While enforcement has been delayed multiple times, equine practitioners still need to be aware of and ready for the “Red Flags” Rule. Quite simply, the Red Flags Rule is a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft. The Red Flags Rule requires certain businesses and organizations—including many doctors’ offices, hospitals and other health care providers—to develop a written program to spot the warning signs—or “red flags”—of identity theft. As such, any veterinary practice that receives payment after services are provided is considered a “creditor” under the law. On the other hand, requiring payment before or at the time of service, or simply accepting credit cards as a form of payment at the time of service, does not make you a creditor under the rule. It’s another reason to collect your fees at the time of service as often as you can.
The Red Flags Rule establishes new protocols for creditors to take additional steps to prevent, detect and mitigate identity theft. In short, the Red Flags Rule requires you to develop and implement a written identity theft prevention program, to be updated as needed; train all employees to implement the program; and oversee your vendors and service providers to ensure they also provide sufficient precautions to prevent, detect and mitigate identity theft. The rule also identifies 26 “red flags” that are indicators of the risk of identity theft. Not all of the red flags will apply to your practice, and you may identify additional red flags as you evaluate your practice. The 26 identified “red flags” fall into 5 categories:
• Alerts, notifications or warnings from a consumer reporting agency
• Suspicious documents
• Suspicious personally identifying information, such as a suspicious address
• Unusual use of—or suspicious activity relating to—a covered account
• Notices from customers, victims of identity theft, law enforcement authorities or other businesses about possible identity theft in connection with covered accounts.
Definition and Examples of “Red Flags”
A “red flag” is anything that indicates possible identity theft. In other words, it is something that makes you suspicious the person is not who he claims to be. It could be a single document, an event or suspicious action, suspicious information or a transaction that just seems “off.”
Most veterinary practices will rarely encounter a red flag, but the FTC does expect veterinarians and other health professionals to comply with the rules. There are 26 “red flags” identified by the FTC, but not all of them apply to a typical veterinary practice. According to the AVMA, the following are some of the “red flags” a veterinary practice might encounter:
1. An individual falsely claiming to be someone else who is known to the office staff;
2. A discrepancy between the address contained in the client’s consumer credit report and the address provided by the patient;
3. An individual who refuses to provide identification or contact information;
4. A report by a client that he or she has been the victim of identity theft;
5. A report of fraud, credit freeze, address discrepancy or other activity inconsistent with the creditors’ history is received from a consumer reporting agency or service provider;
6. Documents provided for identification appear to have been altered or forged;
7. The photograph or physical description on the identification is not consistent with the appearance of the applicant or client presenting the identification;
8. Information provided is inconsistent with the medical record and/or previously obtained information;
9. A job or credit application appears to have been altered or forged, or appears to have been destroyed and reassembled;
10. The address or telephone number provided is the same as or similar to the information provided by another client, but the clients are neither related nor do they know each other;
11. The client refuses or fails to provide all personal identifying information after he has been informed the information is needed;
12. Undeliverable mail or returned checks;
13. Any known or suspected security breaches (office break-ins, computer theft, etc.).
Why Veterinary Practices May be Covered by the Red Flags Rule
A veterinary practice is covered by the Red Flags Rule if it is considered a “creditor” and it has at least one “covered account.” The Red Flags Rule’s broad definition of “creditor” makes many veterinary practices subject to its requirements. For example, if your practice bills clients for partial or full payment for services rendered, you are considered a creditor. If you allow clients to pay on an installment plan, you are considered a creditor. Many practices fall into the “creditor” category because they arrange for clients to obtain credit to pay for services through a financing company such as CareCredit®. With the growing number of clients obtaining pet insurance to cover their pet’s medical costs, accepting pet insurance where the client is ultimately responsible for payment makes you a creditor.
The only way to avoid qualifying as a creditor under the rule seems to be to always require full payment at the time the service is provided.
What accounts in a veterinary practice are considered “covered accounts”?
Any account that contains information that could allow someone to steal a client’s identity is a “covered account.” In other words, any account that contains personal identifying information is a covered account. Medical records meet this definition because they include the owner’s name and address and may contain payment information (such as credit card numbers, etc.). If the client pays by personal check and you have a copy of his driver’s license in the file, it is a covered account. Even prescription information in a file can present a risk of identity theft because it contains the client’s personal identifying information.
Complying with the rules
Develop a written document that thoroughly details the measures your practice will take to protect the personal identifying information of its employees and clients. As always, a written plan is ineffective unless all of the staff understands and implements the plan. Therefore, all staff members must be trained and must sign documents that confirm they have been trained. Last, but not least, all vendors and service providers who have physical or electronic access to sensitive information (e.g., insurance agents, accountants, copier companies, cleaning services, etc.) should be contacted in writing and notified that you also expect them to comply with the rule and to take all reasonable measures to protect the practice’s information as well as that of its clients. Documentation in writing of your program is critical; not just the policy and its updates, but also the training and notifications. To summarize, here are the four steps a practice must take to ensure compliance with the Red Flags Rule:
1. Develop a written document that thoroughly details the measures your practice will take to protect the personal identifying information of its employees and clients
2. Explain your process for detecting “red flags,” including training all staff members on the purpose of the program; identify the potential “red flags” your practice may encounter; and provide a copy of the “red flags” program to each team member
3. Describe how you’ll respond to “red flags” to prevent and mitigate identity theft
4. Spell out how you’ll keep your program current, including notifying all vendors and service providers who have physical or electronic access to sensitive information.
Martin H. (Marty) Miller heads up the newly formed Human Resources Consulting Practice with Veterinary Business Advisors, Inc., a consulting firm that counsels veterinary practice owners, hospital managers and veterinarians nationwide on business and legal issues.