Responsibility for developing, implementing and updating this Program lies with the Piedmont University Information Technology. Service Provider Arrangements. In the event the University engages a service provider to perform an activity in connection with one or more Covered Accounts, the University will take the following steps to ensure the service provider performs its activity in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
Non-disclosure of Specific Practices. For the effectiveness of this program, knowledge about specific Red Flag identification, detection, mitigation and prevention practices will be limited to those employees with a need to know them.
Each program must contain reasonable policies and procedures to: Identify relevant Red Flags for new and existing covered accounts; Incorporate business practices to detect Red Flags; Prevent and mitigate identity theft with an appropriate response; and Ensure the Program is updated periodically to reflect changes in risks to students or to the safety and soundness of the student from identity theft. Alerts from Others Notice to the University from a student, identity theft victim, law enforcement or other person that the University has opened or is maintaining a fraudulent account for a person engaged in identity theft.
Existing Accounts: in order to detect any of the Red Flags identified above for an existing covered account, University personnel will take the following steps to monitor transactions on an account: Detect Verify the identification of students if they request information in person, via telephone, via facsimile, via email; Verify the validity of requests to change billing addresses by mail or email and provide the student a reasonable means of promptly reporting incorrect billing address changes; Verify changes in banking information given for billing and payment purposes; and Review and scrutinize all documents for identification of any possible Red Flags upon any receipt of electronic or non-electronic transmission containing student, parent or guarantor identifying information.
Existing Covered Accounts In order to detect any of the Red Flags identified above for an existing Covered Account, University personnel will take the following steps to monitor transactions on an account: 1. Consumer Report Requests When a user of any consumer credit report receives a notice of address discrepancy from any of the consumer credit reporting agencies, the user must: 1.
Preventing and Mitigating Identity Theft In the event University personnel detect any identified Red Flags, such personnel shall take one or more of the following steps, depending on the degree of perceived risk posed by such Red Flag(s): A. Prevent and Mitigate 1. Continue to monitor a Covered Account for evidence of Identity Theft; 2. Change any password or other security devices that permit access to such Covered Accounts; 3. Notify law enforcement; 5.
Notify the Customer who is the account holder; or 6. Determine that no response is warranted under the particular circumstances. Ensure that its websites are secure and that appropriate data is encrypted; 2. Ensure that system access to Covered Account information is password protected; and 3. Maintain appropriate Employee training as outlined below. Program Administration A. Employee Training and Reports Under the direction of the Program Administrator, documentation shall be created to train appropriate Employees in the detection of Red Flags and the responsible steps to be taken when a Red Flag is detected.
Provided by Finance. You may be using programs to monitor transactions, identify behavior that indicates the possibility of fraud and identity theft, or validate changes of address.
If so, incorporate these tools into your program. When you spot a red flag, be prepared to respond appropriately. Your response will depend on the degree of risk posed. It may need to accommodate other legal obligations, like laws about providing and terminating service.
The facts of a particular case may warrant using one of these options, several of them, or another response altogether. Consider whether any aggravating factors raise the risk of identity theft.
The Rule recognizes that new red flags emerge as technology changes or identity thieves change their tactics, and requires periodic updates to your program.
Factor in your own experience with identity theft; changes in how identity thieves operate; new methods to detect, prevent, and mitigate identity theft; changes in the accounts you offer; and changes in your business, like mergers, acquisitions, alliances, joint ventures, and arrangements with service providers. Your Board of Directors — or an appropriate committee of the Board — must approve your initial plan.
The Board may oversee, develop, implement, and administer the program — or it may designate a senior employee to do the job. Remember that employees at many levels of your organization can play a key role in identity theft deterrence and detection.
In administering your program, monitor the activities of your service providers. One way to make sure your service providers are taking reasonable steps is to add a provision to your contracts that they have procedures in place to detect red flags and either report them to you or respond appropriately to prevent or mitigate the crime.
Other ways to monitor your service providers include giving them a copy of your program, reviewing the red flag policies, or requiring periodic reports about red flags they have detected and their response. As a result, the Guidelines are flexible about service providers using their own programs as long as they meet the requirements of the Rule. The person responsible for your program should report at least annually to your Board of Directors or a designated senior manager.
The Red Flags Rule is published at 16 C. See also 72 Fed. The preamble B pages 63,, — discusses the purpose, intent, and scope of coverage of the Rule. The text of the FTC rule is at pages 63,, The Rule includes Guidelines B Appendix A, pages 63,, — intended to help businesses develop and maintain a compliance program. The Supplement to the Guidelines — page 63, — provides a list of examples of red flags for businesses and organizations to consider incorporating into their program.
See 16 C. Recoveries from suspect. Accounting for inappropriate disclosures of protected health information. When patient misidentification occurs. Documenting identity theft or patient misidentification.
The Department of Human Resources will ensure that all new members of the workforce partake in Identity Theft Prevention training within one month after the person joins the workforce. School or Unit Privacy Liaisons will ensure retraining of the workforce whose functions are affected by a material change in the policies and procedures within a reasonable period after the change becomes effective.
The Chairpersons and Dean shall be responsible for communicating and enforcing the above policy as it relates to persons involved in patient contact. The Clinical Affairs and Deans, shall be responsible for communicating and enforcing the above policy as it relates to persons involved in Faculty Practice and patient care. The Director of Purchasing or his or her successors shall be responsible for communicating and enforcing the above policy as it relates to contractors, agents, business associates, and others associated with or supporting RowanSOM.
The program is subject to periodic audit. Documentation Documentation evidencing implementation of the Identity Theft Prevention Program, including complaints, training, sanctions, auditing, etc. Enforcement: The Deans, Vice Presidents and Directors, with the assistance of the Department of Human Resources, will enforce the sanctions appropriately and consistently.
Computer network intrusion 2. Hospital-based providers — data compromise by hospital employee 3. Hospital-based providers — data compromise by company employee 4.
Patient credit card payments — employee theft of credit card information 9. Practice paper records billing company office — mishandled or stolen [see above]. Patient telephone inquiry to practice — alleges services not theirs, provider unknown, etc. Insurer inquiry to practice — insured address does not match their records. Insurer inquiry to billing company — insured address does not match their records. Collection agency reports inconsistencies in address, SSN, phone, employment, etc.
Patient or Guarantor calls to report their identity has been compromised. Contact from Credit Bureau(s) about a patient who has reported identity theft. Suspicious activity within an on-line payment portal — hosted by the practice. Suspicious activity within an on-line payment portal — hosted by the billing company or vendor.