Identification, Detection of, and Response to Identify Theft
Procedure Number: OP_9110
Policy Manual Section:
Board of Directors
Compliance & Privacy/Security Official
Original Procedure Date:
Replaces Procedure Number:
I. Procedure Purpose/Statement of Intent/Background
Any entity that regularly arranges for the extension, renewal or continuation of credit.
Fraudulently using the identifying information of another person.
Any account that HealthPlus maintains primarily for personal family or household purposes, that involves multiple payments or transactions, including one or more deferred payments; and any other account HealthPlus identifies as having a reasonably foreseeable risk to customers or to the safety and soundness of HealthPlus from Identity Theft.
A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.
III. Procedure Statement [i] [ii] [iii] [iv] [v] [vi] [vii] [viii] [ix]
A. The Issuing Department(s) and all applicable staff involved in the implementation of this procedure shall follow the rules and regulations directed by federal and state laws and regulations, including, but not limited to the Federal Trade Commission’s Identity Theft Prevention Red Flag Rules, and directions set forth in the supporting HealthPlus Corporate policy.
B. Staff shall follow the steps outlined in this procedure for identifying, detecting, and mitigating risks of identity theft affecting HealthPlus members.
A. Identification [SH1] of Red Flags [x] [xi]
1. Activities involving Identity Theft fall within one of the following five general types of red flags:
a. Alerts, notifications, or warnings from a consumer reporting agency.
b. Suspicious documents.
c. Suspicious personal identifying information, such as a suspicious address.
d. Unusual use of – or suspicious activity relating to – a covered account.
e. Alerts from others (e.g. customer, identity theft victim, or law enforcement).
2. Based on consideration of various factors, HealthPlus will be on the alert for the following possible red flag situations:
a. A complaint or question from a member based on the member’s receipt of a:
i. Bill for another individual
c. A complaint or question from a member about the receipt of a collection notice from a bill collector.
d. A member or another health plan or insurance company report that coverage for legitimate health care services is denied because insurance benefits have been depleted or deductibles have been reached.
f. A member who has an insurance number but never produces an insurance card or other physical documentation of insurance.
g. A notice or inquiry from an insurance fraud investigator for another private insurance company or government agency.
h. Notification of a lost or stolen HealthPlus identification card.
B. Detection of Red Flags [xii] [xiii]
1. HealthPlus has adopted the following procedures to aid in the detection of red flags for identity theft:
a. New Member Accounts
i. Obtain appropriate identifying information and insurance information from individual, employer group or government agency. This could be in the form of:
b. Existing Member Accounts
i. During each return member enrollment, update the personal and insurance information listed above.
ii. Verify validity of requests for changes of billing addresses.
C. Prevention and Mitigation of Identity Theft [xiv] [xv] [xvi] [xvii]
1. In determining an appropriate response to a red flag or other threat of identity theft, HealthPlus will consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a member’s account records, or notice that a member has become aware of someone fraudulently claiming to obtain medical services in the name of the member.
2. Appropriate responses may include:
a. Monitoring a covered account for evidence of identity theft;
b. Contacting the member;
c. Changing any passwords, security codes, or other security devices that permit access to a covered account;
d. Reopening a covered account with a new account number;
e. Not opening a new covered account;
f. Closing an existing covered account;
g. Not attempting to collect on a covered account or not disclosing a covered account to a debt collector;
h. Notifying law enforcement; or
i. Determining that no response is warranted under the particular circumstances.
3. Staff shall refer to the processes outlined in Procedure #Compliance07: Fraud, Waste, and Abuse Compliance Program and in regard to the investigation and course of action processes pertaining to identity theft.
D. Updating the Program [xviii] [xix] [xx]
1. HealthPlus will evaluate the Program on an annual basis and will update the Program as necessary to reflect changes in risks to members or to HealthPlus from identity theft, based on factors such as:
a. The experiences of HealthPlus with identity theft;
b. Changes in methods of identity theft;
c. Changes in methods to detect, prevent, and mitigate identity theft;
d. Changes in the types of accounts that HealthPlus offers or maintains; and
e. Changes in the business arrangements of HealthPlus, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements. [xxi]
E. Program Administration [xxii] [xxiii]
a. The effectiveness of the Program in identifying and addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;
b. Any third party arrangements relevant to covered accounts such as credit card charges;
c. Significant incidents involving identity theft and management’s response; and
d. Recommendations for material changes to the Program.
HealthPlus staff is responsible for establishing, publishing, and maintaining procedures and work rules to implement this procedure.
[i] Red Flag Rule - 16 CFR 681.1.d.1 - FWA - Red Flag Rules - Establishment of a written Identity Theft Program - Program Requirement
[ii] Federal Sentencing Guideline - Chpt 8, Pt B, 2.1.a.(1) - FWA - Prevent & Detect Criminal Conduct
[iii] Federal Sentencing Guideline - Chpt 8, Pt B, 2.1.b.(1) - FWA - Program - Procedures to Prevent & Detect Criminal Conduct
[iv] OIG - Federal Register #F - Policies/Procedures - Procedures to Prevent & Detect Criminal Conduct
[v] CMS - Part D Manual 126.96.36.199 - Policy/Procedure - Identification of FWA (policies/procedures)
[vi] MDCH – Medicaid - Section 6 Criterion 1.a - Detecting FWA - Policy/Procedure - that includes Detecting by employees, providers, and members
[vii] MDCH – Medicaid - Section 6 Criterion 1.c - Detecting FWA - Policy/Procedure - Preventing FWA by employees, providers, and members
[viii] MDCH – MIChild - Section 6 Criterion 1.a - FWA - Policy/Procedure - Comply with all federal and state business requirements
[ix] FEHPB/OPM - Section 1.9.a - Program - Procedures to Prevent & Detect Criminal Conduct
[x] Red Flag Rule - 16 CFR 681.1.d.2.i - FWA - Red Flag Rules - - Elements of the Program - P/P to identify Red Flags
[xi] Red Flag Rule – Part 334 – Appendix J - FWA - Red Flag Rules - 5 Categories of Red Flags (alerts/documents; unusual activity; notices from customers/victims/law)
[xii] Red Flag Rule - 16 CFR 681.1.d.2.ii - FWA - Red Flag Rules - Elements of the Program - PP Detect Red Flags
[xiii] CMS - Part C Chapter 11, 20.3 - Investigations - Monitor compliance through investigation of complaints; provider changes; enrollee satisfaction surveys; disenrollment surveys
[xiv] Red Flag Rule - 16 CFR 681.1.d.2.iii - FWA - Red Flag Rules - Elements of the Program - PP Responding to Red Flags
[xv] Federal Sentencing Guideline - Chpt 8, Pt B, 2.1.b.(7) - Response - Response to criminal conduct
[xvi] OIG - Federal Register #G - Response - Response to criminal conduct
[xvii] CMS - Part D Manual 188.8.131.52 - Response - Response to criminal conduct (policies/procedures)
[xviii] Red Flag Rule - 16 CFR 681.1.d.2.iv - FWA - Red Flag Rules - Elements of the Program - PP Program Updated Periodically
[xix] Red Flag Rule - 16 CFR 681.1.10.c - FWA - Red Flag Rules - Risk Assessment - Periodic assessment whether it offers or maintains covered accounts
[xx] Federal Sentencing Guideline - Chpt 8, Pt B, 2.1.c - Assessment - Program Assessment - periodic
[xxi] Red Flag Rule - 16 CFR 681.1.e.4 - FWA - Red Flag Rules - Administration of Program - exercise appropriate and effective oversight of service provider arrangements
[xxii] Red Flag Rule - 16 CFR 681.1.e.2 - FWA - Red Flag Rules - Administration of Program - Involve Board/Bd Committee/Sr. Management in oversight/development/implementation
[xxiii] Red Flag Rule - 16 CFR 681.1.e.1 - FWA - Red Flag Rules - Approval from Board or appropriate committee of the Board
[xxiv] Red Flag Rule - 16 CFR 681.1.e.3 - FWA - Red Flag Rules - Administration of Program - Train Staff to implement the program
[SH1]10/12/2009: HR does not utilize Credit Reports for verification of new employees; therefore, Address Discrepancy Rule does not apply to HPM.