COMMUNICATIONS AND COMMITTEES 13-02-010
IDENTITY THEFT PREVENTION PROGRAM
- POLICY STATEMENT.
- The Division of Veterans Healthcare Services (DVHS) requires each of the New Jersey Veterans Memorial Homes (VMH) to develop and implement an “Identity Theft Prevention Program”, to include Policies and Procedures, to comply with the Federal Trade Commission’s (FTC) “Identity Theft Prevention Red Flags Rule” (16 CFR § 681.2), that will identify, detect, and respond to patterns, practices, or specific activities that could indicate Identity Theft.
- This Program and these Policies and Procedures have been developed in consultation with the VMHs' Administration, Nursing, Medical Records, Social Services, Information Technology, and Business Office staff members, after conducting an assessment of the risk of Identity Theft associated with certain “Covered Accounts” (as defined below) offered by the VMHs.
- The Program is composed of four basic elements: (1) Identify Red Flags; (2) Detect the Red Flags; (3) Prevent or Mitigate the Red Flags; and (4) Update the Program. Concurrently, the Program must also address the four elements of administering the Program: (1) CEO approval; (2) committee oversight; (3) staff training; and (4) evaluation/tracking of the Program.
- PURPOSE.
The purpose of this policy is to:
- Create and implement an “Identity Theft Prevention Program” utilizing guidelines set forth in the FTC’s 16 CFR § 681.2.
- Prevent Identity Theft for the VMH residents. The VMH recognizes the responsibility to safeguard residents’ personal information within the workplace.
- Identify the relevant “Red Flags” based on the risk factors associated with the VMHs covered accounts;
- Institute policies and procedures for detecting Red Flags;
- Identify steps the VMH staff will take to prevent and mitigate Identity Theft;
- Identify which staff members require training in the steps set forth by the VMH to detect, prevent and mitigate Identity Theft for VMH residents.
- Develop a training program for those staff members identified as requiring training.
- Create a system for regular updates and administrative oversight to the Identity Theft Prevention Program.
- Identify disciplinary measures for violation of this policy.
- DEFINITIONS.
- Covered Accounts: A consumer account that allows multiple payments or transactions, including one or more deferred payments; or any other account with a reasonably foreseeable risk to residents, or to the safety and soundness of the VMH, from Identity Theft. The VMHs have two types of covered accounts:
- Members Fiduciary Account: Assets belonging to the resident. These can be viewed as a savings account.
- General Fund Revenue Account: Accounts representing bills owed to the State of New Jersey from the resident. These can be viewed as credit accounts.
- Credit: An arrangement by which you defer payments of debts or accept deferred payments for the purchase of property or services. Delayed billing for medical services is a type of credit.
- Creditor: Any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
- Customer: A resident of the Veterans Memorial Home and/or the resident’s responsible party.
- Identity Theft: Fraud committed using the identifying information of another person.
- Medical Identity Theft: A person seeks medical care using the name and/or insurance information of another person, which can result in both false billing and the potentially life-threatening corruption of a resident’s medical records.
- Red Flag: A pattern, practice, or specific activity that indicates the possible existence of Identity Theft. Distinct from data security (HIPAA).
- PROCEDURE.
- Each VMH shall establish, in a written format, an Identity Theft Prevention Committee.
- This committee shall be chaired by the VMH’s Program Administrator (see paragraph 4e2 below).
- The committee members will be appointed by the CEO and the Program Administrator.
- The committee will have the responsibility to assist the Program Administrator in all elements of the Program.
- Identification of Red Flags.
- In identifying Red Flags for covered accounts the following must be considered:
- The types of covered accounts the VMH maintains;
- The methods it provides to open its covered accounts;
- The methods it provides to access the covered accounts and its previous experiences with identity theft.
- The Red Flags generally fall within one of the following general types that could potentially signal Identity Theft in the VMH:
- Suspicious Documents
- Suspicious Personally Identifying Information
- Suspicious or Unusual Use of Covered Accounts
- Notices from Victims of Identity Theft, Residents, Resident’s Family Members, Law Enforcement Officials, Insurance Companies, or Others.
- Detection of Red Flags.
- The Program will address the procedures for detection of Red Flags in connection with the opening of covered accounts and in existing covered accounts.
- Part of the process will include obtaining identifying information about and verifying the identity of a resident opening a covered account and authenticating residents, monitoring transactions and verifying the validity of address requests pertaining to covered accounts.
- In order to facilitate the detection of Red Flags, the Supervisor of Resident Accounts and the Supervisor of Accounts/Assistant Business Manager will be notified by any staff member or resident of a possible Red Flag. The Supervisor of Resident Accounts and the Supervisor of Accounts/Assistant Business Manager will then immediately begin to take action(s) to prevent or mitigate the Red Flag as per Appendix 1 to this document.
- Preventing and Mitigating Identity Theft.
- In order to prevent and mitigate the effects of Identity Theft, appropriate responses to the Red Flags must be applied that are commensurate with the degree of risk posed.
- In determining an appropriate response, the VMH must consider aggravating factors that may heighten the risk of identity theft such as data security.
- Appropriate responses may include:
- Monitoring a covered account for evidence of identity theft
- Contacting the resident
- Changing any password, security codes, or other security devices that permit access to a covered account
- Reopening a covered account with a new account number
- Not opening a new covered account
- Closing an existing covered account
- Not attempting to collect on a covered account or not selling a covered account to a debt collector
- Notifying law enforcement
- Determining that no response is warranted under the particular circumstances
- Safeguarding Resident and Staff identifying information
- Safeguarding IT programs and sites
- Limiting access to files, file cabinets and file rooms
- Changing locks
- Safeguarding information placed on required forms to include personnel forms
- Program Administration.
- The Veterans Memorial Home CEO is responsible for developing, implementing, administering and updating the Program.
- The CEO may designate a senior level manager to administer the program.
- If a senior manager is to administer the program, that manager will present a formal briefing to the CEO annually, the date to be selected/scheduled by the CEO.
- The CEO will notify the Director, VHS of the date/time/location for the Annual Briefing.
- The CEO will determine the content of the Annual Briefing; however the Evaluation Report and the Incident Log Report must be included in the presentation.
- Generally, the Annual Briefing should consider the overall effectiveness of the Program and the four elements of the Program.
- Whenever the VMH engages a service provider to perform an activity in connection with one or more covered accounts, the VMH should take steps to ensure that the activity of the service provider is conducted in accordance with the reasonable policies outlined in the Red Flag regulations. This includes Unions that gather information on VMH employees.
- Staff Training.
- The Nurse Instructor, in conjunction with the assistant business manager, will be responsible for developing a staff training program/presentation.
- Red Flag training will be conducted for selected employees annually and for all new employees as part of orientation training.
- A roster of those attending the training will be maintained.
- Evaluation of the Program.
- The Quality Improvement (Q/I) coordinator, in conjunction with the assistant business manager, will be responsible to periodically review the effectiveness of the Program and update the Program to reflect the addition or removal of Covered Accounts and changes and risks to residents/covered account holders from Identity Theft.
- The Evaluation Report will be part of the Annual Briefing presented to the CEO by the program administrator.
- Track Incidents.
- Each VMH will establish a system for tracking incidents of Identity Theft and how these incidents were resolved.
- The Resident Account Manager will be responsible for maintaining this log.
- This Log will be part of the Annual Red Flag Brief to the CEO.
- Updating the Program.
- The VMHs shall update the Program periodically to reflect changes in risk to the residents or to the VMH itself.
- Updating the Program should be based on factors such as:
- Changes in methods of identity theft
- Changes in methods to detect, prevent and mitigate identity theft
- Changes in the types of accounts that pertain to the residents
- Changes in business arrangements or services rendered
- DISCIPLINARY ACTIONS.
- Employees found in violation of this Program will receive disciplinary actions in accordance with (IAW) the NJ DMAVA Corrective and Disciplinary Action Handbook and will be reported to local authorities.
- Residents, resident responsible parties or non-facility persons found in violation of anti-theft laws will be reported to the local authorities immediately upon discovery of a Red Flag detection.
- Persons who attempt or commit Identity Theft will be prosecuted to the fullest extent of the law.
APPENDICES.
Revised: January 2011