© 2023 MJH Life Sciences™ and dvm360 | Veterinary News, Veterinarian Insights, Medicine, Pet Care. All rights reserved.
On guard: Threats to personal, business and client privacy can come from all directions
Threats to personal, business and client privacy can come from all directions.
NATIONAL REPORT — The Internet has opened up a vast array of new tools to conduct business and just as many concerns as it relates to data privacy and client confidentiality.
As veterinary practice vendors and software programs in accounting and billing look to create a better user experience through Internet-based tools, it creates new vulnerabilities to practice data—whether it's hacked or shared with other third parties unbeknownst to veterinarians. In some cases, the result can put the veterinary practitioner at risk of violating client-confidentiality agreements.
"When you post information on the Internet, it's basically like writing it on the back of a postcard. You have to assume that way," says Greg Dennis, a Kansas-based attorney specializing in veterinary law.
When asked if there are safeguards veterinarians can put in place to keep Internet-based information private, Dennis was doubtful.
"Other than using the old method of pen and paper? Nope," he says. "Once there's a stream flowing, you don't know where it might be ending."
Dennis remembers comparable problems in the 1980s and 1990s when veterinarians first were required to provide local governments with verifications of rabies vaccinations. Marketing companies and vendors would simply file a public records request with authorities and use the data to see when a patient was due for its next vaccine. They would then take the data and send targeted marketing to the client.
"How secure is this stuff? And are the statements being made that the information would not be available to anyone else be something veterinarians can rely on?" asks Dennis. "It does put a question in your mind."
Dennis recalls a case years ago, during a settlement with an insurance agency, where records about a practice were released only to show up eight years later somewhere else. The confidential information was released to a single source, but somehow got out, possibly through a hacked database.
"Once it's out the door, you can't control it," he says. "Even if you can get to a court and get it ordered back, with the Internet, you can't ever completely purge it."
Third-party access to information about clients, as well as patient medical histories, employee records or a practice's financial records is a valid concern, agrees Charlotte Lacroix, DVM, JD, owner of the legal and business consulting firm Veterinary Business Advisors in New Jersey. Usually, web-based programs, or disc-based programs dialed into the web give access to some type of vendor, she says.
In fact, questions emerged about this issue following VCA's $150 million acquisition this summer of MediMedia's VetStreet, which offers home delivery of medications. Data security as it relates to competitive practice information was being actively discussed. VCA asserts its contracts with its customers prohibit VCA from inspecting individual practice data. Vetstreet customer contracts also mandate that the company strip all information about clients, patients and veterinary practices before selling any data.
According to Lacroix, "It becomes important for veterinary practitioners to be sensitive to their agreement with vendors." Practice owners need to be aware what information a program vendor has access to, and how they might use it.
Neither Dennis nor Lacroix have had clients report major privacy breaches, but they say there is always the possibility information will go where it wasn't meant to. If you need an example, just look at the banking industry. And once a channel is open, the risk of computer hacking increases too.
"Have (the vendor) sign a confidentiality agreement, and then if the information gets divulged on their end, and you're the one that gets sued, they pay for your damages," Lacroix recommends.
But finding out what kind of information is being opened up to a vendor isn't the only privacy concern practice owners should be aware of, Lacroix says.
"If they do intend on using it, and you are open to it, do you need to get the client's consent in order for them to use it?" she asks.
Client consent is a key protection, she adds. "Vendors most often will use client information to obtain product usage information so they can find out how pet owners are using a certain product, or they might want to obtain information to solicit those clients for marketing purposes," she says. "Client lists are worth a lot of money and (in these cases) veterinarians are the conduit, and it's pretty much unbeknownst to them."
If information is being released, practice owners should take great care to be sure only the permitted data is accessed, not things like client Social Security numbers or other financial information.
Veterinary practices should keep all computerized records password-protected and backed up on a remote, secure server, Lacroix says.
"These are basic security issues that should be in place," she says, explaining that even if a state's veterinary practice act doesn't outline a veterinarian's confidentiality responsibilities, that doesn't mean there is a free-for-all on client/patient data.
The most typical confidentiality problem that Lacroix says she has seen in veterinary practices revolves around the transfer of medical records.
"Do the medical records follow the patients, or do the medical records stay with the client who paid for the care?" she asks.
An owner who has acquired an animal from someone else may believe they have a right to that animal's medical records and request them from the veterinarian. But because animals are property, Lacroix says the records generally remain the property of the person who paid for the animal's veterinary care. A veterinarian who hands medical records over to a new owner without permission from their client may find themselves in a difficult situation—especially in cases where animals were sold for large sums of money like horses or livestock.
A good rule of thumb is to secure permission from the client in writing before releasing any medical records, Lacroix says. "If it's not in writing, it didn't happen."
But computerized records aren't the only threat, Dennis cautions. Educating staff is critical to keeping privacy in check.
Dennis remembers a case where a client gave consent to send her pet's medical records to another veterinarian for a consultation. A consent form was signed and instructions were given to someone on the veterinarian's staff to copy the file and send it along. But the employee copied everything on the file, including the client's confidential information.
"On the right side of the file were the veterinary records. On the left side was client information, including addresses, credit history, date of birth, etc.," Dennis says. The client later filed a complaint with the veterinarian's state board saying she never gave permission to have that information released to the other veterinarian.
In another case, a veterinarian got dragged into a divorce where one spouse ran off with the dog after the court awarded the animal to the other spouse. While heading across the country, the spouse who had taken the dog stopped at a veterinary office, paid for the service and left without a forwarding address. Through tracked credit-card records, the attorneys for the jilted spouse called the veterinarian asking to go through the practice's veterinary records to track the animal down.
"We got them to back off and explain that the person came in, service was provided and then left," he says.
Personal or practice identity theft is another risk to watch, says Dennis, who has been a victim of identity theft himself.
After making a purchase, he was alerted the next day about a mysterious transaction on the credit card he had used to pay his vendor.
"It turned out that the day after the transaction, I had dinner in Tokyo. I have never been to Japan. And what I'm really mad about it is they didn't even invite me to dinner!" Dennis says. "This was a transaction that happened in the United States, and within 24 hours that number's being used in a restaurant in Tokyo."
Veterinarians who find themselves—or their practices—victims of identity theft should immediately call the police and their bank to file reports, he says.