Veterinarians must comply with Red Flags Rule by May 1

Most practice owners already meet requirements, AVMA official says

April 22, 2009 (published)
By Jennifer Fiala

It’s official. The Federal Trade Commission’s (FTC) mandate requiring businesses to take steps to protect customers from identity theft applies to veterinary practices, and owners have until May 1 to get up-to-speed on the requirements. 

The American Veterinary Medical Association (AVMA) tried to get the profession exempted from what’s been dubbed the “Red Flags Rule,” but to no avail. Now the nation’s largest trade organization for DVMs has created an online landing page full of information on how practitioners can comply with the new regulations. The organization also has linked with a law firm offering free webinars designed to break down the mandate’s requirements. 

The rules, first published in November 2007, is an FTC regulation linked to the Fair and Accurate Credit Transactions Act, or FACTA, which passed in 2003 to strengthen protection against identity theft. The policy identifies 26 indicators, or red flags, associated with identity theft, which fall into five categories: alerts, notifications or warnings from a consumer reporting agency; suspicious documents; suspicious personally identifying information, such as suspect address; suspicious activity related to a covered account; notices from customers, identify theft victims or law enforcement about possible identity theft in connection with covered accounts. 

So what does this mean for veterinarians? According to AVMA, a practice that receives payments after services are rendered falls under the definition of “creditor”. And creditors, according to the Red Flags mandate, are required to develop and implement a written identify theft prevention program, train staff members to implement the program and make sure vendors and service providers provide sufficient precautions to prevent, detect and mitigate identity theft. 

“It’s a very broad definition,” says Adrian Hochstadt, JD, assistant director of state legislative and regulatory affairs in the AVMA Communications Division. “But I don’t think the rules are that onerous. In fact, I think most veterinarians already comply with them. It’s just a good business practice to be sure private information of your employees and clients are protected.” 

For those who are unsure about where their practices stand, Hochstadt recommends that they get familiar with the problem of identity theft and some of the ways to guard against it, regardless of the technical application of the rule. 

“This appears to be a standard of care for all businesses,” he says. “Of course, we provide access to these webinars, but you can find a consultant, get an attorney or try to do it yourself,” he says. 

While the new federal rule includes civil monetary penalties, some states might have even more stringent privacy laws that carry harsher consequences, Hochstadt explains. For now, enforcement likely will occur on a complaint-driven basis, he says. 

“It’s not like FTC inspectors will walk into your practice on May 1, and put you in jail for not complying by the deadline,” Hochstadt says. “I think the real potential harm (of failing to comply) is the cost to your business in terms of reputation or a lawsuit. Because the federal government has laid down this rule, it moves the issue to the forefront.” 

VIN News Service commentaries are opinion pieces presenting insights, personal experiences and/or perspectives on topical issues by members of the veterinary community. To submit a commentary for consideration, email

Information and opinions expressed in letters to the editor are those of the author and are independent of the VIN News Service. Letters may be edited for style. We do not verify their content for accuracy.