Identity Theft is one of the fastest growing crimes in the U.S. Identity theft occurs when a person obtains key pieces of personal identifying information about another individual (such as a Social Security number or a driver's license) and uses the information for their own personal gain. It can start with a lost or stolen wallet, pilfered mail, a data breach, computer virus, phishing, a scam, or paper documents thrown out by the individual or a business (dumpster diving). It may take hundreds of hours and several months for an individual to clear their good name after becoming a victim of identity theft. The cost to businesses left with unpaid bills for services or goods provided to perpetrators of identity theft is staggering.
Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity -- such as social security number or insurance information -- without the person's knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim's name. Medical insurance companies report billions of dollars are annually lost to health insurance fraud, often the result of medical identity theft. The Federal Trade Commission (FTC) reports that as many as nine million Americans have their identities stolen each year.
As part of the Fair and Accurate Credit Transactions Act of 2003, the FTC issued final rules commonly referred to as the “Red Flag Rules” that require that any financial institution or creditor that regularly extends, renews, or continues credit to implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft. The Red Flags Rule was effective November 1, 2008. Due to confusion regarding whether or not these regulations applied to non- profit organizations, such as healthcare providers and colleges/universities, the FTC postponed the “enforcement” date for the Red Flags Rule from May 1st to to August 1, 2009, to allow more time for these organizations to develop a written Identity Theft Prevention Program.
Vanderbilt University is subject to the FTC Red Flags Rule as a creditor on both the University and the Medical Center side of business. The Vanderbilt University Identity Theft Compliance Program calls for each operating unit that offers or maintains covered accounts to develop policies and procedures to prevent, detect, and mitigate identity theft.
Vanderbilt University Medical Center (VUMC) has a written policy for Identity Theft Prevention and Response. The policy includes a table of the Red Flags that are most relevant in the work flow and operational processes associated with creating, renewing, and maintaining applicable accounts covered by the regulations. At VUMC covered accounts include:
Identity Theft Prevention and Response - IM 10-30.04: defines the medical center policy and procedures to identify, detect, and respond to red flags that might signal possible identity theft.
Table of Red Flags - Detection and Mitigation Steps: provides details about trigger events and the expected response and mitigation steps.