Use this guide to protect your clients, and stay in the clear with the FTC after Nov. 1, 2009.
A client enters your clinic, frantic. She thinks her identity was stolen from your practice when she provided sensitive information on a credit application. Now she's out thousands of dollars. You're more than willing to help her fix the problem, but how did it happen in the first place? And what do you do now?
You'll need to find answers to these questions by Aug. 1. That's when the Federal Trade Commission begins enforcing its "Red Flags Rule," a series of regulations designed to help small businesses detect the warning signs, or "red flags," of identity theft. The hope is that by identifying red flags in advance, businesses will be better equipped to spot suspicious patterns and take steps to prevent costly episodes of identity theft.
The Red Flags Rule applies to financial institutions and creditors, but the FTC defines "creditors" as "businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later." Most likely, your veterinary hospital must comply.
So what does all this mean to you? In order to comply with the law you must do four things:
1. Know the red flags. Determine the identity theft warning signs you're likely to come across in your veterinary practice—suspicious patterns, practices, or activities that indicate someone may have stolen an identity. For example, a client may present a credit card you suspect is stolen or provide an address on a credit application you're pretty sure doesn't exist. Or maybe you've received an alert about a client from a consumer reporting agency. You must make a comprehensive list of potential red flags to make detection and prevention easier.
2. Be ready to detect red flags. Establish procedures to detect real-life red flags in your day-to-day operations. For example, you'll want to verify the identity of anyone who pays with a check or applies for credit (be sure to use several sources). And you'll need to create a process that helps you spot fake, forged, or altered information.
3. Prevent and mitigate identity theft. If you spot the red flags you've identified, respond appropriately to avert or minimize the damage. Your program must spell out the steps you'll take in these situations.
4. Keep your program current. The risks of identity theft can change rapidly, so it's important to keep up with trends, update your program regularly, and educate your team.
But simply putting a program on paper won't reduce the risk of identity theft. The Red Flags Rule also outlines requirements for incorporating your program into your daily operations. Your board of directors (or a committee of the board) has to approve your first written program. If you don't have a board, approval is up to a committee, the practice owner, or a senior-level employee. Your program must state who's responsible for implementing and administering the program. Because your employees play an important role in preventing and detecting identity theft, your program also must include appropriate team training. If you outsource parts of your practice operations that would be covered by the rules, your program also must address how you'll monitor your contractors' compliance.
In addition to creditors, the Red Flags Rule applies to businesses that offer two types of "covered accounts." The first is a consumer account offered to clients for personal, family, or household purposes that permits multiple payments or transactions. The second is "any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to the customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks." How's that for a broad definition? Most veterinary hospitals will offer one type of covered account to clients.
So how will your practice comply with the Red Flags Rule? You have two choices: Develop the program in-house or outsource it. For example, I know of a company that charges $150 to provide you with:
The training doesn't have to be completed all at once, so a practice owner could sign in for a half-hour at a time to complete the training as he or she has time during the first 45 days after buying the program. Employees you hire after the initial training period will cost an additional $15 to train. This particular program is designed for smaller practices of around 15 employees and may cost more for larger practices. Because there's a lot at stake with this law (you could be fined if you're not in compliance by the enforcement deadline), I suggest that you hire an outside source to help you set up and implement your program.
The Red Flags Rule may be a burden for your veterinary practice, but it's a well-intentioned law that could save your clients from the heartache and hassle of identity theft. The sooner you begin planning, the more prepared you'll be Nov. 1 when the FTC begins enforcing the law. Develop a program for complying with the Red Flags Rule and you'll do more than just abide by the laws—you'll show clients you care about their finances and well-being.
Veterinary Economics Editorial Advisory Board member Mark Opperman owns VMC Inc. in Evergreen, Colo. Opperman will speak on a host of topics ranging from inventory control to financial management at CVC Kansas City Aug. 29 to Sept. 1. For more information, visit TheCVC.com.