The Johns Hopkins University: University Policies
The Johns Hopkins University

Johns Hopkins University
Identity Theft Prevention Policy

This policy1 requires that all university account administrators (employees who routinely deal with student, patient or other consumer accounts) respond appropriately (as provided in this policy) to "red flags" involving a student, patient or other consumer account. A "red flag" is an event or activity that indicates possible identity theft or an attempt to use identifying information belonging to another person without permission.

I. Examples of Red Flags. The following red flag examples should be considered by account administrators when opening, maintaining or administering patient or student accounts:

Reports from credit reporting agencies containing fraud alert, credit freeze, active duty alert, address discrepancy; or other unusual activity.

Suspicious documents that appear to be altered, inauthentic or which include a photographs or physical descriptions inconsistent with the person presenting the identification, or which are inconsistent with existing student or patient records (documents with differing birth dates, an address not matching an address on a loan application);

Information presented that is consistent with fraudulent activity (such as an invalid phone number or fictitious billing address);

Social security number that is the same as one given by another student or patient;

Patient or student fails to provide complete personal identifying information on an application when reminded to do so.

Unusual account activity such as: Change of address for an account followed by a request to change the student's or patient's name; Payments stop on an otherwise consistently up-to-date account; Account used in a way that is not consistent with prior use; Mail sent to the student is repeatedly returned as undeliverable; Notice to the university that a student is not receiving mail sent by the university; notice to the university that an account has unauthorized activity; Breach in the university's computer system security; and unauthorized access to or use of student account information.

Alerts from a student, patient, consumer, law enforcement or other person that a student or patient account may be subject to identity theft.

II. Detecting Red Flags

In order to detect red flags, account administrators should verify the identity of the persons opening accounts by requiring identifying information such as name, date of birth, academic records, home address or other identification as appropriate; and by verifying the student or patient's identity at time of issuance of student or patient identification card (review of driver's license or other government-issued photo identification).

In order to detect red flags for an existing account, administrators should verify the identification of students and patients if they request information and they should verify the validity of requests to change billing addresses and changes in banking information given for billing and payment purposes.

Any time a credit report is sought in connection with student, patient or other accounts (such as prospective employees), administrators should require written verification from any applicant that the address provided by the applicant is accurate at the time the request for the credit report is made to the consumer reporting agency. In the event of notice of an address discrepancy in a credit report, administrators should verify whether the report pertains to the individual for whom the report was requested and if it is determined that the address provided by the credit reporting agency is inaccurate, report to the credit reporting agency an address that the university has confirmed is accurate.

III. Preventing and Minimizing Identity Theft

In the event of red flags, account administrators should take one or more of the following steps, depending on the circumstances:

1. Continue to monitor the student or patient account for evidence of identity theft;
2. Contact the student or patient;
3. Change any passwords or other security devices that permit access to the account;
4. Not open a new account;
5. Provide the student or patient with a new identification number;
6. Notify the program supervisor (see below) for determination of the appropriate step(s) to take;
7. Notify law enforcement;
8. File or assist in filing a Suspicious Activities Report ("SAR"); or
9. Determine that no response is warranted under the particular circumstances.
IV. Patient Accounts and Records

All university account administrators who deal with patient accounts and patient records in Johns Hopkins Medicine should review and follow the procedures outlined in "Identity Theft Prevention Program Johns Hopkins Medicine" coordinated by the Johns Hopkins HIPAA Office.

V. Questions, Reporting and Training

Questions about policy compliance and training should be directed to the following program supervisors:

Patient Accounts and Records in Johns Hopkins Medicine: HIPAA Office (Senior Counsel for HIPAA) at 410-735-6502.

Student Accounts: Appropriate Director of Financial Aid or Student Accounts.

Other types of Accounts: Chief Information Security Officer.

Account administrators should report to the appropriate program supervisor when they become aware of an incident of identity theft, or if they wish to suggest changes to the program.

1This policy complies with the Federal Trade Commissionís Red Flags Rule, which implements Section 114 of the Fair and Accurate Credit Transactions Act of 2003.


© 2009 The Johns Hopkins University. Baltimore, Maryland. All rights reserved.
Last updated 28Apr09 by