Federal Law defines medical identity theft as, "a fraud committed or attempted using the identifying information of another person without authority to obtain medical services or goods, or when someone uses the person’s identity to obtain money by falsifying claims for medical services and falsifying medical records to support those claims."
Policy
In accordance with the Identify Theft Red Flags and Address Discrepancies issued by the Federal Trade Commission, Capital Health Plan strives to:
- Prevent the intentional or inadvertent misuse of member names, identities, and medical records
- Report criminal activity relating to identity theft and theft of services to the appropriate authorities
- Take steps to correct and/or prevent further harm to any person whose name or other identifying information is used unlawfully or inappropriately
Purpose
A Red Flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Red Flag regulations require health care entities to have a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft. The purpose of this policy is to set guidelines for Capital Health Plan management and staff to use in an ongoing effort to detect, prevent, and mitigate identity theft.
Procedure
Detect: Capital Health Plan’s workforce should report to the Compliance and Privacy Officer any triggers that may indicate possible identity theft, including but not limited to:
- Complaints or questions from a member based on the member’s receipt of:
- A bill for another individual
- A bill for a service that the member denies receiving
- A bill from a health care doctor/provider that the member never patronized
- An Explanation of Benefits or other notice for health care services not received
- Records showing medical treatment that is inconsistent with a physical examination or medical history as reported by the member
- Refusal to provide requested identification, lack of identification, or a mismatch between recorded picture identification and the person presenting for care
- Dispute of a bill by a member who claims to be the victim of any type of identity theft
- A member who never has evidence of an insurance card or who appears not to be the same person that staff recall from prior visits
- Multiple requests for new identification cards in the same year
- A notice or inquiry from an insurance fraud investigator or law enforcement agency
- A complaint or question to Member Services that may indicate an investigation is needed regarding a possible misinterpretation or error in billing
- A complaint or question raised by a member that is communicated to the clinical staff regarding possible identity theft or services given to a person other than member
Prevent and Mitigate: Capital Health Plan has several processes in place to protect our members: Specific procedures are in place, under the HIPAA policies, based on state and federal requirements, which allow members to review their medical records and request amendments The NextGen® Electronic Medical Record has a template customizable for addendums and modifications, including documentation in a wrong chart, whether inadvertent or otherwise Specific information security policies and procedures to protect computer applications and access management, using role-based access, passwords, anti-spam software, and encryption technologies Train and Educate: Capital Health Plan ensures staff, members, and affiliate doctors/providers are aware of the Red Flag Rules and the Identification Theft Prevention Principles at least annually, or when there changes are implemented. Program Administration: Oversight of the program comes from the Information Security Officer, the Chief Information Officer, and the Compliance and Privacy Officer. They are responsible for:
- Assigning of specific responsibility for training
- Reviewing reports prepared by staff
- Approving material changes to the program to address evolving identity theft risks
- Investigating complaints reported by Member Services, clinical staff, Patient Accounting staff, members, Network Doctors/Providers, facilities or any other means of communication
- Taking appropriate action, including notification of law enforcement and the victim when identity theft is discovered
Approved by Compliance Committee 6/2/2009 Reviewed and Approved by Senior Managers Date: 4/ 9/2009, Revised 11/15/2011, Reviewed 5/21/13, Reviewed 8/19/2014, Reviewed 8/25/2015, Reviewed 5/24/2016.