Six steps to complying with the Red Flags Rule.
It's time to clear up the confusion about the Red Flags Rule.
Technically, the rule has been in effect since Jan. 1, 2008, but the Federal Trade Commission (FTC) issued a series of enforcement delays, the latest of which is scheduled for June 1, 2010. (See story, p. 26.)
Veterinarians are asking their associations whether they must comply, and associations are asking the FTC whether the rule applies to veterinary practices.
The FTC's short answer: Yes — if your practice behaves as a creditor.
Under the rule's broad definition, a creditor is any business that defers payment. A deferred payment is one that is received sometime beyond the day when products or services are provided.
Keep in mind that veterinary practices defer payment when they bill clients or when they accept installment payments (i.e., hold checks). Another form of deferred payment occurs when a practice hospitalizes a patient, performs tests and procedures each day but doesn't receive payment until after the patient is discharged. Because full payment wasn't received on the day of service, it's considered a deferred payment. The Red Flags Rule applies.
Veterinary practices also become creditors when they arrange credit for their clients. Simply accepting Care Credit as a form of payment does not make you a creditor, but when you process an application for Care Credit on behalf of a client you are considered a creditor.
Now that we have established that most veterinary practices must comply with the Red Flags Rule, what steps must they take to do so? The rule demands that practices meet the following six requirements:
1. Develop a written identity-theft-prevention program.
2. Obtain program approval by the practice owner, board of directors or a senior-level staff member.
3. Appoint an administrator who is responsible for overseeing the implementation of the plan.
4. Train all staff members to follow the program.
5. Create a service-provider agreement, which must be signed by every organization with which you share clients' personal information.
6. Update your program annually.
The success of an ID theft-prevention program depends on its contents and how well you train your staff.
The written program is your procedures manual. It should be well-organized, easily understood and easy to use.
It should provide the right information to make decisions quickly about handling private personal data to prevent or reduce the likelihood of identity theft.
Your written program must show how you will spot an identity thief who is using someone else's information to steal your practice's products and services. In that respect it is similar to your Material Safety Data Sheets (MSDS). If a chemical spill occurs, you would refer to the appropriate MSDS for the correct steps to clean up the spill and protect your staff and clients.
How would your written ID theft-prevention program instruct your staff to handle the following situation?
A client's 20-year-old son, Tom, enters your practice to pick up the family pet and pay the bill for services rendered that morning. Tom hands the receptionist his mother's credit card for payment. Under the Red Flags Rule, there are issues to consider before processing this payment. For example:
A. If your staff knows Tom and his mother by name and physical appearance, you may process the transaction because you have verified Tom's authenticity by facial recognition, eliminating the threat of identity theft.
B. If your staff doesn't know Tom personally, a verification effort is needed. For example, the receptionist could call Tom's mother to verify that she sent him with her credit card. Then you could process the transaction.
C. If your staff doesn't recognize Tom, the receptionist can explain to him that a new federal law prevents the practice from accepting his mother's credit card and ask Tom to use his own card or pay in cash.
It is noteworthy that, in this scenario, the Payment Card Industry Data Security Standard (PCI DSS) does not allow anyone to use someone else's credit card. We recommend that you examine your merchant card agreement to learn more about your contractual requirements.
Your written ID-theft program must include guidance for staff members to manage situations like the one discussed.
Training is the trigger that launches your program into action. Without proper training, the program is nothing more than words on paper.
A successful training program changes staff members' thinking, actions and habits, giving them the skills to safeguard private personal data and to recognize the illegal use of personal information. Don't focus merely on the letter of the law, but on the intent of the law, which is to develop workable, effective programs and training that protect your clients from becoming victims of identity theft.
Dr. Iafe is a Certified Identity Theft Risk Management Specialist (CITRMS), a Red Flags expert and founding partner of PrivacyEdge LLC in Pittsburgh, which offers a complete identity-theft prevention program designed for veterinarians. Contact him at (724) 473-1176 or e-mail jiafe@ThePrivacyEdge.com