All official Centura Health policies are maintained electronically and are subject to change from time to time. No printed policy should be taken as the official policy except to the extent it is consistent with the current policy that is electronically maintained.

Policy Title: Red Flag Rules-Identity Theft/Victim of Crime Prevention Policy
Department: Compliance, Revenue Management, Patient Access and Health Information Management
Unit: Compliance, Revenue Management, Patient Access and Health Information Management
Effective Date: 11/01/06
Date Last Reviewed: 03/01/07, 10/01/08, 07/01/09, 10/16/09, 7/30/11
Last Revised Date: 03/01/07, 10/01/08, 07/01/09, 10/16/09, 7/30/11
Initiated By: Legal, Compliance, Revenue Management, Patient Access, Health Information Management
Approved By (Person & title): Angela Cox, VP Revenue Management

STATEMENT OF POLICY: Centura Health will implement an Identity Theft Prevention Program designed to identify, detect, protect against, and mitigate Identity Theft of a patient’s identity especially with regard to their identifying information contained in the patient clinical or billing record.

After appropriate investigation and depending on the circumstances, Centura Health facilities may report criminal activity relating to the theft of services or a patient’s identity to appropriate authorities, and shall take appropriate steps to mitigate harm to any person whose name or other Identifying Information is reasonably believed by Centura Health to have been used unlawfully or inappropriately.

PURPOSE: To develop and implement a written identity theft prevention program designed to identify, detect, protect against, and mitigate identity theft in connection with a patient’s clinical or billing record.

STAKEHOLDERS: Administration, Compliance, Legal, Patient Access, Health Information Management (HIM), Revenue Management, Self Pay Vendors and Information Technology

SCOPE: All Centura Facilities, Avista Adventist, St. Anthony North, St. Anthony, Summit Medical Center, Porter Adventist, Littleton Adventist, Parker Adventist, Penrose St. Francis, St. Francis Medical Center, St. Mary Corwin, St. Thomas More, and Castle Rock Adventist( 9/11) and Mercy Regional Medical Center (11/11) including all clinics and urgent care sites that register into Meditech.

DEFINITIONS:

1.  A “Covered Account” is an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to patients or a Centura Health Facility from Identity Theft, including financial, operational, compliance, reputation or litigation risks. A “Covered Account” includes a patient’s clinical or billing record.

2.  “Identity Theft” refers to a fraud that is committed or attempted using a person’s identifying information without authority.

3.  “Identifying Information” means any name or number that may be used alone, or in conjunction with other information, to identify a specific person. Identifying information includes: (1) name, social security number, date of birth, official state or government issued driver’s license or identification number, government passport number, employer or taxpayer identification number; (2) unique biometric data such as fingerprint, voiceprint, retina or iris image, or other unique physical representation; (3) unique electronic identification number, address, or routing code; (4) telecommunication identifying information or access device.

4.  “Red Flags” are indicators of a pattern, practice or specific activity that indicates the possible existence of Identity Theft.

5.  “Service Provider” means a person that provides a service directly to a Centura Health facility. This may include consultants, independent contractors and subcontractors who provide services directly to a Centura Health facility.

Requirements

1.  Identifying Covered Accounts. Centura Health shall develop procedures to identify Covered Accounts in that region or facility. Covered Accounts include:

§  A patient’s clinical record

§  A patient’s billing record

2.  Identifying Red Flags. Centura Health shall develop procedures to identify factors that could be Red Flags to possible Identity Theft in that facility. Some common examples of Red flags include, but are not limited to:

§  Obvious alteration of identification documents

§  Obviously inconsistent photos

§  Social Security Number is the same as another patient

§  Identifying Information provided is inconsistent with information on file with no apparent reason for the difference

§  Suspicious activity related to a patient’s clinical or billing record

§  Notification of Identity Theft or Identity Theft concerns by a patient, law enforcement, or any other person acting on behalf of a patient

3.  Detecting Red Flags. Centura Health shall develop procedures to authenticate the patient’s identity, monitor Covered Account transactions, and verify the validity of change-of-address requests. Such procedures may include but are not limited to 1) requiring the patient to produce identifying information to verify his or her identity when establishing a Covered Account or when a patient presents for service at the facility, provided that such verification does not delay access to an emergency medical screening exam and stabilization; 2) monitoring attempts by unauthorized users to access a Covered Account.

4.  Responding to Red Flags. Centura Health shall develop procedures that provide for appropriate responses for preventing and mitigating Identity Theft. At a minimum, procedures should address:

§  Responsibility for the Identity Theft prevention program

§  Who will investigate Red Flags and recommend action (may vary depending on the Red Flag)

§  How Centura Health facilities will respond to Identity Theft alerts from patients, law enforcement or others

§  How patients’ Covered Accounts are monitored

§  How and when Centura Health facilities will contact the patient when questions or concerns arise or when changing passwords or security codes is required

§  How a patient’s clinical record will be corrected when necessary

§  Circumstances when Centura Health will refrain from collecting on a Covered Account or sending a Covered Account to collection

§  When law enforcement or other agencies should be notified.

5.  Periodic Updating. Identity theft policies and procedures shall be updated periodically to reflect changing risks from Identity Theft, changes in methods used to detect and prevent Identity Theft and changes in business unit structures, should these occur.

6.  Oversight of Service Provider Relationships. If a Centura Health facility engages a Service Provider to perform any activity related to a Covered Account, Centura Health shall establish a procedure to educate the Service Provider on its procedures to identify, detect, and respond to Identity Theft, or the Service Provider will be required by contract to have Identity Theft policies and procedures in place and to report possible Identity Theft to Centura Health.

7.  Employee Training. Centura Health shall educate employees on Centura Health’s Identity Theft Prevention Program to ensure understanding of and compliance with Identity Theft Prevention Program requirements. Centura Health facilities shall document the provision of such education and maintain records regarding such education for at least six years.

8.  Oversight of System Identity Theft Program. Compliance and Revenue Management departments shall have responsibility for preparing and delivering an annual report on the development, implementation, and administration of the Identity Theft Prevention Program to the Centura Health Board of Directors. Such report will include an assessment of the effectiveness of policies and procedures that address the risk of Identity Theft, Service Provider oversight and compliance, significant incidents of Identity Theft and management’s response to these incidents, and recommendations for material changes to the program.

References:

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule. Available at: http://edocket.access.gpo.gov/2007/pdf/07-5453.pdf http://edocket.access.gpo.gov/2007/pdf/07-5453.pdf

Colorado Revised Statutes § 18-13-124 (Dissemination of false information to obtain hospital admittance or care); §§ 18-5-901 through 18-5-905 (Identity theft)

PROCEDURE: The guidelines below must be used when a consumer, internal department, credit agency, attorney, or other entity notifies Centura Health that they have information regarding an identity that has been used by another person, without consent, to receive medical services.

1.  The consumer will be advised to file a formal police report and asked to provide a copy of the police report to the facility or Revenue Management.

2.  Upon the consumer’s arrival at the facility or Revenue Management, a designated representative (appointed by each location) will take a copy of the following documents:

a.  The police report

b.  Obtain copies of two forms of ID (something that shows name and physical address, e.g. utility bill), one of which must be a photo ID (driver’s license).

3.  The designated representative of the facility or Revenue Management will request that the consumer sign his/her name three times on a sheet of paper.

4.  The designated representative of the facility or Revenue Management will request that the consumer complete the ID Theft Affidavit.

5.  Once the police report, 2 forms of ID, including a photo ID and signatures are collected, the designated representative will advise the consumer that the account will be placed on hold for 45 days while an investigation is performed.

6.  The internal investigation will include:

a.  Comparing the sample signatures provided to the consent form from scanned documents or HIM.

b.  Contacting the primary care provider (PCP) office for verification of the consumer’s identity, if applicable.

c.  Investigate if the consumer has other Centura visits with any similar occurrences.

7.  The designated representative will be responsible for documenting the investigation in the Meditech system (B/AR comments).

8.  If the consent form signature comparison is inconclusive, the designated representative will be responsible for requesting copies of the Discharge Form from HIM.

9.  Once the signed Medical Consent/Discharge forms are obtained, the designated representative will compare the signatures on the driver’s license and the signature sample taken against the signature on the Consent/Discharge Form(s).

a.  Signature Match – Inform the consumer of the findings, explaining the balance is due in full. Update the outside billing vendor if applicable, releasing the account hold and document the results of the account investigation in Meditech. Inform additional billing providers, such as Pathologists, ER Physician, Radiologist, and Physicians on record.

b.  Signatures Do Not Match – Inform the consumer of the findings. Apply the appropriate administrative adjustment (FCFR – Identity Theft/ Fraud), and document the results of the account investigation in Meditech. Inform additional billing providers, such as Pathologists, ER Physician, Radiologist, and Physicians on record.

In the event that the designated representative can not conduct the notification of the other providers listed above, inform the consumer that he or she may need to notify relevant other providers and inform them of the decision made by Centura Health.

10.  The designated representative should change the erroneous account:

a.  If the designated representative can determine the patient to whom the account belongs – perform a “switch” function under the correct medical record number.

b.  If the designated representative cannot determine the patient to whom the account belongs - perform a “switch” function with a new medical record number using XXXX as the patient name. Protection, ID Facility Abbreviation DOS Example: Protection, ID SC (011011)

i.  Process an Administrative Adjustment to remove the charges.

11.  The designated representative should correct all of the information on the consumer’s account. Scan the appropriate documents that show the correct information. Place a critical indicator on the account to always obtain the consumer’s driver’s license when the consumer presents for services.

12.  After the investigation is completed an Identity Theft Account Completed form is to be placed in the victim’s medical record for any future correspondence.

FORMS

Attachment A- Prevention, Mitigation and Resolution Procedures

Addendum A - Potential Identity Theft Red Flags

Attachment B - Identity Theft Notification Form

Identity Theft Fraud Affidavit Form

The SVP of Revenue Management shall develop, publish and maintain the policies, instructions and procedures necessary for the implementation and continuance of this policy. This policy shall supersede all other applicable policies. Centura Health should review this policy annually or when changes are made with all associates listed as stakeholders.

Attachment A

Relevant Identity Theft Red Flags Mitigation and Resolution Procedures

Identity Theft Red Flag / Prevention/ Mitigation Procedure / Resolution of Red Flag (Suggestions) /
Documents provided for identification appear to have been altered or forged / Scan the provided information and ask for additional identification. Apply the CCI PA- See Notes- Memo Tab and note the account in Meditech / Additional identification is received. Change the information as appropriate and note the account(s)
Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the patient. For example, there is a lack of correlation between the Social Security Number (SSN) range and date of birth. / Scan the provided information and ask for additional identification. Apply the CCI PA- See Notes- Memo Tab and note the account in Meditech / Additional information is received. If appropriate, create a new unit number. Change/ Update the information as appropriate and note the account(s)
The SSN provided is the same as that submitted by other persons opening an account or other customers. / Ask for additional documentation with SSN information. Use the default SSN until proof is provided. Apply the CCI SS- Verify SSN and note the account in Meditech / Additional documentation must be provided to resolve discrepancy
Patient has an insurance number but never produces an insurance card or other physical documentation of insurance / Ask for documentation. If unable to verify the insurance using the automated system, enter as Self Pay and note the account in Meditech with the provided information / Additional documentation must be provided to resolve discrepancy
Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient (e.g., inconsistent blood type). / Clinical associates should investigate complaint, alert Patient Access management, and review previous files for potential inaccurate records. Items to consider include: blood type, age, race, and other physical descriptions may be evidence of medical identify theft. / Patient Access should investigate and initiate an Error Correction SWAT Team as applicable. Investigation could result in creating a new record or re-verifying identifying information with patient.
Refer to EMR Error Identification and Resolution Process Map- Real Time Error-Correction by SWAT Team
MODULE INTEGRATION
Complaint/inquiry from an individual based on receipt of:
-  a bill for another individual
-  a bill for a product or service that the patient denies receiving
-  a bill from a health care provider that the patient never patronized
-  a notice of insurance benefits (or Explanation of Benefits) for health services never received. / Investigate complaint, interview individuals as appropriate. Follow the Red Flag Rules Identify Theft/ Victim of Crime Prevention Policy / Place the account on hold until identity has been accurately resolved.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.
Complaint/ inquiry from a patient about information added to a credit report by a health care provider or insurer / Investigate complaint, interview individuals as appropriate. Follow the Red Flag Rules Identify Theft/ Victim of Crime Prevention Policy / Place the account on hold until identity has been accurately resolved.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.
Complaint or question from a patient about the receipt of a collection notice from a bill collector. / Investigate complaint, interview individuals as appropriate. Follow the Red Flag Rules Identify Theft/ Victim of Crime Prevention Policy / Place the account on hold until identity has been accurately resolved.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.
Patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached / Investigate complaint, interview individuals as appropriate. Follow the Red Flag Rules Identify Theft/ Victim of Crime Prevention Policy / Additional documentation must be provided to resolve discrepancy and continue admission/billing process. Contact insurance company as necessary.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.
Hospital is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. / Investigate to determine if wrong individual has been billed. / Additional documentation must be provided to resolve discrepancy and continue admission/billing process. Contact insurance company as necessary.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.
Personal identifying information provided by the patient is associated with known fraudulent activity as indicated by internal or third-party sources used by the Hospital. For example:
-  The address on an application is the same as the address provided on a fraudulent application; or
-  The phone number on an application is the same as the number provided on a fraudulent application. / Investigate complaint, interview individuals as appropriate. Ask for additional information as appropriate.
Follow the Red Flag Rules Identify Theft/ Victim of Crime Prevention Policy / Additional documentation must be provided to resolve discrepancy and continue admission/billing process.
If the result of the investigation do not indicate fraud, all contact and identifying information is re-verified with patient.

Addendum A