Guide for Veterinary Practices to Comply with FTC Red Flags Rule
Created June 2009
Updated January 2011
Note that the guide provided here is informational only, has not been approved by the FTC and does not constitute legal advice. Each business, practice or clinic should consult with its own attorney where specific legal questions arise.
This guide provides a step-by-step plan to prepare and implement the requirements of the Red Flags Rule, issued by the Federal Trade Commission (FTC) on November 9, 2007. The Rule requires "creditors" and "financial institutions" to develop written plans to prevent and detect identity theft. The Rule is a section of the Fair and Accurate Credit Transaction Act ("FACT Act") of 2003, a federal law which requires the establishment of guidelines for financial institutions and creditors regarding identity theft. The Rule was developed in response to the growing problem of credit cards, social security numbers, driver's licenses and other personal identifying information used to cause serious financial and legal problems for victims.
The AVMA has been closely following the development of FTC's position on the Red Flags Rule as applicable to veterinarians. The FTC had ruled that, health care professionals, including veterinarians, fall into the category of "creditors" if they do not receive payment in full from their clients at the time of treatment. Following several enforcement delays by the FTC, and lobbying efforts by AVMA and other professional associations, President Obama signed into law S. 3987 on December 18, 2010. This legislation removes certain businesses including most veterinary practices and other health care practices from the FTC's "Red Flags Rule." The bill defines the term "creditor" more narrowly than the FTC had, with the intent of exempting small businesses and other service providers who do not receive payment in full from their clients at the time they provide their services.
Definition and Examples of "Red Flags"
A "red flag" is anything that indicates possible identity theft. In other words, it is something that makes you suspicious the person is not who they claim to be. It could be a single document, an event or suspicious action, suspicious information or a transaction that just seems "off."
There are 26 "red flags" identified by the FTC, but not all of them apply to a typical veterinary practice. The following are some of the "red flags" a veterinary practice might encounter:
- An individual falsely claiming to be someone else who is known to the office staff;
- A discrepancy between the address contained in the client's consumer credit report and the address provided by the patient;
- An individual who refuses to provide identification or contact information;
- A report by a client that he or she has been the victim of identity theft;
- A report of fraud, credit freeze, address discrepancy, or other activity inconsistent with the creditors' history is received from a consumer reporting agency or service provider;
- Documents provided for identification appear to have been altered or forged;
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or client presenting the identification;
- Information provided is inconsistent with the medical record and/or previously obtained information;
- A job or credit application appears to have been altered or forged, or appears to have been destroyed and reassembled;
- The address or telephone number provided is the same as or similar to the information provided by another client, but the clients are neither related nor do they know each other;
- The client refuses or fails to provide all personal identifying information after they have been informed the information is needed;
- Undeliverable mail or returned checks;
- Any known or suspected security breaches (office break-ins, computer theft, etc.).
Why Some Veterinary Practices May be Covered by the "Red Flags" Rule
A veterinary practice is covered by the Red Flags Rule if it is considered a "creditor" and it has at least one "covered account." S. 3987 defines a creditor a person or organization that regularly and in the ordinary course of business--
(i) obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction;
(ii) furnishes information to consumer reporting agencies, as described in section 623, in connection with a credit transaction; or
(iii) advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person;
The legislation exempts those who advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person, which cover the vast majority of veterinary practices.
What accounts in a veterinary practice are considered "covered accounts"?
Any account that contains information that could allow someone to steal a client's identity is a "covered account." In other words, any account that contains personal identifying information is a covered account. The medical records meet this definition because they include the owner's name and address and may contain payment information (such as credit card numbers, etc.). If the client pays by personal check and you have a copy of their driver's license in the file, it is a covered account. Even prescription information in a file can present a risk of identity theft because it contains the client's personal identifying information.
Complying with the Rules
To comply with the "Red Flags" Rules and protect the identities of your clients and employees, veterinary clinics must adopt a written policy and procedures that are designed to prevent, detect and mitigate identity theft.
The plan should identify the "red flags" relevant to the practice and include descriptions of the following:
- how the "red flags" will be detected by staff;
- the procedures that will be implemented to respond to "red flags";
- how the staff will be trained (and documentation that the staff has received the training);
- established review and evaluation intervals for the program to allow updates and revision.
Below are step-by-step procedures for developing an identity theft detection and response policy.
Step One: Identifying Red Flags
Review the list of the "red flags" issued by the FTC in Supplement A to the Rule, available at ftc.gov/redflagsrule, and identify those that are relevant to your practice. In addition, as you review your files, you may identify other "red flags" not on the list but still relevant to your practice.
Step Two: Detecting and Addressing Red Flags
Once you have identified and documented the "red flags" relevant to your practice, you need to develop and document the procedures you and your staff will take to address those "red flags" if they are encountered.
When responding to Red Flags keep in mind that other laws may impose legal obligations on the practice, such as the ADA's patient privacy protections, and professional ethics considerations. The practice should consult with its own attorney where specific legal questions arise.
These procedures may include actions such as
- contacting the client to verify or report the information;
- requesting additional identifying information;
- monitoring the account for suspicious activity;
- refusing to provide services to that client, or refusing to hire the applicant;
- notifying the appropriate authorities;
- concluding that no action is necessary at that time.
Some examples of "red flags" that may be encountered by veterinary clinics, and their possible responses, are listed below.
Red flag: A new client comes to the clinic with their pet. According to the address information they provided, they live three houses down from your receptionist's house. However, your receptionist reports to you that they know the owners of the house have not moved.
Response: Refuse services to the new client (if they have not already been provided), notify the person whose identity has been (or may have been) taken, and notify the authorities if necessary.
Red flag: A client comes into your clinic for medical treatment of their dog's injury. They present a Care Credit® application form that appears to have been taped back together.
Response: Refuse services (if they have not already been provided) until the person can adequately identify to confirm they are the same person as described on the application, ask them to complete a new application without access to the suspicious application (ie, so they can't just copy the information), notify the person whose identity has been (or may have been) taken, and notify the authorities if the person cannot provide confirmation of their identity.
Red flag: A new client comes into the practice and does not present adequate identification. When the receptionist asks them for proof of identification, the client tells her they are "going to their car" to get the identification but they do not return or they return and tell her they left their wallet at home.
Response: Refuse services (if they have not already been provided) until the person can adequately identify to confirm they are the same person as described on the application, notify the person whose identity has been (or may have been) taken, and notify the authorities if the person cannot provide confirmation of their identity.
Red flag: The client's bill is returned as undeliverable to the address provided.
Response: Make sure the bill was sent to the address on file and call the client to verify the address.
In addition to the "red flags" you identify, the FTC requires specific responses for two "red flags" that must be included in your written program:
1. Red flag: You obtain a consumer credit report for a client that contains a discrepancy between the address provided by the client and the address contained in the credit report.
Response: You must make a reasonable attempt to verify the correct address. If that address is different from the address in the credit report, you must report this to the credit agency.
2. Red flag: You receive notice of an actual identity theft relating to one of your client's accounts.
Response: You must immediately cease any collection efforts against the alleged victim of the theft.
Step Three: Formalizing and Administering the Red Flags Program
Responsibility for the plan
The practice owner is ultimately responsible for implementing and administering the identity theft prevention plan. A practice manager, office manager, associate or other staff member can be designated Program Administrator, but the practice owner retains oversight and approval of any revisions to the program.
Program Administrator duties
The Program Administrator should be notified immediately when any "red flags" are detected, and should oversee the response. The identification of and response to "red flags" must be documented in a log dedicated to that purpose.
Training the staff
All staff should be trained to recognize, report and respond (where appropriate) to "red flags" encountered by your practice. The training program should provide the following information:
- the purpose of the program;
- identification of "red flags" your practice may encounter;
- the proper procedures for reporting and responding to "red flags."
All staff should receive a copy of the actual written program, and should sign a form that acknowledges and documents that they have read the program and received the training. Copies of these signed forms should be kept in an administrative file.
Interacting with service providers
Don't overlook your agreements with veterinary consulting services, veterinary laboratories, drug and equipment suppliers, credit card companies and credit organizations, and any other service providers that may store the personal identifying information of the practice's staff or clients. Check your agreements with these providers to make sure they positively state that they protect against identity theft. If the agreement does not specifically state this, you should confirm their protections against identity theft. You may choose to ask for a new agreement including such a statement, or you may opt to decline further interactions with that provider.
Reviewing and evaluating the plan
Don't forget that periodic review and evaluation of your practice's written identity theft prevention plan is required by the Rule. The program should be reviewed and modified as needed annually at a minimum and more frequently if needed.