Red Flag Identity Theft Prevention Program: Difference between revisions

Line 23: Line 23:
Policy No.: '''8011'''<br />
Policy No.: '''8011'''<br />
Effective Date: '''01/13/10'''<br />
Effective Date: '''01/13/10'''<br />
Revised Date: '''02/07/18 '''<br />
Revised Date: '''08/18/21 '''<br />
Reviewed Date: '''08/12/20'''<br />
Reviewed Date: '''08/18/21'''<br />
<br />
<br />
'''<big>Red Flag Identity Theft Prevention Program</big>'''
'''<big>Red Flag Identity Theft Prevention Program</big>'''
Line 31: Line 31:
== Purpose ==
== Purpose ==
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
The Vice Chancellor for Business and Finance is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Compliance Officer.
The Vice Chancellor for Business, Finance and Business Development is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Chief Compliance Officer.
== Definitions ==
== Definitions ==
#''Covered Account'' means             
#''Covered Account'' means             
#* an account that UNMC offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and
#* an account UNMC offers or maintains primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions and
#* any other account that UNMC offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students and/or patients).
#* any other account UNMC offers or maintains for which there is a reasonably foreseeable risk of identity theft to the customer (i.e. students and/or patients).
#''Creditor'' means any person or organization that extends, renews, or continues credit, including UNMC, who accepts multiple payments over time for services rendered.
#''Creditor'' means any person or organization that extends, renews, or continues credit, including UNMC, who accepts multiple payments over time for services rendered.
#''Customer'' means a student, patient or other individual receiving UNMC services.
#''Customer'' means a student, patient or other individual receiving UNMC services.
#''Identity theft'' means fraud that involves stealing money or getting other benefits by using the identifying information of another person.
#''Identity theft'' means fraud that involves stealing money or getting other benefits by using the identifying information of another person.
#''Notice of an address discrepancy'' means a notice that a credit bureau sends to UNMC when UNMC has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.
#''Notice of an address discrepancy'' means a notice a credit bureau sends to UNMC when UNMC has ordered a credit report about a consumer. Mail returned because of improper address is not a Notice under this policy.
#''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.
#''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.
#''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts.
#''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts.
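Review bot: In the second bullet under ''Covered Account'', the parenthetical "(i.e. students and/or patients)" restricts the customer to students and patients, while the ''Customer'' definition two items later also covers any "other individual receiving UNMC services". Since this revision already edits that bullet, consider changing "i.e." to "e.g." or dropping the parenthetical so the two definitions agree on who holds a Covered Account.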
Line 52: Line 52:
# Address discrepancies that cannot be explained.
# Address discrepancies that cannot be explained.
# Suspicious documents, including:             
# Suspicious documents, including:             
#*photographs or physical descriptions that are inconsistent with the individual presenting the document;
#*photographs or physical descriptions inconsistent with the individual presenting the document;
#*incomplete, altered, forged, or inauthentic documents; or
#*incomplete, altered, forged, or inauthentic documents; or
#*other personal identifying information that is inconsistent with information on file with the University.         
#*other personal identifying information inconsistent with information on file with the University.         
# Complaints or questions from customers about charges to a covered account for goods/services they claim were never received.
# Complaints or questions from customers about charges to a covered account for goods/services they claim were never received.
# Suspicious activity related to a Covered Account, including:
# Suspicious activity related to a Covered Account, including:
Line 68: Line 68:
#Information systems containing Covered Account information shall be monitored by the appointed information system custodian/administrator to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
#Information systems containing Covered Account information shall be monitored by the appointed information system custodian/administrator to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
== Responding to Red Flags ==
== Responding to Red Flags ==
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine that no risk of identity theft is present (i.e. a mistake has occurred, or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, he/she shall notify the Compliance Officer at 402-559-9576 or 402-559-6767.<br /><br />
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine no risk of identity theft is present (i.e. a mistake has occurred or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, they shall notify the Chief Compliance Officer at 402-559-9576 or 402-559-6767.<br /><br />


The Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:       
The Chief Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:       
# Notify campus security
# Notify campus security
# Notify the Covered Account holder if the holder is the identity theft victim
# Notify the Covered Account holder if the holder is the identity theft victim
Line 78: Line 78:
# Notify the State Patrol
# Notify the State Patrol
# File a report with the local police department
# File a report with the local police department
# Correct any erroneous information associated with the account. For patients, notify the Health Information Management Department Manager of Information Logistics so medical information can be adjusted if necessary.
# Correct any erroneous information associated with the account. For patients, notify the Health Information Management (HIM) Operations Manager so medical information can be adjusted if necessary.
# Establish Red Flag alerts to notify relevant employees of suspected identity theft (i.e. notes in Covered Account information systems or files, etc.)
# Establish Red Flag alerts to notify relevant employees of suspected identity theft (i.e. notes in Covered Account information systems or files, etc.)
# Request additional information as required to verify identity
# Request additional information as required to verify identity
Line 89: Line 89:
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
== Program Assessment and Reporting ==
== Program Assessment and Reporting ==
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor of Business and Finance to the University of Nebraska Internal Audit Department not later than May 10th of each year for the previous one year period beginning April 1st through March 30th. The report shall contain:  
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor for Business, Finance and Business Development to the University of Nebraska Internal Audit Department no later than May 10th of each year for the previous one-year period beginning April 1st through March 30th. The report shall contain:  
# a summary of Red Flag Rule monitoring activities;
# a summary of Red Flag Rule monitoring activities;
# a description of any identity theft incidents that have occurred and the response to them; and
# a description of any identity theft incidents that have occurred and the response to them; and