By Catherine Hubbard, CCH Washington Staff Writer

Much has been made in recent media reports about the new identity theft protections included in a congressional renewal of national credit reporting standards. But what, exactly, should you do if you believe that you are a victim of this growing problem, or that your company had its information breached?

According to industry experts, identity theft victims should report the crime to police as soon as they're aware of a privacy breach. That way, they can avoid being punished for the fraudsters' crimes. The recently enacted Fair and Accurate Credit Transactions Act requires credit reporting agencies to block or omit information resulting from an identity theft, as long as the consumer has filed a police report.

"It goes completely off the consumer's report and the dispute process is finished," according to Betsy Broder, assistant director for the Division of Planning and Information of the Federal Trade Commission's (FTC) Bureau of Consumer Protection. "The police report initiative simplifies a lot of the tasks consumers otherwise would have to take," she said during a December 2, 2003, teleconference sponsored by the Health Care Compliance Association.

She also recommended that victims obtain a copy of the police report. If a copy is not available, the victim should at least get the report number, said FTC officials.

Deal with ID Theft Head On

Broder said health care organizations also should contact their local police departments whenever a patient tells them his or her identity has been stolen. After all, she said, the breach might not be an isolated incident. "They may be part of a larger organization."

In addition, instead of sweeping a breach under the carpet, companies should use the incident as an opportunity to teach employees better privacy practices, said Broder. Often companies approach the FTC months after a breach, when an ID theft is reported in the press, she said. "The problems are so much worse then, from a public relations, law enforcement and consumer protection perspective," she said.

David Orbuch, executive vice president of compliance and public policy at Allina Hospitals & Clinics, Minneapolis, Minn., added that when Allina notifies people of a potential breech, they don't complain, but appreciate the warning.

Although the below guidelines are geared toward heath care organizations, much of the advice is applicable to the operations of any business, large or small. Broder advised organizations to:

• Direct victims to credit reporting agencies. "If someone contacts you and says your information was the source of ID theft or it has to do with health care treatment, you want to direct them to the credit reporting agencies," she said. "It's likely their information is being used in more than one place."
• Shred rather than discard important documents. "People easily go through your dumpsters and pull out a treasure trove of data," said Broder.
• Make personally identifiable information available only on a need-to-know basis. "Who are the employees who can look at health records and Social Security Numbers?" she asked.
• Instruct employees and individuals to use strong passwords on accounts (not mother's maiden name), secure personal information from others, keep virus software updated, use a firewall (especially with a 24/7 connection) and encrypt personal information before sending it over the Internet, using secure sites.
• Conduct background checks on employees. In once case an employee at an insurance company in Texas processed a health insurance claim of someone with the same name in Maryland. "She swiped that [Social Security] number and went to town," Broder said. "Employee security is of the utmost importance," she said.
• Be wary of phishing and pretexting. ID thiefs can pose as health care suppliers and ask to "confirm" names, account numbers and billing addresses, using the information for fraudulent purchases.
• Use the FTC's web site (www.ftc.gov) and hotline (877-ID-THEFT) as resources for preventing and responding to ID theft. She also advised companies to refer victims to the FTC's resources. "You want to direct them to the resources available through the FTC so they can immediately contact credit reporting agencies and see if other fraudulent accounts have been opened," she said.
• Download the standard form ID theft affidavit from the FTC site and have it on hand when a person says an identity thief is obtaining health care services under a false name. This form relieves consumers from having to file different forms for each institution affected, Broder said. "We have developed a standard form affidavit, which should be used to dispute accounts at each institution where fraudulent accounts have been opened." She noted that law enforcers and major creditors are using the form. "This ID theft affidavit will do the job."

Health Information Is Susceptible

"Health care organizations are at risk and are very susceptible to ID theft," said Jennifer O'Brien, director of corporate compliance with Allina Hospitals & Clinics, Minneapolis, who also participated in the call. "We're looking at how to safeguard patients' as well as employees' SSNs," she said. Allina is working to change reliance on SSNs as an identifier, she said. Patient SSNs are used for billing, insurance cards and registration, she said. Hospitals also collect the SSNs of employees for tax purposes, she noted.

Allina also regularly assesses employee access to patient health information, O'Brien said. "We're trying to make sure we're giving them the minimum amount of access that they need." Health care entities must make sure that when employees leave, their access is terminated. Likewise, when an employee changes jobs within the organization, their access should be reassessed, she said. O'Brien suggested providers review the access both temporary employees and volunteers have to health information and SSNs.

In the end, for all organizations, simple prevention measures go a long way toward avoiding more complicated recovery efforts and any resultant bad press that the security breach might cause.

Related items:

Fair and Accurate Credit Transactions Act Signed into Law

Senate Votes to Reauthorize Fair Credit Reporting Act

Legislation to Amend Fair Credit Reporting Act Clears House

Congress Likely To Reform National Credit Reporting Systems

Lawmakers Hope To Address ID Theft as Part of FCRA Reauthorization

Lawmakers Back Extension of FCRA Preemption Provisions