Although the Health Insurance Portability and Accountability Act (HIPAA) may not apply to animals, that does not mean that a veterinary practice should ignore cyber security best practices. Many veterinary practice owners believe that their practices will never be subject to the cyber security threats that we so often hear about in the news. However, many veterinary clinics and hospitals are precisely the type of companies that are the most targeted and vulnerable. Hackers and other cyber criminals may believe that most small businesses do not have proper security measures in place, which makes them easy targets. Unfortunately, the hackers are often correct. Veterinary clinics and hospitals often maintain credit card information and background information about pet owners that can be very enticing to cyber criminals.
As more aspects of operating and managing a business move online, cyber security is becoming increasingly important. There are no federal laws that specifically govern veterinary practices. Instead, veterinary practice in each state is governed by the state’s own board of veterinary medicine. However, the American Veterinary Medical Association provides educational resources and guides for promulgating state rules, including the Model Veterinary Practice Act (MVPA). The MVPA serves as a guideline for those in the veterinary field, and many states use the MVPA as a guide in enacting laws governing veterinarians and clinics.
The majority of states have not enacted laws regarding a cyber-security breach in a veterinary practice. However, most states have enacted laws with respect to maintaining confidentiality of animal records. For example, in New Jersey, a licensed veterinarian is required to keep patient records confidential unless one of four specific exceptions applies. These exceptions include: 1) being required by law to release the records, 2) the New Jersey Board of Veterinary Medical Examiners (Board) requests the records, 3) the client authorizes a veterinarian to release the records (the authorization must be at the time that the services were rendered), or 4) release is necessary to protect the health of the animal in question, a person, or another animal. Florida similarly has a statute governing confidentiality of veterinary records. Patient records and the medical condition of an animal may not be discussed with or released to anyone other than the client, the client’s lawyer, or another veterinarian involved in the care or treatment of the patient. Again, several exceptions exist if: 1) the client provides written authorization, 2) a subpoena has been issued in any civil or criminal action, 3) the data is needed for statistical and scientific research (as long as the identities of the patient and client are protected), or 4) a medical negligence action or administrative proceeding has been filed against a veterinarian.
If the laws governing confidentiality are violated, a veterinarian or other employee will very likely be subject to discipline. Cyber-security breaches are a relatively new issue that has not frequently arisen in the veterinary field, so penalties and other consequences have not been clearly outlined. Most state laws leave the question of penalties and discipline to the discretion of the state board that oversees veterinary medicine. In New Jersey, for example, the Board has a wide range of options in imposing discipline stemming from violations of confidentiality within a veterinary practice. These options include, but are not limited to, civil penalties, a letter of warning, revocation or suspension of a license, or taking corrective actions. Similarly, in Florida, the consequences include revocation or suspension of a license, a fine of up to $5,000 for each violation, a reprimand, or imposing new education requirements. Although this is an emerging field of law within the veterinary field, cyber security has already had a major impact on many other industries. We will likely receive more guidance through case law and new legislation in the near future. While there may not be a developed body of cases on the issue, this does not mean that veterinary clinics and hospitals have not experienced cyber security breaches. Many of the breaches experienced by veterinary hospitals and clinics likely go unreported or do not result in published news articles or cases.
It is imperative that all veterinary clinics and hospitals take basic measures to proactively protect data and implement a plan of action in the event of a security breach. Simple measures such as using strong passwords, implementing firewalls and encrypting sensitive data will go a long way toward maintaining strong cybersecurity.
Michael Salad is an attorney in Cooper Levenson’s Business & Tax and Cyber Risk Management practice groups. He concentrates his practice on estate planning, business transactions, mergers and acquisitions, tax matters and cyber risk management. Michael holds an LL.M. in Estate Planning and Elder Law. Michael is licensed to practice law in New Jersey, Florida and the District of Columbia. Michael represents several veterinary hospitals and clinics and regularly advises clients about cyber-security. Michael may be reached at 609.572.7616 or via e-mail at msalad@cooperlevenson.com.