§ 36.03 IDENTIFICATION OF RED FLAGS.
   (A)   A RED FLAG is a pattern, practice or specific activity that indicates the possible existence of identity theft. In other words, a red flag is a warning sign regarding the possibility of identity theft.
   (B)   In identifying red flags relevant to its operations, provider has:
      (1)   Reviewed the examples of red flags found in the red flag rules (see the supplement to the guidelines), including fraud or active duty alerts, notice of credit freeze, notice of address discrepancy from a consumer reporting agency;
      (2)   Considered the factors specified in § 36.02 above; and
      (3)   Incorporated red flags from sources such as changes in identity theft risks of which provider becomes aware and applicable regulatory guidance.
   (C)   Based on the process specified in § 36.03 above, provider has identified the following situations as red flags that should alert provider personnel to the possibility of identity theft:
      (1)   A patient submits a driver's license, insurance card or other identifying information that appears to be altered or forged;
      (2)   The photograph on a driver's license or other government-issued photo I.D. submitted by a patient does not resemble the patient;
      (3)   Information on one form of identification submitted by a patient is inconsistent with information on another form of identification, or with information already in provider's records or information obtained from other sources such as a consumer credit database;
      (4)   A patient has an insurance member number but no insurance card;
      (5)   The Social Security Number (SSN) or other identifying information furnished by a patient is the same as identifying information in provider's records furnished by another patient;
      (6)   The SSN furnished by a patient has not been issued, is listed on the Social Security Administration's death master file, or is otherwise invalid. The following numbers are always invalid:
         (a)   The first three digits are in the 800, 900 or 000 range, or in the 700 range above 772, or are 666;
         (b)   The fourth and fifth digits are 00; or
         (c)   The last four digits are 0000;
      (7)   The address given by a patient does not exist or is a post office box, or is the same address given by an unusually large number of other patients;
      (8)   The phone number given by the patient is invalid or is associated with a pager or an answering service, or is the same telephone number submitted by an unusually large number of other patients;
      (9)   The patient refuses to provide identifying information or documents;
      (10)   Personal identifying information given by a patient is not consistent with personal identifying information in provider's records, or with information provided by another source such as an insurance company or consumer credit database;
      (11)   A patient's signature does not match the signature on file in provider's records;
      (12)   A patient contacts provider or provider's billing service and indicates that he or she has received an invoice, explanation of benefits or other document reflecting a transport that the patient claims was never received;
      (13)   Mail correspondence is returned to provider or provider's billing service despite continued activity associated with that mailing address;
      (14)   Provider or provider's billing service receives a warning, alert or notification from a credit reporting agency, law enforcement or other credible source regarding a patient or a patient's insurance information;
      (15)   Provider or a service provider has suffered a security breach, loss of unprotected data or unauthorized access to patient information;
      (16)   An insurer denies coverage due to a lifetime benefit limit being reached or due to an excessive volume of services;
      (17)   A discrepancy exists between medical or demographic information obtained by provider from the patient and the information found in health facility records;
      (18)   Attempts to access an account by persons who cannot provide authenticating information.
   (D)   Provider shall update the foregoing list of red flags as part of its annual update of the program.
   (E)   All provider personnel have an affirmative obligation to be vigilant for any evidence of a red flag and to notify their immediate supervisor, or the program compliance officer, to report the red flag.
(Ord. 2416, passed 7-13-2010)