HomeMy WebLinkAboutCity of Tamarac Resolution R-2009-103TR11661
Page 1
July 8, 2009
CITY OF TAMARAC, FLORIDA
RESOLUTION NO. R-2009
A RESOLUTION OF THE CITY COMMISSION OF THE CITY OF
TAMARAC, FLORIDA ADOPTING TAMARAC FIRE RESCUE'S
IDENTITY THEFT PREVENTION PROGRAM AS REQUIRED BY
THE FAIR ACCURATE CREDIT TRANSACTIONS ACT OF 2003
UNDER THE CITY'S PROGRAM FOR REDUCING IDENTITY
THEFT; PROVIDING FOR CONFLICTS; PROVIDING FOR
SEVERABILITY; AND PROVIDING FOR AN EFFECTIVE DATE.
WHEREAS, The City of Tamarac has provided high quality Emergency Medical
Services (EMS), including emergency medical transportation, to the community since 1996;
and
WHEREAS, the City Commission desires to improve patient healthcare confidentiality
for those individuals who use our EMS system; and
WHEREAS, Tamarac Fire Rescue finds that identity theft is a serious problem for
healthcare providers in the United States; and
WHEREAS, in response to the risks posed by identity theft to consumers and to the
financial soundness of businesses, the United States Congress enacted the Fair and
Accurate Credit Transactions Act of 2003 (FACT Act); and
WHEREAS, the Federal Trade Commission (FTC) along with federal bank regulators
adopted regulations implementing the FACT Act (the Red Flag Rules) that require creditors to
adopt a written Identity Theft Prevention Program; and
WHEREAS, Tamarac Fire Rescue believes it is a creditor subject to the FTC's Red
Flag Rules; and
WHEREAS, Tamarac Fire Rescue has developed a written Identity Theft Prevention
Program designed to detect, prevent, and mitigate identity theft (herein attached as Exhibit
TR11661
Page 2
July 8, 2009
A); and
WHEREAS, Advanced Data Processing, Inc. — Intermedix has provided notification
and training regarding the development of an Identity Theft Prevention Program to the City
and its Emergency Medical Services Division (herein attached as Exhibit B); and
WHEREAS, the City Manager and the Interim Fire Chief recommend acceptance of
this Theft Prevention Program.
NOW, THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION OF THE CITY OF
TAMARAC, FLORIDA:
Section 1: The foregoing "WHEREAS" clauses are HEREBY ratified and confirmed as
being true and correct and are HEREBY made a specific part of this Resolution. All Exhibits
attached hereto are incorporated herein and made a specific part of this Resolution.
Section 2: The City Commission of the City of Tamarac HEREBY approves the
Tamarac Fire Rescue Identity Theft Prevention Program (hereto attached as Exhibit A).
Section 3: All Resolutions or parts of Resolutions in conflict herewith are HEREBY
repealed to the extent of such conflict.
Section 4: If any clause, section, other part or application of this Resolution is held by
any court of competent jurisdiction to be unconstitutional or invalid, in part or in application,
it shall not affect the validity of the remaining portion or applications of this Resolution.
1
F_
1
1
TR11661
Page 3
July 8, 2009
Section 5: This Resolution shall become effective immediately upon its passage and
adoption.
PASSED, ADOPTED AND APPROVED this c�U day of r L , 2009.
BETH FLANSBAUM-TALABISCO
MAYOR
ATTEST:
MARION SWENSON, CMC
CITY CLERK
I HEREBY CERTIFY that
I have approved this
RESOLUTION as to form.
SA U Elt S G EN
TY A ORNEY
RECORD OF COMMISSION VOTE:
MAYOR FLANSBAUM-TALABISCO
DIST 1: COMM BUSHNELL
DIST 2: VM ATKINS-GRAD
DIST 3: COMM GLASSER
DIST 4: COMM. DRESSLER
Till 1661 - Exhibit A
Tamarac Fire Rescue
Identity Theft Prevention Program
Purpose
Tamarac Fire Rescue, under the City of Tamarac's Identity Theft Prevention
Program, is committed to providing all aspects of our service and conducting our
business operations in compliance with all applicable laws and regulations. This
policy sets forth our commitment to compliance with those standards established by
the Federal Trade Commission under the Identity Theft Red Flags and Address
Discrepancies under the Fair and Accurate Credit Transaction Act of 2003 ("the Red
Flag Rules") at 16 C.F.R. §681.2, regarding the establishment of a written Identity
Theft Prevention Program ("Program") that is designed to detect, prevent, and
mitigate identity theft in connection with the opening of a covered account or any
existing covered account.
Scope
This Program contains policies and procedures designed to identify, detect
and respond appropriately to "Red Flags" for identity theft. It also contains policies
and procedures for the periodic identification of covered accounts and for the
general administration of the Program. This Program addresses our general
approach to compliance with the Red Flag Rules. As a "creditor" with "covered
accounts" under the Red Flag Rules, Tamarac Fire Rescue is required to:
Periodically identify covered accounts;
Establish a written Identity Theft Prevention Program; and
Administer the Identity Theft Prevention Program.
Definitions
(a) "Account" means a continuing relationship established by a person with
the Tamarac Fire Rescue to obtain services for personal, family,
household or business purposes and includes an extension of credit,
such as the purchase or services involving a deferred payment.
(b) "Covered account" means:
(i) An account that the Tamarac Fire Rescue offers or maintains,
primarily for personal, family, or household purposes, that
involves or is designed to permit multiple payments or
transactions; and
Tamarac Fire Rescue Identity Theft Prevention Program - Page 1
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(ii) Any other account that the Tamarac Fire Rescue offers or
maintains for which there is a reasonably foreseeable risk to
individuals or to the safety and soundness of Tamarac Fire
Rescue from identity theft, including financial, operational,
compliance, reputation, or litigation risks.
(c) "Identity theft" means a fraud committed or attempted using the
identifying information of another person without authority.
(d) "Identifying information" means any name or number that may be used,
alone or in conjunction with any other information, to identify a specific
person, including any:
(i) Name, social security number, date of birth, official state or
government issued driver's license or identification number,
alien registration number, government passport number or
employer or taxpayer identification number;
(ii) Unique biometric data, such as fingerprint, voice print, retina or
iris image, or other unique physical representation;
(iii) Unique electronic identification number, address, or routing
code; or
(iv) Telecommunication identifying information or access device (as
those terms are defined in 18 U.S.C. §1029(e)).
(v) Medicare number.
(vi) Health care claim number.
(e) "Program" means this written Identity Theft Prevention Program
developed and implemented by Tamarac Fire Rescue.
(f) "Red Flag" means a pattern, practice, or specific activity that indicates
the possible existence of identity theft.
(g) "Service provider" means a person who provides a service directly to
the Tamarac Fire Rescue and includes third party billing companies
and other organizations that perform service in connection with
Tamarac Fire Rescue's covered accounts.
Tamarac Fire Rescue Identity Theft Prevention Program - Page 2
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
Till 1661 - Exhibit A
Procedure
1. Identify Covered Accounts
(a) Tamarac Fire Rescue will annually determine whether it offers or
maintains covered accounts (see definition of "covered account" in this
Program) and shall document that determination.
(b) As part of this annual identification of covered accounts, Tamarac Fire
Rescue shall conduct an annual risk assessment of its accounts to
determine whether it offers or maintains accounts that carry a
reasonably foreseeable risk to patients or to the safety and soundness
of Tamarac Fire Rescue from identity theft, including financial,
operational, compliance, reputation, or litigation risks. In determining
whether Tamarac Fire Rescue offers or maintains such accounts,
Tamarac Fire Rescue will conduct an annual risk assessment that takes
into consideration:
(i) The methods it uses to open its accounts;
(ii) The methods it uses to access its accounts; and
(iii) Its previous experiences with identity theft.
(c) The annual identification of covered accounts should ideally be
conducted by an evaluation or audit team acting under the direction of
the Fire Chief or other individual in charge of Program administration.
2. Identify Red Flags
(a) Once Tamarac Fire Rescue has identified its covered accounts, it shall
identify Red Flags (see definition in this Program) for those accounts.
This shall be conducted on an annual basis in conjunction with Tamarac
Fire Rescue's identification of covered accounts. Tamarac Fire Rescue
will also identify red flags as they arise and incorporate them into this
Program.
(b) Tamarac Fire Rescue shall consider the following factors in identifying
relevant Red Flags for covered accounts, as appropriate:
(i) The types of covered accounts it offers or maintains;
(ii) The methods it provides to open its covered accounts;
Tamarac Fire Rescue Identity Theft Prevention Program - Page 3
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(iii) The methods it provides to access its covered accounts; and
(iv) Any incidents of identity theft that Tamarac Fire Rescue has
experienced.
(c) Tamarac Fire Rescue shall also consider the examples of Red Flags
listed in Supplement A to Appendix A to 16 C.F.R. Part 681. The
Program shall include relevant Red Flags from the following categories,
as appropriate:
(i) Alerts, notifications, or other warnings received from consumer
report agencies or service providers, such as fraud detection
services;
(ii) The presentation of suspicious documents;
(iii) The presentation of suspicious personal identifying information,
such as a suspicious address change;
(iv) The unusual use of, or other suspicious address change; and
(v) Notice from customers, victims of identity theft, law enforcement
authorities, or other persons regarding possible identity theft in
connection with covered accounts.
(d) Tamarac Fire Rescue shall also incorporate Red Flags from sources
such as:
(i) New and changing risks that Tamarac Fire Rescue has identified;
and
(ii) Any applicable supervisory guidance from the FTC or other
appropriate sources.
(e) The following are Red Flags identified for Tamarac Fire Rescue's
covered accounts as of the most recent update to this Program:
(i) Patterns of activity on payment accounts that are inconsistent
with prior history;
(ii) Increases in the volume of inquiries to an account;
Tamarac Fire Rescue Identity Theft Prevention Program - Page 4
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(iii) The presentation of information that is inconsistent with other
sources, e.g., the address, date of birth, or social security
number listed for the patient does not match the address given
or is inconsistent with other identifying information provided by
the patient;
(iv) Personal identifying information is identified by third -party
sources as having been associated with known fraudulent
activity;
(v) Personal identifying information of a type commonly associated
with fraudulent activity (e.g., fictitious address, use of mail drop,
or phone number that is invalid or associated only with a pager
or answering service);
(vi) The social security number provided by the patient is a duplicate
of that of other patients;
(vii) The address or telephone numbers given are the same or similar
to those of other patients, particularly recent ones;
(viii) Attempts to access an account by persons who cannot provide
authenticating information;
(ix) Requests for additional authorized users on an account shortly
following change of address;
(x) Uses of an account that are inconsistent with established patterns
of activity such as: nonpayment when there is no history of late or
missed payments;
(xi) Nonpayment of the first payment on the account;
(xii) Inactivity on an account for a reasonably lengthy period of time;
(xiii) Mail correspondence sent to the provided address is returned
and mail is returned despite continued activity in the account;
(xiv) Notification of Tamarac Fire Rescue of an unauthorized
transaction by the patient;
(xv) Notification of Tamarac Fire Rescue by the patient, a law
enforcement authority, or other person, that it has opened a
fraudulent account;
Tamarac Fire Rescue Identity Theft Prevention Program - Page 5
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(xvi) A complaint or question from a patient based on the patient's
receipt of:
1. A bill for another individual;
2. A bill for a service that the patient denies receiving;
3. A bill from a health care provider that the patient never
utilized;
4. A notice of insurance benefits (or Explanation of Benefits)
for health services never received; or
5. A patient or insurance company report that coverage for
legitimate healthcare service is denied because insurance
benefits have been depleted or a lifetime cap has been
reached.
(xvii) A complaint or question from a patient about information added
to a credit report by a health care provider or insurer;
(xviii) A dispute of a bill by a patient who claims to be the victim of any
type of identity theft;
(xix) A patient who has an insurance number but never produces an
insurance card or other physical documentation of insurance;
(xx) A notice or inquiry from an insurance fraud investigator for a
private insurance company or a law enforcement agency;
(xxi) A security breach;
(xxii) Unauthorized access to a covered account by personnel;
(xxiii) Unauthorized downloading of patient files;
(xxiv) Loss or theft of unencrypted data;
(xxv) Inappropriate access of a covered account;
(xxvi) A computer virus or suspicious computer program;
(xxvii) Multiple failed log -in attempts on a workstation;
Tamarac Fire Rescue Identity Theft Prevention Program - Page 6
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(xxviii) Theft of a password;
(xxix) The presentation of an insurance card or form of identification
that is clearly altered; and
(xxx) Lost, stolen, or tampered facility equipment.
3. Detect Red Flags
(a) Tamarac Fire Rescue shall adopt reasonable policies and procedures to
address the detection of Red Flags in connection with the opening of
covered accounts and existing covered accounts, such as:
(i) Obtaining identifying information about, and verifying the
identity of, a person opening a covered account; and
(ii) Authenticating patients, monitoring transactions, and verifying
the validity of change of address requests.
(b) The following procedures have been adopted by Tamarac Fire Rescue
to address the detection of Red Flags as of the most recent update to
this Program.
(i) Suspicious Documents at the Time of Transport: Tamarac
Fire Rescue personnel shall be on the alert for patients who
present suspicious documents such as an insurance card or form
of identification that appears to have been altered or does not
match other information about the patient. Whenever possible,
the crew shall attempt to verify the identity of the patient with
someone who knows the patient and/or someone who has
rendered care to the patient. Personnel shall not delay the
provision of care when verifying this information and should
obtain this information after the transport when it could delay the
provision of care.
(ii) ID Verification Before Discussing Patient Account
Information or Change of Address: Before discussing any
information related to a covered account with any individual, or
making a change to address information in a covered account;
Tamarac Fire Rescue personnel shall sufficiently ascertain the
identity of the individual.
If a patient or appropriate representative makes a
Tamarac Fire Rescue Identity Theft Prevention Program - Page 7
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
telephone inquiry or request regarding a patient account,
Tamarac Fire Rescue personnel shall require the patient or
appropriate representative of the patient to verify the date
of birth, social security number (or at least the last 4
digits), and address of the patient to whom the account
pertains.
2. If the patient or appropriate representative of the patient
presents in person to the business office of Tamarac Fire
Rescue, s/he shall be required to provide a valid
government issued photo ID in addition to the date of
birth, social security number (or last 4 digits), and address
of the patient to whom the account pertains.
3. If the patient or appropriate representative of the patient
is unable to provide the necessary information to verify
the identity of the patient, Tamarac Fire Rescue staff shall
make a notation of the inquiry or address change request
in the patient account file and alert an appropriate
supervisor without providing access or honoring the
address change request.
(iii) Under the HIPAA Privacy and Security Rules, Tamarac Fire
Rescue is required to implement policies and procedures
regarding the protection of protected health information and to
implement administrative, physical and technical safeguards to
protect electronic protected health information. The following
policies and procedures from Tamarac Fire Rescue's HIPAA
compliance program serve the dual purpose of detecting
identity theft in connection with the opening of and existing
covered accounts at Tamarac Fire Rescue and they are hereby
incorporated in this Program by reference:
(1) General Security of Electronic and Other Patient and
Business Information
(2) Patient Access, Amendment and Restriction On the
Use of PHI
(3) Levels of Access, "Minimum Necessary Standard" and
Limiting Disclosure and Use of PHI and a -PHI
(4) Procedure for Requesting Amendment of PHI
(5) Access to the Information System and a -PHI
(6) Physical Security of PHI and a -PHI
(7) Electronic Information System Activity Review and
Auditing
Tamarac Fire Rescue Identity Theft Prevention Program - Page 8
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(8) Facility and Computer Access Point Controls
(9) Encryption and Decryption
(10) Use of Computer and Information Systems Equipment)
a. Computer Hardware/Peripherals/Software
Inventory
b. City of Tamarac Administrative Policy
(11) Use of Electronic Mail and Facsimile Transmissions
a. City of Tamarac Electronic Mail Administrative
Policy
(12) Internet Access and Use
a. City of Tamarac Administrative Policy
b. Internet Administrative Policy
4. Responding to Red Flags
(a) Tamarac Fire Rescue will respond to Red Flags when it becomes aware
in a manner commensurate with the degree of risk posed by the Red
Flag. In determining an appropriate response, Tamarac Fire Rescue
will consider aggravating factors that may heighten the risk of identity
theft. For example, notice to Tamarac Fire Rescue that a patient has
provided information to someone fraudulently claiming to represent
Tamarac Fire Rescue may suggest that identity theft is more likely.
(b) Tamarac Fire Rescue shall assess whether the Red Flag detected poses
a reasonably foreseeable risk of identity theft and if it does, respond
appropriately. If Tamarac Fire Rescue determines that the Red Flag
does not pose a reasonably foreseeable risk of identity theft, it shall
have a reasonable basis choosing not to respond to the Red Flag.
(c) If any personnel at Tamarac Fire Rescue believe identity theft has
occurred or may be occurring, s/he shall immediately notify a
supervisor. The supervisor will contact the designated Red Flag Rule
compliance officer who will determine the appropriate response.
(d) Appropriate responses may include the following:
(i) Monitoring a covered account for evidence of identity theft;
(ii) Contacting the patient;
(iii) Changing any passwords, security codes, or other security
devices that permit access to a covered account;
(iv) Reopening a covered account with a new account number;
Tamarac Fire Rescue Identity Theft Prevention Program - Page 9
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
(v) Not opening a new covered account;
(vi) Closing an existing covered account;
(vii) Not attempting to collect on a covered account or not selling a
covered account to a debt collector;
(viii) Notifying law enforcement; or
(ix) Determining that no response is warranted under the particular
circumstances.
(e) Patient Notification: If there is a confirmed incident of identity theft or
attempted identity theft, Tamarac Fire Rescue will notify the patient
after consultation with law enforcement about the timing and the
content of such notification (to ensure notification does not impede a
law enforcement investigation) via certified mail. Victims of identity
theft will be encouraged to cooperate with law enforcement in
identifying and prosecuting the suspected identity thief, and will be
encouraged to complete the FTC Identity Theft Affidavit.
(f) Investigation of Suspected Identity Theft: If an individual claims to
be a victim of identity theft, Tamarac Fire Rescue will investigate the
claim. The following guidelines apply:
(i) The individual will be instructed to file a police report for
identity theft.
(ii) The individual will be instructed to complete the ID Theft
Affidavit developed by the FTC, including supporting
documentation; or an ID theft affidavit recognized under state
law.
(iii) The individual will be requested to cooperate with comparing
his or her personal information with information in Tamarac Fire
Rescue's records.
(iv) If following investigation, it appears that the individual has been
a victim of identity theft, Tamarac Fire Rescue will take the
following actions:
1. Cease collection on open accounts that resulted from identity
theft. If the accounts had been referred to collection agencies
Tamarac Fire Rescue Identity Theft Prevention Program - Page 10
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
or attorneys, the collection agencies/attorneys will be
instructed to cease collection activity.
2. Cooperate with any law enforcement investigation relating to
the identity theft.
3. If an insurance company, government program or other payor
has made payment on the account, the provider will notify the
payor and seek instructions to refund the amount paid.
4. If an adverse report had been made to a consumer reporting
agency, the provider will notify the agency that the account
was not the responsibility of the individual.
(v) If following investigation, it does not appear that the individual
has been a victim of identity theft, Tamarac Fire Rescue or the
collection agency will give written notice to the individual that he
or she is responsible for payment of the bill. The notice will state
the basis for determining that the person claiming to be a victim
of identity theft was in fact the patient.
(g) Amendment of Records: Patient medical records and payment
records must be corrected when identity theft has occurred. This is
necessary to ensure that inaccurate health information is not
inadvertently relied upon in treating a patient, and that a patient or a
third -party payer is not billed for services the patient did not receive.
Patient records will be corrected in consultation with the patient and
the patient's treating health care provider(s), and in a manner
consistent with the Tamarac Fire Rescue's HIPAA policy on
amendments to medical records.
(h) Disclosure/Unauthorized Access to Unencrypted Data: If there is a
disclosure of, or an unauthorized access to, unencrypted computerized
data containing a person's first name or first initial and last name and (1)
a social security number, (2) driver's license number, or (3) financial
account number (including a credit or debit card number), state law
governing notification of patients will be followed.
(i) The Presentation of Susvicious Documents at the Time of
Transport:
When a patient presents a suspicious document such as an insurance
card or form of identification that is clearly altered or does not match
other information about the patient, ambulance personnel shall:
Tamarac Fire Rescue Identity Theft Prevention Program - Page 11
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
1. Note the nature of the incident and circumstances surrounding
the incident in an incident report or other appropriate document
so that the claim is "flagged" for review.
2. If possible, attempt to obtain identifying information about the
patient from other sources such as individuals who know or have
treated the patient.
3. Notify the individual in charge of Red Flag Rules compliance as
soon as possible after the transport about the incident and the
circumstances surrounding the incident.
4. Before opening a covered account under the name given, the
Red Flag Rules compliance officer, or other designated
individual, shall make attempts to verify the identity of the
patient though any means possible. If it appears the patient has
attempted to commit identity theft, the procedures for
notification and investigation of the incident shall be followed.
S. Update the Program
(a) Tamarac Fire Rescue shall update this Program (including identifying
Red Flags determined to be relevant) annually.
(b) The update shall reflect changes in risks of identity theft to patients or
to the safety and soundness of Tamarac Fire Rescue's information. The
review and update will be based on factors such as:
(i) The experiences of Tamarac Fire Rescue with identity theft;
(ii) Changes in methods of identity theft;
(iii) Changes in methods to detect, prevent, and mitigate identity
theft;
(iv) Changes in the types of accounts that Tamarac Fire Rescue offers
or maintains; and
(v) Changes in the business arrangements of Tamarac Fire Rescue,
including mergers, acquisitions, alliances, joint ventures, and
service provider arrangements.
Tamarac Fire Rescue Identity Theft Prevention Program - Page 12
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit A
6. Administer the Program
(a) Program Oversight: The Fire Chief shall designate an individual who
is in charge of Red Flag Rules compliance. This individual shall be
involved in the oversight, development, and implementation and
administration of the Program. The individual shall be responsible for:
(i) Implementation of this Program;
(ii) Reporting to the Fire Chief or an appropriate designated
committee of the Fire Chief at least annually on compliance by
Tamarac Fire Rescue with this Program. The report shall address
material matters related to the Program and evaluate issues such
as:
1. The effectiveness of the policies and procedures of Tamarac
Fire Rescue in addressing the risk of identity theft in
connection with the opening of covered accounts and with
respect to existing covered accounts;
2. Service provider arrangements;
3. Incidents involving identity theft and management's
response; and
4. Recommendations for material changes to the Program.
(b) After reviewing official annual reports, the Fire Chief or appropriate
designated committee shall approve changes to this Identity Theft
Prevention Program, as necessary.
7. Train Employees
(a) Tamarac Fire Rescue will conduct a general training session for all
personnel to provide them with a general overview of this Program. All
new personnel shall undergo such training during their orientation
process. Documentation of training, including copies of all rosters and
sign -in sheets showing the training dates and the names of attendees,
shall be maintained for at least four years.
(b) All staff that are responsible for the administration of the Program and
staff who regularly deals with covered accounts should be trained on an
annual basis.
Tamarac Fire Rescue Identity Theft Prevention Program - Page 13
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
T1311661 - Exhibit A
8. Oversee Service Provider Arrangements
If Tamarac Fire Rescue engages a third party to perform an activity in
connection with one or more covered accounts (e.g., billing companies,
collection agencies), Tamarac Fire Rescue will:
(a) Review the third party's policies for preventing, detecting, and
mitigating identity theft and determine if those policies are acceptable
to Tamarac Fire Rescue; or
(b) Require the third party to comply with the applicable terms of this
Program through contract or agreement.
Tamarac Fire Rescue Identity Theft Prevention Program - Page 14
Implementation Date: August 1, 2009
Revision Date: July 7, 2009
TR11661 - Exhibit B
April 30, 2009
Dear Tina Wheatley,
V
F�`Fcr
intermedix
As part of our continued commitment to compliance and quality client service, we are
writing to inform you of our compliance with the new Red Flags Rules and our proactive
approach to meeting proposed security regulatory changes.
As you are aware, most ambulance suppliers will be required to identify, detect and
respond appropriately to certain indicators of possible identity theft, including medical
identity theft, under the Identity Theft Red Flag Rules promulgated under the Fair and
Accurate Credit Transactions Act of 2003 ("Red Flag Rules") found at 16 C.F.R. Part
681.
We have reviewed these Red Flag Rules and concluded that we are a "service provider"
to your organization, much as we are your Business Associate under HIPAA. This is
based on the assumption that the accounts for which we provide billing and collection
services for your organization are "covered accounts" under the Red Flag Rules. We also
believe that your organization is obligated under these Rules to ensure that, as a service
provider, we provide our services for covered accounts in accordance with reasonable
Red Flag program designed to help detect, prevent and mitigate identity theft.
We have performed a risk analysis of our operations and identified potential risk areas
involving the covered accounts of our clients. Based on this analysis, we have adopted a
Red Flag program, including policy, procedure and training, to help detect, prevent and
mitigate the risk of identity theft.
Additionally, there have been significant HIPAA legislative revisions in the American
Recovery and Reinvestment Act of 2009, including the HITECH Act, and new proposed
FTC security rules. Once these regulations are finalized, we will provide you with an
amended Business Associate Agreement for incorporation into our contractual
agreement.
In the interim, we have adopted new policies and procedures to enable us to proactively
respond to these proposed new requirements.
TR11661 - Exhibit B
We have adopted the definitions of breach and unsecured protected health information
(PHI) as currently defined by the HITECH Act. Breach means "the unauthorized
acquisition, access, use or disclosure of protected health information which compromises
the security or privacy of such information, except where an unauthorized person to
whom the information is disclosed would not reasonably have been able to retain such
information."
Unsecured PHI is "protected health information that is not secured by a technology
standard that renders PHI unusable, unreadable, or indecipherable to unauthorized
individuals and is developed or endorsed by a standards developing organization that is
accredited by the American National Standards Institute." This means that unsecured
PHI is protected health information that is stored or electronically transmitted but has not
been encrypted. We will formally notify you of any security breach or unauthorized use
or disclosure of unsecured PHI, per the relevant HIPA requirements for business
associates.
If you have any questions, please contact your Intermedix Client Service Representative
or me at 954-308-8714 or Jmccloskey@emsclaims.com.
Thank you,
f
Joe McCloskey
ADPI-Intermedix Compliance Officer
6451 N. Federal Highway, Suite 1002, Fort Lauderdale, FL 33308
Phone: 954-308-8714 Fax: 954-308-8725