200-29: Identity Theft Prevention and Response Policy

Questions? Contact Campus Administrative Policies


Ensure compliance with federal laws pertaining to Identity Theft and to set forth guidelines for establishing the UCSF Identity Theft Prevention and Response Programs.


The purpose of this policy is to ensure compliance with federal laws pertaining to Identity Theft and to set forth guidelines for establishing the UCSF Identity Theft Prevention and Response Programs pursuant to the Federal Trade Commission's “Red Flags Rule” which implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). The goals of the programs are to identify, detect, and respond to Red Flags in Covered Accounts as part of the UCSF protection of information and identity of patients, employees, faculty, students, and visitors in accordance with state and federal laws and regulations.


(i) Any account that UCSF offers or maintains primarily for personal family or household purposes, that involves multiple payments or transactions, including one or more deferred payments, one in which a patient, employee, faculty, student and/or visitor may receive a bill, and any time credit is extended; and (ii) any other account that UCSF identifies as having a reasonably foreseeable risk to customers or to the safety and soundness of UCSF from Identity Theft. Not all accounts handled by business operations are “covered accounts.” An account established for a single transaction, for example, is not a Covered Account.

A pattern, practice, or specific activity that indicates the possible existence of Identity Theft.


It is the policy of UCSF to take all reasonable steps to protect identity information, including medical identity information, for students, staff, patients and others for whom UCSF maintains identity information. In particular, in operations in which UCSF is involved in extending credit, which includes any operation in which any UCSF department allows for the deferment of payment, or arranges for the extension of credit, the department extending such credit is responsible for taking the appropriate steps to detect and prevent identity theft for those individuals involved. In addition, for patients receiving care from UCSF, similar caution is required to protect patient information from Identity Theft.


UCSF department heads are responsible for establishing and maintaining an Identity Theft Prevention and Response Program for each Covered Account within their respective areas in accordance with this policy. A template model program is attached as Appendix A as an example, along with a blank template as a resource for department heads to use to document the program elements. The unfilled template is attached as Appendix B.

The following are the essential components to be addressed by each UCSF Identity Theft Prevention and Response Program:

A. Inventory of Covered Accounts

Each department head will develop and maintain an inventory of all Covered Accounts and complete a risk assessment for each loan account for which UC is the creditor. All Covered Accounts are to be identified and inventoried; however, upon management assessment of the level of risk posed by each specific Covered Account, management has the discretion to tailor each program to fit the assessed level of risk, i.e., Covered Accounts determined to be “high risk” for possible identity theft will implement a program with more rigorous policies and procedures to detect, prevent and mitigate identity theft for a specific Covered Account than a Covered Account assessed to be at a lower risk level.

B. Development and Identification of Relevant Red Flags

Departments and operating units are responsible for reviewing current policies, procedures, and systems to identify relevant Red Flags for each Covered Account to incorporate into the Identity Theft program for each Covered Account, with a key focus on verifying identity, authenticating customers and monitoring transactions.

Departments and operating units also are responsible for incorporating and documenting selected relevant Red Flags into operational policies and procedures.

C. Mechanisms for Detection of Red Flags

Processes and mechanisms for detection of Red Flags for new and existing Covered Accounts will, at minimum, address:

i) Processes

Processes implemented by departments or operating units to enable continuous review of Covered Accounts where Red Flags have been identified

ii) Documentation

Documentation of steps and processes to follow when Red Flags incorporated into operating unit processes have been triggered

D. Employee Training

Operational departmental managers shall ensure that management and staff responsible for Covered Accounts are trained at the department level through their normal compliance training efforts related to their specific processes for the prevention, detection and response to issues.

E. Vendor/Contractor Identity Theft Program and Training

While vendors and contractors providing services are responsible for ensuring that they establish and maintain their own identity theft prevention programs, UCSF will establish the processes, including developing appropriate contract language, for ensuring that the vendors and contractors perform their activities in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. The policies and procedures will include ensuring that their employees receive appropriate training through their normal compliance training efforts related to their specific processes for the prevention, detection and response to identity theft issues.

F. Program Administration

i) Maintenance and Review to Prevent and Mitigate

The inventory of Covered Accounts will be updated and maintained by the UCSF enterprise Red Flag Work Group (Work Group), which is appointed by the Chief Ethics and Compliance Officer (CECO) and is made up of representatives from each campus and Medical Center control points. The Work Group is charged with ensuring the information in the inventory is accurate and current and will work with campus departments and organizations to ensure they understand, and have appropriate technical assistance to comply with, this policy.

ii) Compliance Monitoring

The Work Group will monitor compliance by conducting an annual review of operational and unit specific implementation plans to ensure they appropriately identify new or changed risks to our relevant constituents. The Work Group's review and findings will be reported to the Campus Ethics and Compliance Board on an annual basis and should include a summary and recommendation on any aspects of their review that suggests significant concerns or weaknesses in regard to compliance with this policy.


Regulatory References:

Federal Trade Commission Identity Theft Prevention Red Flags Rule (16 CFR § 681.2-Duties regarding the detection, prevention and mitigation of identity theft)

Appendix A to Part 681- Interagency Guidelines on Identity Theft Detection, Prevention and Mitigation

Federal Register 72(217): 63718-63775, November 9, 2007.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education

Gramm-Leach-Bliley Act (GLBA), Safeguard Rule CFR, Part 314 Under the Gramm-Leach-Bliley Act, the Safeguards Rule, enforced by the Federal Trade Commission, requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information

Additional Resources:

UCOP Policies and Procedures http://hipaa.ucsf.edu/policies/ucop.html

Identity Theft Prevention “Red Flags Rule” Overview and Frequently Asked Questions

Red Flags Rule—Quick Reference for Covered Accounts

Appendix A: Example of Model Program

Appendix B: Template for departmental use in documenting elements of a covered account