§ 36.05 RESPONDING TO RED FLAGS.
   (A)   When a red flag is detected, provider personnel shall investigate the situation, as necessary, to determine whether there is a material risk that identity theft has occurred or whether there is a benign explanation for the red flag. The investigation shall be documented in accordance with provider's incident reporting policy. If it appears that identity theft has not occurred, provider may determine that no further action is necessary.
   (B)   Provider's response shall be commensurate with the degree of risk posed by the red flag. In determining an appropriate response, provider shall consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a patient's account records, or notice that a patient has provided information related to a provider account to someone fraudulently claiming to represent provider or to a fraudulent website.
   (C)   If it appears that identity theft has occurred, the following steps should be considered and taken, as appropriate:
      (1)   Except in cases where there appears to be obvious complicity by the individual whose identity was used, promptly notify the victim of identity theft, by certified mail, using the identity theft patient notice letter developed by provider. Notification may also be provided by telephone, to be followed by a mailed letter;
      (2)   Place an identity theft alert on all patient care reports (“PCRs”) and financial accounts that may have inaccurate information as a result of the identity theft;
      (3)   Discontinue billing on the account and/or close the account;
      (4)   Reopen the account with appropriate modifications, including a new account number;
      (5)   If a claim has been submitted to an insurance carrier or government program (payor) in the name of the patient whose identity has been stolen, notify the payor, withdraw the claim and refund any charges previously collected from the payor and/or the patient;
      (6)   If the account has been referred to collection agencies or attorneys, instruct the collection agency or attorneys to cease collection activity;
      (7)   Notify law enforcement and cooperate in any investigation by law enforcement;
      (8)   Request that law enforcement notify any health facility to which the patient using the false identity has been transported regarding the identity theft;
      (9)   If an adverse report has been made to a consumer credit reporting agency regarding a patient whose identity has been stolen, notify the agency that the account was not the responsibility of the individual;
      (10)   Correct the medical record of any patient of provider whose identity was stolen, with the assistance of the patient as needed;
      (11)   If the circumstances indicate that there is no action that would prevent or mitigate the identity theft, no action need be taken.
(Ord. 2416, passed 7-13-2010)