Guide for veterinary practices to comply with FTC "Red Flags" Rule
Created June 2009
Updated August 13, 2009

Note that the guide provided here is informational only, has not been approved by the FTC and does not constitute legal advice. Each business, practice or clinic should consult with its own attorney where specific legal questions arise.

This guide provides a step-by-step plan to prepare and implement the requirements of the Red Flags Rule, issued by the Federal Trade Commission (FTC) on November 9, 2007. The Rule requires "creditors" and "financial institutions" to develop written plans to prevent and detect identity theft. The Rule is a section of the Fair and Accurate Credit Transactions Act ("FACT Act") of 2003, a federal law which requires the establishment of guidelines for financial institutions and creditors regarding identity theft. The Rule was developed in response to the growing problem of credit cards, social security numbers, driver's licenses and other personal identifying information being used to cause serious financial and legal problems for victims.

The AVMA has been closely following the development of FTC's position on the Red Flags Rule as applicable to veterinarians. According to the FTC, health care professionals, including veterinarians, fall into the category of "creditors" if they do not receive payment in full from their clients at the time of treatment. On January 30, 2009, the AVMA Governmental Relations Division sent a letter to the FTC requesting that veterinarians be excluded from the Rule. On March 19, 2009, the FTC responded to the AVMA, stating that veterinarians and other health care providers will be subject to the Rule.

The FTC initially suspended enforcing the Red Flags Rule until May 1, 2009. The AVMA held meetings on Capitol Hill to raise awareness about FTC's plans to apply Red Flags to veterinarians. As a result of this effort, in concert with other professional associations, the FTC voted on April 30, 2009 to delay enforcement to August 1, 2009 to allow creditors additional time to develop and implement written identity theft prevention programs. However, the Rule is still in effect and veterinarians are still expected to comply.

FTC staff has indicated that the Red Flags Rule is intended to be "flexible" and a written plan should address those circumstances that a veterinary practice actually encounters. FTC staff also indicated that the agency may issue written guidance to assist "low risk" environments into which most small practices probably fall. However, the FTC did not provide a timeline for issuing this guidance.

Definition and Examples of "Red Flags"

A "red flag" is anything that indicates possible identity theft. In other words, it is something that makes you suspicious the person is not who they claim to be. It could be a single document, an event or suspicious action, suspicious information or a transaction that just seems "off."

Most veterinary practices will rarely encounter a red flag, but the FTC does expect veterinarians and other health professionals to comply with the rules. There are 26 "red flags" identified by the FTC, but not all of them apply to a typical veterinary practice. The following are some of the "red flags" a veterinary practice might encounter:

  1. An individual falsely claiming to be someone else who is known to the office staff;
  2. A discrepancy between the address contained in the client's consumer credit report and the address provided by the patient;
  3. An individual who refuses to provide identification or contact information;
  4. A report by a client that he or she has been the victim of identity theft;
  5. A report of fraud, credit freeze, address discrepancy, or other activity inconsistent with the creditors' history is received from a consumer reporting agency or service provider;
  6. Documents provided for identification appear to have been altered or forged;
  7. The photograph or physical description on the identification is not consistent with the appearance of the applicant or client presenting the identification;
  8. Information provided is inconsistent with the medical record and/or previously obtained information;
  9. A job or credit application appears to have been altered or forged, or appears to have been destroyed and reassembled;
  10. The address or telephone number provided is the same as or similar to the information provided by another client, but the clients are neither related nor do they know each other;
  11. The client refuses or fails to provide all personal identifying information after they have been informed the information is needed;
  12. Undeliverable mail or returned checks;
  13. Any known or suspected security breaches (office break-ins, computer theft, etc.).

Why Veterinary Practices May be Covered by the "Red Flags" Rule

A veterinary practice is covered by the Red Flags Rule if it is considered a "creditor" and it has at least one "covered account."

When does a veterinary practice qualify as a creditor?

The Red Flags Rule's broad definition of "creditor" makes many veterinary practices subject to its requirements. For example, if your practice bills clients for partial or full payment for services rendered, you are considered a creditor. If you allow clients to pay on an installment plan, you are considered a creditor. With the growing number of clients obtaining pet insurance to cover their pet's medical costs, accepting pet insurance where the client is ultimately responsible for payment makes you a creditor.

The only way to avoid qualifying as a creditor under the Rule seems to be to always require payment at the time the service is provided.

What accounts in a veterinary practice are considered "covered accounts"?

Any account that contains information that could allow someone to steal a client's identity is a "covered account." In other words, any account that contains personal identifying information is a covered account. The medical records meet this definition because they include the owner's name and address and may contain payment information (such as credit card numbers, etc.). If the client pays by personal check and you have a copy of their driver's license in the file, it is a covered account. Even prescription information in a file can present a risk of identity theft because it contains the client's personal identifying information.

Complying with the Rules

To comply with the "Red Flags" Rules and protect the identities of your clients and employees, veterinary clinics must adopt a written policy and procedures that are designed to prevent, detect and mitigate identity theft.

The plan should identify the "red flags" relevant to the practice and include descriptions of the following:

  1. how the "red flags" will be detected by staff;
  2. the procedures that will be implemented to respond to "red flags";
  3. how the staff will be trained (and documentation that the staff has received the training);
  4. established review and evaluation intervals for the program to allow updates and revision.

Below are step-by-step procedures for developing an identity theft detection and response policy.

Step One: Identifying Red Flags

Review the list of the "red flags" issued by the FTC in Supplement A to the Rule, available at ftc.gov/redflagsrule, and identify those that are relevant to your practice. In addition, as you review your files, you may identify other "red flags" not on the list but still relevant to your practice.

Step Two: Detecting and Addressing Red Flags

Once you have identified and documented the "red flags" relevant to your practice, you need to develop and document the procedures you and your staff will take to address those "red flags" if they are encountered.

When responding to red flags, keep in mind that other laws may impose legal obligations on the practice, such as the ADA's patient privacy protections, and professional ethics considerations. The practice should consult with its own attorney where specific legal questions arise.

These procedures may include actions such as:

  • contacting the client to verify or report the information;
  • requesting additional identifying information;
  • monitoring the account for suspicious activity;
  • refusing to provide services to that client, or refusing to hire the applicant;
  • notifying the appropriate authorities;
  • concluding that no action is necessary at that time.

Some examples of "red flags" that may be encountered by veterinary clinics, and their possible responses, are listed below.

Red flag: A new client comes to the clinic with their pet. According to the address information they provided, they live three houses down from your receptionist's house. However, your receptionist reports to you that they know the owners of the house have not moved.
Response: Refuse services to the new client (if they have not already been provided), notify the person whose identity has been (or may have been) taken, and notify the authorities if necessary.

Red flag: A client comes into your clinic for medical treatment of their dog's injury. They present a Care Credit® application form that appears to have been taped back together.
Response: Refuse services (if they have not already been provided) until the person can adequately identify themselves to confirm they are the same person as described on the application, ask them to complete a new application without access to the suspicious application (i.e., so they can't just copy the information), notify the person whose identity has been (or may have been) taken, and notify the authorities if the person cannot provide confirmation of their identity.

Red flag: A new client comes into the practice and does not present adequate identification. When the receptionist asks them for proof of identification, the client tells her they are "going to their car" to get the identification but they do not return or they return and tell her they left their wallet at home.
Response: Refuse services (if they have not already been provided) until the person can adequately identify themselves to confirm they are the same person as described on the application, notify the person whose identity has been (or may have been) taken, and notify the authorities if the person cannot provide confirmation of their identity.

Red flag: The client's bill is returned as undeliverable to the address provided.
Response: Make sure the bill was sent to the address on file and call the client to verify the address.

In addition to the "red flags" you identify, the FTC requires specific responses for two "red flags" that must be included in your written program:

1. Red flag: You obtain a consumer credit report for a client that contains a discrepancy between the address provided by the client and the address contained in the credit report.
Response: You must make a reasonable attempt to verify the correct address. If that address is different from the address in the credit report, you must report this to the credit agency.

2. Red flag: You receive notice of an actual identity theft relating to one of your client's accounts.
Response: You must immediately cease any collection efforts against the alleged victim of the theft.

Step Three: Formalizing and Administering the Red Flags Program

Responsibility for the plan
The practice owner is ultimately responsible for implementing and administering the identity theft prevention plan. A practice manager, office manager, associate or other staff member can be designated Program Administrator, but the practice owner retains oversight and approval of any revisions to the program.

Program Administrator duties
The Program Administrator should be notified immediately when any "red flags" are detected, and should oversee the response. The identification of and response to "red flags" must be documented in a log dedicated to that purpose.

Training the staff
All staff should be trained to recognize, report and respond (where appropriate) to "red flags" encountered by your practice. The training program should provide the following information:

  • the purpose of the program;
  • identification of "red flags" your practice may encounter;
  • the proper procedures for reporting and responding to "red flags."

All staff should receive a copy of the actual written program, and should sign a form that acknowledges and documents that they have read the program and received the training. Copies of these signed forms should be kept in an administrative file.

Interacting with service providers
Don't overlook your agreements with veterinary consulting services, veterinary laboratories, drug and equipment suppliers, credit card companies and credit organizations, and any other service providers that may store the personal identifying information of the practice's staff or clients. Check your agreements with these providers to make sure they positively state that they protect against identity theft. If the agreement does not specifically state this, you should confirm their protections against identity theft. You may choose to ask for a new agreement including such a statement, or you may opt to decline further interactions with that provider.

Reviewing and evaluating the plan
Don't forget that periodic review and evaluation of your practice's written identity theft prevention plan is required by the Rule. The program should be reviewed and modified as needed annually at a minimum and more frequently if needed.

 

American Veterinary Medical Association
Copyright © 2010