ABOUT THIS SERIES
The first article in this series discussed reasons veterinarians should keep their private practice private (May, 2007). Last
month, the topic was why privacy makes good business sense. This final article outlines a program for making sure sensitive
data about employees and customers is protected. To access previous articles, go to
You can determine the best ways to secure sensitive data only after you've traced how it flows through your veterinary practice.
Start by creating an Information Privacy Map (IPM) that shows how you receive personal information, where it goes and who
has or could have access to it.
Here are some details to consider:
What types of personal data do you collect from staff and clients?
- Credit/debit card account numbers
- Bank-account information
- Staff members' Social Security numbers
- Staff members' driver's license numbers
Where do you keep the information you collect?
- Computer database
- File cabinets
- Employer's home
Who has or could have access to this information?
- Staff members
- Contractors working in your practice
- Third-party sharing – payroll services, radiation-detection services
How does your business receive personal information?
The Federal Trade Commission (FTC) requires an effective security program for any company that holds private information.
To the FTC, failure to develop and implement such a program constitutes an unfair trade practice. To meet this requirement,
your security program must include these six steps:
Step 1: Name a security administrator
Designate a senior member of your staff to coordinate and implement the security program. His or her job will be to construct
liabilities for noncompliance.
Step 2: Create a written policy
Your policy should address basic questions that only you and your staff can answer:
- What federal and state laws regulate handling of private information?
- What private information is used in your practice?
- How do you secure private data?
- Where do you lock down paper information (locking file cabinets or perhaps a safe)?
- How do you encrypt and password-protect digital information?
- With whom do you discuss private information?
- How do you dispose of sensitive documents? Do you shred paper and physically destroy all information on digital storage devices
when they are taken out of service (e.g., computers, faxes and copiers)?
Step 3: Train employees
Your information-privacy plan may look great on paper, but it's only as strong as the staff members who implement it.
It is your responsibility to see that all of your staff members understand how private information is collected, stored and protected.
Take time to explain that to your staff, and train them to spot security weaknesses.
Periodic training emphasizes the importance you place on meaningful information-security practices.
Update staff members as you find out about new risks and vulnerabilities.
Train staff to recognize and report suspicious activity, and publicly reward those who alert you to vulnerabilities.