How to develop and maintain an effective privacy-protection plan


The first article in this series discussed reasons veterinarians should keep their private practice private (May, 2007). Last month, the topic was why privacy makes good business sense. This final article outlines a program on making sure sensitive data about employees and customers is protected.


The first article in this series discussed reasons veterinarians should keep their private practice private (May, 2007). Last month, the topic was why privacy makes good business sense. This final article outlines a program on making sure sensitive data about employees and customers is protected. To access previous articles, go to

You can determine the best ways to secure sensitive data only after you've traced how it flows through your veterinary practice. Start by creating an Information Privacy Map (IPM) that shows how you receive personal information, where it goes and who has or could have access to it.

Here are some details to consider:

What types of personal data do you collect from staff and clients?

  • Credit/debit card account numbers

  • Bank-account information

  • Staff members' Social Security numbers

  • Staff members' driver's license numbers

Where do you keep the information you collect?

  • Computer database

  • File cabinets

  • Employer's home

Who has or could have access to this information?

  • Staff members

  • Contractors working in your practice

  • Third-party sharing – payroll services, radiation-detection services

How does your business receive personal information?

  • Mail

  • Fax

  • E-mail

  • Telephone

The Federal Trade Commission (FTC) requires an effective security program for any company that holds private information. To the FTC, failure to develop and implement such a program constitutes an unfair trade practice. To meet this requirement, your security program must include these six steps:

Step 1: Name a security administrator

Designate a senior member of your staff to coordinate and implement the security program. His or her job will be to construct a privacy policy that is clear and enforceable. Mandatory staff-training meetings should cover the policy, and the risks and liabilities for noncompliance.

Step 2: Create a written policy

At its core, your privacy policy will be a simple statement of how you will handle, use and store employee/client information. Your policy should address basic questions that only you and your staff can answer:

  • What federal and state laws regulate handling of private information?

  • What private information is used in your practice?

  • How do you secure private data?

  • Where do you lock down (locking file cabinets or perhaps a safe) paper information?

  • How do you encrypt and password-protect digital information?

  • With whom do you discuss private information?

  • How do you dispose of sensitive documents? Do you shred paper and physically destroy all information on digital storage devices when they are taken out of service (e.g., computers, faxes and copiers)?

Step 3: Train employees

Your information-privacy plan may look great on paper, but it's only as strong as the staff members who implement it.

It is your responsibility to see that all of your staff understands how private information is collected, stored and protected. Take time to explain that to your staff, and train them to spot security weaknesses.

Periodic training emphasizes the importance you place on meaningful information-security practices.

Update staff members as you find out about new risks and vulnerabilities.

Train staff to recognize and report suspicious activity and publicly reward those who alert you to vulnerabilities.

A well-trained workforce is the best defense against identity theft and data breaches. Create a "culture of security" with regular staff training.

Step 4: Enforcement

It's not that you don't trust your staff, but obviously the more people with access to customer information, the greater chance there is that someone will slip up. No one can eliminate mistakes completely, but you can minimize them.

  • Check references or do background checks before hiring employees who will have access to sensitive data.

  • Ask every staff member to sign an agreement to follow your company's confidentiality and security standards.

  • Be certain your staff understands that abiding by your security plan is an essential part of their duties.

  • Regularly remind staff of the privacy policy and any legal requirements to keep client and employee information confidential.

  • Know which staff members have access to clients' sensitive information.

  • Be sure anyone leaving the practice doesn't have access to sensitive data. Collect their keys and change their passwords.

  • Make sure training includes everyone, even seasonal and temporary help and those at satellite locations.

  • If staff members don't attend training, consider blocking their access to private information.

  • Require staff members to notify you immediately if there is a potential security breach, such as a lost or stolen check.

  • Display your written policy in your reception area and on your Web site.

Step 5: Find and correct weak spots

  • Where is the database? Is it in a locked room with restricted access controls?

  • Could an intruder gain access to the data?

  • Do you allow access to consumer information by some who have no real need for it? Do you have limits on access?

  • Is your database protected by a firewall and other state-of-the-art security hardware and software?

  • Where are backup copies of your database? Are they erased when they are no longer useful?

  • Do you have deadbolt locks on your doors, locks on all of your windows and locking file cabinets?

Step 6: Handling security breaches

Here's how to reduce the impact on your business, your employees and your customers should a security breach occur despite your best efforts:

  • Have a plan in place to respond to security incidents.

  • If a computer is compromised, disconnect it immediately from the Internet.

  • Investigate security incidents immediately and take steps to close off vulnerabilities or threats.

  • Consider whom to notify in the event of an incident, both inside and outside your practice.

  • Consult your attorney.

By following these six steps you will create an "Identity Safe Zone" that will help give you a competitive edge over the competition by raising the trust and confidence clients and staff have in your practice.

Assured that you will safeguard their information, they will be more likely to share it with you.

James Iafe, VMD, is a Certified Identity Theft Risk Management Specialist (CITRMS). He practices at North Boros Veterinary Hospital in the suburbs of Pittsburgh.

Surviving identity fraud

By Daniel R. Verdon


WALLAND, TENN. — For Rhea Morgan, DVM, the first clue that something was amiss was a call from her credit-card company. Then came the correspondence from a collection agency.

Eventually, police reports were needed to solve this case of identity fraud.

Morgan learned that a credit card was taken out in her name, with her Social Security number, and issued to an address some 860 miles away in Fort Lauderdale, Fla. A modest $1,700 buying binge ensued. Just as quickly, the culprits vanished.

"They had no hope of catching these folks," she tells DVM Newsmagazine. "With the police reports it was removed from my credit report and the collection agency, so they would stop coming after me."

Four months earlier, Morgan received a letter from her credit-card company notifying her of a breach to its computer system — the only way thieves could have gained access to her Social Security number, she says. "I don't put my Social Security number on anything. It's not on my driver's license, either."

While the theft could have been far worse, the time it takes to repair damaged credit because of fraud rates is the most frustrating aspect to her ordeal, she says.

According to a new report from the Council of Better Business Bureaus and Javelin Strategy and Research, it took victims 40 hours, on average, to resolve cases of identity theft. The average fraud amount increased from $5,249 to $6,383 over the last two years. As a result, the total one-year cost of identity fraud in the United States remained relatively flat between 2003 and 2006, increasing from $53.2 billion to $56.6 billion. Like Morgan, most victims (68 percent) don't incur out-of-pocket expenses.

Morgan's advice: Get an annual credit report and shred documents with your name and account information.

Identity thieves gather credit-card applications and wait until they have enough information on their victims.

For more information, contact these credit report agencies:

  • Equifax Consumer Fraud Assistance Dept. (800) 525-6285

  • TransUnion Fraud Victim Assistance Dept. (800) 680-7289

  • Experian Consumer Fraud Assistance Dept. (888) 397-3742.

Related Videos
© 2023 MJH Life Sciences

All rights reserved.