Does your practice have a written identity theft program?

With small-animal practitioners deferring payments and large-animal veterinarians billing their clients, there is no doubt that the "Red Flags" provision of the Fair and Accurate Credit Transactions Act (FACTA), which became effective May 1, applies to the veterinary profession.

The Red Flags Rule requires veterinary practices and other entities that defer payments or extend credit to develop, implement and administer a written Identity Theft Prevention Program.

This program must include the following four basic elements, which together create a framework to address the threat of identity theft:

• FIRST, your program must include reasonable measures to identify the "red flags" of identity theft that you may run across in your day-to-day operations. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a client is paying for services with a check, you may ask for his or her driver's license in order to validate physical appearance, address and signature.

• SECOND, your program must be designed to detect the red flags you've identified. For example, if you've identified fake ID's as a red flag, you must have measures in place to detect possible fake, forged or altered identifications.

• THIRD, your program must spell out the actions you'll take when you detect red flags. For example, if a staff member discovers a client's check carelessly placed in the medical record, they must follow the red-flag directives to address the threat and safeguard the check. And they must report the violation to the senior staff member in charge of the program.

• FOURTH, because identity theft is an ever-changing threat, you must address how you will re-evaluate your program yearly to address new risks.

The Red Flags Rule is an extension of your data-security plan that protects clients' and staff members' personal data.

The rule contains guidelines for setting up a program, but does not tell you specifically what to include. However, it does require that you address five key categories of red flags or warning signs:

1. Alerts, notifications and warnings from a credit reporting bureau

2. Suspicious documents

3. Suspicious personnel identifying information

4. Suspicious account activity

5. Notices from clients, victims of identity theft or law-enforcement authorities about possible identity theft.

Which categories apply to veterinary practices? (Answer: 2, 3, and 5)

Now let's look at how the Red Flags Rule applies to the following experiences many of us may have encountered in our practices:

1. A client moving from New York to Florida asks you to fax their pet's medical record to a veterinary practice in Florida. Any ID theft red flags here?

• If there is any private personal information, such as driver's license number, checking information or credit/debit card information about the client within the pet's medical record, then you must first remove this information before faxing the record.

2. A client who can't pay a bill in full asks to make payments over time with multiple checks. What are the red flags?

• Because this is a form of deferred payment the rule covers, you must take steps to safeguard the checks during the "holding process."

3. A client's daughter brings in the family pet because of a urinary infection. Your diagnostic work-up and medical treatment exceed the amount of cash the client gave her daughter for the treatment. Your receptionist contacts the client, who gives her credit-card information over the phone. What are the red flags in this situation?

• Although accepting payment by credit card does not fall under the Red Flags Rule per se, there are potential identity-theft risks with this scenario.

For instance, how can your receptionist be certain that the credit-card information truly belongs to the client? When accepting such data over the phone, you cannot validate authenticity of the card holder by checking signatures or a photo.

Another potential risk involves the written credit-card information the receptionist collects. After the transaction was processed, did the receptionist destroy the written card data?

4. An equine veterinarian performs a lameness exam on a Standardbred racehorse on Monday, May 15, then mails a bill to the horse owner at month's end. Are there any new federal rules this veterinarian must follow? Yes.

As of May 1, 2009, he or she must have a written program to prevent, detect and mitigate identity theft, one that is applicable to the practice. It must be supervised, and the staff must be trained on the provisions.

The Red Flags Rule presents new challenges to veterinary practices.

The profession met similar challenges in the past, such as when it established programs and training under OSHA rules. Now there is a new call to embrace change.

Veterinarians must develop the new identity-theft prevention programs and train their staffs — not just to be compliant with the Red Flags Rule but to help reduce the number of Americans whot fall victim each year to identity theft.

James Iafe, VMD, CITRMS (Certified Identity Theft Risk Management Specialist) is a "red flags" expert and founding partner of PrivacyEdge LLC in Pittsburgh, which designs identity-theft prevention programs exclusively for veterinarians. Contact him at (724) 816-7630 or by e-mail at jiafe@docomply.com