With small-animal practitioners deferring payments and large-animal veterinarians billing their clients, there is no doubt that the "Red Flags" provision of the Fair and Accurate Credit Transactions Act (FACTA), which became effective May 1, applies to the veterinary profession.
The Red Flags Rule requires veterinary practices and other entities that defer payments or extend credit to develop, implement and administer a written Identity Theft Prevention Program.
This program must include the following four basic elements, which together create a framework to address the threat of identity theft:
The Red Flags Rule is an extension of your data-security plan that protects clients' and staff members' personal data.
The rule contains guidelines for setting up a program, but does not tell you specifically what to include. However, it does require that you address five key categories of red flags or warning signs:
1. Alerts, notifications and warnings from a credit reporting bureau
2. Suspicious documents
3. Suspicious personal identifying information
4. Suspicious account activity
5. Notices from clients, victims of identity theft or law-enforcement authorities about possible identity theft.
Which categories apply to veterinary practices? (Answer: 2, 3, and 5)
Now let's look at how the Red Flags Rule applies to the following experiences many of us may have encountered in our practices:
1. A client moving from New York to Florida asks you to fax their pet's medical record to a veterinary practice in Florida. Any ID theft red flags here?
2. A client who can't pay a bill in full asks to make payments over time with multiple checks. What are the red flags?
3. A client's daughter brings in the family pet because of a urinary infection. Your diagnostic work-up and medical treatment exceed the amount of cash the client gave her daughter for the treatment. Your receptionist contacts the client, who gives her credit-card information over the phone. What are the red flags in this situation?
For instance, how can your receptionist be certain that the credit-card information truly belongs to the client? When accepting such data over the phone, you cannot validate the authenticity of the cardholder by checking signatures or a photo.
Another potential risk involves the written credit-card information the receptionist collects. After the transaction was processed, did the receptionist destroy the written card data?
4. An equine veterinarian performs a lameness exam on a Standardbred racehorse on Monday, May 15, then mails a bill to the horse owner at month's end. Are there any new federal rules this veterinarian must follow? Yes.
As of May 1, 2009, he or she must have a written program to prevent, detect and mitigate identity theft, one that is applicable to the practice. It must be supervised, and the staff must be trained on the provisions.
The Red Flags Rule presents new challenges to veterinary practices.
The profession met similar challenges in the past, such as when it established programs and training under OSHA rules. Now there is a new call to embrace change.
Veterinarians must develop the new identity-theft prevention programs and train their staffs — not just to be compliant with the Red Flags Rule but to help reduce the number of Americans who fall victim each year to identity theft.
James Iafe, VMD, CITRMS (Certified Identity Theft Risk Management Specialist) is a "red flags" expert and founding partner of PrivacyEdge LLC in Pittsburgh, which designs identity-theft prevention programs exclusively for veterinarians. Contact him at (724) 816-7630 or by e-mail at