Red Flag Identity Theft Prevention Program: Difference between revisions

no edit summary
Line 18: Line 18:
<br />
<br />


[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Copyright]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts Policy]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]]
[[Compliance Program]] | [[Compliance Hotline]] | [[Investigations by Third Parties]] | [[Research Integrity]] | [[Export Control]] | [[Code of Conduct]] | [[Use of Human Anatomical Material]] | [[Clinical Trial Fee Billing Procedures]] | [[Contracts]] | [[Conflict of Interest]] | [[Red Flag Identity Theft Prevention Program]] | [[Principles of Financial Stewardship]] | [[Human Tissue Use & Transfer]] | [[International Research Policy]] | [[Health Care Vendor Interactions]] | [[Internal Audit]]
<br /><br />
<br /><br />
POLICY NO: '''6011'''<br />
Policy No.: '''6011'''<br />
EFFECTIVE DATE: '''01/13/10'''<br />
Effective Date: '''01/13/10'''<br />
REVISED DATE:<br />
Revised Date:<br />
REVIEWED DATE:<br />
Reviewed Date:<br />
<br /><br />
<br />
<big>Red Flag Identity Theft Prevention Program</big>  
'''<big>Red Flag Identity Theft Prevention Program</big>'''
== Basis for Policy ==
== Basis for Policy ==
Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program; UNMC Policy No. 6055, Fraud.
Regents Policy 6.6.12, Red Flag Identity Theft Prevention Program; UNMC Policy No. 6055, Fraud.
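Review bot: In the navigation bar at the top of this hunk, [[Copyright]] appears in only one of the two versions and [[Contracts Policy]] is written as [[Contracts]] in the other. Confirm that the Copyright entry is meant to differ between revisions and that both the Contracts target and the three entries that appear only in the longer version ([[International Research Policy]], [[Health Care Vendor Interactions]], [[Internal Audit]]) resolve to existing pages, so the compliance navigation does not carry dead links.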
Line 31: Line 31:
== Purpose ==
== Purpose ==
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
The University of Nebraska Medical Center Red Flag Identity Theft Prevention Program is designed to reduce the risk of identity theft through detection, prevention and mitigation of patterns, practices or activities related to covered accounts ("Red Flags") that could be indicative of potential identity theft. The Fair and Accurate Credit Transactions Act (FACTA) contains program requirements at 16 CFR 681.<br /><br />
The Vice Chancellor for Business and Finance is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Compliance Officer.
The Vice Chancellor for Business and Finance is responsible for implementing the Red Flag Identity Theft Prevention Program and has delegated day-to-day management to the Compliance Officer.
   
== Definitions ==
== Definitions ==
#''Covered Account'' means             
#''Covered Account'' means             
Line 44: Line 42:
#''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.
#''Red flag'' means a pattern, practice or specific activity that could indicate identity theft.
#''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts.
#''Service Provider'' means a vendor that provides services directly to UNMC related to Covered Accounts.
== Covered Accounts ==
== Covered Accounts ==
Covered accounts maintained by UNMC include but are not limited to the following:
Covered accounts maintained by UNMC include but are not limited to the following:
Line 50: Line 47:
# Student accounts
# Student accounts
# Patient accounts
# Patient accounts
== Identifying Red Flags ==
== Identifying Red Flags ==
 
UNMC shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:      
UNMC shall identify and respond to Red Flags which may indicate potential identity theft. Red Flags include but are not limited to the following:
       
# Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
# Alerts, notifications or warnings from a consumer reporting agency, including notices of credit freezes, notices of address discrepancies, and receipts of consumer reports showing patterns of activities that are inconsistent with the history and usual pattern of activity of the account holder.
# Address discrepancies that cannot be explained.
# Address discrepancies that cannot be explained.
Line 67: Line 61:
#*unauthorized account changes or transactions.         
#*unauthorized account changes or transactions.         
# Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with UNMC Covered Accounts.
# Notice from customers, victims of identity theft, law enforcement authorities or other individuals regarding possible identity theft in connection with UNMC Covered Accounts.
== Detecting Red Flags ==
== Detecting Red Flags ==
#The following actions will be taken as appropriate to confirm the identity of customers when they open and/or access Covered Accounts:             
#The following actions will be taken as appropriate to confirm the identity of customers when they open and/or access Covered Accounts:             
#* Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, user name and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
#* Obtain appropriate personal identifying information (e.g. photo identification, date of birth, academic status, user name and password, address, etc.) prior to opening or allowing access to a covered account; or prior to issuing a new or replacement ID card.
Line 75: Line 67:
#* Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.
#* Verify the accuracy of changes made to Covered Accounts that appear to be suspicious.
#Information systems containing Covered Account information shall be monitored by the appointed information system custodian/administrator to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
#Information systems containing Covered Account information shall be monitored by the appointed information system custodian/administrator to detect any unusual user activity that could indicate improper access to and/or use of consumer information.
== Responding to Red Flags ==
== Responding to Red Flags ==
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine that no risk of identity theft is present (i.e. a mistake has occurred, or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, he/she shall notify the Compliance Officer.<br /><br />
Any staff member encountering a Red Flag shall assess the situation to determine if potential identity theft exists. The assessment may determine that no risk of identity theft is present (i.e. a mistake has occurred, or the occurrence is readily explainable). If, after preliminary investigation, the employee suspects identity theft may have occurred, he/she shall notify the Compliance Officer.<br /><br />


The Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:<br /><br />
The Compliance Officer shall further investigate the matter, implementing the Information Security Incident Reporting and Response and/or the Privacy Incident Response Plan Procedures as appropriate. If identity theft is confirmed, the following actions will be taken in coordination with the department managing the Covered Account to mitigate harm, as appropriate, based on the individual circumstances:      
       
# Notify campus security
# Notify campus security
# Notify the Covered Account holder if the holder is the identity theft victim
# Notify the Covered Account holder if the holder is the identity theft victim
Line 95: Line 84:
# Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate
# Reopen a covered account with a new account number, close an existing account, and decline to open a new covered account as appropriate
# Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts.
# Attempt to identify the source of the Red Flag and take appropriate steps to prevent additional identity thefts.
== Oversight of Service Providers ==
== Oversight of Service Providers ==
UNMC may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.
UNMC may contract with vendors to provide services related to Covered Accounts. The contracting department shall maintain written certification from the vendor stating it complies with FACTA Red Flag Rule regulations. The department shall investigate any service provider occurrences indicating a potential lack of compliance, and take any necessary actions to mitigate potential risk.
   
== Program Education ==
== Program Education ==
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
All departments managing Covered Accounts shall provide education to current staff members and new hires on this policy and any internal department procedures created to implement it.
   
== Program Assessment and Reporting ==
== Program Assessment and Reporting ==
 
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor of Business and Finance to the University of Nebraska Internal Audit Department not later than May 10th of each year for the previous one year period beginning April 1st through March 30th. The report shall contain:  
A Red Flag Identity Theft Prevention Program report shall be forwarded through the Vice Chancellor of Business and Finance to the University of Nebraska Internal Audit Department not later than May 10th of each year for the previous one year period beginning April 1st through March 30th. The report shall contain: <br /><br />
       
# a summary of Red Flag Rule monitoring activities;
# a summary of Red Flag Rule monitoring activities;
# a description of any identity theft incidents that have occurred and the response to them; and
# a description of any identity theft incidents that have occurred and the response to them; and
# any recommended Red Flag Identity Theft Program changes.<br /><br />
# any recommended Red Flag Identity Theft Program changes.
 
The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program.  
The University of Nebraska Internal Audit Department shall report information from the administrative units to the Audit Committee of the Board of Regents annually as required by the FACTA regulations. The Board of Regents shall approve material changes to the Red Flag Identity Theft Prevention program. <br /><br />
==Additional Information==
 
Contact the [mailto:tscrogin@unmc.edu Compliance Officer]
For additional information, please contact [mailto:swrobel@unmc.edu Compliance Officer].<br /><br />


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:dpanowic@unmc.edu dkp].
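Review bot: In the Program Assessment and Reporting paragraph, the reporting period reads "April 1st through March 30th" in both versions, which is one day short of the "one year period" named in the same sentence. The two versions of that line differ only in trailing markup, so the dates were carried over unchanged; confirm whether March 31st was intended. The contact line in this hunk also points the "Compliance Officer" link at a different mailto address in each version, which is worth confirming against the current office holder.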