theft Suspicious documents

Identification documents appear to have been altered or forged

Other information is inconsistent with readily accessible information on file such as a signature mismatch

Unusual use of or suspicious activity related to a covered account For example mail sent to the customer is

returned repeatedly as undeliverable although recent business activity reflects the address in question

Signs of Possible Identity Theft Alerts, notifications, or warnings from a

patient, student, victim, law enforcement, consumer reporting agency, or other institution or business

Contact Information Revenue Integrity Specialist Team

Hotline: 686-5102 Email:

RevenueIntegritySpecialist-Admissions@uams.edu

Vera Chenault, J.D., UAMS Identity Theft Prevention Program Administrator Office: 526-4817 Email: VMChenault@uams.edu

Certificate of Completion Please email RIST for your certificate of

completion. Add the text “Red Flag Rule” to the subject

line.