Identity Theft Prevention Policy
Julie Graves Moy, MD, MPH, PA

Identity theft prevention and detection

and Red Flags Rule compliance


It is the policy of Julie Graves Moy, MD, MPH, PA

to follow all federal and state laws and reporting requirements regarding identity theft. Specifically, this policy outlines how this practice will (1) identify, (2) detect and (3) respond to "red flags." A "red flag" as defined by this policy includes a pattern, practice, or specific account or record activity that indicates possible identity theft.

It is the policy of this practice

that this Identity theft prevention and detection and Red Flags Rule compliance program is approved by Julie Graves, MD, PhD as of July 27, 2009, and that the policy is reviewed and approved no less than annually.

It is the policy of this practice

that Dr. Julie Graves is assigned the responsibility of implementing and maintaining the Red Flags Rule requirements;  she also functions as the privacy officer for this practice.

It is the policy of this practice

 that, pursuant to the existing HIPAA Security Rule, appropriate physical, administrative and technical safeguards will be in place to reasonably safeguard protected health information and sensitive information related to patient identity from any intentional or unintentional use or disclosure.  We require our business associates must be contractually bound to protect sensitive patient information to the same degree as set forth in this policy. It is also the policy of this practice that business associates who violate their agreement will be dealt with first by an attempt to correct the problem, and if that fails by termination of the agreement and discontinuation of services by the business associate.

It is the policy of this practice

 that all members of our workforce have been trained by the August 1, 2009 compliance date on the policies and procedures governing compliance with the Red Flags Rule and that any new employees receive training on these matters within a reasonable time after they have started work. It is the policy of this practice to provide training should any policy or procedure related to the Red Flags Rule materially change. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, it is the policy of this practice that training will be documented, indicating participants, date and subject matter.


I. Identify red flags.

In the course of caring for patients, Dr. Graves may encounter inconsistent or suspicious documents, information or activity that may signal identity theft. This practice identifies the following as potential red flags, and this policy includes procedures describing how to detect and respond to these red flags below:

1.  A complaint or question from a patient based on the patient’s receipt of:

A bill for another individual;

A bill for a product or service that the patient denies receiving;

A bill from a health care provider that the patient never saw; or

A notice of insurance benefits (or explanation of benefits ) for health care services never received.

2. Records showing medical treatment that is inconsistent with a physical examination or with a medical history as reported by the patient.

3. A complaint or question from a patient about the receipt of a collection notice from a bill collector.

4. A patient or health insurer report that coverage for legitimate hospital stays is denied because insurance benefits have been depleted or a lifetime cap has been reached.

5. A complaint or question from a patient about information added to a credit report by a health care provider or health insurer.

6. A dispute of a bill by a patient who claims to be the victim of any type of identity theft.

7. A patient who has an insurance number but never produces an insurance card or other physical documentation of insurance.

8. A notice or inquiry from an insurance fraud investigator for a private health insurer or a law enforcement agency, including but not limited to a Medicare or Medicaid fraud agency.

II. Detect red flags.  Our practice staff will be alert for discrepancies in documents and patient information that suggest risk of identity theft or fraud. We will review the identity, address and insurance coverage at the time of the patient's first visit with Dr. Graves, after immediate health and safety issues have been addressed. 


1. At the time of the first hospital, office, or home visit, the patient will be asked to show the following:

Driver’s license or other photo ID;

Current health insurance card; and

Utility bills or other correspondence showing current residence if the photo ID does not show the patient’s current address. If the patient is a minor, the patient’s parent or guardian should bring the information listed above.


At each subsequent hospitalization, or after six months from the previous visit, the patient will be asked to update the information in item 1.

3. Staff should be alert for the possibility of identity theft in the following situations:

The photograph on a driver’s license or other photo ID submitted by the patient does not resemble the patient.

The patient submits a driver’s license, insurance card, or other identifying information that appears to be altered or forged.

Information on one form of identification the patient submitted is inconsistent with information on another form of identification or with information already in the practice’s records.

An address or telephone number is discovered to be incorrect, non-existent or fictitious.

The patient fails to provide identifying information or documents.

The patient’s signature does not match a signature in the practice’s records.

This practice intends to follow all current HIPAA laws and regulations.


If potentially fraudulent activity (a red flag) is detected by an employee of this practice:

1. The employee should gather all documentation and report the incident to Dr. Graves.

2. Dr. Graves will determine whether the activity is fraudulent or authentic.

3. If the activity is determined to be fraudulent, then the practice

 should take immediate action. Actions may include:

 Cancel the transaction;

 Notify appropriate law enforcement;

 Notify the affected patient; and

 Assess impact to practice.

If a patient claims to be a victim of identity theft:

1. The patient should be encouraged to file a police report for identity theft if he/she has not done so already.

2. The patient should be encouraged to complete the ID Theft Affidavit developed by the Federal Trade Commission, along with supporting documentation.

3. This practice

will compare the patient’s documentation with personal information in the practice’s records.

4. If following investigation, it appears that the patient has been a victim of identity theft, Dr. Graves' practice

 will promptly consider what further remedial act/notifications may be needed under the circumstances.

5. Dr. Graves will review the affected patient’s medical record to confirm whether documentation was made in the patient’s medical record that resulted in inaccurate information in the record. If inaccuracies due to identity theft exist, a notation should be made in the record to indicate identity theft.

6. Dr. Graves will determine whether any other records and/or ancillary service providers are linked to inaccurate information. Any additional files containing information relevant to identity theft will be removed and appropriate action taken.

7. If following investigation, it does not appear that the patient has been a victim of identity theft, Dr. Graves

 will take whatever action it deems appropriate.