The URL can be used to link to this page

Home My WebLink AboutCity of Tamarac Resolution R-2009-103TR11661 Page 1 July 8, 2009 CITY OF TAMARAC, FLORIDA RESOLUTION NO. R-2009 A RESOLUTION OF THE CITY COMMISSION OF THE CITY OF TAMARAC, FLORIDA ADOPTING TAMARAC FIRE RESCUE'S IDENTITY THEFT PREVENTION PROGRAM AS REQUIRED BY THE FAIR ACCURATE CREDIT TRANSACTIONS ACT OF 2003 UNDER THE CITY'S PROGRAM FOR REDUCING IDENTITY THEFT; PROVIDING FOR CONFLICTS; PROVIDING FOR SEVERABILITY; AND PROVIDING FOR AN EFFECTIVE DATE. WHEREAS, The City of Tamarac has provided high quality Emergency Medical Services (EMS), including emergency medical transportation, to the community since 1996; and WHEREAS, the City Commission desires to improve patient healthcare confidentiality for those individuals who use our EMS system; and WHEREAS, Tamarac Fire Rescue finds that identity theft is a serious problem for healthcare providers in the United States; and WHEREAS, in response to the risks posed by identity theft to consumers and to the financial soundness of businesses, the United States Congress enacted the Fair and Accurate Credit Transactions Act of 2003 (FACT Act); and WHEREAS, the Federal Trade Commission (FTC) along with federal bank regulators adopted regulations implementing the FACT Act (the Red Flag Rules) that require creditors to adopt a written Identity Theft Prevention Program; and WHEREAS, Tamarac Fire Rescue believes it is a creditor subject to the FTC's Red Flag Rules; and WHEREAS, Tamarac Fire Rescue has developed a written Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft (herein attached as Exhibit TR11661 Page 2 July 8, 2009 A); and WHEREAS, Advanced Data Processing, Inc. — Intermedix has provided notification and training regarding the development of an Identity Theft Prevention Program to the City and its Emergency Medical Services Division (herein attached as Exhibit B); and WHEREAS, the City Manager and the Interim Fire Chief recommend acceptance of this Theft Prevention Program. NOW, THEREFORE, BE IT RESOLVED BY THE CITY COMMISSION OF THE CITY OF TAMARAC, FLORIDA: Section 1: The foregoing "WHEREAS" clauses are HEREBY ratified and confirmed as being true and correct and are HEREBY made a specific part of this Resolution. All Exhibits attached hereto are incorporated herein and made a specific part of this Resolution. Section 2: The City Commission of the City of Tamarac HEREBY approves the Tamarac Fire Rescue Identity Theft Prevention Program (hereto attached as Exhibit A). Section 3: All Resolutions or parts of Resolutions in conflict herewith are HEREBY repealed to the extent of such conflict. Section 4: If any clause, section, other part or application of this Resolution is held by any court of competent jurisdiction to be unconstitutional or invalid, in part or in application, it shall not affect the validity of the remaining portion or applications of this Resolution. 1 F_ 1 1 TR11661 Page 3 July 8, 2009 Section 5: This Resolution shall become effective immediately upon its passage and adoption. PASSED, ADOPTED AND APPROVED this c�U day of r L , 2009. BETH FLANSBAUM-TALABISCO MAYOR ATTEST: MARION SWENSON, CMC CITY CLERK I HEREBY CERTIFY that I have approved this RESOLUTION as to form. SA U Elt S G EN TY A ORNEY RECORD OF COMMISSION VOTE: MAYOR FLANSBAUM-TALABISCO DIST 1: COMM BUSHNELL DIST 2: VM ATKINS-GRAD DIST 3: COMM GLASSER DIST 4: COMM. DRESSLER Till 1661 - Exhibit A Tamarac Fire Rescue Identity Theft Prevention Program Purpose Tamarac Fire Rescue, under the City of Tamarac's Identity Theft Prevention Program, is committed to providing all aspects of our service and conducting our business operations in compliance with all applicable laws and regulations. This policy sets forth our commitment to compliance with those standards established by the Federal Trade Commission under the Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transaction Act of 2003 ("the Red Flag Rules") at 16 C.F.R. §681.2, regarding the establishment of a written Identity Theft Prevention Program ("Program") that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Scope This Program contains policies and procedures designed to identify, detect and respond appropriately to "Red Flags" for identity theft. It also contains policies and procedures for the periodic identification of covered accounts and for the general administration of the Program. This Program addresses our general approach to compliance with the Red Flag Rules. As a "creditor" with "covered accounts" under the Red Flag Rules, Tamarac Fire Rescue is required to: Periodically identify covered accounts; Establish a written Identity Theft Prevention Program; and Administer the Identity Theft Prevention Program. Definitions (a) "Account" means a continuing relationship established by a person with the Tamarac Fire Rescue to obtain services for personal, family, household or business purposes and includes an extension of credit, such as the purchase or services involving a deferred payment. (b) "Covered account" means: (i) An account that the Tamarac Fire Rescue offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and Tamarac Fire Rescue Identity Theft Prevention Program - Page 1 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (ii) Any other account that the Tamarac Fire Rescue offers or maintains for which there is a reasonably foreseeable risk to individuals or to the safety and soundness of Tamarac Fire Rescue from identity theft, including financial, operational, compliance, reputation, or litigation risks. (c) "Identity theft" means a fraud committed or attempted using the identifying information of another person without authority. (d) "Identifying information" means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any: (i) Name, social security number, date of birth, official state or government issued driver's license or identification number, alien registration number, government passport number or employer or taxpayer identification number; (ii) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (iii) Unique electronic identification number, address, or routing code; or (iv) Telecommunication identifying information or access device (as those terms are defined in 18 U.S.C. §1029(e)). (v) Medicare number. (vi) Health care claim number. (e) "Program" means this written Identity Theft Prevention Program developed and implemented by Tamarac Fire Rescue. (f) "Red Flag" means a pattern, practice, or specific activity that indicates the possible existence of identity theft. (g) "Service provider" means a person who provides a service directly to the Tamarac Fire Rescue and includes third party billing companies and other organizations that perform service in connection with Tamarac Fire Rescue's covered accounts. Tamarac Fire Rescue Identity Theft Prevention Program - Page 2 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 Till 1661 - Exhibit A Procedure 1. Identify Covered Accounts (a) Tamarac Fire Rescue will annually determine whether it offers or maintains covered accounts (see definition of "covered account" in this Program) and shall document that determination. (b) As part of this annual identification of covered accounts, Tamarac Fire Rescue shall conduct an annual risk assessment of its accounts to determine whether it offers or maintains accounts that carry a reasonably foreseeable risk to patients or to the safety and soundness of Tamarac Fire Rescue from identity theft, including financial, operational, compliance, reputation, or litigation risks. In determining whether Tamarac Fire Rescue offers or maintains such accounts, Tamarac Fire Rescue will conduct an annual risk assessment that takes into consideration: (i) The methods it uses to open its accounts; (ii) The methods it uses to access its accounts; and (iii) Its previous experiences with identity theft. (c) The annual identification of covered accounts should ideally be conducted by an evaluation or audit team acting under the direction of the Fire Chief or other individual in charge of Program administration. 2. Identify Red Flags (a) Once Tamarac Fire Rescue has identified its covered accounts, it shall identify Red Flags (see definition in this Program) for those accounts. This shall be conducted on an annual basis in conjunction with Tamarac Fire Rescue's identification of covered accounts. Tamarac Fire Rescue will also identify red flags as they arise and incorporate them into this Program. (b) Tamarac Fire Rescue shall consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate: (i) The types of covered accounts it offers or maintains; (ii) The methods it provides to open its covered accounts; Tamarac Fire Rescue Identity Theft Prevention Program - Page 3 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (iii) The methods it provides to access its covered accounts; and (iv) Any incidents of identity theft that Tamarac Fire Rescue has experienced. (c) Tamarac Fire Rescue shall also consider the examples of Red Flags listed in Supplement A to Appendix A to 16 C.F.R. Part 681. The Program shall include relevant Red Flags from the following categories, as appropriate: (i) Alerts, notifications, or other warnings received from consumer report agencies or service providers, such as fraud detection services; (ii) The presentation of suspicious documents; (iii) The presentation of suspicious personal identifying information, such as a suspicious address change; (iv) The unusual use of, or other suspicious address change; and (v) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts. (d) Tamarac Fire Rescue shall also incorporate Red Flags from sources such as: (i) New and changing risks that Tamarac Fire Rescue has identified; and (ii) Any applicable supervisory guidance from the FTC or other appropriate sources. (e) The following are Red Flags identified for Tamarac Fire Rescue's covered accounts as of the most recent update to this Program: (i) Patterns of activity on payment accounts that are inconsistent with prior history; (ii) Increases in the volume of inquiries to an account; Tamarac Fire Rescue Identity Theft Prevention Program - Page 4 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (iii) The presentation of information that is inconsistent with other sources, e.g., the address, date of birth, or social security number listed for the patient does not match the address given or is inconsistent with other identifying information provided by the patient; (iv) Personal identifying information is identified by third -party sources as having been associated with known fraudulent activity; (v) Personal identifying information of a type commonly associated with fraudulent activity (e.g., fictitious address, use of mail drop, or phone number that is invalid or associated only with a pager or answering service); (vi) The social security number provided by the patient is a duplicate of that of other patients; (vii) The address or telephone numbers given are the same or similar to those of other patients, particularly recent ones; (viii) Attempts to access an account by persons who cannot provide authenticating information; (ix) Requests for additional authorized users on an account shortly following change of address; (x) Uses of an account that are inconsistent with established patterns of activity such as: nonpayment when there is no history of late or missed payments; (xi) Nonpayment of the first payment on the account; (xii) Inactivity on an account for a reasonably lengthy period of time; (xiii) Mail correspondence sent to the provided address is returned and mail is returned despite continued activity in the account; (xiv) Notification of Tamarac Fire Rescue of an unauthorized transaction by the patient; (xv) Notification of Tamarac Fire Rescue by the patient, a law enforcement authority, or other person, that it has opened a fraudulent account; Tamarac Fire Rescue Identity Theft Prevention Program - Page 5 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (xvi) A complaint or question from a patient based on the patient's receipt of: 1. A bill for another individual; 2. A bill for a service that the patient denies receiving; 3. A bill from a health care provider that the patient never utilized; 4. A notice of insurance benefits (or Explanation of Benefits) for health services never received; or 5. A patient or insurance company report that coverage for legitimate healthcare service is denied because insurance benefits have been depleted or a lifetime cap has been reached. (xvii) A complaint or question from a patient about information added to a credit report by a health care provider or insurer; (xviii) A dispute of a bill by a patient who claims to be the victim of any type of identity theft; (xix) A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance; (xx) A notice or inquiry from an insurance fraud investigator for a private insurance company or a law enforcement agency; (xxi) A security breach; (xxii) Unauthorized access to a covered account by personnel; (xxiii) Unauthorized downloading of patient files; (xxiv) Loss or theft of unencrypted data; (xxv) Inappropriate access of a covered account; (xxvi) A computer virus or suspicious computer program; (xxvii) Multiple failed log -in attempts on a workstation; Tamarac Fire Rescue Identity Theft Prevention Program - Page 6 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (xxviii) Theft of a password; (xxix) The presentation of an insurance card or form of identification that is clearly altered; and (xxx) Lost, stolen, or tampered facility equipment. 3. Detect Red Flags (a) Tamarac Fire Rescue shall adopt reasonable policies and procedures to address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as: (i) Obtaining identifying information about, and verifying the identity of, a person opening a covered account; and (ii) Authenticating patients, monitoring transactions, and verifying the validity of change of address requests. (b) The following procedures have been adopted by Tamarac Fire Rescue to address the detection of Red Flags as of the most recent update to this Program. (i) Suspicious Documents at the Time of Transport: Tamarac Fire Rescue personnel shall be on the alert for patients who present suspicious documents such as an insurance card or form of identification that appears to have been altered or does not match other information about the patient. Whenever possible, the crew shall attempt to verify the identity of the patient with someone who knows the patient and/or someone who has rendered care to the patient. Personnel shall not delay the provision of care when verifying this information and should obtain this information after the transport when it could delay the provision of care. (ii) ID Verification Before Discussing Patient Account Information or Change of Address: Before discussing any information related to a covered account with any individual, or making a change to address information in a covered account; Tamarac Fire Rescue personnel shall sufficiently ascertain the identity of the individual. If a patient or appropriate representative makes a Tamarac Fire Rescue Identity Theft Prevention Program - Page 7 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A telephone inquiry or request regarding a patient account, Tamarac Fire Rescue personnel shall require the patient or appropriate representative of the patient to verify the date of birth, social security number (or at least the last 4 digits), and address of the patient to whom the account pertains. 2. If the patient or appropriate representative of the patient presents in person to the business office of Tamarac Fire Rescue, s/he shall be required to provide a valid government issued photo ID in addition to the date of birth, social security number (or last 4 digits), and address of the patient to whom the account pertains. 3. If the patient or appropriate representative of the patient is unable to provide the necessary information to verify the identity of the patient, Tamarac Fire Rescue staff shall make a notation of the inquiry or address change request in the patient account file and alert an appropriate supervisor without providing access or honoring the address change request. (iii) Under the HIPAA Privacy and Security Rules, Tamarac Fire Rescue is required to implement policies and procedures regarding the protection of protected health information and to implement administrative, physical and technical safeguards to protect electronic protected health information. The following policies and procedures from Tamarac Fire Rescue's HIPAA compliance program serve the dual purpose of detecting identity theft in connection with the opening of and existing covered accounts at Tamarac Fire Rescue and they are hereby incorporated in this Program by reference: (1) General Security of Electronic and Other Patient and Business Information (2) Patient Access, Amendment and Restriction On the Use of PHI (3) Levels of Access, "Minimum Necessary Standard" and Limiting Disclosure and Use of PHI and a -PHI (4) Procedure for Requesting Amendment of PHI (5) Access to the Information System and a -PHI (6) Physical Security of PHI and a -PHI (7) Electronic Information System Activity Review and Auditing Tamarac Fire Rescue Identity Theft Prevention Program - Page 8 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (8) Facility and Computer Access Point Controls (9) Encryption and Decryption (10) Use of Computer and Information Systems Equipment) a. Computer Hardware/Peripherals/Software Inventory b. City of Tamarac Administrative Policy (11) Use of Electronic Mail and Facsimile Transmissions a. City of Tamarac Electronic Mail Administrative Policy (12) Internet Access and Use a. City of Tamarac Administrative Policy b. Internet Administrative Policy 4. Responding to Red Flags (a) Tamarac Fire Rescue will respond to Red Flags when it becomes aware in a manner commensurate with the degree of risk posed by the Red Flag. In determining an appropriate response, Tamarac Fire Rescue will consider aggravating factors that may heighten the risk of identity theft. For example, notice to Tamarac Fire Rescue that a patient has provided information to someone fraudulently claiming to represent Tamarac Fire Rescue may suggest that identity theft is more likely. (b) Tamarac Fire Rescue shall assess whether the Red Flag detected poses a reasonably foreseeable risk of identity theft and if it does, respond appropriately. If Tamarac Fire Rescue determines that the Red Flag does not pose a reasonably foreseeable risk of identity theft, it shall have a reasonable basis choosing not to respond to the Red Flag. (c) If any personnel at Tamarac Fire Rescue believe identity theft has occurred or may be occurring, s/he shall immediately notify a supervisor. The supervisor will contact the designated Red Flag Rule compliance officer who will determine the appropriate response. (d) Appropriate responses may include the following: (i) Monitoring a covered account for evidence of identity theft; (ii) Contacting the patient; (iii) Changing any passwords, security codes, or other security devices that permit access to a covered account; (iv) Reopening a covered account with a new account number; Tamarac Fire Rescue Identity Theft Prevention Program - Page 9 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A (v) Not opening a new covered account; (vi) Closing an existing covered account; (vii) Not attempting to collect on a covered account or not selling a covered account to a debt collector; (viii) Notifying law enforcement; or (ix) Determining that no response is warranted under the particular circumstances. (e) Patient Notification: If there is a confirmed incident of identity theft or attempted identity theft, Tamarac Fire Rescue will notify the patient after consultation with law enforcement about the timing and the content of such notification (to ensure notification does not impede a law enforcement investigation) via certified mail. Victims of identity theft will be encouraged to cooperate with law enforcement in identifying and prosecuting the suspected identity thief, and will be encouraged to complete the FTC Identity Theft Affidavit. (f) Investigation of Suspected Identity Theft: If an individual claims to be a victim of identity theft, Tamarac Fire Rescue will investigate the claim. The following guidelines apply: (i) The individual will be instructed to file a police report for identity theft. (ii) The individual will be instructed to complete the ID Theft Affidavit developed by the FTC, including supporting documentation; or an ID theft affidavit recognized under state law. (iii) The individual will be requested to cooperate with comparing his or her personal information with information in Tamarac Fire Rescue's records. (iv) If following investigation, it appears that the individual has been a victim of identity theft, Tamarac Fire Rescue will take the following actions: 1. Cease collection on open accounts that resulted from identity theft. If the accounts had been referred to collection agencies Tamarac Fire Rescue Identity Theft Prevention Program - Page 10 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A or attorneys, the collection agencies/attorneys will be instructed to cease collection activity. 2. Cooperate with any law enforcement investigation relating to the identity theft. 3. If an insurance company, government program or other payor has made payment on the account, the provider will notify the payor and seek instructions to refund the amount paid. 4. If an adverse report had been made to a consumer reporting agency, the provider will notify the agency that the account was not the responsibility of the individual. (v) If following investigation, it does not appear that the individual has been a victim of identity theft, Tamarac Fire Rescue or the collection agency will give written notice to the individual that he or she is responsible for payment of the bill. The notice will state the basis for determining that the person claiming to be a victim of identity theft was in fact the patient. (g) Amendment of Records: Patient medical records and payment records must be corrected when identity theft has occurred. This is necessary to ensure that inaccurate health information is not inadvertently relied upon in treating a patient, and that a patient or a third -party payer is not billed for services the patient did not receive. Patient records will be corrected in consultation with the patient and the patient's treating health care provider(s), and in a manner consistent with the Tamarac Fire Rescue's HIPAA policy on amendments to medical records. (h) Disclosure/Unauthorized Access to Unencrypted Data: If there is a disclosure of, or an unauthorized access to, unencrypted computerized data containing a person's first name or first initial and last name and (1) a social security number, (2) driver's license number, or (3) financial account number (including a credit or debit card number), state law governing notification of patients will be followed. (i) The Presentation of Susvicious Documents at the Time of Transport: When a patient presents a suspicious document such as an insurance card or form of identification that is clearly altered or does not match other information about the patient, ambulance personnel shall: Tamarac Fire Rescue Identity Theft Prevention Program - Page 11 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A 1. Note the nature of the incident and circumstances surrounding the incident in an incident report or other appropriate document so that the claim is "flagged" for review. 2. If possible, attempt to obtain identifying information about the patient from other sources such as individuals who know or have treated the patient. 3. Notify the individual in charge of Red Flag Rules compliance as soon as possible after the transport about the incident and the circumstances surrounding the incident. 4. Before opening a covered account under the name given, the Red Flag Rules compliance officer, or other designated individual, shall make attempts to verify the identity of the patient though any means possible. If it appears the patient has attempted to commit identity theft, the procedures for notification and investigation of the incident shall be followed. S. Update the Program (a) Tamarac Fire Rescue shall update this Program (including identifying Red Flags determined to be relevant) annually. (b) The update shall reflect changes in risks of identity theft to patients or to the safety and soundness of Tamarac Fire Rescue's information. The review and update will be based on factors such as: (i) The experiences of Tamarac Fire Rescue with identity theft; (ii) Changes in methods of identity theft; (iii) Changes in methods to detect, prevent, and mitigate identity theft; (iv) Changes in the types of accounts that Tamarac Fire Rescue offers or maintains; and (v) Changes in the business arrangements of Tamarac Fire Rescue, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements. Tamarac Fire Rescue Identity Theft Prevention Program - Page 12 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit A 6. Administer the Program (a) Program Oversight: The Fire Chief shall designate an individual who is in charge of Red Flag Rules compliance. This individual shall be involved in the oversight, development, and implementation and administration of the Program. The individual shall be responsible for: (i) Implementation of this Program; (ii) Reporting to the Fire Chief or an appropriate designated committee of the Fire Chief at least annually on compliance by Tamarac Fire Rescue with this Program. The report shall address material matters related to the Program and evaluate issues such as: 1. The effectiveness of the policies and procedures of Tamarac Fire Rescue in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; 2. Service provider arrangements; 3. Incidents involving identity theft and management's response; and 4. Recommendations for material changes to the Program. (b) After reviewing official annual reports, the Fire Chief or appropriate designated committee shall approve changes to this Identity Theft Prevention Program, as necessary. 7. Train Employees (a) Tamarac Fire Rescue will conduct a general training session for all personnel to provide them with a general overview of this Program. All new personnel shall undergo such training during their orientation process. Documentation of training, including copies of all rosters and sign -in sheets showing the training dates and the names of attendees, shall be maintained for at least four years. (b) All staff that are responsible for the administration of the Program and staff who regularly deals with covered accounts should be trained on an annual basis. Tamarac Fire Rescue Identity Theft Prevention Program - Page 13 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 T1311661 - Exhibit A 8. Oversee Service Provider Arrangements If Tamarac Fire Rescue engages a third party to perform an activity in connection with one or more covered accounts (e.g., billing companies, collection agencies), Tamarac Fire Rescue will: (a) Review the third party's policies for preventing, detecting, and mitigating identity theft and determine if those policies are acceptable to Tamarac Fire Rescue; or (b) Require the third party to comply with the applicable terms of this Program through contract or agreement. Tamarac Fire Rescue Identity Theft Prevention Program - Page 14 Implementation Date: August 1, 2009 Revision Date: July 7, 2009 TR11661 - Exhibit B April 30, 2009 Dear Tina Wheatley, V F�`Fcr intermedix As part of our continued commitment to compliance and quality client service, we are writing to inform you of our compliance with the new Red Flags Rules and our proactive approach to meeting proposed security regulatory changes. As you are aware, most ambulance suppliers will be required to identify, detect and respond appropriately to certain indicators of possible identity theft, including medical identity theft, under the Identity Theft Red Flag Rules promulgated under the Fair and Accurate Credit Transactions Act of 2003 ("Red Flag Rules") found at 16 C.F.R. Part 681. We have reviewed these Red Flag Rules and concluded that we are a "service provider" to your organization, much as we are your Business Associate under HIPAA. This is based on the assumption that the accounts for which we provide billing and collection services for your organization are "covered accounts" under the Red Flag Rules. We also believe that your organization is obligated under these Rules to ensure that, as a service provider, we provide our services for covered accounts in accordance with reasonable Red Flag program designed to help detect, prevent and mitigate identity theft. We have performed a risk analysis of our operations and identified potential risk areas involving the covered accounts of our clients. Based on this analysis, we have adopted a Red Flag program, including policy, procedure and training, to help detect, prevent and mitigate the risk of identity theft. Additionally, there have been significant HIPAA legislative revisions in the American Recovery and Reinvestment Act of 2009, including the HITECH Act, and new proposed FTC security rules. Once these regulations are finalized, we will provide you with an amended Business Associate Agreement for incorporation into our contractual agreement. In the interim, we have adopted new policies and procedures to enable us to proactively respond to these proposed new requirements. TR11661 - Exhibit B We have adopted the definitions of breach and unsecured protected health information (PHI) as currently defined by the HITECH Act. Breach means "the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom the information is disclosed would not reasonably have been able to retain such information." Unsecured PHI is "protected health information that is not secured by a technology standard that renders PHI unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute." This means that unsecured PHI is protected health information that is stored or electronically transmitted but has not been encrypted. We will formally notify you of any security breach or unauthorized use or disclosure of unsecured PHI, per the relevant HIPA requirements for business associates. If you have any questions, please contact your Intermedix Client Service Representative or me at 954-308-8714 or Jmccloskey@emsclaims.com. Thank you, f Joe McCloskey ADPI-Intermedix Compliance Officer 6451 N. Federal Highway, Suite 1002, Fort Lauderdale, FL 33308 Phone: 954-308-8714 Fax: 954-308-8725