American Academy of Family Physicians
Home Page > Practice Mgmt > Regulatory Compliance > Identity Theft Red Flags Rule > Protecting Yourself & Your Staff From ID Theft

Search
 
Advanced Search

About UsNews & PublicationsMembersCME CenterClinical & ResearchPractice MgmtPolicy & AdvocacyCareers

Printer-friendly Version

Email this Page

Protecting Yourself & Your Staff From ID Theft

While considering how to detect red flags of ID theft from outside the practice, think about the internal risks of identity theft for physicians and staff within your practice. Though it may not be pleasant to contemplate, many physicians and practices have found themselves victim to misuse or theft of information by an employee or associate who had access to personally identifying information. While such instances cannot always be prevented, development and enforcement of policies and procedures for handling of such information shows the practice's commitment to safeguarding information and deterring careless or wrongful acts.

Below are a couple of policy examples that may be considered and/or adapted for your practice. Other policy considerations may be handling and security of payroll, accounts payable, and contractual agreement records.

Policy - Handling of Forms or Records of Practice Staff or Applicants

Personnel records shall be accessed only by the practice manager and administrative physician. Paper records will be secured in a locking file cabinet. Electronic records will be password protected with passwords only issued to practice manager and administrative physician. Any applications or other forms received by mail, fax, or direct from an applicant will be treated as confidential by any staff member who handles the forms and delivered promptly to the practice manager. Persons handling such forms will take precautions against accidental disclosure of personally identifiable information, such as placing forms containing personally identifying information into an envelope and delivering directly to the practice manager as soon as possible.

Policy - Physician Credentialing and Personal Information

Physician credentialing materials often contain enough information to create a risk of theft or misuse of the physician’s personal information. Access to and use of such information will be limited to practice manager and administrative physician except as specifically assigned to other staff for purposes of credentialing process activities. All paper records will be secured in locking file cabinet. Electronic records will be password protected with passwords only issued to practice manager and administrative physician. Any materials received from a hospital, payer, or other entity containing the personally identifying information of a physician will be treated as confidential and delivered promptly to the practice manager.

Staff will not release personal information of physicians without permission of the physician or practice manager.

Other Resources Related to Preventing & Mitigating ID Theft

Here are just a couple of the many resources for learning more about identity theft prevention and mitigation.

OnGuardOnline Identity Theft Games -- This government site provides quick games for testing your knowledge about identity theft, pfishing, laptop security, and more.
FTC Facts for Consumers -- Quick facts for protecting your ID and avoiding scams.

Copyright © 2009 American Academy of Family Physicians
Home | Privacy Policy | Contact Us | My Academy
Members | Residents | Students | Patients | Media Center
RSS RSS | POD Podcasts

Identity Theft Red Flags Rule

AAFP Red Flags Rule Presentation

Are all physicians subject to the Identity Theft Red Flags Rule?

What is the purpose of the Red Flags Rule?

What is a Red Flag?

What is required to comply with the Red Flags Rule?

Should I purchase a manual for the Red Flags Rule?

Protecting Yourself & Your Staff From ID Theft

Other Red Flags Resources

Shop Catalog