The one aspect of veterinary medicine that I hope to change is the belief in this single phrase.
“I don’t have any valuable data. Why would anyone want to hack me??”
I recently wrote on the impacts that regulations like the GDPR and the CCPA are going to have on the way we manage our data. For most practice owners and managers that I’ve spoken with, they have no clue what these regulations are and what they mean. While I talked in depth about the GDPR in my last post. Today we will dig into some regulations that currently exist and how these current regulations will change as we see the GDPR and CCPA type of regulations move across the US.
Confidentiality of veterinary patient records
While we don’t have to worry about HIPAA requirements in veterinary medicine. Each state in the U.S. has different regulations on how to maintain the confidentiality of veterinary patient records. The state veterinary medical board has the authority to interpret and enforce provisions of veterinary practice acts. If you have a question about how a particular state law provision applies to individual circumstances in that state, please contact the state’s veterinary medical board. Let’s look at an example and how GDPR would affect or impact your practice.
California
Let’s start with the great state of California. As they have already rolled out their own version of the GDRP. The CCPA. The California Consumer Protection Act. Currently the CA Veterinary Medical Board states:
Prohibits disclosure of records unless client consent, court order or subpoena or compliance with state or federal law. Sharing medical information between veterinarians or facilities is allowed for treatment or diagnosis. Disclosure of records is also allowed when a client files a civil or criminal complaint that places the veterinarian’s care at issue. There are criminal penalties for an unauthorized release of records. The section states that it shall not interfere with the sharing of veterinary medical information between veterinarians, peace officers, and humane society officers.
The law also provides that a summary of an animal’s medical records shall be made available to the client within five (5) days or sooner, depending on the condition of the animal, upon his or her request.
Let’s say you’re one of the many practice owners out there that doesn’t take your cyber security seriously. You still have the mindset above. Your practice is located in California and one day you are unfortunately the victim of the multi-stage ransomware attack. The hacker got into your network, collected and harvested over 2000 patient records and then encrypted your data. Now the hacker is threatening to sell and or release all your client data if you don’t give them a $450,000 ransom.
Threats both legally and financially
Under the current practice act in California the release of all your client’s data could be considered an unlawful disclosure. Now your practice is under threat from your CA medical board. But what about the CCPA? If the information is released you would likely have to notify all of your clients of the data breach and what information was made public about them. Your clients would then have the right to sue you if the following combination of items were disclosed in the breach.
Items required to file suit under the CCPA
First Name & Last Name + any of the following
Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person’s identity
Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
Your medical or health insurance information
Your fingerprint, retina or iris image, or other unique biometric data used to identify a person’s identity (but not including photographs unless used or stored for facial recognition purposes)
The question in this case would be, does the state of CA consider the veterinary records of your pet, medical records? The State board prohibits the disclosure of these records without client consent. Thus it would be up to the courts to determine what potential impacts the release of the client’s pet medical records has on the client. And were reasonable measures taken to prevent this unauthorized disclosure.
Don’t let this happen to you!
What’s the best way to prevent yourself from getting a DUI? DON’T DRINK AND DRIVE! The reason I use that example is that the best way to protect yourself from having to deal with your local state board as well as any new data protection laws, is to not get caught out in the dark in the first place. Realize that everyone outside of the Veterinary industry realizes the value of your data but you! Depending upon where you live there are 50 reasons for you to take your data seriously. If you take reasonable measures to protect yourself and your clinics data. This goes a long way in protecting you from the potential legal ramifications.