"We're extremely grateful that Capitol Hill understands that these costly regulations are inappropriate for small health care professionals like veterinarians."
Legislation removes federal requirement for practices to create programs to prevent identity theft
Almost all veterinarians are now exempt from compliance with the Red Flags Rule following multiple delays in enforcement, federal court cases, and bills in Congress.
The Federal Trade Commission issued the Red Flags Rule to require financial institutions and creditors to establish programs to detect and respond to warning signs of identity theft—or red flags. The FTC defined creditors as including businesses that bill customers after providing services, such as health care providers and other professionals.
Late last year, Congress passed the Red Flag Program Clarification Act to define creditors more narrowly, thereby exempting health care providers from the rule except for those that might offer direct loans to clients. The president signed the bill Dec. 18.
"We're extremely grateful that Capitol Hill understands that these costly regulations are inappropriate for small health care professionals like veterinarians," said Dr. Larry M. Kornegay, president of the AVMA.
The AVMA fought for the exemption for the past two years by appealing to Congress and the FTC, although the Association concurrently offered resources to help veterinarians create programs to prevent identity theft.
Fighting the rule
"The Red Flags Rule just went beyond what we thought was necessary, given the identity-theft risk presented to veterinary clinics versus the amount of burden on members in having to comply with these regulations," said Isham Jones, JD, the AVMA's general counsel.
The regulations stem from a provision of the Fair and Accurate Credit Transactions Act of 2003. The FACT Act directed the FTC to "establish and maintain guidelines for use by each financial institution and each creditor regarding identity theft with respect to account holders at, or customers of, such entities."
The FTC published the Red Flags Rule in 2007 to implement the provision, effective in November 2008. Only as the deadline approached did many smaller businesses realize that the FTC intended to apply the rule to them. In response to questions about the scope of the rule, the agency issued the first of a number of delays in enforcement.
In early 2009, the AVMA wrote a letter to the FTC arguing that the categorization of health care providers as creditors is not consistent with the intent of the FACT Act.
"The FTC made an interpretation, and we got caught up in a definition that we shouldn't have been caught up in," said Gina Luke, an assistant director of the AVMA Governmental Relations Division in Washington, D.C.
The AVMA joined a coalition of medical associations opposing the FTC's interpretation. Luke and other lobbyists met with congressional staff to ask that members of the House and Senate put pressure on the FTC and introduce legislation to exempt health care providers from the Red Flags Rule.
In May 2009, Rep. John Adler (D-NJ) introduced legislation in the House to exempt health care practices with 20 or fewer employees from the Red Flags Rule. In October 2009, he introduced a similar bill to also exempt accounting and legal practices with 20 or fewer employees. The House passed the latter bill, but the legislation stalled in the Senate.
Nevertheless, the potential for progress on the legislative front was a factor in the AVMA's decision to decline joining several other medical associations in pursuing a lawsuit against the FTC, Jones said.
In mid-2009, the American Bar Association filed its lawsuit against the FTC. According to the ABA, the FTC exceeded its statutory authority in applying the Red Flags Rule to attorneys. In late 2009, the U.S. District Court for the District of Columbia granted a summary judgment in favor of the ABA.
The AVMA and several other medical associations reviewed the case, Jones said. In January 2010, they sent a letter to the FTC asking that the agency not apply the Red Flags Rule to health care providers if the rule does not apply to lawyers. The FTC later appealed the decision in the ABA case.
Luke and other lobbyists started to push for legislation to provide a broad exemption from the Red Flags Rule for businesses with a relatively low risk of identity theft, regardless of the number of employees.
"Hill staff were generally receptive to our arguments and wanted to do something before enforcement began," Luke said. "They understood that their constituents would be adversely impacted."
In the fall of 2010, legislation took shape that would define creditors more narrowly under the Red Flags Rule. On Nov. 30, Sen. John Thune (R-SD) introduced the Red Flag Program Clarification Act in the Senate. The Senate passed the bill immediately. On Dec. 7, the House passed an identical bill. The president signed the legislation less than two weeks later.
The law defines creditors, for the purposes of the Red Flags Rule, as businesses that regularly obtain consumer reports in connection with credit transactions, furnish information to consumer reporting agencies in connection with credit transactions, or advance funds to, or on behalf of, a person.
Preventing identity theft
Even as the AVMA sought an exemption from the Red Flags Rule for veterinarians, the Association also assembled resources to help veterinarians create identity theft prevention programs that would be in compliance with the rule.
The AVMA organized free webinars with an outside consultant to brief members on the Red Flags Rule. The Association developed Web pages with updates about the rule and links to online training programs on identity theft, a guide for veterinary practices to comply with the Red Flags Rule, and a document with answers to frequently asked questions about the rule.
Adrian Hochstadt, JD, assistant director for state legislative and regulatory affairs in the AVMA Communications Division, helped organize the webinars and fielded questions from state veterinary associations about the Red Flags Rule.
"The training and resources we provided not only were designed to help with compliance with this federal rule, but perhaps more important, will help these practices protect themselves," Hochstadt said. "The federal compliance issue may go away now, but you still have a risk management issue. You still have the expectations that clients have that their private information will be protected."
Hochstadt noted that veterinarians should take measures to prevent identity theft not only from fear of civil litigation but also as a good business practice.