Identity Theft: FTC's "Red Flags Rule" Summary


Get answers to frequently asked questions about the FTC "Red Flags" Rule, including:

Is there a step-by-step guide that can help my veterinary practice comply with the "Red Flags" Rule?

Why should I be worried about identity theft?

What is the "Red Flags" Rule?

How is my practice affected by the "Red Flags" Rule?

» See all FAQs

On December 18, 2010, President Obama signed into law S. 3987, a bill that removes certain businesses including veterinary practices and other health care practices from the FTC's "Red Flags Rule."

The bill defines the term "creditor" more narrowly than the FTC had, with the intent of exempting small businesses and other service providers who do not receive payment in full from their clients at the time they provide their services. The AVMA was part of a coalition of professional associations lobbying for this legislation, which will save veterinary practices compliance expense and time.

The FTC had delayed enforcement of the rule five times, most recently until December 31, 2010.

Background: Veterinarians and the "Red Flags Rule"

On November 9, 2007, the Federal Trade Commission (FTC) issued a rule that may affect your veterinary practice. The "Red Flags" Rule, 16 C.F.R. § 681.2, requires "creditors" and "financial institutions" to develop written plans to prevent and detect identity theft. The rule is a section of the Fair and Accurate Credit Transaction Act ("FACT Act") of 2003, a federal law which requires the establishment of guidelines for financial institutions and creditors regarding identity theft. Based on the FTC's interpretation of the Rule, health care professionals, including veterinarians, fell into the category of "creditors" because they do not always receive payment in full from their clients at the time of service, and were subject to comply with the provisions of the "Red Flags" Rule.

Full text of the "Red Flags" Rule

On January 30, 2009, the AVMA Governmental Relations Division (GRD) sent a letter to the FTC requesting that veterinarians be excluded from the Rule. On March 19, 2009, the FTC responded to the AVMA, stating that veterinarians and other health care providers will be subject to the "Red Flags" Rule. However, the FTC indicated a willingness to continue dialog to ensure that compliance with the Rule would not place undue burdens on the veterinary profession.

The FTC initially suspended enforcing the "Red Flags" Rule until May 1, 2009. The AVMA Government Relations Divisions held meetings on Capitol Hill to raise awareness about FTC's plans to apply the Rule to veterinarians. As a result of these meetings, Rep. Nadia M. Velazquez (D-NY-12), Chair of the House Small Business Committee, wrote a letter to the FTC expressing her concern about the impact of the "Red Flags" Rule on health professionals. She urged the FTC to, at the very least, delay implementation of the rule. Very importantly, she encouraged the FTC to issue a revised proposed rule and provide veterinarians as well as other health care providers an opportunity to formally comment on any economic burdens the rule would impose on their businesses.

Partly in response to Rep. Velazquez's entreaty, the FTC voted several times to delay enforcement to allow creditors additional time to develop and implement written identity theft prevention programs in compliance with the Rule. The fifth (and last) delay moved the enforcement deadline to December 31, 2010.

Read the FTC's statement, "The 'Red Flags' Rule: What Health Care Providers Need to Know About Complying with New Requirements for Fighting Identity Theft"

On May 12, 2009, Representative John Adler (D-NJ) introduced legislation to provide for an exclusion from the "Red Flags" Rule for small healthcare practices.

On October 20, 2009, the U.S. House of Representatives passed H.R. 3763, which exempted certain businesses (including veterinarians) with less than 20 employees from having to comply with the "Red Flags" Rule. This bill replaced H.R. 2345 and was passed to the U.S. Senate on October 21.Twenty-nine healthcare organizations, including the AVMA, signed a letter of support for the legislation.

On January 27, 2010, the AVMA joined the American Dental Association (ADA), American Medical Association (AMA) and American Osteopathic Association (AOA) in petitioning the FTC to exclude health professionals from its "Red Flags" Rule. The letter, addressed to FTC Chairman Jon Leibowitz, pointed out that the agency's interpretation of the regulation imposed an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft.

In the letter, the four organizations requested that the FTC exempt health professionals for many of the same reasons stated by the U.S. District Court for the District of Columbia in a December 2009 ruling that attorneys are excluded from the Rule's requirements.

On May 25, 2010, Sens. John Thune (R-South Dakota) and Mark Begich (D-Alaska) introduced S. 3416, which would exempt physicians, dentists and veterinarians from the FTC's "Red Flags" Rule. The bill was referred to the Senate Banking, Housing and Urban Affairs Committee, and did not advance any further.

On November 30, 2010, Sen. Thune introduced the Red Flag Program Clarification Act of 2010, S. 3987, which the Senate approved quickly by unanimous consent. On December 7, 2010, the U.S. House of Representatives approved the bill and sent it to the president, who signed the legislation into law on December 18, 2010, making the legislative effective immediately.

Although S. 3987 does not specifically mention veterinarians or any other professionals, it exempts from the definition of "creditor" those businesses that merely advance funds on behalf of a person for expenses incidental to a service provided. This definition is narrower than that originally adopted by the FTC, with the intent of exempting small businesses and other service providers who do not receive payment in full from their clients at the time they provide their services.

Enactment of this legislation is the culmination of a successful advocacy effort that will save veterinary practices compliance expense and time. The AVMA and 27 other organizations, including the U.S. Chamber of Commerce, American Medical Association, American Dental Association, Ambulatory Surgery Center Association, and American Academy of Family Physicians, lobbied Congress and the FTC to stop implementation of the "Red Flags" Rule for smaller health care professional practices.

Read the full text of S. 3987.

Identity Theft Training and Consultants

While the enactment of S. 3987 means that most veterinary practices will not be subject to the requirements of the "Red Flags" Rule, protecting your clients and employees from identity theft remains a sound business and risk management practice. Veterinarians are advised to review their practices' procedures and protocols to make sure that confidential and sensitive information such as credit card and social security numbers are protected, and employees are trained in this area.

Many privacy consultants have expressed willingness to provide identity theft training and assistance to veterinarians. Click here to view the list of consultants. The AVMA has not evaluated any of the firms or individuals on this list, nor endorses or guarantees the quality of the services they provide.

Additional resources for identity theft prevention


Frequently asked questions

FAQs about the FTC's "Red Flags" Rule and veterinary practices