Risk Management

Policies and Procedures

Red Flags Policy and Procedures - Health Care Clinics

Purpose

Due to growing Identity Theft concerns, the Federal Trade Commission (FTC) has issued "Red Flag Rules" to assist entities in detecting, preventing, and mitigating Identity Theft. To comply with the FTC Rules, NSU has adopted the following Identity Theft Prevention Policy for the Nova Southeastern University system. It is the responsibility of NSU Health Care Clinic employees to familiarize themselves with the Red Flag examples and follow the procedures outlined below.

Policy

It is the policy of Nova Southeastern University to comply with the FTC Red Flag Rules in its healthcare clinical operations. All employees working in healthcare clinical operations will be familiar with the Red Flag Rules.

Covered Patient Accounts

The Red Flag Policy applies to “covered accounts,” which include Patient Accounts maintained by NSU Health Care Clinics.

The following are examples of Covered Patient Accounts at NSU Health Care Clinics:

  • NSU Health Care Provider patient payment plan accounts
  • NSU Health Care Provider non-emergency patient billing accounts

Procedure

I. Identification of Red Flags

There are several categories of Red Flags. Although some Red Flags can appear harmless on their own, they may signal identity theft when paired with one or more others.

The following are relevant Red Flags, in each of the listed categories, which NSU Health Care Clinic employees should be aware of and diligent in monitoring for when dealing with covered patient accounts:

  1. Suspicious Documents
    • Identification document or card that appears to be forged, altered or inauthentic;
    • Identification document or card on which a person’s photograph or physical description is not consistent with the person presenting the document;
    • Other information on the identification is not consistent with information provided by the person opening a new covered patient account or patient presenting the identification;
    • Other information on the identification is not consistent with readily accessible information that is on file with the municipality, such as a signature card or a recent check; and
    • Application for service that appears to have been altered or forged or gives the appearance of having been destroyed and reassembled.
  2. Suspicious Personal Identifying Information
    • Identifying information presented that is inconsistent with other information the patient provides (example: inconsistent birth dates);
    • Photograph or physical description on the identifying information is not consistent with the appearance of the patient presenting the information;
    • Identifying information presented that is inconsistent with other sources of information (for instance, an address not matching an address on a credit report);
    • Identifying information presented that is the same as information shown on other applications that were found to be fraudulent;
    • Identifying information presented that is consistent with fraudulent activity, such as
      • The phone number is invalid or is associated with a pager or answering service
      • The billing address is fictitious, a mail drop, or a prison
    • Social Security number presented that is the same as one given by another patient, has not been issued, or is listed on the Social Security Administration’s Death Master File;
    • An address or phone number presented that is the same as that of another person/patient;
    • A patient fails to provide complete personal identifying information on an application when opening the covered patient account or in response to a notification that the application is incomplete;
    • A patient’s identifying information is not consistent with the information that is on file for the patient;
    • When using security questions (e.g., mother’s maiden name or high school mascot), the patient opening the covered patient account cannot provide identifying information beyond that which is usually contained in a wallet or found in a consumer report;
    • A request to mail information contained in a covered patient account to an address not listed on file.
  3. Suspicious Account Activity or Unusual Use of Account
    • Change of address for an account followed by a request to change the account holder's name;
    • Change of address for an account followed by a request for new, additional, or replacement services, or for the addition of authorized users on the account;
    • A covered patient account is used that has been inactive for a lengthy period of time, taking into consideration the type of account, the expected pattern of usage, and other relevant factors;
    • Payments stop on an otherwise consistently up-to-date account;
    • Account used in a way that is not consistent with prior use, for example:
      • very high activity;
      • nonpayment when there is no history of late or missed payments;
      • a material change in purchasing or usage patterns
    • Mail sent to the account holder/patient is repeatedly returned as undeliverable;
    • Notice to an NSU Health Care Clinic that a patient is not receiving mail or account statements sent by NSU;
    • Notice to an NSU Health Care Clinic that an account has unauthorized activity;
    • Breach in an NSU Health Care Clinic’s computer system security; and
    • Unauthorized access to or use of patient account information.
  4. Alerts from Others
    • Notice to an NSU Health Care Clinic from a patient, victim of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered patient accounts.
  5. Additional Red Flags Specific to NSU Health Care Clinics
    • Documents provided for identification appear to have been altered or forged
    • Personal identifying information provided by the patient is not consistent with other personal identifying information provided by the patient (e.g., Social Security Number (SSN) range does not correlate with date of birth)
    • The Social Security Number provided is the same as that submitted by other new patients opening an account or existing patients
    • A patient who has an insurance number but has never produced an insurance card or other physical documentation of insurance;
    • Records showing medical treatment that are inconsistent with a physical examination or medical history as reported by the patient
    • Complaint/inquiry from an individual based on receipt of:
      • A bill for another individual
      • A bill for a product or service that the patient denies receiving
      • A bill from an NSU Health Care provider that the patient never patronized
      • A notice of insurance benefits or Explanation of Benefits for health services never received
    • A fraud or identity theft related complaint or question from a patient about the receipt of a collection notice from a collection service
    • A patient or insurance company report that coverage for legitimate service is denied because insurance benefits have been depleted or a lifetime cap has been reached
    • A complaint or question from a patient about information added to a credit report by an NSU Health Care Clinic provider or insurer;
    • A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency;
    • Mail sent to the patient is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the patient’s covered account
    • An NSU Health Care Clinic is notified by a patient, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
    • Personal identifying information provided by the patient is associated with known fraudulent activity as indicated by internal or third-party sources used by NSU Health Care Clinics. For example, the name, address or phone number on the application is the same as the address provided on a fraudulent application.

II. Detecting Red Flags

The following protocol must be followed for opening new patient accounts, maintaining existing patient accounts, and accessing covered patient accounts:

  1. New Patient Accounts
    In order to detect any of the Red Flags identified above associated with the opening of a new patient account, NSU Health Care Clinic employees must take the following steps to obtain and verify the identity of the patient opening the account:
    • Require identifying information, including name, date of birth, residential or business address, driver's license or other photo identification;
    • Verify the patient’s identity (for instance, review a driver's license or other I.D. card);
    • Independently contact the patient to verify the new patient account.
  2. Existing Patient Accounts
    In order to detect any of the Red Flags identified above for an existing account, NSU Health Care Clinic employees must take the following steps to monitor transactions with an account:
    • Verify the identification of the patient if they request information (either in person, via telephone, via facsimile, or via email) by asking them to provide the identifying information on file;
    • Verify the validity of requests to change billing addresses with the patient; and
    • Verify changes in banking information given for billing and payment purposes.
  3. Methods to Access Patient Accounts
    • Disbursement of information contained in patient accounts obtained in person requires provision of photo identification
    • Disbursement of information contained in patient accounts by mail can only be mailed to the address on file under the patient account
    • Refunds of credit balances can only be mailed to an address on file or picked up in person by showing photo identification.
    • Credit card information used in association with patient accounts must be maintained in accordance with NSU’s Credit Card Processing Controls in Clinical Business Sites Policy.

III. Responding to Red Flags

When a potentially fraudulent activity is detected, NSU must act quickly as appropriate to protect patients. In the event an NSU Health Care Clinic employee detects any of the identified Red Flags, the following steps shall be taken to respond to and mitigate identity theft:

  1. Stop the billing/admissions process and require provision of additional documentation to resolve the discrepancy. The reporting employee shall notify his/her supervisor or designated authority of the discrepancy for further instruction.
    1. DCO Clinical Collections Services will be notified and instructed to place a hold and flag suspected patient accounts in the appropriate clinical information system.
    2. DCO Clinical Information Systems Support will be notified to lock the suspicious patient account in the appropriate clinical information systems.
  2. The supervisor or designated authority will complete additional authentication to determine whether the attempted transaction, based upon information available at that time, could be fraudulent or authentic.
    1. If the discrepancy is resolved, re-verify information with the patient and continue with the billing/admissions process.
    2. If the discrepancy is not resolved, all related documentation should be gathered and a description of the situation should be written utilizing the NSU Health Care Clinics Red Flag Report Form. This information should be presented to a supervisor or designated authority for further instruction. The employee detecting the Red Flag must fill out and complete the Red Flag Report Form. The supervisor or designated authority must fill out the initial action taken.
  3. The supervisor or designated authority will open a file on the suspicious account, which is to be submitted to the Program Administrator for further investigation. For purposes of health care clinic reporting, the file must include the following information:
    1. Copy of any and all documentation from clinical departments supporting the report of suspicious account/patient/individual
    2. A completed NSU Health Care Clinics Red Flag Report Form
    3. Identification of any third party payor sources for the affected patient, including but not limited to federal health programs, which may be affected by the suspicious activity. This information is to include patient name, account number, and third party payor contact information.
  4. The Program Administrator or authorized designee will conduct an investigation to determine whether the attempted transaction was fraudulent or authentic. Depending on the nature and degree of risk posed by the Red Flag, the Program Administrator or authorized designee will:
    1. Instruct the supervisor or designated authority to continue to monitor an account for evidence of identity theft;
    2. Other appropriate responses and actions may include:
      1. Determining that no response is warranted under the particular circumstances;
      2. Canceling the transaction;
      3. Terminating treatment or credit until the discrepancy is resolved;
      4. Contacting the patient against whom the fraud has been attempted;
      5. Changing any passwords or other security devices that permit access to accounts;
      6. Not opening a new patient account;
      7. Closing an existing patient account;
      8. Reopening a patient account with a new account number;
      9. Notifying and cooperating with appropriate law enforcement;
      10. Determining the extent of liability of NSU or damage to NSU; and
      11. Notifying any appropriate insurers or third party payors.
    3. If a consumer report includes an initial fraud alert or an active duty alert regarding a patient account, NSU Health Care Clinic employees must provide additional services to be billed to the patient account for which the fraud alert was issued, unless the employee forms a reasonable belief that he/she knows the identity of the patient making the request and obtains authority from his/her supervisor.
    4. The Program Administrator or authorized designee must complete the remainder of the Red Flag Report Form.
  5. A copy of the Form must be maintained on file with the supervisor or designated authority and the Program Administrator.