Frequently Asked Questions about the FTC's "Red Flags" Rule and Veterinary Practices

Frequently asked questions about the FTC's "Red Flags" Rule and veterinary practices
Updated August 13, 2009

On July 29, the FTC announced it will delay enforcement of the "Red Flags" Rule until November 1, 2009. The Rule is still in effect, but the FTC is allowing additional time for creditors to develop and implement written identity theft prevention programs before the Rule is enforced. We will update these pages as additional information becomes available.

A:We should ALL be worried about identity theft. It's growing, and it's a very lucrative crime. Unlike stolen cash, stereos or drugs, identities can be sold over and over again. People whose identities are stolen spend countless hours and dollars trying to fix their credit rating and reestablishing their reputations. Often, irreparable damage is done to the victim's identity. Many people believe identity theft is only financial in nature, but this is not true. It actually can include any aspect of your identity, including your medical, driver's license, Social Security, professional, criminal and financial identities.

As a respected member of the veterinary profession and a business owner, you have ethical and legal responsibilities to protect your clients' and employees' personal information as much as possible. You don't want it to happen to you, and you certainly don't want to be blamed for the theft of a client's identity.

A:The "Red Flags" Rule is basically a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft.

A:Simply put, the "Red Flags" Rule requires you to develop and implement a written identity theft prevention program which is updated as needed; train all employees to implement the program; and oversee your vendors and service providers to ensure they also provide sufficient precautions to prevent, detect and mitigate identity theft.

The rule also identifies 26 "Red Flags" that are indicators of the risk of identity theft. Not all of the red flags will apply to your practice, and you may identify additional red flags as you evaluate your practice.

A:Any veterinary practice that receives payment after services are provided, even if it's collected in full after the animal is discharged from the hospital, is considered a "creditor" under the law. On the other hand, requiring payment before or at the time of service, or simply accepting credit cards as a form of payment at the time of service, do not make you a creditor under the rule. The "Red Flags" Rule establishes new protocols for creditors to take additional steps to prevent, detect and mitigate identity theft.

A:Providing CareCredit® application brochures and accepting CareCredit® as payment for services does not make you a creditor. According to the FTC site, if practitioners simply make brochures available to patients that the Red Flags would not be triggered; however if practitioners actively arrange the credit for the patient that it would. The site states, "You�re not a creditor if you merely provide advertising brochures for third-party financing or tell your customers about third-party financing without referring them to lenders."

A:Not likely. Odds are you're already taking many of the recommended measures, so the training and documentation will be the main things you'll need to do.

A:The FTC had planned to enforce the rule on May 1, 2009, but has announced a delay in enforcement until November 1, 2009.

A:Compliance with the Rule means developing a written document that thoroughly details the measures your practice will take to protect the personal identifying information of its employees and clients. As always, a written plan is worthless unless all of the staff understand and implement the plan; therefore, all staff must be trained and sign documents that confirm they have been trained. Last, but not least, all vendors and service providers who have physical or electronic access to sensitive information (e.g., insurance agents, accountants, copier companies, cleaning services, etc.) should be contacted and notified that you also expect them to comply with the Rule and take all reasonable measures to protect the practice's information as well as those of the clients. Documentation in writing of your program is critical; not just the policy and its updates, but also the training and notifications.

A:You have several options for training to help you comply with the Rule. One, you can sign up for the online training sessions. These sessions are provided by a certified, independent consultant, and offered at a discount to veterinarians as part of an agreement with the AVMA. You can view more information at http://www.avma.org/issues/FTC_red_flags_rule.asp. Several Webinars were offered in advance of May 1 to provide you with an introduction to the issue and an overview of what to expect from the online training sessions. Additional webinars will be scheduled and announced on that Web page. A primary advantage of the online training and the accompanying written documents is that they are tailored to veterinarians.

Two, you can consult your own attorney or hire a consultant knowledgeable about risk management, identity theft and the "Red Flags" Rule to help you develop your compliance plan. The AVMA has provided a list of consultants who have expressed willingness to help veterinarians comply with the Rule.

Or three, you can try it on your own. The third option comes with a fair amount of risk and a potentially significant investment of your time. However, the AVMA and the FTC have provided step-by-step guidance to help you develop your practice's plan.

A:There isn't really a "one size fits all" template that is applicable to all veterinary practices, because the red flags may vary from practice to practice, depending on the business practices used.

A:No, the FTC's not going to come knocking on your door on November 2 to take you to jail or impose fines. In fact, very little is likely to happen...unless an identity theft incident occurs that may involve your practice. As the FTC investigates the incident, they will evaluate your practice for compliance with the Rule. If you are not in compliance, it is too late to develop and implement a program, and you will likely open up your liability to law suits in addition to government sanctions.

A: If an incident occurs and the FTC's investigation reveals your practice did not act reasonably to prevent the identity theft, you will be in violation of federal law. You may be subject to civil liability, business-to-business liability, government civil liability, and state and federal criminal liability suits. Fines and jail time may be involved.

In addition, don't overlook the potential damage to your business and your reputation. Some of this damage may be irreparable.

A:The AVMA first became aware of the "Red Flags" Rule's possible impact on veterinary medicine in 2008, and established contact with the FTC. On March 19, 2009, the FTC confirmed veterinarians are subject to the "Red Flags" Rule. Since that time, the AVMA has remained in contact with the FTC and has been developing resources for veterinarians to assist with compliance.

A:The AVMA's approach to the "Red Flags" Rule has involved several different actions. First of all, the AVMA has been in communication with the FTC regarding clarification of the Rules and how they affect the veterinary profession. The AVMA requested veterinarians be exempt from the Rule, but this request was denied by the FTC. AVMA joined the American Medical Association and the American Dental Association to successfully advocate for a delay in enforcement of the Red Flags Rule to August 1, 2009. Continued communication with the FTC has resulted in a postponement until November 1, 2009.

Second, the AVMA has contracted with an independent consultant to develop a training program tailored to veterinarians. Although the program is not being administered or maintained by the AVMA, and the AVMA is not financially profiting from the program, AVMA staff members provided input to structure the content of the program and the program is being offered at a discount to veterinarians as a professional courtesy. A number of free Webinars have been offered and will be scheduled in the future to provide basic information on the Rule and the online training program.

Third, the AVMA has distributed information to the profession about the Rule and how it will affect veterinary practices. The AVMA's home page has featured the "Red Flags" Rule resources, and all of the state veterinary medical associations and allied veterinary organizations were notified of the available resources.

As more resources are developed, or if changes occur that affect veterinary practices' compliance with the "Red Flags" Rule, the AVMA's Web site will be updated.