Red Flags Rule
By now, most of you have probably heard there is a new "Red Flags Rule" that the Federal Trade Commission has decided you must comply with in order to protect your clients from identity theft. However, like so many governmental laws, regulations and rules you may be confused or even fearful as to what you need to do in order to be in compliance with the law.
Recently, my office has been besieged by doctors having questions regarding the so-called "Red Flags Rule". Therefore, it seemed prudent to devote an article in my newsletter to cover some of the more frequently asked questions.
Simply stated, veterinarians are not exempt from the "Red Flags Rule" and you must formulate a reasonable written policy and update that policy in order to be in compliance with the law. Your written policy must identify certain "Red Flags" of identity theft that your practice may run into on a daily basis.
"Red Flags" are suspicious patterns or behaviors that should send a signal to you and your staff that identity theft may be taking place. Typical "Red Flags" that you could encounter in your practice are credit cards being used by an individual that is not the same as the person whose name appears on the card. A "Red Flag" could be a signature on a credit card slip that does not resemble the name on the back of a credit card. Many of the "Red Flags" are common sense issues that your practice may already be watching for, but have not actually formulated a written plan for.
If your practice is operating as a corporation your "Red Flags Rule" program must be adopted by your board of directors. For many solo professional corporations the board of directors will consist of just one doctor, but nonetheless you will need to formally adopt the program. If you are practicing as a Limited Liability Company then your program will need to be adopted by the management of the Limited Liability Company. Finally for those practices operating as a sole proprietorship, some person in senior management will need to adopt the program.
Your written policy must tell your employees specifically what steps they need to take when they see "Red Flags". And further, because identity theft is constantly evolving, your program must be periodically re-evaluated for its effectiveness. Unfortunately, the law does not define what periodically is, but if the management were to review the policy once a quarter and sooner if a new "Red Flag" is detected that must certainly meet the requirement that your plan is "reasonable".
What will happen if your practice does not comply with the "Red Flags Rule"? While it is doubtful the Federal Trade Commission has the resources or a plan to audit your practice's compliance you will no doubt be found out if one of your clients is the victim of identity theft and that said theft originated in your practice. In addition to being technically in compliance with this new law you owe it to your clients to protect them from identity theft.
Because so many businesses have been caught off guard with the "Red Flags Rule" the compliance date for this new law has been extended to August 1, 2009. And because so many of you have been calling my office for recommendations on how to comply with the "Red Flags Rule" I have written a compliance manual that can be edited to suit your personal needs. Copies of the compliance manual can be purchased directly from Nate Lynch & Associates LLC for the nominal price of $49.95 by written request (download the order form here), or by phoning 800-567-1264.