Policy Number: 182

Identity Theft

Subject: Identity Theft

Scope: Administrators, Faculty, Researchers, Staff, Students

Date Reviewed: March 2009

Responsible Office: Office of Institutional Compliance

Responsible Executive: Assistant Vice President and Chief Compliance Officer

I.     POLICY AND GENERAL STATEMENT

The University of Texas Health Science Center at Houston ("university") strives to detect, prevent and mitigate identity theft through its Identity Theft Prevention Program in accordance with the Federal Trade Commission's Red Flag and Address Discrepancy Rule.

II.     DEFINITIONS

Account: any continuing relationship between the university and an Account Holder that permits the Account Holder to obtain a product or service for personal, family, household or business purposes. It may involve the extension of credit for the purchase of a product or service, or a deposit account.

Account Holder: Student, Employee, Retired Employee, Patient or other person that has a Covered Account held by or on behalf of the University.

Covered Account: an Account that the university offers or maintains, or that is offered or maintained by a vendor or other third party on behalf of the university, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and any other Account the university offers or maintains for which there is a reasonably foreseeable risk to an Account Holder or to the safety and soundness of the university from Identity Theft, including financial, operational, compliance, reputation, or litigation risks. Examples of Covered Accounts include, but are not limited to: student loan and tuition accounts; patient medical service accounts; accounts associated with employee benefits; student debit cards; and meal plans.

Identity Theft: any use or attempt by an individual to use another person's individual identifying information to obtain a thing of value including: money, credit, items, or services, such as medical care or education services, to which the individual is not entitled.

Individual Identifying Information: any information that may be used alone or with other information to identify an individual, including, but not limited to: (1) name, social security number, date of birth, telephone/cell number, government issued driver's license or identification number, alien registration number, passport number, employer or taxpayer identification number, credit/debit/banking account numbers; (2) unique biometric data such as fingerprint, voice print, retina or iris image or other unique physical representation; or (3) unique electronic identification number; address or routing code; IP or other computer identifying address; or telecommunication identifying information or other access device.

Red Flag: suspicious patterns or practices, or specific activities that indicate the possibility that identity theft may occur or is occurring in connection with the university's Covered Accounts.

Designated Official: Appropriate senior officer or employee with sufficient training, experience and authority to develop, maintain, and oversee compliance with this policy within their respective school or unit.

III.     PROCEDURE

The Office of Institutional Compliance shall develop and maintain a list of all operating units identified as holding Covered Accounts that are subject to the Program and the respective Designated Officials for oversight, compliance and periodic risk assessment to keep the Program up to date and to keep the department or office in compliance with the Program and the Red Flag Rules.

The Designated Officials at operating units will annually conduct a risk assessment to determine what university accounts are considered Covered Accounts. The risk assessment must take into consideration the method the university provides to open its accounts; the method the university provides to access its accounts; and the university's previous experiences with identity theft.

Designated Officials are responsible for maintaining the university's Identity Theft Program and for reporting at least annually to the Office of Institutional Compliance on the university's compliance with the Federal Trade Commission's Red Flag and Address Discrepancy Rule. Annual reports should update the "red flags" determined to be relevant to reflect changes in the risks to patients and students based on:

Designated Officials shall identify and detect the relevant "red flags" for the covered accounts that the unit maintains and incorporate those into the program. Possible "red flags" may include:

Possible methods of detection of "red flags" may include:

Upon the detection of "red flags," Designated Officials shall respond appropriately to detected red flags to prevent and mitigate identity theft. Depending on the circumstances, mitigation may take on different forms, including:

To the extent the university utilizes a third party who receives information related to the university's Covered Accounts or who otherwise handles the university's Covered Accounts, the university will require via written agreement that the third party:

The university will provide initial training and periodic additional training to all appropriate university employees as necessary to implement and enforce the Program effectively.

The Office of Institutional Compliance shall report to the university President at least annually on compliance with the Program. The report shall address material matters related to the Program and evaluate issues such as:

IV.     CONTACTS

Contact: Office of Institutional Compliance

Telephone: 713-500-3294

Email/Web Address: http://www.uthouston.edu/compliance/