More than the Red Flags Rule
Secure your clients' and team members' private information against identity theft and mitigate your own risk of future fines
Over the past year DVM Newsmagazine has done a great job raising awareness about the Red Flags Rule, a set of new guidelines to prevent consumer identity theft. After numerous delays, the Red Flags Rule takes effect in June.
Now it's time to step back and take a look at all the requirements and laws for information privacy being enforced at the federal, state and sometimes state-board levels. Veterinary practices have put some of the pieces of the compliance puzzle in place, but they still don't have a clear picture of what the finished puzzle should look like.
The purpose of these consumer protection laws is to reduce the risk of identity theft to your clients and staff members. Identity theft is a serious crime and has been steadily increasing each year. One study estimates that last year 11 million Americans were victims of identity theft. Could your hospital be contributing to the problem?
If you aren't in full compliance and a client or staff member becomes a victim of identity theft, your practice can face fines of up to $10,000 per incident. Financial punishment like that should be enough to motivate practice owners, but most still aren't fully complying. If this is you, it's time to take action and change the way you manage and process private personal information in your practice.
How do you implement requirements in your practice? What specifically do you need to do? Read on.
Instead of focusing on compliance, concentrate on risk mitigation. Let's start by digesting the sometimes-vague requirements of the consumer protection laws. Essentially, these laws require you to keep private personal information from falling into the wrong hands, making it harder for identity thieves to misuse that information in your practice.
You can start by taking an inventory of the private personal information you collect and keep about your clients and staff members. When you finish, you'll know what you have, whose it is and where it's located.
Next, conduct a risk assessment, and ask yourself:
- Does my practice need this information for day-to-day operations?
- Is this information at risk of getting into the wrong hands?
- Can someone use this information illegally at my practice?
- Do my staff members know how to safeguard private personal information?
Your risk assessment will help you see vulnerabilities in your current information management practices and then develop ways to mitigate risks. For example, let's say you find that clients' driver's license identification numbers are kept in pets' medical records rather than in a secured, locked filing cabinet. You've determined that the driver's license numbers are at risk.
A possible corrective action plan could require you to:
- Remove driver's license numbers and Social Security numbers from papers kept in pets' medical records
- Develop a new filing system for clients' private personal information
- Store the information in a locked filing cabinet or a safe
- Limit team members' access to the contents of the locked cabinet
After you've put your plan into action, you'll be prepared to develop written identity theft risk mitigation procedures. These are dos and don'ts for managing, safeguarding and securing private personal information. They should also make it harder for identity thieves to misuse consumers' information in your practice. These new procedures should be incorporated into your day-to-day work.
Below are some example dos and don'ts to follow when accepting payment by personal check:
Do:
- Verify the client's identity by looking at the driver's license or other picture ID.
- Verify the client's identity by comparing the signature on the driver's license with the signature on the check.
- Secure all checks that you collect for payment. If you receive checks in installments as a form of deferred payment, you must secure them in a locked drawer or safe.
Don't:
- Write additional private personal information on the client's check.
- Leave checks in medical records or in places where others have easy access to them.
Further, make sure all your staff members are trained in identifying private personal information, following your risk-mitigation procedures and spotting and reporting instances when information is at risk. Local and state veterinary medical associations and privacy consultants can help.
Once you've put training in place, you'll want to reinforce your private personal information policies the same way you reinforce medical and client-communication procedures: regular reminders to staff, lunch-and-learns and more.
Your identity-theft–risk-mitigation program isn't a one-and-done process that collects dust on the shelf. Laws are always changing. Years ago, identity theft wasn't an issue — now it is. It's crucial that you assess your program and make changes in your procedures over time. Local and state veterinary medical associations are gearing up to keep track of the Red Flags Rule and its effects on their constituents.
The path to information privacy, security compliance and staying on the right side of the law is risk mitigation. You need step-by-step processes in your daily practice management procedures. Make it a priority, and never worry about running afoul of the identity-theft police again.
James Iafe, VMD, is a certified identity-theft risk-management specialist (CITRMS) and founding partner of PrivacyEdge LLC. He can be reached by phone at (724) 473-1176 and by e-mail at PEWebinars@ThePrivacyEdge.com.