All official Centura Health policies are maintained ...



All official Centura Health policies are maintained electronically and are subject to change from time to time. No printed policy should be taken as the official policy except to the extent it is consistent with the current policy that is electronically maintained.

|Policy Title: Red Flag Rules-Identity Theft/Victim of Crime Prevention Policy |

|Department: Compliance, Revenue Management, Patient Access and Health Information Management |

|Unit: Compliance, Revenue Management, Patient Access and Health Information Management |

|Effective Date: 11/01/06 |

|Date Last Reviewed: 03/01/07, 10/01/08, 07/01/09, 10/16/09, 7/30/11 |

|Last Revised Date: 03/01/07, 10/01/08, 07/01/09, 10/16/09, 7/30/11 |

|Initiated By: Legal, Compliance, Revenue Management, Patient Access, Health Information Management |

|Approved By (Person & title): Angela Cox, VP Revenue Management |

STATEMENT OF POLICY: Centura Health will implement an Identity Theft Prevention Program designed to identify, detect, protect against, and mitigate Identity Theft of a patient’s identity especially with regard to their identifying information contained in the patient clinical or billing record.

After appropriate investigation and depending on the circumstances, Centura Health facilities may report criminal activity relating to the theft of services or a patient’s identity to appropriate authorities, and shall take appropriate steps to mitigate harm to any person whose name or other Identifying Information is reasonably believed by Centura Health to have been used unlawfully or inappropriately.

PURPOSE: To develop and implement a written identity theft prevention program designed to identify, detect, protect against, and mitigate identity theft in connection with a patient’s clinical or billing record.

STAKEHOLDERS: Administration, Compliance, Legal, Patient Access, Health Information Management (HIM), Revenue Management, Self Pay Vendors and Information Technology

SCOPE: All Centura Facilities, Avista Adventist, St. Anthony North, St. Anthony, Summit Medical Center, Porter Adventist, Littleton Adventist, Parker Adventist, Penrose St. Francis, St. Francis Medical Center, St. Mary Corwin, St. Thomas More, and Castle Rock Adventist( 9/11) and Mercy Regional Medical Center (11/11) including all clinics and urgent care sites that register into Meditech.

DEFINITIONS:

1. A “Covered Account” is an account primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to patients or a Centura Health Facility from Identity Theft, including financial, operational, compliance, reputation or litigation risks. A “Covered Account” includes a patient’s clinical or billing record.

2. “Identity Theft” refers to a fraud that is committed or attempted using a person’s identifying information without authority.

3. “Identifying Information” means any name or number that may be used alone, or in conjunction with other information, to identify a specific person. Identifying information includes: (1) name, social security number, date of birth, official state or government issued driver’s license or identification number, government passport number, employer or taxpayer identification number; (2) unique biometric data such as fingerprint, voiceprint, retina or iris image, or other unique physical representation; (3) unique electronic identification number, address, or routing code; (4) telecommunication identifying information or access device.

4. “Red Flags” are indicators of a pattern, practice or specific activity that indicates the possible existence of Identity Theft.

5. “Service Provider” means a person that provides a service directly to a Centura Health facility. This may include consultants, independent contractors and subcontractors who provide services directly to a Centura Health facility.

Requirements

1. Identifying Covered Accounts. Centura Health shall develop procedures to identify Covered Accounts in that region or facility. Covered Accounts include:

▪ A patient’s clinical record

▪ A patient’s billing record

2. Identifying Red Flags. Centura Health shall develop procedures to identify factors that could be Red Flags to possible Identity Theft in that facility. Some common examples of Red flags include, but are not limited to:

▪ Obvious alteration of identification documents

▪ Obviously inconsistent photos

▪ Social Security Number is the same as another patient

▪ Identifying Information provided is inconsistent with information on file with no apparent reason for the difference

▪ Suspicious activity related to a patient’s clinical or billing record

▪ Notification of Identity Theft or Identity Theft concerns by a patient, law enforcement, or any other person acting on behalf of a patient

3. Detecting Red Flags. Centura Health shall develop procedures to authenticate the patient’s identity, monitor Covered Account transactions, and verify the validity of change-of-address requests. Such procedures may include but are not limited to 1) requiring the patient to produce identifying information to verify his or her identity when establishing a Covered Account or when a patient presents for service at the facility, provided that such verification does not delay access to an emergency medical screening exam and stabilization; 2) monitoring attempts by unauthorized users to access a Covered Account.

4. Responding to Red Flags. Centura Health shall develop procedures that provide for appropriate responses for preventing and mitigating Identity Theft. At a minimum, procedures should address:

▪ Responsibility for the Identity Theft prevention program

▪ Who will investigate Red Flags and recommend action (may vary depending on the Red Flag)

▪ How Centura Health facilities will respond to Identity Theft alerts from patients, law enforcement or others

▪ How patients’ Covered Accounts are monitored

▪ How and when Centura Health facilities will contact the patient when questions or concerns arise or when changing passwords or security codes is required

▪ How a patient’s clinical record will be corrected when necessary

▪ Circumstances when Centura Health will refrain from collecting on a Covered Account or sending a Covered Account to collection

▪ When law enforcement or other agencies should be notified.

5. Periodic Updating. Identity theft policies and procedures shall be updated periodically to reflect changing risks from Identity Theft, changes in methods used to detect and prevent Identity Theft and changes in business unit structures, should these occur.

6. Oversight of Service Provider Relationships. If a Centura Health facility engages a Service Provider to perform any activity related to a Covered Account, Centura Health shall establish a procedure to educate the Service Provider on its procedures to identify, detect, and respond to Identity Theft, or the Service Provider will be required by contract to have Identity Theft policies and procedures in place and to report possible Identity Theft to Centura Health.

7. Employee Training. Centura Health shall educate employees on Centura Health’s Identity Theft Prevention Program to ensure understanding of and compliance with Identity Theft Prevention Program requirements. Centura Health facilities shall document the provision of such education and maintain records regarding such education for at least six years.

8. Oversight of System Identity Theft Program. Compliance and Revenue Management departments shall have responsibility for preparing and delivering an annual report on the development, implementation, and administration of the Identity Theft Prevention Program to the Centura Health Board of Directors. Such report will include an assessment of the effectiveness of policies and procedures that address the risk of Identity Theft, Service Provider oversight and compliance, significant incidents of Identity Theft and management’s response to these incidents, and recommendations for material changes to the program.

References:

Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule. Available at:

Colorado Revised Statutes § 18-13-124 (Dissemination of false information to obtain hospital admittance or care); §§ 18-5-901 through 18-5-905 (Identity theft)

PROCEDURE: The guidelines below must be used when a consumer, internal department, credit agency, attorney, or other entity notifies Centura Health that they have information regarding an identity that has been used by another person, without consent, to receive medical services.

1. The consumer will be advised to file a formal police report and asked to provide a copy of the police report to the facility or Revenue Management.

2. Upon the consumer’s arrival at the facility or Revenue Management, a designated representative (appointed by each location) will take a copy of the following documents:

a. The police report

b. Obtain copies of two forms of ID (something that shows name and physical address, e.g. utility bill), one of which must be a photo ID (driver’s license).

3. The designated representative of the facility or Revenue Management will request that the consumer sign his/her name three times on a sheet of paper.

4. The designated representative of the facility or Revenue Management will request that the consumer complete the ID Theft Affidavit.

5. Once the police report, 2 forms of ID, including a photo ID and signatures are collected, the designated representative will advise the consumer that the account will be placed on hold for 45 days while an investigation is performed.

6. The internal investigation will include:

a. Comparing the sample signatures provided to the consent form from scanned documents or HIM.

b. Contacting the primary care provider (PCP) office for verification of the consumer’s identity, if applicable.

c. Investigate if the consumer has other Centura visits with any similar occurrences.

7. The designated representative will be responsible for documenting the investigation in the Meditech system (B/AR comments).

8. If the consent form signature comparison is inconclusive, the designated representative will be responsible for requesting copies of the Discharge Form from HIM.

9. Once the signed Medical Consent/Discharge forms are obtained, the designated representative will compare the signatures on the driver’s license and the signature sample taken against the signature on the Consent/Discharge Form(s).

a. Signature Match – Inform the consumer of the findings, explaining the balance is due in full. Update the outside billing vendor if applicable, releasing the account hold and document the results of the account investigation in Meditech. Inform additional billing providers, such as Pathologists, ER Physician, Radiologist, and Physicians on record.

b. Signatures Do Not Match – Inform the consumer of the findings. Apply the appropriate administrative adjustment (FCFR – Identity Theft/ Fraud), and document the results of the account investigation in Meditech. Inform additional billing providers, such as Pathologists, ER Physician, Radiologist, and Physicians on record.

In the event that the designated representative can not conduct the notification of the other providers listed above, inform the consumer that he or she may need to notify relevant other providers and inform them of the decision made by Centura Health.

10. The designated representative should change the erroneous account:

a. If the designated representative can determine the patient to whom the account belongs – perform a “switch” function under the correct medical record number.

b. If the designated representative cannot determine the patient to whom the account belongs - perform a “switch” function with a new medical record number using XXXX as the patient name. Protection, ID Facility Abbreviation DOS Example: Protection, ID SC (011011)

i. Process an Administrative Adjustment to remove the charges.

11. The designated representative should correct all of the information on the consumer’s account. Scan the appropriate documents that show the correct information. Place a critical indicator on the account to always obtain the consumer’s driver’s license when the consumer presents for services.

12. After the investigation is completed an Identity Theft Account Completed form is to be placed in the victim’s medical record for any future correspondence.

FORMS

Attachment A- Prevention, Mitigation and Resolution Procedures

Addendum A - Potential Identity Theft Red Flags

Attachment B - Identity Theft Notification Form

Identity Theft Fraud Affidavit Form

The SVP of Revenue Management shall develop, publish and maintain the policies, instructions and procedures necessary for the implementation and continuance of this policy. This policy shall supersede all other applicable policies. Centura Health should review this policy annually or when changes are made with all associates listed as stakeholders.

Attachment A

Relevant Identity Theft Red Flags Mitigation and Resolution Procedures

|Identity Theft Red Flag |Prevention/ Mitigation Procedure |Resolution of Red Flag (Suggestions) |

|Documents provided for identification appear to have |Scan the provided information and ask for additional |Additional identification is received. Change the |

|been altered or forged |identification. Apply the CCI PA- See Notes- Memo Tab |information as appropriate and note the account(s) |

| |and note the account in Meditech | |

|Personal identifying information provided by the |Scan the provided information and ask for additional |Additional information is received. If appropriate, |

|customer is not consistent with other personal |identification. Apply the CCI PA- See Notes- Memo Tab|create a new unit number. Change/ Update the |

|identifying information provided by the patient. For |and note the account in Meditech |information as appropriate and note the account(s) |

|example, there is a lack of correlation between the | | |

|Social Security Number (SSN) range and date of birth. | | |

|The SSN provided is the same as that submitted by |Ask for additional documentation with SSN information.|Additional documentation must be provided to resolve |

|other persons opening an account or other customers. |Use the default SSN until proof is provided. Apply the|discrepancy |

| |CCI SS- Verify SSN and note the account in Meditech | |

|Patient has an insurance number but never produces an |Ask for documentation. If unable to verify the |Additional documentation must be provided to resolve |

|insurance card or other physical documentation of |insurance using the automated system, enter as Self |discrepancy |

|insurance |Pay and note the account in Meditech with the provided| |

| |information | |

|Records showing medical treatment that is inconsistent|Clinical associates should investigate complaint, |Patient Access should investigate and initiate an |

|with a physical examination or with a medical history |alert Patient Access management, and review previous |Error Correction SWAT Team as applicable. |

|as reported by the patient (e.g., inconsistent blood |files for potential inaccurate records. Items to |Investigation could result in creating a new record or|

|type). |consider include: blood type, age, race, and other |re-verifying identifying information with patient. |

| |physical descriptions may be evidence of medical | |

| |identify theft. |Refer to EMR Error Identification and Resolution |

| | |Process Map- Real Time Error-Correction by SWAT Team |

| | | |

| | |MODULE INTEGRATION |

| | | |

|Complaint/inquiry from an individual based on receipt |Investigate complaint, interview individuals as |Place the account on hold until identity has been |

|of: |appropriate. Follow the Red Flag Rules Identify Theft/|accurately resolved. |

|a bill for another individual |Victim of Crime Prevention Policy | |

|a bill for a product or service that the patient | |If the result of the investigation do not indicate |

|denies receiving | |fraud, all contact and identifying information is |

|a bill from a health care provider that the patient | |re-verified with patient. |

|never patronized | | |

|a notice of insurance benefits (or Explanation of | | |

|Benefits) for health services never received. | | |

|Complaint/ inquiry from a patient about information |Investigate complaint, interview individuals as |Place the account on hold until identity has been |

|added to a credit report by a health care provider or |appropriate. Follow the Red Flag Rules Identify Theft/|accurately resolved. |

|insurer |Victim of Crime Prevention Policy | |

| | |If the result of the investigation do not indicate |

| | |fraud, all contact and identifying information is |

| | |re-verified with patient. |

|Complaint or question from a patient about the receipt|Investigate complaint, interview individuals as |Place the account on hold until identity has been |

|of a collection notice from a bill collector. |appropriate. Follow the Red Flag Rules Identify Theft/|accurately resolved. |

| |Victim of Crime Prevention Policy | |

| | |If the result of the investigation do not indicate |

| | |fraud, all contact and identifying information is |

| | |re-verified with patient. |

|Patient or insurance company report that coverage for |Investigate complaint, interview individuals as |Additional documentation must be provided to resolve |

|legitimate hospital stays is denied because insurance |appropriate. Follow the Red Flag Rules Identify Theft/|discrepancy and continue admission/billing process. |

|benefits have been depleted or a lifetime cap has been|Victim of Crime Prevention Policy |Contact insurance company as necessary. |

|reached | | |

| | |If the result of the investigation do not indicate |

| | |fraud, all contact and identifying information is |

| | |re-verified with patient. |

| | | |

|Hospital is notified by a customer, a victim of |Investigate to determine if wrong individual has been |Additional documentation must be provided to resolve |

|identity theft, a law enforcement authority, or any |billed. |discrepancy and continue admission/billing process. |

|other person that it has opened a fraudulent account | |Contact insurance company as necessary. |

|for a person engaged in identity theft. | | |

| | |If the result of the investigation do not indicate |

| | |fraud, all contact and identifying information is |

| | |re-verified with patient. |

| | | |

|Personal identifying information provided by the |Investigate complaint, interview individuals as |Additional documentation must be provided to resolve |

|patient is associated with known fraudulent activity |appropriate. Ask for additional information as |discrepancy and continue admission/billing process. |

|as indicated by internal or third-party sources used |appropriate. | |

|by the Hospital. For example: | |If the result of the investigation do not indicate |

|The address on an application is the same as the |Follow the Red Flag Rules Identify Theft/ Victim of |fraud, all contact and identifying information is |

|address provided on a fraudulent application; or |Crime Prevention Policy |re-verified with patient. |

|The phone number on an application is the same as the | | |

|number provided on a fraudulent application. | | |

Addendum A

Potential Identity Theft Red Flags

Suspicious Documents

1. A patient has an insurance number but never produces an insurance card or other physical documentation of insurance. Bear in mind that there may be legitimate reasons why a patient may not have an insurance card with them.

2. A patient presents documents for identification that appear obviously altered or forged.

3. A photograph or physical description on a patient’s identification is inconsistent with the appearance of the patient. Be respectful of the fact that while generally race and gender will not change, the appearance of some patients may change dramatically due to illness.

4. Other information on identification is inconsistent with information provided by the patient and there is no apparent reason for the discrepancy.

Suspicious Personal Information

5. Records show medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient. Examples include but are not limited to records that show substantial differences in age, race and other physical descriptions.

6. Clinical indicators do not match. For example, a patient presents with a blood type that is inconsistent with existing records for that patient.

7. Personal identifying information provided by the patient is inconsistent with other personal identifying information previously provided by the patient. Be respectful of the fact that some of our patients may have medical conditions where they have difficulty remembering information that was provided previously.

8. A Social Security Number provided matches that of another patient or patients.

9. A Social Security Number provided is not valid. The SSN consists of three fields: the area number (first three digits), group number (fourth and fifth digits), and serial number (last four digits). No valid SSN will have a group number of 00 or a serial number of 0000. The area numbers 666, 772, or above in the 700, 800, or 900 series are also invalid.

10. An address or phone number provided matches that supplied by a large number of patients.

Notices from Victims

11. A patient contacts us with questions because the patient has received:

• A bill for another individual

• A bill for a product or service that the patient denies receiving

• A bill from a health care provider that the patient never patronized, or

• An Explanation of Benefits or other notice for health services that the patient denies receiving.

12. A patient contacts us with questions because the patient has received a collection notice from a bill collector for services the patient denies receiving.

13. A patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.

14. A patient contacts us with questions about information added to a credit report by a health care provider or insurer.

15. A patient contacts us to dispute a bill and claims to be the victim of any type of identity theft. The patient should be asked whether a police report has been filed.

Other

16. A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency is received. For example, fraudulent billing by a physician could result in false information in a health record that may affect the treatment of patients. Another example is hospital or clinic employees using their legitimate access to health files to commit identity theft.

17. Law enforcement or another reliable source reports that personal identifying information provided to Centura Health is associated with known fraudulent activity.

Name_____________________________________ Phone Number_________________

IDENTITY THEFT AFFIDAVIT

1) My full legal name is ________________________________________________________________

(First) (Middle) (Last) (Jr., Sr, III)

2) (If different from above) When the events described in the affidavit took place, I was known as

3) ________________________________________________________________________________

(First) (Middle) (Last) (Jr., Sr., III)

4) Name of my Primary Care Physician (PCP)______________________ Phone ( ) NA( )

5) My date of birth is __________________________

(Day/Month/Year)

6) My Social Security number is_________________________________________

7) My driver’s license or identification card state and number are_____________________________

8) My current physical address is___________________________________________________

City_______________________________ State________________ Zip Code_________________

9) I have lived at this address since________________________

(Month/Year)

(10) (If different from above) When the events described in this affidavit took place, my physical address was_____________________________________________________________________________

City______________________________ State_____________________ Zip Code___________

(11) I lived at the address in Item 8 from _____________ until _____________

(Month/Year) (Month/Year)

(12) My daytime telephone number is (___) _____________________

My evening telephone number is (___) _____________________

My cell phone number is (___) ____________________________

(13) Who may we leave a message with other than yourself?

Name___________________________________

Phone Number (___) _______________________

Name_____________________________________ Phone Number_________________

Check all that apply for items 14-19

(14) I did not authorize anyone to use my name or personal information to seek the money, credit, loans,

goods or services described in this report.

(15) I did not receive any benefit, money, goods or services as a result of the events described in this report.

(16) My identification documents (for example, credit cards; birth certificate; driver’s license; Social

Security card; etc.) were stolen lost on or about _________________________________.

(Day/Month/Year)

(17) To the best of my knowledge and belief, the following person(s) used my information (for example, my

name, address, date of birth, existing account numbers, Social Security number, mother’s maiden name, etc.) or identification documents to get money, credit loans, goods or services without my knowledge or authorization:

_______________________________ ________________________________________

Name (if known) Name (if known)

_______________________________ ________________________________________

Address (if known) Address (if known)

_______________________________ ________________________________________

Phone number(s) (if known) Phone number(s) (if known)

_______________________________ ________________________________________

Additional information (if known) Additional information (if known)

(18) I do NOT know who used my information or identification documents to get money, credit, loans,

goods or services without my knowledge or authorization.

(19) Additional Comments: (For example, description of the fraud, which documents or information were

used or how the identity thief gained access to your information.)

________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

(Attach additional pages as necessary.)

Name_____________________________________ Phone Number_________________

(20) (Check one) I am am not willing to assist in the prosecution of the person(s) who committed

this fraud.

(21) (Check one) I am am not authorizing the release of this information to law enforcement for the

purpose of assisting them in the investigation and prosecution of the person(s) who committed this fraud.

(22) (Check all that apply) I have have not reported the events described in this affidavit to the

police or other law enforcement agency. The police did did not write a report. In the event you have contacted the police or other law enforcement agency, please complete the following:

_________________________________ _______________________________________

(Agency #1) (Officer/Agency personnel taking report)

_________________________________ _______________________________________

(Date of report) (Report number, if any)

_________________________________ _______________________________________

(Phone number) (email address, if any)

_________________________________ _______________________________________

(Agency #2) (Officer/Agency personnel taking report)

_________________________________ _______________________________________

(Date of report) (Report number, if any)

_________________________________ _______________________________________

(Phone number) (email address, if any)

Please indicate the supporting documentation you are able to provide to the companies you plan to notify. Attach copies (NOT originals) to the affidavit before sending it to the companies.

(23) A copy of a valid government-issued photo-identification card (for example, your driver’s license,

state-issued ID card or your passport).

(24) Proof of residency during the time the disputed bill occurred, the loan was made or the other event

took place (for example, a rental/lease agreement in your name, a copy of a utility bill or a copy of

of an insurance bill.)

Name_____________________________________ Phone Number_________________

(25) A copy of the report you filed with the police or sheriff’s department. If you are unable to obtain a

report or report number from the police, please indicate that in Item (22). Some companies only need

the report number, not a copy of the report. You may want to check with each company.

I certify that, to the best of my knowledge and belief, all the information on and attached to this affidavit is true, correct, and complete and made in good faith. I also understand that this affidavit or the information it contains may be made available to federal, state, and/or local law enforcement agencies for such action within their jurisdiction as they deem appropriate. I understand that knowingly making any false or fraudulent statement or representation to the government may constitute a violation of 18 U.S.C. 1001 or other federal, state or local criminal statutes, and may result in imposition of a fine or imprisonment or both.

____________________________________________ _________________________________

(Signature) (Date Signed)

Please have one witness (non-relative) sign below that you completed and signed this affidavit.]

Witness:

________________________________________________ _____________________________

(Signature) (Printed name)

_________________________________________________ _____________________________

(Date) (Telephone number)

Attachment B

Identity Theft/ Victim of Crime

As set forth in the accompanying policy and procedure, Attachment B needs to be completed as part of the investigation of identity theft. Once the investigation is finalized this form should be used to correct the information.

We recently received notification from ___________________ (Name of Consumer) that his/her identity was used fraudulently by another individual to obtain services at __________________ (Name of Provider).

|Medical Record Number: |Date of Service: |

|Account Number: | |

| |Registered Information |Corrected Information |

|Patient Name | | |

|Date of Birth | | |

|Social Security Number | | |

|Address | | |

|Phone Number | | |

|Physician | | |

|Insurance | | |

|Medical Record Number | | |

|Account Number | | |

Proof of Identity

Has the consumer provided Centura Health with proof of his or her identity? □ Yes □ No

o Yes, attach a copy to this form as part of the investigation

o No, was the consumer advised he/she will need to provide proof of identity?

Proof of identity includes any government issued identification, including driver’s license, identification card, military ID, social security card, or passport (one must include a picture)

Police Report

Has the consumer filed a police report testifying that identity theft has in fact occurred? □ Yes □ No

o Yes, request a copy and attach it to this form as part of the investigation

o No, was the consumer advised that he/she will need to file a police report testifying to the identity theft? □ Yes □ No

Notarized Fraud Affidavit

Has the consumer executed a notarized and/or witnessed fraud affidavit testifying that identity theft has in fact occurred, specifically listing the account(s) in question? □ Yes □ No

o Yes, attach a copy to this form as part of the investigation

o No, was the consumer advised that he/she will need to execute and notarize a fraud affidavit testifying that he account(s) in question are a direct result of the fraudulent use of his/her identity? □ Yes □ No

Has the consumer been provided with a blank fraud affidavit? □ Yes □ No

If no, please provide the consumer with a copy of the attached fraud affidavit.

|Completed by: |

|Date: |Phone Number: |

-----------------------

VICTIM INFORMATION

HOW THE FRAUD OCCURRED

VICTIM’S LAW ENFORCEMENT ACTIONS

DOCUMENTATION CHECKLIST

SIGNATURE

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download