Identity Theft Prevention Policy
This policy1 requires that all university account administrators (employees who routinely deal with student, patient or other consumer accounts) respond appropriately (as provided in this policy) to "red flags" involving a student, patient or other consumer account. A "red flag" is an event or activity that indicates possible identity theft or an attempt to use identifying information belonging to another person without permission.
I. Examples of Red Flags. The following red flag examples should be considered by account administrators when opening, maintaining or administering patient or student accounts:
Reports from credit reporting agencies containing fraud alert, credit freeze, active duty alert, address discrepancy; or other unusual activity.II. Detecting Red Flags
In order to detect red flags, account administrators should verify the identity of the persons opening accounts by requiring identifying information such as name, date of birth, academic records, home address or other identification as appropriate; and by verifying the student or patient's identity at time of issuance of student or patient identification card (review of driver's license or other government-issued photo identification).
In order to detect red flags for an existing account, administrators should verify the identification of students and patients if they request information and they should verify the validity of requests to change billing addresses and changes in banking information given for billing and payment purposes.
Any time a credit report is sought in connection with student, patient or other accounts (such as prospective employees), administrators should require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency. In the event of notice of an address discrepancy in a credit report, administrators should verify whether the report pertains to the individual for whom the report was requested and if it is determined that the address provided by the credit reporting agency is inaccurate, report to the credit reporting agency an address that the university has confirmed is accurate.
III. Preventing and Minimizing Identity Theft
In the event of red flags, account administrators should take one or more of the following steps, depending on the circumstances:
1. Continue to monitor the student or patient account for evidence of identity theft;IV. Patient Accounts and Records
All university account administrators who deal with patient accounts and patient records in Johns Hopkins Medicine should review and follow the procedures outlined in "Identity Theft Prevention Program Johns Hopkins Medicine" coordinated by the Johns Hopkins HIPAA Office.
V. Questions, Reporting and Training
Questions about policy compliance and training should be directed to the following program supervisors:
Patient Accounts and Records in Johns Hopkins Medicine: HIPAA Office (Senior Counsel for HIPAA) at 410-735-6502.Account administrators should report to the appropriate program supervisor when they become aware of an incident of identity theft, or if they wish to suggest changes to the program.
GO TO JOHNS HOPKINS UNIVERSITY POLICIES
GO TO JHUNIVERSE
© 2009 The Johns Hopkins University.
Baltimore, Maryland. All rights reserved.