Understanding the Red Flag Rules - Log in - American Health ...
Understanding the Red Flag Rules - Log in - American Health ...
Understanding the Red Flag Rules - Log in - American Health ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Program Requirements 1 XXX Response 2<br />
Local/Organizational Level (<strong>in</strong> collaboration with <strong>the</strong> above):<br />
• Local Compliance Officers<br />
• Local Privacy Officers<br />
• Local Security Officers<br />
Report<strong>in</strong>g Structure and<br />
Reports<br />
The Program Manager is responsible, with regard to implementation of <strong>the</strong> Program,<br />
to <strong>the</strong> XXX Board of Directors or an appropriate committee of <strong>the</strong> Board or a<br />
designated employee at <strong>the</strong> senior level of management. Activity under <strong>the</strong> Program<br />
shall be reported through Compliance reports to <strong>the</strong> Board (semi-annually).<br />
The reports shall address material matters related to <strong>the</strong> Program and evaluate <strong>the</strong><br />
effectiveness of <strong>the</strong> Organization’s policies and practices designed to safeguard <strong>the</strong><br />
privacy and security of <strong>in</strong>formation that could reasonably be used for identity <strong>the</strong>ft.<br />
Reports shall <strong>in</strong>clude significant <strong>in</strong>cidents <strong>in</strong>volv<strong>in</strong>g identity <strong>the</strong>ft or attempted<br />
identity <strong>the</strong>ft, as well as organizational response and recommendations for<br />
improvements.<br />
Identification of <strong>Red</strong><br />
<strong>Flag</strong>s<br />
<strong>Red</strong> <strong>Flag</strong>s <strong>in</strong>clude, but are not limited to:<br />
• Notices from Patients, Victims of Identity Theft, Law Enforcement Authorities, or<br />
O<strong>the</strong>r Bus<strong>in</strong>esses About Possible Identity Theft<br />
• Alerts, Notifications, or Warn<strong>in</strong>gs from a Consumer Report<strong>in</strong>g Agency or <strong>Health</strong><br />
Plan<br />
• Suspicious Documents<br />
• Suspicious Personally Identify<strong>in</strong>g Information – Such as a Suspicious Address<br />
• Unusual Use of, or Suspicious Activity Relat<strong>in</strong>g to, a Covered Account<br />
• Observations by Workforce Members of Suspicious Activity Related to Covered<br />
Accounts or related to Patient Verification (e.g., at <strong>the</strong> Time of Registration or<br />
Dur<strong>in</strong>g Account Activity)<br />
• The Program Manager has determ<strong>in</strong>ed that certa<strong>in</strong> <strong>Red</strong> <strong>Flag</strong>s identified by <strong>the</strong><br />
World Privacy Forum are relevant to <strong>the</strong> Organizations. Those <strong>Red</strong> <strong>Flag</strong>s are<br />
<strong>in</strong>corporated <strong>in</strong>to this Policy as Attachment C.<br />
Identification of<br />
“Covered Accounts”<br />
A “Covered Account” is an account that a creditor offers or ma<strong>in</strong>ta<strong>in</strong>s, primarily for<br />
personal, family, or household purposes that <strong>in</strong>volves or is designed to permit<br />
multiple payments or transactions; or, any o<strong>the</strong>r account that <strong>the</strong> creditor offers or<br />
ma<strong>in</strong>ta<strong>in</strong>s for which <strong>the</strong>re is a reasonably foreseeable risk of identity <strong>the</strong>ft. 3<br />
The Organizations have <strong>the</strong> Follow<strong>in</strong>g Types of “Covered Accounts”:<br />
1. Individual Accounts for Purposes of Payment by Patients/Guarantors for<br />
<strong>Health</strong>care Services Rendered.<br />
2. Credit Agency Accounts for Purposes of Payment and/or Debt Collection.<br />
3. Occupational <strong>Health</strong> Services Accounts – Group Accounts (directly between<br />
provider/employer-sponsor focus<strong>in</strong>g on services such as drug screens, etc.).<br />
Validation Steps for Open<strong>in</strong>g/Ma<strong>in</strong>ta<strong>in</strong><strong>in</strong>g “Covered Accounts” Include:<br />
1. Individual Accounts: Methods/processes for open<strong>in</strong>g accounts – validation<br />
steps. Individual Accounts are opened and processed through <strong>the</strong><br />
3 16 C.F.R. § 681.2(b)(3)(i)<br />
© Copyright 2009 Nancy Davis and Chrisann Lemery Sample Plan/Policy – Identity Theft Prevention Program<br />
Page 2