The URL can be used to link to this page

Backup Documents 01/26/2010 Item #16F2 ORIGINAL DOCUMENTS CHECKLIST & ROUTING SLiB4>ft Z TO ACCOMPANY ALL ORIGINAL DOCUMENTS SENT TO THE BOARD OF COUNTY COMMISSIONERS OFFICE FOR SIGNATURE Print on pink paper. Attach to original document. Original documents "hould be hand delivered to the Board Oflicc. The completed wuting slip and original documents are to he t()rwarded to the Board Ofiice onl\' !!olttr'the Board has tak~-n action on the item.) ROUTING SLIP Complete routing lines # I through #4 as appropriate for additional signatures, dates, and/or infonnation needed. If the document is already complete with the excention of the Chainnan's si~ature, draw a line throuel1 routinp: lines #1 throullh #4, comnlete the checklist, and forward to Sue Filson lineNS). Route to Addressee(s) Office Initials Date (List in roUtinD order) 1. 2. 3. 4. 5. Ian Mitchell, Supervisor Board of County Commissioners ~ y 2&>(,0 6. Minutes and Records Clerk of Court's Office PRIMARY CONTACT INFORMATION (The primary contact is the holder of the original-documCIIt pending Bee approval. Normally the primary rontact is the person who createdlprepared1he executive summary. Primary contact information is needed in the event one of the addressees above, including Sue Filson, need to contact staff for additional or missing information. All original docwnents needing the BeC Chairman's signature are to be delivered to the BCe office only after the BeC has acted to approve the item.) Name of Primary Stafr Artie Bay Phone Number 252-3740 Contact Agenda Date Item was 1126110 Agenda Item Number 16F2 Aooroved bv the BCC Type of Document Identity Theft Prevention & Mitigation Number of Original I Attached Provram Documents Attached I. INSTRUCTIONS & CHECKLIST Initial the Yes column or mark "NI A" in the Not Applicable column, whichever is a 0 'ate. Original document has been signed/initialed for legal sufficiency. (All documents to be signed by the Chairman, with the exception of most letters, must be reviewed and signed by the Office of the County Attorney. This includes signature pages from ordinances, resolutions, etc. signed by the County Attorney's Office and signature pages from contracts, agreements, etc. that have been fully executed by all parties except the BCC Chairman and Clerk to the Board and ossibl State Officials. All handwritten strike-through and revisions havc been initialed by the County Attorney's Office and all other ies exce t the BCC Chairman and the Clerk to the Board The Chairman's signature line date has been entered as the date of BCe approval ofthe document or the finaI ne otiated contract date whichever is a licable. "Sign here" tabs are placed on the appropriate pages indicating where the Chairman's si lure and initials are r uired. In most cases (some contracts are an exception), the original document and this routing slip should be provided to Sue Filson in the BCC office within 24 hours of BCC approval. Some documents are time sensitive and require forwarding to Tallahassee within a certain time frame or the BCC's actions are nullified. Be aware of our deadlines! The document was approved by the BeC on_1126110_(enter date) and all changes made during the meeting have been incorporated in the attached document. The Coun Attome's Ofl'tce has reviewed tbe chan es, if a Ikable. (iP tfl 2. 3. 4. 5. 6. I: FonnsJ County Fonns/ Bce Forms/ Original Documents Routing Slip wws Original 9.03.04, Revised] .26.05, Revised 2.24.05 16F 2 MEMORANDUM Date: January 27, 2010 To: Artie Bay EMS, Operations Analyst From: Martha Vergara, Deputy Clerk Minutes & Records Department Re: Identity Theft Prevention & Mitigation Attached please find one (1) copy of the original document referenced above, (Agenda Item #16F2) approved by the Collier County Board of County Commissioners on Tuesday, January 26, 2010. The original is being kept by Minutes and Records as a part of the Boards official records. If you have any questions, please call me at 252-7240. Thank you. 16F 2 IDENTITY THEFT PREVENTION AND MITIGATION PROGRAM FOR COLLIER EMSIFIRE I. PUfIlose and Overview A. The purpose of this PolicylProeedure ("Policy") is to assure that Collier EMSlFire ("Provider") maintains compliance with the requirements regarding the prevention, detection and mitigation of Identity Theft as set forth in the federal regulations known as the "Red Flag Rules.'" I. "Identity Theft" means a fraud committed or attempted using the identifYing information of another person without authority. This includes ""Medicalldentity Theft," i.e., Identity Theft committed for the purpose of obtaining medical services, such as the use of another person's insurance card or number. Although Medical Identity Theft may occur without the knowledge of the individual whose medical identity is stolen, in some cases the use of an individual's medical identity may occur with the knowledge and complicity of that individual. B. The Policy sets forth the steps Provider will take in implementing a program for detecting, preventing and mitigating Identity Theft (the "Program") in connection with Covered Accounts, as required by the Red Flag Rules. "Covered Account" means: I. An account that Provider offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and 2. Any other account that Provider offers or maintains for which there is a reasonably foreseeable risk to individuals or to the safety and soundness of Provider from identity theft, including financial, operational, compliance, reputation or litigation risks. C. Section 11 of this Policy describes the risk assessment Provider shall conduct at the inception of the Program and annually thereafter. Section 1Il sets forth the "Red Flags" (i.e., warning signs) that may alert Provider personnel to the possible existence of Identity Theft in the course of Provider's day to day operations. Section IV sets forth the procedure Provider will follow in attempting to detect those Red Flags. Section V sets forth the procedures Provider will follow in responding appropriately to Red Flags that are detected, in order to prevent and mitigate Identity Theft. Section VI sets forth the procedures Provider will take in responding to a claim by an individual that he has been a victim of , See 16 C.F .R. S 681.2, as supplemented by the Interagency Guidelines on Identity Theft Detection, Prevention and Mitigation set forth in Appendix A of 16 C.F .R. Part 681 ("Guidelines") and the Supplement thereto. 1 16F 2 Identity Theft. Section VII describes how Provider will administer the Program. Section VIll describes the annual updating of the Program. D. Questions regarding this Policy or the Program shall be directed to the Program Compliance Officer designated pursuant to Section VII. II. Risk Assessment A. Upon initial implementation of the Program, and annually thereafter as a part of the annual update described in Section VllI of this Policy, Provider shall determine whether it maintain Covered Accounts. As part of that determination, Provider shall conduct a risk assessment to determine whether it offers or maintains Covered Accounts that carry a reasonably foreseeable risk of Identity Theft, including financial, operational, compliance, reputation or litigation risks. The risk assessment shall take into consideration: I. The methods Provider provides to open its accounts; 2. The methods it provides to access it accounts; and 3. Its previous experiences with Identity Theft. Ill. Identification of Red Flags A. A "Red Flag" is a pattern, practice or specific activity that indicates the possible existence of Identity Theft. In other words, a Red Flag is a waming sign regarding the possibility ofldentity Theft. B. In identifying Red Flags relevant to its operations, Provider has: I. Reviewed the examples of Red Flags found in the Red Flag Rules (see the Supplement to the Guidelines); 2. Considered the factors specified in Section Il(A) above; and 3. Incorporated Red Flags from sources such as changes in Identity Theft risks of which Provider becomes aware and applicable regulatory guidance. C. Based on the process specified in Section llI(B) above, Provider has identified the following situations as Red Flags that should alert Provider personnel to the possibility of Identity Theft: I. A patient submits a driver's license, insurance card or other identifying information that appears to be altered or forged; 2. The photograph on a driver's license or other government-issued photo I.D. submitted hy a patient does not resemble the patient; 2 16F 2 3. Information on one form of identification submitted by a patient is inconsistent with information on another form of identification, or with information already in Provider's records or information obtained from other sources such as a consumer credit data base; 4. A patient has an insurance member number but no insurance card; 5. The Social Security Number ("SSN") or other identifYing information furnished by a patient is the same as identifYing information in Provider's records furnished by another patient; 6. The SSN furnished by a patient has not been issued, is listed on the Social Security's Administration's Death Master File or is otherwise invalid. The following numbers are always invalid: I . The first 3 digits are in the 800, 900 or 000 range, or in the 700 range above 772, or are 666; 2. The fourth and fifth digits are 00; or 3. The last four digits are 0000; 7. The address given by a patient does not exist or is a post office box, or is the same address given by an unusually large number of other patients; 8. The phone number given by the patient is invalid or is associated with a pager or an answering services, or is the same telephone number submitted by an unusually large number of other patients; 9. The patient refuses to provide identifYing information or documents; 10. Personal identifYing information given by a patient is not consistent with personal identifYing information in Provider's records, or with information provided by another source such as an insurance company or consumer credit database; II. A patient's signature does not match the signature on file in Provider's records; 12. A patient contacts Provider [or Provider's billing service] and indicates that he or she has received an invoice, explanation of benefits or other documents reflecting a transport that the patient claims was never received; 13. Mail correspondence is returned to Provider [or Provider's billing service] despite continued activity associated with that mailing address; 14. Provider [or Provider's billing service] receives a warning, alert or notification from a credit reporting agency, law enforcement or other credible source regarding a patient or a patient's insurance information; 3 16F 2 15. Provider or a Services Provider has suffered a security breach, loss of unprotected data or unauthorized access to patient information; 16. An insurer denies coverage due to a lifetime benefit limit being reached or due to an excessive volume of services; 17. A discrepancy exists between medical or demographic information obtained by Provider from the patient and the information found in health facility records; 18. Attempts to access an account by persons who cannot provide authentication information; 19. Other relevant indication of Identity Theft fraud; D. Provider shall update the foregoing list of Red Flags as part of its annual update of the Program. E. All Provider personnel have an affirmative obligation to be vigilant for any evidence of a Red Flag and to notify their immediate supervisor, or the Program Compliance Officer, to report the Red Flag. N. Procedures for Identifying Red Flags Provider personnel will follow the following procedures in order to detect the Red Flags indicated above, which indicate the possibility of Identity Theft. A. The process of confirming a patient's identity should never delay the delivery of urgent or emergently needed medical care. When a patient's condition permits collection of demographic information and documentation, medical transport crews shall request, in addition to an insurance card, a driver's license or other form of government issued photographic personal identification. If the patient lacks such photographic identification, medical transport personnel shall: I. Request other form of identification, such as a credit card; and/or 2. Ask a family member or other person at the scene who knows the patient to verify the patient's identity. B. Billing personnel, in the course of creating and processing claims, and verifying patient information, shall be alert for the existence of any of the Red Flags listed in Section III above. C. Before providing information regarding an account, or making any change to an address or other information associated with an account, the requester shall be required to provide the social security number, full name, date of birth and address of the patient. If the requester makes the request in person, a driver's license or other government issued photographic identification shall be requested. 4 16F 2 D. In the event medical transport personnel or billing encounter a Red Flag, the existence of the Red Flag shall be brought to the prompt attention of the individual's supervisor or the Program Compliance Officer so that it can be investigated and addressed, as appropriate, in accordance with the procedures set forth in Section V, below. V. ResDOnding to Red Flag.s A. When a Red Flag is detected, Provider personnel shall investigate the situation, as necessary, to determine whether there is a material risk that Identif'y Theft has occurred or whether there is a benign explanation for the Red Flag. The investigation shall be documented in accordance with Provider's incident reporting policy. If it appears that Identity Theft has not occurred, Provider may determine that no further action is necessary. B. Provider's response shall be commensurate with the degree of risk posed by the Red Flag. In determining an appropriate response, Provider shall consider aggravating factors that may heighten the risk of Identity Theft, such as a data security incident that results in unauthorized access to a patient's account records, or notice that a patient has provide information related to a Provider account to someone fraudulently claiming to represent Provider or to a fraudulent website. C. If it appears that Identity Theft has occurred, the following steps should be considered and taken, as appropriate: I. Except in cases where there appears to be obvious complicity by the individual whose identity was used, promptly notif'y the victim of Identity Theft, by certified mail, using the Identity Theft Patient Notice Letter developed by Provider. Notification may also be provided by telephone, to be followed by a mailed letter; 2. Place an Identity Theft Alert on all patient care reports ("PCRs") and financial accounts that may have inaccurate information as a result of the Identity Theft; 3. Discontinue billing in the account and/or close the account; 4. Reopen the account with appropriate modifications, including a new account number; 5. If a claim has been submitted to an insurance carrier or government program ("Payor") in the name of the patient whose identity had been stolen, notif'y the Payor, withdraw the claim and refund any charges previously collected from the Payor and/or the patient; 6. If the account has been referred to collection agencies or attorneys, instruct the collection agency or attorneys to cease collection activity; 5 16F 2 7. NotifY law enforcement and cooperate in any investigation by law enforcement; 8. Request that law enforcement notifY any health facility to which the patient using the false identity had been transported regarding the Identity Theft; 9. If an adverse report has been made to a consumer credit reporting agency regarding a patient whose identity had been stolen, notifY the agency that the account was not the responsibility of the individual; 10. Correct the medical record of any patient of Provider whose identity was stolen, with the assistance of the patient as needed; II. If the circumstances indicate that there is no action that would prevent or mitigate the Identity Theft, no action need to be taken. VI. Investigation of Reoort bv a Patient ofldentitv Theft A. If an individual claims to have been a victim of Identity Theft (e.g., the individual claims to have received a bill for a transport he did not receive), Provider [or its billing service] shall investigate the claim, Authentication of the claim shall require a copy of a Police Report and either: I. The Identity Theft affidavit developed by the FTC, including supporting documentation; or 2. An Identity Theft affidavit recognized under state law. B. Provider personnel shall review the foregoing documentation and any other information provided by the individual and shall make a determination as to whether the report of Identity Theft is credible. c. The individual who filed the report shall be informed in writing of Provider's conclusion as to whether Provider finds the report credible. D. If following investigation, it appears that the individual had been a victim of Identity Theft, Provider will take the appropriate actions as indicated in Section V of this Policy. E. If, following investigation, it appears the report of Identity Theft was not credible, the individual shall be notified and Provider may continue billing on the account, upon approval of the Program Compliance Officer. The account shall not be billed without such approval. 6 16F 2 VII. Administration of the Program A. The Program and all material changes thereto, shall be approved by Provider's Governing Board. (the "Oversight Body"). B. A designated employee at the level of senior management shall be designated by the Oversight Body as the Program Compliance Officer and shall be responsible for the oversight, development and implementation of the Program. C. Provider shall train staff, as needed, to effectively implement the Program. The following categories of personnel shall be trained in the implementation of the Program: I. All medical transport personnel; 2. All billing office personnel; 3. All management personnel. D. Initial training shall occur by April 10, 20 I 0, for all current personnel. Newly hired personnel shall be trained in the implementation of the Program as part of their standard compliance and HIP AA training. "Refresher" training shall be included in the annual compliance and HIP AA training given to Provider personnel, and may be given to specific employees from time to time on an "as needed" basis. E. Provider shall exercise appropriate and effective oversight of all arrangements involving a service provider whose duties include opening, monitoring or processing patient accounts, or performing other activities which place them in a position to prevent, detect or mitigate Identity Theft ("Service Providers"). Each Service Provider shall be required to execute an amendment or addendum to its service agreement or business associate agreement that requires it to: I . Implement a written Identity Theft Program that meets the requirement of the "Red Flag Rules;" 2. Provide a copy of such Program to Provider no later June 20, 20 I 0; 3. Provide copies of all material changes to such Program on an annual basis; and 4. Either report all Red Flags that it encounters to Provider, or take appropriate steps to prevent or mitigate the Identity Theft. F. The Program Compliance Officer shall report to the Oversight Body, on an annual basis, on compliance with the Program. The report shall address material matters related to the Program and evaluate issues such as: I. The effectiveness of the Program in addressing the risk of Identity Theft; 7 16F 2 2. Service Provider arrangements; 3. Significant incidents involving Identity Theft and Provider's response; 4. Recommendations for material changes to the Program. Vlll. Annual Update of the Program The program will be reviewed, revised and updated on an annual basis. In performing such update, Provider shall consider: A. Provider's experience with Identity Theft over the period since the last revision of the Program; B. Changes in methods of Identity Theft, or in methods to detect, prevent and mitigate Identity Theft; C. Changes in Provider's technology and operations, including any new electronic health records or financial software programs implemented by Provider; and D. Changes in business arrangements of Provider, including but not limited to changes in its relationships with Service Providers. Identity Theft Prevention Program Review and Approval: This plan and Program has been reviewed and adopted by the Board of County Commissioners of Collier County, Florida, on this c5:i( Q th day of January, 201(1. ATTEST: BOARD OF COUNTY COMMISSIONERS OF COLLIER COUNTY, FLORIDA DWIGH11E;BRf>,.,cK, CLERK ,~ '.' -. -~ /, ~.""", ~,.,., . . '~. . . ~ te~t(~~ toCM:..1.' l1QA4tur1r~~~)' . By: '1uJ-wc+ FRED W. COYLE, CHAIRMAN Approval as to form and legal r:i;e~ Deputy County Attorney 8