(A) The program, and all material changes thereto, shall be approved by the City Administrator.
(B) A designated employee at the level of senior management shall be designated by the City Administrator as the Program Compliance Officer and shall be responsible for the oversight, development and implementation of the program.
(C) Provider shall train staff, as needed, to effectively implement the program. The following categories of personnel shall be trained in the implementation of the program:
(1) All medical transport personnel;
(2) All billing office personnel;
(3) All management personnel.
(D) Initial training shall occur no later than December 1, 2010 for all current personnel. Newly hired personnel shall be trained in the implementation of the Program as part of their standard compliance and HIPAA training. Refresher training shall be included in the annual compliance and HIPAA training given to provider personnel, and may be given to specific employees from time to time on an “as needed” basis.
(E) Provider shall exercise appropriate and effective oversight of all arrangements involving a service provider whose duties include opening, monitoring or processing patient accounts, or performing other activities which place them in a position to prevent, detect or mitigate identity theft (service providers). Each service provider shall be required to execute an amendment or addendum to its service agreement or business associate agreement which requires it to:
(1) Implement a written identity theft program that meets the requirements of the red flags rule;
(2) Provide a copy of such program to provider no later than December 1, 2010;
(3) Provide copies of all material changes to such program on an annual basis; and
(4) Either report all red flags which it encounters to provider, or take appropriate steps to prevent or mitigate identity theft itself.
(F) The Program Compliance Officer shall report to the City Administrator, on an annual basis, on compliance with the program. The report shall address material matters related to the program and evaluate issues such as:
(1) The effectiveness of the program in addressing the risk of identity theft;
(2) Service provider arrangements;
(3) Significant incidents involving identity theft and provider's response;
(4) Recommendations for material changes to the program.
(Ord. 2416, passed 7-13-2010)