On guard: Threats to personal, business and client privacy can come from all directions

On guard: Threats to personal, business and client privacy can come from all directions

Threats to personal, business and client privacy can come from all directions
Nov 01, 2011

NATIONAL REPORT — The Internet has opened up a vast array of new tools to conduct business and just as many concerns as it relates to data privacy and client confidentiality.

As veterinary practice vendors and software programs in accounting and billing look to create a better user experience through Internet-based tools, it creates new vulnerabilities to practice data—whether it's hacked or shared with other third parties unbeknownst to veterinarians. In some cases, the result can put the veterinary practitioner at risk of violating client-confidentiality agreements.

"When you post information on the Internet, it's basically like writing it on the back of a postcard. You have to assume that way," says Greg Dennis, a Kansas-based attorney specializing in veterinary law.

When asked if there are safeguards veterinarians can put in place to keep Internet-based information private, Dennis was doubtful.

"Other than using the old method of pen and paper? Nope," he says. "Once there's a stream flowing, you don't know where it might be ending."

Dennis remembers comparable problems in the 1980s and 1990s when veterinarians first were required to provide local governments with verifications of rabies vaccinations. Marketing companies and vendors would simply file a public records request with authorities and use the data to see when a patient was due for its next vaccine. They would then take the data and send targeted marketing to the client.

"How secure is this stuff? And are the statements being made that the information would not be available to anyone else be something veterinarians can rely on?" asks Dennis. "It does put a question in your mind."

Dennis recalls a case years ago, during a settlement with an insurance agency, where records about a practice were released only to show up eight years later somewhere else. The confidential information was released to a single source, but somehow got out, possibly through a hacked database.

"Once it's out the door, you can't control it," he says. "Even if you can get to a court and get it ordered back, with the Internet, you can't ever completely purge it."

Third-party access to information about clients, as well as patient medical histories, employee records or a practice's financial records is a valid concern, agrees Charlotte Lacroix, DVM, JD, owner of the legal and business consulting firm Veterinary Business Advisors in New Jersey. Usually, web-based programs, or disc-based programs dialed into the web give access to some type of vendor, she says.

In fact, questions emerged about this issue following VCA's $150 million acquisition this summer of MediMedia's VetStreet, which offers home delivery of medications. Data security as it relates to competitive practice information was being actively discussed. VCA asserts its contracts with its customers prohibit VCA from inspecting individual practice data. Vetstreet customer contracts also mandate that the company strip all information about clients, patients and veterinary practices before selling any data.

According to Lacroix, "It becomes important for veterinary practitioners to be sensitive to their agreement with vendors." Practice owners need to be aware what information a program vendor has access to, and how they might use it.

Neither Dennis nor Lacroix have had clients report major privacy breaches, but they say there is always the possibility information will go where it wasn't meant to. If you need an example, just look at the banking industry. And once a channel is open, the risk of computer hacking increases too.

"Have (the vendor) sign a confidentiality agreement, and then if the information gets divulged on their end, and you're the one that gets sued, they pay for your damages," Lacroix recommends.

But finding out what kind of information is being opened up to a vendor isn't the only privacy concern practice owners should be aware of, Lacroix says.

"If they do intend on using it, and you are open to it, do you need to get the client's consent in order for them to use it?" she asks.