Identity Theft Prevention
It is the policy of Mid-Ohio Psychological Services to ensure that every effort be taken to avoid identity theft. To this end, Mid-Ohio Psychological Services will comply with Federal and State regulations and laws governing identity theft. It is the responsibility of the Executive Director and the Operations Director to develop and implement procedures to facilitate compliance with Federal and State regulations/laws to reduce the probability that identity theft can occur within the organization.
In these procedures, “staff” refers to all agency staff members including non-paid staff such as interns and volunteers.
Staff will ask clients to provide identification at the first session.
Staff will request documentation of identity and make copies of the documentation provided:
- Examples of evidence of identity include but are not limited to: Driver’s license, passport, or other government issued photo ID.
- If the photo ID does not have current address, staff will request a utility bill, lease, or other evidence of current address.
- Current insurance, Medicare, or Medicaid card.
Staff will verify that the ID photo looks like the client and that other descriptions in the ID, like height and weight, appear to be correct
Copies of this information shall be kept in the client’s file.
Clinical and Support Staff will be alert to and act on evidence of fraud.
Staff shall be alert to suspicious activity such as:
- Identification documents that appear altered or forged
- Information provided by the client is inconsistent e.g., information on one form of identification submitted is different from information on another form of identification (such as age, address, occupation)
- Suspicious change of address notice (for example a move from an expensive to an inexpensive neighborhood)
- Evidence that paper or electronic records may have been compromised, for example, you discover that a staff member accessed client files without authorization, or that locked client files haven been broken into.
Staff shall act upon suspicious activities or evidence of identity theft as appropriate by:
- Checking with other members of the agency regarding suspicious events. For example, if staff receives a suspicious change of address notice, staff will ask the clinical staff treating that client to consider whether such a change is consistent with information the client has reported in treatment.
- Contacting the client to verify suspicious information
- If there is still a suspicion of identity theft after taking the verification steps above, contacting local law enforcement after obtaining the client’s permission.
- Changing password on electronic record accounts that may have been compromised
- Notifying clients where it appears that they may have been victims of identity theft.
The agency will respond to reports of identity theft by reporting concerns to clients, law enforcement, and others as appropriate.
The agency will ensure that support and clinical staff are trained on implementing the policies,
- Support and clinical staff will be trained in the implementation of these policies
- Support and clinical staff will be required to review this policy and procedure annually
The agency will have business associates Red Flag Agreements. The agency will determine whether it has business associate who handles client information, e.g., billing services, collection agencies, accountants, It will ask those business associates to do one of the following:
- Sign an addendum to the business associates contract that the agency already has in place as part of HIPAA Privacy Rule/Security Rule compliance; or if no business associates contract is in place,
- Sign a standalone agreement, or
- Provide a copy of its own Red Flags Program and state that such Program meets the requirements of the Federal Red Flag Rules.
The agency will re-evaluate these procedures periodically. The agency will annually re-evaluate whether these policies and procedures are effective and appropriate for detecting and preventing identify theft in light of the agency’s actual experience with actual or suspected identity theft and in light of any new information learned by the agency regarding identity theft risks.