Updated January 31, 2011
On November 9, 2007, the Federal Trade Commission (FTC) issued the "Red Flags" (Rule, 16 C.F.R. § 681.2) that requires "creditors" and "financial institutions" to develop written plans to prevent and detect identity theft. Based on the FTC's interpretation of the Rule, health care professionals, including veterinarians, fell into the category of "creditors" because they do not always receive payment in full from their clients at the time of service, and were subject to comply with the provisions of the "Red Flags" Rule. During the years that followed, the FTC delayed enforcement of the rule five times as they encountered challenges to the Rule's interpretation from a number of professions.
On Dec. 18, 2010, President Obama signed into law S. 3987, a bill that removes certain businesses including most veterinary practices and other health care practices from the FTC's "Red Flags Rule." The bill defines the term "creditor" more narrowly than the FTC had, with the intent of exempting small businesses and other service providers who do not receive payment in full from their clients at the time they provide their services. The AVMA was part of a coalition of professional associations lobbying for this legislation, which will save veterinary practices compliance expense and time.
Q: Why should I be worried about identity theft?
A: We should ALL be worried about identity theft. It's growing, and it's a very lucrative crime. Unlike stolen cash, stereos or drugs, identities can be sold over and over again. People whose identities are stolen spend countless hours and dollars trying to fix their credit rating and reestablishing their reputations. Often, irreparable damage is done to the victim's identity. Many people believe identity theft is only financial in nature, but this is not true. It actually can include any aspect of your identity, including your medical, driver's license, Social Security, professional, criminal and financial identities.
As a respected member of the veterinary profession and a business owner, you have ethical and legal responsibilities to protect your clients' and employees' personal information as much as possible. You don't want it to happen to you, and you certainly don't want to be blamed for the theft of a client's identity.
Q: What is the "Red Flags" Rule?
A: The "Red Flags" Rule is basically a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft.
Q: What are the basic aspects of the "Red Flags" Rule?
A: Simply put, the "Red Flags" Rule requires you to develop and implement a written identity theft prevention program which is updated as needed; train all employees to implement the program; and oversee your vendors and service providers to ensure they also provide sufficient precautions to prevent, detect and mitigate identity theft.
The rule also identifies 26 "Red Flags" that are indicators of the risk of identity theft. Not all of the red flags will apply to your practice, and you may identify additional red flags as you evaluate your practice.
The 26 identified "Red Flags" fall into 5 categories:
Q: How is my practice affected by the "Red Flags" Rule?
A: The "Red Flags" Rule establishes new protocols for creditors to take additional steps to prevent, detect and mitigate identity theft. Before S.3987 was signed into law, the FTC's interpretation was that any veterinary practice that receives payment after services are provided, even if it's collected in full after the animal was discharged from the hospital, was considered a "creditor" under the law.
The impact of S. 3987, legislation that took effect immediately upon signing, is that almost all veterinary practices will be exempt from the Red Flags Rule requirements. The new law exempts from the definition of "creditor" small businesses and other service providers who do not receive payment in full from their clients at the time they provide their services. The rule still applies to individuals and entities that "regularly and in the ordinary course of business" obtain or use consumer reports in connection with a credit transaction, furnish information to consumer reporting agencies, or extend credit.
Q: My practice allows clients to pay for services with CareCredit®. Does that make us creditors?
A: Providing CareCredit® application brochures and accepting CareCredit® as payment for services does not make you a creditor. According to the FTC site, if practitioners simply make brochures available to patients that the Red Flags would not be triggered; however if practitioners actively arrange the credit for the patient that it would. The site states, "You're not a creditor if you merely provide advertising brochures for third-party financing or tell your customers about third-party financing without referring them to lenders."
Q: When does the "Red Flags" Rule take effect?
A: After five extensions to the enforcement deadline, the rule took effect on January 1, 2011 for those persons and organizations not exempted by S. 3987.
Q: How do I comply with the "Red Flags" Rule?
A: Based on the new law, the majority of veterinary practices will be exempt from complying with the "Red Flags" Rule. If your practice does fall into the definition of "creditor," compliance with the Rule means developing a written document that thoroughly details the measures your practice will take to protect the personal identifying information of its employees and clients. As always, a written plan is worthless unless all of the staff understand and implement the plan; therefore, all staff must be trained and sign documents that confirm they have been trained. Last, but not least, all vendors and service providers who have physical or electronic access to sensitive information (e.g., insurance agents, accountants, copier companies, cleaning services, etc.) should be contacted and notified that you also expect them to comply with the Rule and take all reasonable measures to protect the practice's information as well as those of the clients. Documentation in writing of your program is critical; not just the policy and its updates, but also the training and notifications.
Q: Where can I get the training and information I need for my practice to protect against identity theft?
A: While the enactment of S. 3987 means that most veterinary practices will not be subject to the requirements of the Red Flags Rule, protecting your clients and employees from identity theft remains a sound business and risk management practice. You should review your practice's procedures and protocols to make sure that confidential and sensitive information such as credit card and social security numbers are protected, and employees are trained in this area.
To help you learn more about protecting your practice from identity theft, we have posted a number of resources at http://www.avma.org/PracticeManagement/Administration/Pages/Identity-Theft-FTCs-Red-Flags-Rule-Summary.aspx, including the AVMA and the FTC's step-by-step guidance to help you develop your practice's plan if you choose to do so. Alternatively, you may retain the services of a consultant knowledgeable about risk management and identity theft. A list of firms and individuals who have contacted AVMA about offering their services to veterinarians is available at http://www.avma.org/PracticeManagement/Administration/Pages/The-following-individuals-and-firms-are-offering-Red-Flags-Rule-compliance-training-to-veterinarians.aspx .
Q: I would still like to develop a plan for my practice. Is there a template I can use for my practice's plan?
A: There isn't really a "one size fits all" template that is applicable to all veterinary practices, because the red flags may vary from practice to practice, depending on the business practices used.
Q: Is there a step-by-step guide that will help me develop my practice's plan?
A: Yes. The AVMA has developed a guide with examples, and the FTC has released a "Do-It-Yourself Program for Businesses at Low Risk for Identity Theft" document to provide guidance.
Q: When did the AVMA find out about the "Red Flags" Rule?
A: The AVMA first became aware of the "Red Flags" Rule's possible impact on veterinary medicine in 2008, and established contact with the FTC. On March 19, 2009, the FTC stated that veterinarians are subject to the "Red Flags" Rule. Since that time, the AVMA lobbied the agency and Congress extensively in order to exempt veterinary practices from the rule, an effort that led to the enactment of S. 3987 on December 18, 2010.
Q: What is the AVMA doing about this?
A: The AVMA's approach to the "Red Flags" Rule has involved several different actions. First of all, the AVMA was in communication with the FTC regarding clarification of the Rules and how they affect the veterinary profession. The AVMA requested veterinarians be exempt from the Rule, but this request was denied by the FTC. Consequently, the AVMA joined with 27 other health care and business groups to advocate for Congressional legislation exempting small businesses and health care practices from the rule's requirements. This effort resulted in Congress passing and the President signing into law S. 3987 in late 2010.
While there was uncertainty about the applicability of the Red Flags Rule, the AVMA contracted with an independent consultant to develop a training program tailored to veterinarians. Although the program was not being administered or maintained by the AVMA, and the AVMA did not financially profiting from the program, AVMA staff members provided input to structure the content of the program and the program was offered at a discount to veterinarians as a professional courtesy. A number of free Webinars were offered as well.
Third, the AVMA distributed information to the profession about the Rule and how it may affect veterinary practices. The AVMA's home page has featured the "Red Flags" Rule resources, and all of the state veterinary medical associations and allied veterinary organizations were notified of the available resources.
As more resources are developed, or if changes occur that affect veterinary practices' compliance with the "Red Flags" Rule, the AVMA's Web site will be updated.