
Trying to Comply With the Red Flags Rule?

Friday, October 23, 2009 9:33
Posted in category Fraud


When I was at my dentist's the other day for my scheduled appointment, the receptionist asked me for my driver's license and then made a copy of it. Curious about why they did that and concerned about protecting my personal information, I asked them why they needed a copy of my driver's license. The lady explained that they were getting copies of all patients' drivers' licenses to comply with the FTC (Federal Trade Commission) Red Flags rule. Now I knew something about the Red Flags rule, and it just did not seem necessary to make and store a copy of all your patients' drivers' licenses. I discussed this issue with the dentist, who is also the owner of the practice, during my appointment, and I found out they were just going by information they had received as a member of the ADA (American Dental Association). The dentist really did not know much about the Red Flags rule but was just following what he had received from the ADA because he was worried about getting in trouble with the FTC if it ever investigated his business.

Collecting Drivers’ License Information

There are a couple of problems with collecting drivers' license information. First, the dentist office is collecting personal identifying information that could itself be used to steal someone's identity, even though the purpose of the Red Flags rule is to identify possible fraud (identity theft) as it is occurring or before it occurs. Furthermore, it violates one of the basic principles of data security: collect and keep only the information you need for business purposes. In reality, collecting this information increases the liability risk of the dentist office, because once personal information is collected the business is responsible for protecting it.

The Red Flags rule does not require a business to check photo IDs or keep copies of them to verify the identity of the customer. The Red Flags Rule FAQ (Frequently Asked Questions) states that keeping copies of photo IDs can raise privacy and data security concerns. In my opinion, this should not have been done and is really not an effective method of addressing the issue of identity theft and fraud.

Complying with the Red Flags Rule

All creditors must comply with the Red Flags rule. My dentist only accepts four to five credit card payments a month, and under the Red Flags rule, accepting credit card payments by itself does not make a business a creditor. However, a creditor is a business, including a dentist office, that provides goods and services first and then allows the customer to pay later. There are cases where this dentist does allow patients to make payments over time for larger and more expensive services he provides. Because of that, this dentist appears to be a creditor under the Red Flags rule and would have to comply.

For costly procedures that the patient would have to pay over time or in installments, I would verify or authenticate these patients first (confirm they are who they say they are) by requiring some form of photo ID along with gathering some additional information (what type would depend on the case) from the patient before doing the procedure. I would also verify this additional information before ever scheduling the procedure to make sure that payment would follow once the procedure was completed. Depending on the specifics of the business, there may be other measures to take, but for now I would at least implement these measures. This dentist office is in a small town, and he knows most of his patients personally, so the requirements for this dentist may be different from those for one located where they know very few of their patients personally.

The Red Flags rule requires businesses that must comply with the rule to do four main things:

  1. Do an assessment and identify relevant red flags for their business.
  2. Detect red flags by setting up procedures that will detect the red flags in their business operation.
  3. Respond appropriately to any red flags that are detected to either prevent or mitigate identity theft.
  4. Periodically update the written program.

There are additional requirements in the rule, but these are the four main elements of the Red Flags rule requirements. Because it is a government regulation, it is easy to understand a business's confusion in implementing it. Also, determining whether you need to comply with the rule and whether you have what is called a covered account is somewhat of a challenge. These issues, a general overview of the rule, and some additional resources that will assist you in complying with the rule will be covered in my next post on the Red Flags Rule.
