It is the policy of Cardiology Medical Group to follow all federal and state laws and reporting requirements regarding identity theft. This policy outlines how Cardiology Medical Group identifies, detects, and responds to “red flags.” A “red flag” as defined by this policy includes a pattern, practice, or specific account or record activity that indicates possible identity theft.
Identifying red flags
In the course of caring for patients, Cardiology Medical Group may encounter inconsistent or suspicious documents, information, or activity that may signal identity theft. Cardiology Medical Group identifies the following as potential red flags:
• A complaint or question from a patient based on the patient’s receipt of:
  • A bill for another individual.
  • A bill for a product or service that the patient denies receiving.
  • A bill from a physician that the patient never patronized.
  • A notice of insurance benefits or explanation of benefits for health care services never received.
• Records showing medical treatment that is inconsistent with a physical examination or with medical history as reported by the patient.
• A complaint or question from a patient about the receipt of a collection notice from a bill collector.
• A report from a patient or health insurer that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.
• A complaint or question from a patient about information added to a credit report by a physician or health insurer.
• A dispute of a bill by a patient who claims to be a victim of any type of identity theft.
• A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.
• A notice or inquiry from an insurance fraud investigator for a private health insurer or a law enforcement agency, including but not limited to a Medicare or Medicaid fraud agency.
Detecting red flags
Cardiology Medical Group practice staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud. Cardiology Medical Group will verify patient identity, address, and insurance coverage at the time of patient registration/check-in.
1. When a patient calls to request an appointment, the patient (or patient’s guardian) is asked to bring the following at the time of the appointment:
• Driver’s license or another photo ID.
• Current health insurance card.
• Utility bills or other correspondence showing current residence if the photo ID does not show the patient’s current address.
2. When the patient arrives for the appointment, the patient is asked to produce the information listed above. This requirement may be waived for patients who have visited the practice within the last six months.
3. If the patient has not completed the registration form within the last six months, registration staff verifies current information on file and, if appropriate, updates the information.
4. Staff should be alert for the possibility of identity theft in the following situations:
• The photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient.
• The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.
• Information on one form of identification the patient submitted is inconsistent with information on another form of identification or with information already in the practice records.
• An address or telephone number is discovered to be incorrect, non-existent, or fictitious.
• The patient fails to provide identifying information or documents.
• The patient’s signature does not match a signature in the practice records.
• The social security number or other identifying information the patient provided is the same identifying information in the practice’s records provided by another individual, or the social security number is invalid.
Responding to red flags
If an employee of Cardiology Medical Group detects fraudulent activity or if a patient claims to be a victim of identity theft, Cardiology Medical Group will respond to and investigate the situation. If the fraudulent activity involves protected health information (PHI) covered under HIPAA security standards, Cardiology Medical Group will also apply its existing HIPAA security policies and procedures to the response.
If potentially fraudulent activity (a red flag) is detected by an employee of Cardiology Medical Group:
1. The employee gathers all documentation and reports the incident to his or her immediate supervisor or designated compliance officer/privacy official.
2. The supervisor or designated compliance officer/privacy official determines whether the activity is fraudulent or authentic.
3. If the activity is determined to be fraudulent, the office should take immediate action, including:
• Cancel the transaction.
• Notify appropriate law enforcement.
• Notify the affected patient.
• Notify affected physicians.
• Assess impact to practice.
If a patient claims to be a victim of identity theft:
1. Encourage the patient to file a police report for identity theft.
2. Encourage the patient to complete the Identity Theft Affidavit developed by the Federal Trade Commission (FTC), along with any supporting documentation.
3. The office compares the patient’s documentation with personal information in the office’s records.
4. After investigating, if it appears the patient has been a victim of identity theft, the office determines and performs further remedial action and notifications as required.
5. The physician reviews the affected patient’s medical record to confirm whether documentation was made in the patient’s medical record that resulted in inaccurate information in the record. If inaccuracies due to identity theft exist, add a notation to the record to indicate the identity theft.
6. Staff members determine whether any other records and/or ancillary service providers are linked to inaccurate information, remove additional files containing information relevant to the identity theft, and take appropriate action.
7. The office informs the patient that they are responsible for contacting ancillary service providers.