Red Flag Identity Theft Prevention Program: Difference between revisions

From University of Nebraska Medical Center
(Created page with "POLICY NO: '''6011'''<br /> EFFECTIVE DATE: '''01/13/10'''<br /> REVISED DATE:<br /> REVIEWED DATE:<br /> == Basis for Policy == Regents Policy 6.6.12, Red Flag Identit...")
 
No edit summary
 
(31 intermediate revisions by 4 users not shown)
Line 1: Line 1:
POLICY NO: '''6011'''<br />
<table style="background:#F8FCFF; text-align:center" width="100%" cellspacing="0" cellpadding="0" border="0">
EFFECTIVE DATE: '''01/13/10'''<br />
<tr>
REVISED DATE:<br />
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Human Resources]]</td>
REVIEWED DATE:<br />
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
 
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Safety/Security]] </td>
   
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Research Compliance]] </td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:white; line-height:0.95em; border:solid 2px #A3B1BF; border-bottom:0; font-weight:bold;" width="20">[[Compliance]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Privacy/Information Security]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Business Operations]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF" width="20">[[Faculty]]</td>
</tr>
</table>
<br />
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Research and Clinical Trial Professional and Technical Fee Billing]] | [[Contracts]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use and Transfer]] | [[Disclosing Foreign Support and International Activities]] | [[Health Care Vendor Interactions]] | [[Credit Hour Definition]] | [[Whistleblower]] | [[Electronic Digital Signatures and Records]]<br />
<br />
Policy No.: '''8011'''<br />
Effective Date: '''01/13/10'''<br />
Revised Date: '''07/09/24'''<br />
Reviewed Date: '''07/09/24'''<br />
<br />
'''<big>Red Flag Identity Theft Prevention Program</big>'''
== Basis for Policy ==
== Basis for Policy ==
 
Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program; UNMC Policy No. 6055, [[Fraud]]
Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program; UNMC Policy No. 6055, Fraud.
   
== Purpose ==
== Purpose ==
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
 
The Vice Chancellor for Business, Finance and Business Development is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Chief Compliance Officer.
The Vice Chancellor for Business and Finance is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Compliance Officer.
   
== Definitions ==
== Definitions ==
''Covered Account'' means
#''Covered Account'' means          
           
#* an account UNMC offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and
* an account that UNMC offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and
#* any other account UNMC offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students and/or patients).
*             any other account that UNMC offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students and/or patients).<br />
#''Creditor'' means any person or organization that extends, renews, or continues credit, including UNMC, who accepts multiple payments over time for services rendered.
''Creditor'' means any person or organization that extends, renews, or continues credit, including UNMC, who accepts multiple payments over time for services rendered.<br />
#''Customer'' means a student, patient or other individual receiving UNMC services.
''Customer'' means a student, patient or other individual receiving UNMC services.<br />
#''Identity theft'' means fraud that involves stealing money or getting other benefits by using the identifying information of another person.
''Identity theft'' means fraud that involves stealing money or getting other benefits by using the identifying information of another person.<br />
#''Notice of an address discrepancy'' means a notice a credit bureau sends to UNMC when UNMC has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.
''Notice of an address discrepancy'' means a notice that a credit bureau sends to UNMC when UNMC has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.<br />
#''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.
''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.<br />
#''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts.
''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts. <br />
   
== Covered Accounts ==
== Covered Accounts ==
 
Covered accounts maintained by UNMC include but are not limited to the following:
Covered accounts maintained by UNMC include but are not limited to the following:<br />
# Student loans
       
# Student accounts
* Student loans
# Patient accounts
*        Student accounts
*        Patient accounts
 
== Identifying Red Flags ==
== Identifying Red Flags ==
 
UNMC shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:      
UNMC shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:<br />
# Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
       
# Address discrepancies that cannot be explained.
* Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
# Suspicious documents, including:          
*        Address discrepancies that cannot be explained.
#*photographs or physical descriptions inconsistent with the individual presenting the document; or
*        Suspicious documents, including:
#*incomplete, altered, forged, or inauthentic documents; or
           
#*other personal identifying information inconsistent with information on file with the University.         
::photographs or physical descriptions that are inconsistent with the individual presenting the document;
# Complaints or questions from customers about charges to a covered account for goods/services they claim were never received.
::            incomplete, altered, forged, or inauthentic documents; or
# Suspicious activity related to a Covered Account, including:
::            other personal identifying information that is inconsistent with information on file with the University.
#*unusual use of accounts that have been previously inactive for a lengthy period of time,
#*mail being returned as undeliverable although transactions continue to be conducted in connection with the covered account;
          
#*unauthorized account changes or transactions.      
* Complaints or questions from customers about charges to a covered account for goods/services they claim were never received.
# Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with UNMC Covered Accounts.
*        Suspicious activity related to a Covered Account, including:
           
::unusual use of accounts that have been previously inactive for a lengthy period of time,
::            mail being returned as undeliverable although transactions continue to be conducted in connection with the covered account;
::            unauthorized account changes or transactions.
       
* Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with UNMC Covered Accounts.
   
== Detecting Red Flags ==
== Detecting Red Flags ==
 
#The following actions will be taken as appropriate to confirm the identity of customers when they open and/or access Covered Accounts:          
The following actions will be taken as appropriate to confirm the identity of customers when they open and/or access Covered Accounts:
#* Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, username and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
           
#* When certain changes are made to Covered Accounts online, the account holder shall receive notification to confirm the change is valid.
* Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, user name and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
#* Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.
*             When certain changes are made to Covered Accounts online, the account holder shall receive notification to confirm the change is valid.
#Information systems containing Covered Account information shall be monitored by the Chief Information Security Officer to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
*             Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.<br /><br />
Information systems containing Covered Account information shall be monitored by the appointed information system custodian/administrator to detect any unusual user activity that could indicate improper access to and/or use of consumer information.  
   
== Responding to Red Flags ==
== Responding to Red Flags ==
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine no risk of identity theft is present (i.e. a mistake has occurred or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, they shall notify the Chief Compliance Officer at 402-559-9576 or 402-559-6767.<br /><br />


Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine that no risk of identity theft is present (i.e. a mistake has occurred, or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, he/she shall notify the Compliance Officer.<br /><br />
The Chief Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:      
 
# Notify campus security
The Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:<br /><br />
# Notify Information Technology
       
# Notify the Covered Account holder if the holder is the identity theft victim
* Notify campus security
# Notify the lending institution for student loans or the appropriate UNMC department that awards student aid loans to students/third party student loan service providers
*        Notify the Covered Account holder if the holder is the identity theft victim
# Notify the campus billing office and third party payers for patient accounts
*        Notify the lending institution for student loans or the appropriate UNMC department that awards student aid loans to students/third party student loan service providers
# Notify consumer reporting agency about address discrepancies associated with credit reports received
*        Notify the campus billing office and third party payers for patient accounts
# Notify the State Patrol
*        Notify consumer reporting agency about address discrepancies associated with credit reports received
# File a report with the local police department
*        Notify the State Patrol
# Correct any erroneous information associated with the account. For patients, notify the Health Information Management (HIM) Operations Manager so medical information can be adjusted if necessary.
*        File a report with the local police department
# Establish Red Flag alerts to notify relevant employees of suspected identity theft (i.e. notes in Covered Account information systems or files, etc.)
*        Correct any erroneous information associated with the account. For patients, notify the Health Information Management Department Manager of Information Logistics so medical information can be adjusted if necessary.
# Request additional information as required to verify identity.
*        Establish Red Flag alerts to notify relevant employees of suspected identity theft (i.e. notes in Covered Account information systems or files, etc.)
# Change passwords and security codes as appropriate to further secure access to the account.
*        Request additional information as required to verify identity
# Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate.
*        Change passwords and security codes as appropriate to further secure access to the account.
# Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts.
*        Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate
*        Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts.
   
== Oversight of Service Providers ==
== Oversight of Service Providers ==
UNMC may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.
UNMC may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.
   
== Program Education ==
== Program Education ==
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
   
== Program Assessment and Reporting ==
== Program Assessment and Reporting ==
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor for Business, Finance and Business Development to the University of Nebraska Internal Audit Department no later than May 10th of each year for the previous one-year period beginning April 1st through March 30th. The report shall contain:
# a summary of Red Flag Rule monitoring activities;
# a description of any identity theft incidents that have occurred and the response to them; and
# any recommended Red Flag Identity Theft Program changes.
The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program.
==Additional Information==
*[mailto:sarah.glodencarlson@unmc.edu Chief Compliance Officer], 402-559-9576 or 402-559-6767
*UNMC Policy No. 6055, [[Fraud]]
*Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program


A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor of Business and Finance to the University of Nebraska Internal Audit Department not later than May 10th of each year for the previous one year period beginning April 1st through March 30th. The report shall contain: <br /><br />
This page maintained by [mailto:mhurlocker@unmc.edu mh].
       
* a summary of Red Flag Rule monitoring activities;
*        a description of any identity theft incidents that have occurred and the response to them; and
*        any recommended Red Flag Identity Theft Program changes.<br /><br />
 
The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program. <br /><br />
 
For additional information, please contact Compliance Officer.<br /><br />
 
This page maintained by dkp.
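Review bot: In the Program Assessment and Reporting paragraph, the revised sentence keeps the reporting window as the "one-year period beginning April 1st through March 30th", which leaves March 31st outside every reporting period; if a full year is intended, this should read "through March 31st". Separately, the Responding to Red Flags and Additional Information text now embeds two phone numbers and a personal mailto address for the Chief Compliance Officer, where the earlier wording named only the role; a role-based contact would avoid a policy revision each time the officeholder or number changes.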

Latest revision as of 09:03, July 11, 2024


Policy No.: 8011
Effective Date: 01/13/10
Revised Date: 07/09/24
Reviewed Date: 07/09/24

Red Flag Identity Theft Prevention Program

Basis for Policy

Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program; UNMC Policy No. 6055, Fraud

Purpose

The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.

The Vice Chancellor for Business, Finance and Business Development is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Chief Compliance Officer.

Definitions

  1. Covered Account means
    • an account UNMC offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and
    • any other account UNMC offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students and/or patients).
  2. Creditor means any person or organization that extends, renews, or continues credit, including UNMC, who accepts multiple payments over time for services rendered.
  3. Customer means a student, patient or other individual receiving UNMC services.
  4. Identity theft means fraud that involves stealing money or getting other benefits by using the identifying information of another person.
  5. Notice of an address discrepancy means a notice a credit bureau sends to UNMC when UNMC has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.
  6. Red flag means a pattern, practice or specific activity that could indicate identity theft.
  7. Service Provider means a vendor that provides services directly to UNMC related to Covered Accounts.

Covered Accounts

Covered accounts maintained by UNMC include but are not limited to the following:

  1. Student loans
  2. Student accounts
  3. Patient accounts

Identifying Red Flags

UNMC shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:

  1. Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
  2. Address discrepancies that cannot be explained.
  3. Suspicious documents, including:
    • photographs or physical descriptions inconsistent with the individual presenting the document; or
    • incomplete, altered, forged, or inauthentic documents; or
    • other personal identifying information inconsistent with information on file with the University.
  4. Complaints or questions from customers about charges to a covered account for goods/services they claim were never received.
  5. Suspicious activity related to a Covered Account, including:
    • unusual use of accounts that have been previously inactive for a lengthy period of time;
    • mail being returned as undeliverable although transactions continue to be conducted in connection with the covered account;
    • unauthorized account changes or transactions.
  6. Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with UNMC Covered Accounts.

Detecting Red Flags

  1. The following actions will be taken as appropriate to confirm the identity of customers when they open and/or access Covered Accounts:
    • Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, username and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
    • When certain changes are made to Covered Accounts online, the account holder shall receive notification to confirm the change is valid.
    • Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.
  2. Information systems containing Covered Account information shall be monitored by the Chief Information Security Officer to detect any unusual user activity that could indicate improper access to and/or use of consumer information.

Responding to Red Flags

Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine no risk of identity theft is present (i.e. a mistake has occurred or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, they shall notify the Chief Compliance Officer at 402-559-9576 or 402-559-6767.

The Chief Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:

  1. Notify campus security
  2. Notify Information Technology
  3. Notify the Covered Account holder if the holder is the identity theft victim
  4. Notify the lending institution for student loans or the appropriate UNMC department that awards student aid loans to students/third party student loan service providers
  5. Notify the campus billing office and third party payers for patient accounts
  6. Notify consumer reporting agency about address discrepancies associated with credit reports received
  7. Notify the State Patrol
  8. File a report with the local police department
  9. Correct any erroneous information associated with the account. For patients, notify the Health Information Management (HIM) Operations Manager so medical information can be adjusted if necessary.
  10. Establish Red Flag alerts to notify relevant employees of suspected identity theft (i.e. notes in Covered Account information systems or files, etc.)
  11. Request additional information as required to verify identity.
  12. Change passwords and security codes as appropriate to further secure access to the account.
  13. Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate.
  14. Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts.

Oversight of Service Providers

UNMC may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.

Program Education

All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.

Program Assessment and Reporting

A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor for Business, Finance and Business Development to the University of Nebraska Internal Audit Department no later than May 10th of each year for the previous one-year period beginning April 1st through March 30th. The report shall contain:

  1. a summary of Red Flag Rule monitoring activities;
  2. a description of any identity theft incidents that have occurred and the response to them; and
  3. any recommended Red Flag Identity Theft Program changes.

The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program.

Additional Information

  • Chief Compliance Officer, 402-559-9576 or 402-559-6767
  • UNMC Policy No. 6055, Fraud
  • Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program

This page maintained by mh.