Handbook of Operating Procedures

Identity Theft

Policy Number: 182

Subject:

Identity Theft

Scope:

Administrators, Faculty, Researchers, Staff, Students

Date Reviewed:
March 2009
Responsible Office:
Office of Institutional Compliance
Responsible Executive:
Assistant Vice President and Chief Compliance Officer

I. POLICY AND GENERAL STATEMENT

The University of Texas Health Science Center at Houston ("university") strives to detect, prevent and mitigate identity theft through its Identity Theft Prevention Program in accordance with the Federal Trade Commission's Red Flag and Address Discrepancy Rule.

II. DEFINITIONS

Account: any continuing relationship between the university and an Account Holder that permits the Account Holder to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.

Account Holder: Student, Employee, Retired Employee, Patient or other person that has a Covered Account held by or on behalf of the University.

Covered Account: an Account the university offers or maintains or is offered or maintained by a vendor or other third party on behalf of the university primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and any other Account the university offers or maintains for which there is a reasonably foreseeable risk to an Account Holder or to the safety and soundness of the university from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts include, but are not limited to: student loan and tuition accounts; patient medical service accounts; accounts associated with employee benefits; student debit cards; and meal plans.

Identity Theft: any use or attempt by an individual to use another person's individual identifying information to obtain a thing of value including: money, credit, items, or services, such as medical care or education services, to which the individual is not entitled.

Individual Identifying Information: any information that may be used alone or with other information to identify an individual, including, but not limited to: (1) name, social security number, date of birth, telephone/cell number, government issued driver's license or identification number, alien registration number, passport number, employer or taxpayer identification number, credit/debit/banking account numbers; (2) unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation; or (3) unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.

Red Flag: suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur or is occurring in connection with the university's Covered Accounts.

Designated Official: Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with this policy within their respective school or unit.

III. PROCEDURE

The Office of Institutional Compliance shall develop and maintain a list of all operating units identified as holding Covered Accounts that are subject to the Program and the respective Designated Officials for oversight, compliance and periodic risk assessment to keep the Program up to date and to keep the department or office in compliance with the Program and the Red Flag Rules.

The Designated Officials at operating units will annually conduct a risk assessment to determine what university accounts are considered Covered Accounts. The risk assessment must take into consideration the method the university provides to open its accounts; the method the university provides to access its accounts; and the university's previous experiences with identity theft.

Designated Officials are responsible for maintaining the university's Identity Theft Program and for reporting at least annually to the Office of Institutional Compliance on the university's compliance with Federal Trade Commission's Red Flag and Address Discrepancy Rule. Annual reports should update the "red flags" determined to be relevant to reflect changes in the risks to patients and students based on:

  • the experiences of the unit with identity theft;
  • changes in methods of identity theft;
  • changes in the type of accounts that the unit maintains; and
  • changes in methods to detect, prevent and mitigate identity theft

Designated Officials shall identify and detect the relevant "red flags" for the covered accounts that the unit maintains and incorporate those into the program. Possible "red flags" may include:

  • a complaint or question from a patient or student based on the patient or student's receipt of:
    • a bill for another individual
    • a bill for a product or service that the patient or student denies receiving
    • a bill from a health care provider that the patient never patronized or
    • a notice of insurance benefits (or Explanation of Benefits) for health services never received.
  • records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.
  • a complaint or question from a patient or student about the receipt of a collection notice from a bill collector.
  • a patient or insurance company report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
  • a complaint or question from a patient or student about information added to a credit report by a health care provider or insurer.
  • a dispute of a bill by a patient or student who claims to be the victim of any type of identity theft.
  • a patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
  • a notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency.
  • a statement from the patient or student that a bill or Explanation of Benefits was never received and the address on file is incorrect.

Possible methods of detection of "red flags" may include:

  • asking the patient or student for photo identification at each encounter, and in the case of patients, for a copy of the insurance card at each encounter. Note: This detection method may not be appropriate for minors, indigent patients with no insurance, and emergency cases. Each unit should determine in the risk assessment if requesting identification is unduly burdensome on its patient population in light of the risk of identity theft on that population.
  • thoroughly following up each billing inquiry from patients and students, especially inquiries regarding services that were not received, bills for individuals not covered by the policies held, or bills from other health care providers that the patient never saw.
  • periodically auditing medical records to ensure that treatment is consistent on a single individual.

Upon the detection of "red flags," Designated Officials shall respond appropriately to detected red flags to prevent and mitigate identity theft. Depending on the circumstances, mitigation may take on different forms, including:

  • placing an alert on the record to make all relevant employees aware that there may be a problem. In some cases, an alert may be requested by the patient or student.
  • correcting erroneous demographic information in the account record.
  • file extraction. If fraud or medical identity theft can be substantiated, the victim's file is purged (to the extent possible) of all information that was entered as a result of the fraudulent activity and is left with a brief cross-reference and explanation of the deletion. The purged information is then placed into a new dummy file if the thief is unknown or an identified patient's file if the thief is known to preserve the medical information.
  • closing the billing account for the patient or student and opening a new one with a new account number.
  • calling the University of Texas Police - Houston to respond to the crime.
  • determining that no response is warranted under the particular circumstances.

To the extent the university utilizes a third party who receives information related to university's Covered Accounts or who otherwise handles university's Covered Accounts, the university will require via written agreement that the third party:

  • has a written Program in place that ensures compliance by the third party with the Red Flag Rules with respect to all university Covered Accounts; or
  • adopts and complies with the university's Program with respect to all university Covered Accounts.

The university will provide initial training and periodic additional training to all appropriate university employees as necessary to implement and enforce the Program effectively.

The Office of Institutional Compliance shall report to the university President at least annually on compliance with the Program. The report shall address material matters related to the Program and evaluate issues such as:

  • the effectiveness of the policies and procedures in addressing the risk of Identity Theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts;
  • third party service provider agreements relating to Covered Accounts;
  • significant incidents involving identity theft including management's response;
  • recommendations for material changes to the Program.

IV. CONTACTS

ContactTelephoneEmail/Web Address
Office of Institutional Compliance 713-500-3294 http://www.uthouston.edu/compliance/