SAMPLE IDENTITY THEFT POLICY:

A portion of the policy is displayed below, click here to download the full text in PDF.

---

		SUBJECT:  Identity Theft / Patient Misidentification POLICY NUMBER:   Page 1 of 16
		GENERATED BY: Integrity Compliance Office
		APPROVED BY:
ISSUED:  11/7/0X	REVISED: 3/16/0X; 5/6/0X (web reference updates only)	REVIEWED:	REFERENCE:

---

Scope

All XXXXX XXXXX operations

Purpose

To describe the measures to be followed when health care is obtained under a fictitious name or in another person’s name.  This includes situations when a person intentionally misrepresents himself/herself and when a person gives his/her real name, but the hospital or other facility accesses the wrong medical record so that the medical records of two patients are commingled.    

Policy

XXXXX XXXXX entities strive to prevent the intentional or inadvertent misuse of patient names, identities, and medical records; to report criminal activity relating to identity theft and theft of services to appropriate authorities; and to take steps to correct and/or prevent further harm to any person whose name or other identifying information is used unlawfully or inappropriately.

Procedure

1. Request Identification at Registration/Intake Points.  Hospital emergency departments and all other registration/intake areas should review and include in each patient’s file a photo ID issued by a local, state, or federal government agency (e.g., a driver’s license; passport; military ID, etc.).  In the event the patient does not have photo ID, ask for two forms of nonphoto ID, one of which has been issued by a state or federal agency (e.g., Social Security card and a utility bill or company or school identification).  When the patient is under 18 or if the patient is unable due to their condition to produce identification, the responsible party’s identification shall be requested.  Each time a patient visits, check whether the identification provided is valid, copy the identification provided, and match any photo to the patient/responsible party.  During the registration process, if an identity alert flag appears in the XXXXX XXXXX Master Patient Index call the Registration Supervisor or the applicable Privacy Officer for resolution. 

• A. Emergency Care—NO DELAY.  Providing identification is not a condition for obtaining emergency care.  The process of confirming a patient’s identity must never delay the provision of an appropriate medical screening examination or necessary stabilizing treatment for emergency medical conditions.   
• B. Responding to Questions.  If asked the reason for the identifying procedures, explain that the procedures are “for patient protection to prevent identity theft and theft of services.”   Politely remind questioners this is the same process used to cash a check, make a large credit card purchase, or board a plane.
• C. Refusal to Provide or Lack of Identification.  No one should be refused care because they do not have acceptable identification with them.  Patients should be asked to bring appropriate documents to their next visit and registration staff may offer to take a photograph of the patient in accordance with any approved registration staff photograph policy.  Refer to Photo Identification of Patients Policy.
  

2. Signs of Possible Identity Theft.  Employees should be alert for cases of possible identity theft.  Potential signs of identity theft include: (1) any patient appearing and giving an identity that has been flagged in XXXXX XXXXX’s master-patient index or Identity Theft Database, (2) a patient providing photo ID that does not match the patient, (3) a patient giving a social security number different than one used on a previous visit, (4) a patient giving information that conflicts with information in the patient’s file or received from third parties, such as insurance companies, and (5) family members/friends calling the patient by a name different than that provided by the patient at registration.  If an employee reasonably believes identity theft has occurred or may be occurring, immediately notify the Registration Supervisor or the facility Privacy Officer.  The Registration Supervisor/Privacy Officer will involve Security on an as-needed basis (e.g., to perform background checks, to contact the person believed to be a victim of the identity theft, and if medical circumstances allow, to interview the patient, etc.).  

3. When Identity Theft Is Alleged by a Patient.  Advise the patient to report the identity theft incident to law enforcement and indicate that paperwork will be forwarded for the patient to complete.  Complete and send the letter attached as Exhibit A with a copy of the FTC Identity Theft affidavit, attached hereto as Exhibit B, also available at http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf.  Unless there is actual knowledge that identity theft has occurred at the facility, the facility must receive a properly completed and signed FTC Identity Theft Affidavit before correcting medical or payment records or proceeding with other victim assistance steps under this policy.  Once the identity theft allegation is supported by an FTC Identify Theft Affidavit, the facility must flag the account of the patient alleging identity theft so that medical personnel are alert to the issue that the medical record may contain inaccurate information about the patient.  The facility then can proceed with the remainder of the steps set out in this policy. 

4. When Identity Theft Occurs.     If a person obtains or uses the personal identifying information of another to obtain (or to attempt to obtain) medical services or information in the name of such other person without consent or lawful authority, the facility shall take the following steps:

• A. Notifications.  When identity theft is reasonably suspected or is known to have occurred by an employee (e.g., by receipt of a properly completed and signed FTC Identity Theft Affidavit), the employee must immediately complete the Identity Alert reporting form attached as Exhibit C and route copies of the same to the entity Privacy Officer, HIM Director, Security Director, Registration Director, Patient Account Director, and the XXXXX XXXXX Integrity-Compliance office.  Attach a copy of the relevant photo ID.  If the incident occurs on a weekend, reporting should occur the next business day.  The Integrity-Compliance Office will review and make decisions on the finding and make all external reporting and notification decisions.  External notification and reporting will occur only as directed by the Integrity-Compliance Office.
  

• i. Reporting Medicaid Fraud.  When there is actual knowledge of Medicaid fraud (e.g., a patient uses another person’s Medicaid information to obtain medical care), the fraud must be reported immediately to the Medicaid OIG: 1-800-###-####. 
  
• ii. Mail Theft. For incidents involving mail theft, the U.S. Postal Inspection Service will be contacted.
  
• iii. Security Breach.  If the identity theft involves unauthorized access of unencrypted computerized data containing a person’s first name or first initial and last name and (1) a social security number, (2) driver’s license number, or (3) financial account number (including a credit or debit card number) in combination with any required security code, access code, or password that would permit access to an individual's financial account, the Integrity Compliance Office will direct reporting in accordance with <State> Code Ann.§  <Section> to any resident of <State> whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. Such reporting will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.
  
• iv. Coordinating with Area Health Care Providers.  The victim’s written authorization generally will be obtained prior to alerting non-XXXXX XXXXX health care providers about the possibility of identity theft in connection with the victim’s identifying information.  See XXXXX XXXXX HIPAA Policy, “Authorization to Release Information.”  However, in the event circumstances indicate that the identity thief may imminently use the victim’s information to defraud a non-XXXXX XXXXX health care provider (e.g., identity thief is “shopping” area emergency departments for medication) and such circumstances do not allow enough time to obtain the victim’s written authorization to disclose the victim’s name and address to the non-XXXXX XXXXX provider to prevent further fraudulent activity in connection with the victim’s identifying information, the Integrity-Compliance office  may disclose (or direct disclosure) to a non-XXXXX XXXXX provider information about the identity theft victim to allow the unrelated provider to determine whether it has an existing or past relationship with the victim.  The information disclosed shall be limited to the minimum necessary to determine whether the victim has an existing or past relationship with the area health care provider (e.g., victim’s name and address; photograph of identity theft suspect).  If the non-XXXXX XXXXX provider confirms it has an existing or past relationship with the victim, the minimum necessary information regarding the identity theft incident may be disclosed so that the provider is alert to the potential for fraudulent activity related to the victim’s identifying information.  In the event the identity theft victim does not have an existing or past relationship with the non-XXXXX XXXXX provider, the victim’s written authorization must be obtained prior to releasing any identifying information about the victim to a non-XXXXX XXXXX provider.    
   
• B. Accounts on Hold.  The Patient Accounts Director will put all patient accounts affected by the identity theft on hold pending the outcome of the investigation.
  
  
• C. Security Department; Reports to Law Enforcement; Reporting Medicaid Fraud.            The entity Security Department will provide any necessary assistance with determining the identity of the patient and provide feedback to the Registration Director, Patient Accounts Director, and the Integrity-Compliance office.  If the Integrity-Compliance office together with the entity believe in good faith that identity theft or theft of services has occurred on the entity’s premises, and the value of the services in question exceeds or may exceed $500, the Integrity-Compliance office will instruct the entity’s Security Department to report the incident to the law enforcement agency in the city or county in which the facility is located.  In order to facilitate reporting and efficient prosecution of identity theft crimes, the entity should prepare a summary of the information that the entity believes in good faith constitutes evidence of criminal conduct that occurred on the entity’s premises (e.g., information provided by the victim and the suspect; any fingerprint, photo, and copies of security films taken of the suspect; a statement of the value of services obtained by the suspect, etc.).  The Security Department will make reasonable efforts to limit the disclosure of protected health information to the minimum necessary to report the suspected identity theft, and the information disclosed will not directly or indirectly identify any patient as a mental health services recipient.  The Security Department must obtain the investigating officer’s name and phone number, consult with law enforcement about the timing and the content of any victim notification (to ensure notification does not impede a law enforcement investigation), and explain that the investigating officer’s name and phone number will be shared with the identity theft victim in any victim notification.

• i.     Substance Abuse Treatment Facilities.  Reporting by a federally-funded substance abuse program should be limited to the circumstances of the incident, including the patient status of the individual committing or threatening to commit identity theft, that individual's name and address, and that individual's last known whereabouts.  No other information may be provided.
  
  
• D. Notifying Victims of Identity Theft When the Patient Does Not Know Identity Theft Has Occurred.  After consultation with law enforcement about the timing and the content of any victim notification (to ensure notification does not impede a law enforcement investigation), victims of identity theft will be notified by the HIM department as directed by the Integrity-Compliance office.  The letter attached to this Policy as Exhibit D may be used as a form to notify a victim of identity theft.  Victims of identity theft should be encouraged to cooperate with law enforcement in identifying and prosecuting the suspected identity thief.  Encourage the victim to complete the FTC Identity Theft Affidavit attached hereto as Exhibit B and available at    http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf.