4.5.1 Identity Theft Prevention, Detection and Mitigation Program

A. Purpose

POLICY OVERVIEW

The University of Texas at Tyler will develop, maintain and update an Identity Theft Prevention, Detection and Mitigation Program (“Program”) to detect, prevent and mitigate identity theft in accordance with the 16 CFR 681.2, the Federal Trade Commission’s “Red Flag Rules.”

B. Persons Affected

All employees of The University of Texas at Tyler and third party service providers.

C. Definitions

Account: Any continuing relationship between the University and an Account Holder that permits the Account Holder to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.

Account Holder: Student, Employee, Retired Employee, Patient or other person that has a Covered Account held by or on behalf of the University.

Covered Account: An Account the University offers or maintains or is offered or maintained by a vendor or other third party on behalf of the University primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and any other Account the University offers or maintains for which there is a reasonably foreseeable risk to an Account Holder or to the safety and soundness of the University from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts include, but are not limited to: student loan and tuition accounts; patient medical service Accounts; Accounts associated with employee benefits; student debit cards; and meal plans.

Identity Theft: Any use or attempt by an individual to use another person’s individual identifying information to obtain a thing of value including: money; credit; items; or services, such as medical care or education services; to which the individual is not entitled.

Individual Identifying Information: Any information that may be used alone or with other information to identify an individual, including, but not limited to: (1) name; social security number, date of birth, telephone/cell number, government issued driver’s license or identification number, alien registration number, passport number, employer or taxpayer identification number, credit/debit/banking account numbers; (2) unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation; or (3) unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.

Red Flag: Suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur or is occurring in connection with the University’s Covered Accounts.

Responsible Party: Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with the University’s Program.

D. Policy and Procedures

PROCEDURES

  1. Responsible Party

    The University President shall appoint a Responsible Party.

    The Responsible Party will develop a written Identity Theft Program that requires each department or office within the University to conduct a risk assessment to determine what university accounts, within the responsibility of the department or office, are considered covered accounts. The risk assessment must take into consideration the method the university provides to open its accounts; the method the University provides to access its accounts; and the University’s previous experiences with identity theft. The Responsible Party, as appropriate, may incorporate into the Program any existing policies and procedures that promote the purpose of the Program. The Responsible Party may also incorporate information security tools currently available at the University, to the extent these tools can assist with implementation of the Program. The

    University President must approve the initial Identity Theft Program.

  2. Elements of an Identity Theft Program 

    The Program must include:

    1. A list of all departments and offices identified as holding Covered Accounts that are subject to the Program, and the officer or employee responsible for oversight, compliance and periodic risk assessment to keep the Program up to date and to keep the department or office in compliance with the Program and the Red Flag Rules.

    2. Identification of the relevant "Red Flags" associated with the Covered Accounts within each department and office

    3. Practices and procedures designed to:

      1. detect the presence of Red Flags in connection with all covered accounts that the program incorporates;

      2. respond appropriately to detected red flags to determine if identity theft is occurring or may occur;

      3. prevent the occurrence or terminate the on-going identity theft if possible iv. mitigate any identity theft that has occurred;

    4. A requirement that all university departments and offices periodically, but no less than annually, conduct a risk assessment to determine if they have become responsible for Covered Accounts that require the department or office to be added to the Program.

    5. A requirement that the Program be reviewed and updated periodically, but no less than annually, to reflect changes in risk associated with Identity Theft by performing an assessment of the experiences of each department or office since the previous review with:

      1. incidents of Identity Theft occurring since the last review;

      2. changes in methods of identity theft;

      3. changes in the type of accounts that the department or office maintains; and

      4. changes in methods to detect prevent and mitigate identity theft.

    6. A requirement that the University must provide initial training and periodic additional training of all University staff as necessary to implement and enforce the Program effectively.

    7. A requirement that the Responsible Party make periodic reports to an appropriate officer or committee to ensure compliance with the Program.

  3. Possible Red Flags

    Possible "Red Flags" in connection with establishment of a Covered Account may include:

    1. Address discrepancies

    2. Presentation of suspicious documents

    3. Photograph or physical description on the identification that is not consistent with the appearance of the person presenting the identification

    4. Individual Identifying Information provided by a person to establish a Covered Account that is not consistent with other personal identifying information on file with the University

    5. Documents provided for identification that appear to have been altered or forged. Possible “red flags” in connection with an existing account may include:

    6. Any unusual or suspicious activity related to Covered Accounts

    7. Notification from account holders, law enforcement, or service providers of unusual activity related to a Covered Account

    8. Notification from a credit bureau of fraudulent activity regarding a Covered Account

    9. A complaint or question from an Account Holder based on the Account Holder’s receipt of:

      1. a bill for another individual

      2. a bill for a product or service that the Account Holder denies receiving

      3. a bill from a health care provider that the Account Holder denies patronizing; or

      4. a notice of health plan benefits or other third party payor payments made on behalf of an Account Holder (such as an Explanation of Benefits) for health services the Account Holder never received.

    10. Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the Account Holder.

    11. A complaint or question from an Account Holder about the receipt of a collection notice from a bill collector.

    12. An Account Holder or third party payor report that coverage for legitimate hospital stays is denied because benefits have been depleted or a lifetime cap has been reached.

    13. A complaint or question from an Account Holder about information added to a credit report by a health care provider or third party payor.

    14. A dispute of a bill by an Account Holder who claims to be the victim of any type of Identity Theft.

    15. An Account Holder who claims to have a health plan or other third party coverage or eligibility but never produces an identity card or other physical documentation of the coverage or eligibility.

    16. A notice or inquiry from an insurance fraud investigator for a private insurance company or a state or federal regulatory or law enforcement agency.

    17. A statement from an account holder that a bill or Explanation of Benefits was never received and the address on file is incorrect.

    Possible methods of detection of "Red Flags” include:

    1. Requiring each Account Holder to provide photo identification at each “in person” encounter, and in the case of an Account Holder seeking medical services or products, requiring a copy of the third party payor identification card at each encounter. Note: This detection method may not be appropriate for minors, indigent patients with no insurance, and emergency cases. Each department or office should determine in the risk assessment if requesting identification is unduly burdensome on their account holder population in light of the risk of Identity Theft in that population.

    2. Requiring multi-factor identification before conducting any transaction relating to a Covered Account with an Account Holder over the telephone.

    3. Requiring that on-line transactions come through a secure, password protected portal or in the case of a University employee, a verifiable, secure password protected University e-mail account.

    4. Thoroughly following up on each billing inquiry from Account Holders, especially inquiries regarding care that was not received, bills for individuals not covered by the Covered Account or policies held, or bills from other health care providers that the Account Holder never visited.

    5. Periodically auditing medical records to ensure that treatment is consistent for a single individual.

  4. Prevention and Mitigation

    Appropriate responses to prevent or mitigate identified possible or actual Identity Theft may include:

    1. Placing an alert on the record to make all applicable University employees aware that there may be a problem. In some cases, an alert may be requested by the Account Holder.

    2. Change any passwords or other authenticating codes related to the Covered Account

    3. Notification of the Account Holder of the possible or actual Identity Theft in situations where notification is necessary to or likely to permit the Account Holder to take action to protect him or herself from the consequences of the Identity Theft.

    4. Correcting erroneous demographic information in the Covered Account record.

    5. File extraction—purging the Account Holder’s file to the extent possible of all information that was entered as a result of the fraudulent activity, and replacing with a brief cross-reference and explanation of the deletion. The purged information is then placed into a new file.

    6. Closing the Covered Account for the Account Holder and opening a new one with a new account number.

    7. Contacting UTPD or other law enforcement agencies upon discovery of possible Identity Theft in connection with a Covered Account.

    8. Determining that no response is warranted under the particular circumstances. 

  5. Oversight of Third Party Service Providers

    To the extent University utilizes a third party who receives information related to University’s covered accounts or who otherwise handles University’s Covered Accounts, the University will require via written agreement that the third party:

    1. have a written Program in place that ensures compliance the third party with the Red Flag Rules with respect to all University Covered Accounts; or

    2. adopt and comply with the University’s Program with respect to all University Covered Accounts. 

  6. Reporting

    Responsible Party shall report to the University President at least annually on compliance with the Program. The report shall address material matters related to the Program and evaluate issues such as:

    1. the effectiveness of the policies and procedures in addressing the risk of Identity Theft in connection with the opening of Covered Accounts and with respect to existing Covered Accounts;

    2. third Party service provider agreements relating to Covered Accounts;

    3. significant incidents involving identity theft and management’s response;

    4. recommendations for material changes to the Program.

E. Responsibilities

 Information Security is responsible for this policy.

F. Review

This policy shall be reviewed by Information Security every three years or as laws and rules change. The identity theft program will be reviewed on an annual basis.

ORIGINALLY APPROVED:  04/22/2009