Identity Theft Prevention Policy Responds to “Red Flags Rule”
The Fair and Accurate Credit Transactions Act of 2003, an amendment to the Fair Credit Reporting Act, required rules regarding identity theft protection to be promulgated. Those rules (known as the “Red Flags Rule”), which became effective November 1, 2008, require creditors, including healthcare providers, to implement an identity theft prevention program and policy.
Philadelphia Health & Education Corporation, d/b/a Drexel University College of Medicine has adopted a policy for identity-related information, which it has determined to be in the best interest of the College of Medicine and its patients. The Identity Theft Prevention Policy is a component (Policy IM-22) of the HIPAA Privacy and Security Program and Policies, and addresses the specific issue of identity theft prevention. The policy became effective on February 17, 2009.
The College of Medicine adopted this policy to enhance our existing privacy and security programs to detect, prevent and mitigate identity theft and to help protect patients, students, and employees of the College of Medicine from damages related to the loss or misuse of identity-related information. Training will be developed to enable members of the College community to recognize the red flags that indicate potential identity theft and to respond effectively.
The risk to the College of Medicine, its patients, students, and employees from data loss and identity theft is of significant concern to the College and can be reduced only through the combined efforts of every employee, student, contractor, and business associate.
Encryption and the Use of Minimum Necessary Protected Health Information
We appropriately place a priority on protecting the health information of our patients in the ongoing production and use of medical records. To assist everyone in protecting patient information, we have deployed the Voltage encryption tool to secure internal- and external-bound email that contains such protected health information.
A sure way each of us can reduce the risk of compromising our information security posture is to both encrypt and follow the HIPAA “minimum necessary” principle and our Privacy Program Policy IM-02. The minimum necessary principle states that only the least amount of information needed to complete a task should be used, so that disclosure of protected health information is limited to what the task requires. Simply stated, one should never create spreadsheets, logs, or lists for administrative tracking, review, or analysis that contain personally identifiable patient information. Key data elements, including the Social Security number, birth date and diagnoses, should be dropped from data requests and erased from initial downloads if they are not required for the work being completed. An individual's access to protected information should not exceed the level needed to perform assigned job responsibilities effectively.
The extension of risk in the electronic and digital age has moved beyond breach of patient confidentiality of healthcare information. Identity theft has come to include the theft of healthcare services by someone who criminally assumes another person's identity in order to use stolen insurance information. State laws now also protect the individual when a data breach occurs. The healthcare provider and support staff are a key link in the ever-vigilant chain that provides identity theft protection from the time information is collected, through its use, to its appropriate destruction when due.
Be sure to review your daily processes and identify areas where the use of encryption and a reduction in the use of protected information could increase the level of information protection. Using encryption, and only the minimum information necessary to complete the task, is our best defense against loss of protected information.