Red Flag Update
by Jeffrey L. Roth, JD
Covered businesses must have an Identity Theft Prevention Program (Program) in place in response to the requirements of Part 681 of Title 16 of the Code of Federal Regulations implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
These regulations require veterinary practices having "covered accounts" to establish a Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a "covered account" or with an existing "covered account," and to provide for continued administration of the Program in compliance with those requirements.
This "Red Flag Rule" became effective in November of last year, but enforcement was delayed until May 1, 2009, by the Federal Trade Commission (FTC), which again delayed enforcement until August 1, 2009.
Under the definition set forth in the applicable regulations, a "covered account" is one where a service provider extends credit to a client for personal, family, household, or business purposes, and the account is designed to permit multiple payments for transactions, or an ongoing relationship that has a foreseeable risk of identity theft that would affect either the client or the practice. The Federal Trade Commission has taken the position that veterinary practices are generally covered by the new rule.
The first step is for practices to identify major warning signs of identity theft, or red flags, that they come across in their line of work. Categories of warning signs include alerts from consumer reporting agencies; suspicious documents, personal information, or account activity; and notices from clients, victims of identity theft, law enforcement authorities, or other entities.
Each practice must write, implement, and administer an ongoing program to detect warning signs and respond appropriately to prevent or mitigate identity theft after finding a red flag. Responses to warning signs could include monitoring accounts or changing account numbers.
Finally, organizations should update their programs periodically to reflect changes in identity theft risks.
Additional information about how the rule applies to health care providers is available at www.ftc.gov/bcp/edu/pubs/articles/art11.shtm.
In addition, the FTC has published A Do-It-Yourself Prevention Program for Business at http://www.ftc.gov/bcp/edu/microsites/redflagsrule/RedFlags_forLowRiskBusinesses.pdf, which helps low-risk businesses, like most veterinary practices, develop the key attributes of a compliant written program.
A sample Program drafted by Fees & Burgess, P.C., suitable for use by veterinary offices, can be found free of charge to ALVMA members at the following link: (http://www.feesburgess.com/red-flag-program-outline/)
In addition to this program, each practice should also have the additional required programs or policies regarding the safeguarding of employee data, computer and data security, client account information, access to practice records, and other electronically stored data. These additional programs or policies will also help a practice minimize any potential liability relating to inadvertent or improper disclosure of personally identifiable information, as well as other data required to be protected.