Maintaining medical record confidentiality and client privacy in the era of big data: ethical and legal responsibilities

Anthony P. Aaron 1Ice Miller LLP, One American Sq, Ste 2900, Indianapolis, IN 46082.

Search for other papers by Anthony P. Aaron in
Current site
Google Scholar
Martha L. Kohlstrand 2Ice Miller LLP, 2300 Cabot Dr #455, Lisle, IL 60532.

Search for other papers by Martha L. Kohlstrand in
Current site
Google Scholar
Link V. Welborn 3Veterinary Study Groups Inc, 6455 E Johns Crossing, Ste 125, Johns Creek, GA 30097.

Search for other papers by Link V. Welborn in
Current site
Google Scholar
, and
Stephen T. Curvey 3Veterinary Study Groups Inc, 6455 E Johns Crossing, Ste 125, Johns Creek, GA 30097.

Search for other papers by Stephen T. Curvey in
Current site
Google Scholar

Veterinary practice employees spend substantial amounts of time recording patient medical and medication information, managing callbacks and reminders, ordering medication and supplies, and performing a myriad of other tasks that add to the information that practices have about their patients and clients. In the past, veterinary practices would collect and maintain this information in paper format. Nowadays, of course, such information is more commonly stored electronically in a practice management or practice support software system.

This electronic practice information can be quite valuable. It can, for example, be used to improve patient care, increase practice efficiency, create new business opportunities, and allow practices to compete with online retailers. However, it can also create business challenges and risks that veterinarians may not have considered. Most importantly, when collecting, maintaining, and using practice data, particularly patient medical records, veterinarians must comply with multiple veterinary ethical principles and state and federal laws and regulations, which sometimes overlap or conflict. Although these requirements may seem overwhelming or impossible to satisfy, obtaining proper client consent can address many of the biggest concerns.

With the ongoing digitization of veterinary practices, veterinarians should be aware of the value associated with their practice data and should understand why vendors and software providers might be keenly interested in obtaining access to or the right to use that data. They should also appreciate their legal obligations under their state's veterinary practice act and local, state, and federal consumer protection laws.

Types of Practice Data

In the course of routine practice, veterinarians acquire and create many types of data, including patient data (eg, name, sex, age, breed, weight, diagnoses, test results, prescriptions, and treatment notes), client data (eg, name, address, email address, phone number, billing information, and payment history), and vendor data (eg, purchase history and laboratory test submissions and results).

These types of practice data are vitally important. Without them, veterinarians would not be able to track test results, diagnose diseases or treat patients, or locate critical health history information. Having access to patient and client data also improves the business of veterinary medicine by enabling practices to send reminders for upcoming appointments, assess vaccination rates, analyze marketing promotions, reduce inventory, compete with online retailers, and more. Practice data also represents the goodwill of the practice—the patient and client history that provides opportunities for future patient and client visits.

Big Data, Big Value

Data mining involves analyzing large data sets to discover patterns and draw conclusions. It is an amazing tool for predicting behavior and targeting marketing and has been going on for years. Data mining became particularly prominent in 2018 when it was revealed that Cambridge Analytica had harvested data from millions of Facebook users' profiles without their consent, analyzed that data to categorize users, and then used those categories to target users with political advertising. More benignly, in the human health-care field, data mining has been used to promote human health by, for example, identifying geographic regions to target for health awareness advertising or discovering language patterns associated with mental illness. In veterinary medicine, data mining can be useful for improving animal health by, among other things, determining disease patterns in certain geographic areas or assessing the efficacy of new treatments.

Many companies believe that aggregating data creates immense value. Of course, veterinary practices do not possess anywhere near the amount of data that, for example, Facebook does. Still, veterinary practice data is extremely targeted and specific to animal health, which makes it valuable and interesting to veterinary researchers, vendors, and competitors. For example, pharmaceutical companies and online retailers are likely interested in your data about patients that are chronically ill, receiving medications, or eating special diets.

Accessing Your Practice Data

How do researchers, vendors, and competitors obtain access to your data? Veterinary practices often unknowingly give away rights to their data when they license software, use online platforms, or enter into marketing, supply, or other agreements with vendors. Prior to using software or an online platform, a user must typically agree to an end-user license agreement, a privacy agreement (or privacy policy), or both. Many users either ignore these agreements or quickly scroll through them and click “OK.” However, such agreements may contain language permitting the company or its subcontractors to access or use your practice data in multiple ways. Most often, that access is to the practice's benefit, because it allows the company to provide a service. For example, a company offering a marketing program will require access to your practice data to send out mailings. In many cases, however, the company also obtains broad rights to use your practice data for its own purposes and may limit your access to your practice data.

License and privacy agreements may also allow companies to update their policies, including their data-sharing policies, simply by updating the company website without otherwise notifying end users. Even if the current policy restricts the company from sharing your practice data with third parties, the company may later change its policy, and if you miss the update, you would never know about the change. More concerning yet, if you learn about a change in policy and want to change software providers, the costs of implementing a new system may be prohibitive, giving you little choice other than to accept the change.

Examples of language you might find in licensing agreements include the following statements:

  • You grant us a nonexclusive, transferable, sublicensable, royalty-free, and worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works of your content.

  • We may share your information with marketing partners to present offers to you.

  • You grant us a license to analyze and aggregate your data; to use the data, including personally identifiable data, for our own business purposes; and to provide nonpersonally identifiable data to third parties.

  • Amendments are effective as of the date on which updated terms and conditions are posted to our website and continued use of our services constitutes your consent to those amendments.

  • You represent and warrant that you have obtained any consent from your clients required to disclose the information provided to us and will indemnify us from any damages arising out of your failure to obtain such consent.

Importantly, these licensing agreements are typically enforceable, even if the agreement prevents you from fully using or accessing your own data or allows the company the freedom to use your data in any manner.

Why Care About Data Access

Software companies and vendors often use your practice data to help you treat patients, and sometimes the data must be sent to a third party for a legitimate reason, such as to complete a credit card transaction or to send rabies vaccination information to a county. Those uses sound harmless, especially because the federal Health Insurance Portability and Accountability Act does not apply to animals. However, some states strictly regulate the disclosure of veterinary patient and client data without proper consent. Federal laws may also apply to the use of your practice data. For example, the Telephone Consumer Protection Act imposes stiff penalties for sending unsolicited text messages that contain marketing content, and alleged violations can lead to class-action lawsuits.

When you provide software companies and vendors a license to access and use your patient and client data, the data may be used in ways you never imagined, possibly without your knowledge. In addition, the company or vendor will often require you to ensure proper consent has been obtained, thereby attempting to pass liability for any violation from them to you.

Frequently, software companies and vendors obtain rights to access and use your practice data beyond those necessary to provide services to you. These rights may range from using aggregated and anonymized data for research and analysis, to using your data for their own marketing, to making your data available (for a fee) to third parties (eg, pharmaceutical companies, other service providers, or direct-to-consumer marketers), to limiting your rights to use your practice data or provide it to third parties.

Sometimes, software companies and vendors share your data with third parties that want to market their products and services to you or your clients. It may not bother you to receive marketing targeted at your practice, but you and your clients may not feel the same way if the marketing is targeted at your clients. And, you might actually be helping a competitor if one of your vendors were to sell your practice data to a direct-to-consumer marketer, such as an online pharmacy or pet food distributor.

Concerns can also arise if you become dissatisfied with a software company's or vendor's services and want to change providers or use another provider to augment those services. In some cases, licensing agreements may limit your rights to access your own practice data or may prohibit you from providing it to third parties or charge you a fee for doing so.

Even if a licensing agreement indicates that the software company or vendor will not sell individually identifiable data, the agreement may allow the company or vendor to aggregate your practice data with data from other veterinary practices and analyze, use, or sell the combined data set. Manufacturers and drug company researchers are frequently willing to pay substantial amounts for these combined data sets, but individual practices may not be compensated for the data they provide.

Finally, recent consumer data breaches have shown the complexity of protecting data and have made it clear that even good companies can make mistakes or have vulnerabilities. A software company or vendor could inadvertently send your practice data to the wrong place or a hacker could gain access to your data. If a data breach goes undetected for a long period, dozens or hundreds of your clients may be susceptible to identity theft. And, by requiring the practice to indemnify the software company or vendor, the licensing agreement you accepted may shift responsibility and liability from the software company or vendor to you. Although every situation is different, these obligations can be costly.

Understanding Your Risks

The first step in understanding the value of your practice's data and the legal and business risks you assumed by allowing software companies and vendors to access and use your data is to take an inventory of all the places where your practice data, particularly individualized patient and client information, is located. Practice data may reside in your practice management software, accounting system, client communications system, or elsewhere inside or outside of your veterinary practice.

Once you identify where your practice data resides, review your agreements with the vendors of those software systems to understand the rights you granted to your data, paying particular attention to the following concerns:

  • Whether you can obtain or retrieve your data.

  • How the company can use your data or provide it to a third party and whether there are limits on such use.

  • Whether there are limits on your use of your own data.

  • What rights to the data you retain.

  • Whether there are limits on your ability to permit third-party service providers to use your data on your behalf.

  • Where your data are stored and what security arrangements are in place.

  • Whether your data will be disposed of after use and the means of disposal.

  • Whether the vendor has a breach notification policy that is available for your review.

  • Whether the company will provide you notice concerning updates or changes to your agreement or its terms and conditions or to the company's privacy policy and how it will do so.

For software, often you can view and print a copy of the end-user licensing agreement from the software program. The licensing or other agreements may also be available on the vendor's website or by contacting the vendor's call center or technical support group or your sales contact.

Once you know the terms governing use of your practice data, you should consider whether these terms are acceptable and, if not, consider your options. As a practical matter, it may be difficult to reclaim rights to your existing data, but data ownership and control can become a consideration as you evaluate new systems or vendors. You can also discuss changing the terms with existing vendors or look for alternative vendors that offer acceptable terms. Although it may be a challenge for any single practice to change the terms of a licensing agreement, if companies hear the same concerns from many customers, they may respond.

Medical Records Confidentiality and Disclosure

Once you know what data you have and understand the terms governing the use of your practice data, the next step is to determine your responsibilities under veterinary ethical principles and state and federal laws and regulations.

Veterinary ethical principles

Confidentiality of veterinary medical records is a bedrock principle of the veterinary profession, and veterinarians have an ethical obligation to respect the confidentiality of their patients' and clients' information. The Principles of Veterinary Medical Ethics of the AVMA,1 for example, state that “[a] veterinarian shall respect the rights of clients, colleagues, and other health professionals, and shall safeguard medical information within the confines of the law.” They also state that “[t]he information within veterinary medical records is confidential” and that medical records information “must not be released except as required or allowed by law, or by consent of the owner of the patient.”

State veterinary practice acts

State veterinary practice acts reflect these ethical principles, and many states require that medical records be kept confidential. Unless incorporated into a state's practice act regulations, the Principles of Veterinary Medical Ethics do not have the force of law. However, violations of a state veterinary practice act can have a negative impact on the practice and its licensed employees. Many states regulate when or how certain types of client and patient data can be disclosed, but there is no national standard, and state laws range from strict to limited regulation of disclosures. In all states, however, disclosure of medical records or patient information is permitted if the client consents.

AVMA Model Veterinary Practice Act—The AVMA developed its Model Veterinary Practice Act as a “model set of guiding principles for those who are now or will be in the future preparing or revising a practice act under the codes and laws of an individual state.”2 The section in the Model Veterinary Practice Act on veterinarian-client confidentiality prohibits veterinarians from disclosing patient information without the client's express consent, except when required by a court order or subpoena; when disclosure is requested by a public health, animal health, animal welfare, wildlife, or agriculture governmental agency that has a legal or regulatory interest in the information; or when the owner of a patient initiates an administrative, civil, or criminal proceeding questioning the care or treatment of the patient. In addition, the act states that veterinarians can disclose “identifiable client and patient information to a third party so that the third party can use the information to provide services for or perform functions on behalf of the licensed veterinarian,” so long as the third party provides a written agreement to maintain confidentiality of the information. Finally, the act permits veterinarians to disclose medical information for research purposes so long as patients and clients are not identifiable.

Examples of specific state veterinary practice acts—As a leader in data privacy, California strictly regulates disclosure of veterinary medical records. Among other things, the California Business and Professions Code3 prohibits disclosure of any information related to a patient, a client, or the veterinary care a patient has received without informed client consent, unless required by court order or subpoena or as necessary for compliance with federal, state, county, or city laws or regulations. However, California specifically permits sharing of medical information between veterinarians or facilities for the purposes of treatment or diagnosis and allows for disclosure of information when a client files a civil or criminal complaint that places the veterinarian's care at issue. Notably, the California code does not specifically authorize disclosure of records to third parties providing services to a practice or disclosure of de-identified data without client consent and provides for potential criminal penalties for violations.

Indiana's statute,4 in contrast, reflects a middle-ground approach to regulating disclosure of veterinary medical records, but still requires client consent in most instances. Indiana prohibits release of an animal's veterinary medical records and medical condition without client consent, unless disclosure is required by law or for compliance with a subpoena or a request for information is made by a regulatory authority to protect the public health, by the veterinary board as part of an investigation, or by a law enforcement or governmental agency in connection with an investigation into animal abuse or a criminal investigation. Indiana also permits release of records without client consent to the Purdue University School of Veterinary Medicine, the Indiana Animal Disease Diagnostic Laboratory, or a state agency or commission; permits the state board of animal health to release records without client consent to help advance animal health or protect human health; and permits de-identified records to be released without client consent for statistical and scientific research. Notably, the Indiana code does not specifically authorize disclosure of records without client consent to third parties providing services to a practice and does not provide for criminal penalties for violations.

At the other extreme, Massachusetts does not appear to directly regulate disclosure of veterinary medical records, although it does state that, in response to an owner's request, a veterinarian must provide an animal's records to the owner or to another veterinarian.5 Massachusetts' Veterinary Practice Act does not have any apparent statutory restrictions on disclosing records to a third party or even on selling patient data or permitting patient data to be sold.

Federal consumer protection laws

Federal consumer protection laws also restrict how veterinary practices can use their data to communicate with clients. Veterinary practices that violate these laws can be exposed to class-action lawsuits and governmental investigations and may face potential liability for damages and civil penalties.

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act of 2003—The CAN-SPAM Act6 applies to email communications and prohibits false or misleading email headers and deceptive subject lines, regardless of whether the email advertises or promotes a product or service or facilitates an already-agreed transaction (eg, reminding clients of existing appointments); requires a sender to conspicuously disclose if an email is an advertisement, include a physical address, and include an opt-out method that is honored within 10 business days if the “primary purpose” of an email is advertising or promotion of a product or service (eg, flea and tick products or dental month); and provides that you are liable for services undertaken on your behalf by third-party email providers.

Telephone Consumer Protection Act—The Telephone Consumer Protection Act7 likely does not come into consideration when a veterinary practice sends informational text messages, such as messages that remind clients of existing appointments. It does, however, apply to marketing communications that promote the commercial availability of goods or services (eg, vaccination reminders for pets that do not already have a vaccination appointment) a practice might send to clients by means of autodialed telephone calls, faxes, and text messages, including text messages from commercial texting platforms. The act also requires the recipient's “prior express written consent” to receive the messages.

Understanding the difference between marketing communications and nonmarketing communications is critical. A marketing text message is a “message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.”8 For example, a text message reminding a client that the client's pet has an appointment on Tuesday would not be a marketing text message because the pet already has the appointment and the message is only confirming the information. However, a text message reminding a client that the client's pet is due for a rabies vaccination would most likely be viewed as a marketing text message, because the message is encouraging the client to purchase a rabies vaccination for the pet.

Telemarketing Sales Rule—The Telemarketing Sales Rule9 governs telemarketers and established the National Do Not Call Registry. It is enforced by the Federal Communications Commission and Federal Trade Commission and prohibits telemarketers from calling a consumer before 8 am or after 9 pm; requires telemarketers to make specific disclosures of certain information, including the identity of the seller and that the call is a sales call; requires telemarketers to disclose all material information regarding the goods or services they are offering and the terms of the sale; prohibits telemarketers from lying about the terms of their offers; prohibits calls to a consumer on the National Do Not Call Registry; prohibits a recorded sales pitch in a cold call; and requires transmission of caller ID.

Importantly, a veterinary practice's telemarketing activities may also be regulated by state laws, which may be more stringent than the comparable federal laws. For example, Indiana adopted its own Do Not Call List and accompanying laws and regulations that are stricter than the Telemarketing Sales Rule.10

Regulatory support for the confidentiality of practice data

The confidentiality of veterinary medical records and practice data has been considered by at least 2 states. In both instances, officials upheld the principle that veterinarians should not be required to disclose confidential veterinary medical records. In 2015, the Texas Attorney General opined that veterinary medical records could not be released to “virtual adopters” of animals used in research laboratories because the owners (in this case, Texas A&M University) did not consent to the disclosure.

In another example, the New York State Gaming Commission proposed to require veterinarians to report all intra-articular corticosteroid injections performed on racehorses.11 The American Association of Equine Practitioners argued that under New York law, veterinary records are privileged and confidential and could only be released under court order or with the owner's consent. Ultimately, the New York State Gaming Commission resolved the conflict by requiring horse trainers, not veterinarians, to document and report injections.12

In both of these cases, the key issue was whether the owner consented to the veterinarian's disclosure of the information, and in both instances, officials upheld the principle that veterinary medical records cannot be disclosed by a veterinarian without client consent.

Best Practices for Compliance

When practice data was maintained in paper format, data protection meant storing confidential information in locked filing cabinets. When computerized records first came along, data protection meant keeping confidential information on password-protected computers. In today's age of big data and cloud storage, however, data protection demands more. Specific requirements for protecting practice data, including medical records and patient data, vary state-by-state. Still, the general legal and ethical obligations fall into 5 broad categories: disclosure, consent, ethics, self-compliance, and third-party compliance.


With regard to disclosure of medical records, including patient and client data, veterinary practices should consider implementing the following steps:

  • Develop a practice privacy policy that clearly explains in plain English how the practice uses and stores patient and client data, when information may be disclosed to third parties, and how those third parties may use the data.

  • Provide clients with a copy of the practice's privacy policy.

  • Ensure website visitors can easily access the privacy policy.

  • Avoid using false or misleading information in email headers and subject lines when sending email communications.

  • Include the practice name on all email and text communications and information on how recipients can opt out of receiving future communictions.


Obtaining client consent is the best method practices can use to protect themselves against claims of improper use of practice data. To ensure they obtain proper client consent, practices should consider the following steps:

  • Ask clients to sign (physically or electronically) a copy of the practice's privacy policy that acknowledges receipt and consents to the disclosures and uses outlined in the policy.

  • Obtain express written consent (physically or electronically) from clients prior to making autodialed telephone calls or sending text messages, emails, or faxes to them.

  • Ensure that the consent form states that text message and data rates may apply and indicates how frequently the recipient can expect to receive messages.

  • Maintain all consent records for at least 4 years (the statute of limitations for Telephone Consumer Protection Act lawsuits).


To ensure that their actions comply with the highest veterinary ethical standards, practices should take the following steps:

  • Remember that the Principles of Veterinary Medical Ethics and state veterinary practice acts protect the privacy rights of the practice's clients.

  • Be cautious when releasing medical records to any third party, including vendors such as companies that provide email reminder services on behalf of the practice, and ensure that such disclosure is allowed by law or that the clients have provided their express consent.

  • Be honest and transparent about the use of data and obtain prior written consent for all data-related activities.


Practices should undertake the following steps on an ongoing basis to ensure they remain in compliance:

  • Maintain all consent records for at least 4 years (the statute of limitations for Telephone Consumer Protection Act actions).

  • Do not use random lead lists of telephone numbers or email addresses.

  • Scrub your database regularly against the National Do Not Call Registry and any applicable state do-not-call lists if your practice makes telemarketing calls.

  • Provide clients with user-friendly, reasonable ways of opting out of communications (eg, by providing an unsubscribe link or a statement that the recipient can reply to stop receiving messages).

  • Immediately stop all future text and email communications to any client who opts out.

  • Do not call or text before 8 am or after 9 pm local time.

Third-party compliance

Remember that you and your practice may be liable for failures by software providers or vendors or their subcontractors or licensees to properly safeguard information or comply with state veterinary practice acts. Therefore, practices should take the following steps:

  • Ensure your contracts with software providers and vendors require them to properly safeguard your information or comply with state veterinary practice acts and indemnify you and your practice for any violations, whether by themselves or their subcontractors or licensees.

  • Review your vendor and third-party service provider contracts to determine how client data is used.

  • Ensure your privacy policy properly discloses this information to your clients.

Looking Behind, Looking Ahead

Veterinarians are often surprised to learn how much practice data they possess and frequently shocked to hear they are subject to a wide array of sometimes bewildering legal and ethical obligations to protect the confidentiality of that data and the privacy rights of clients. Although the obligations can be quite complex, many of them can be satisfied by developing a comprehensive practice privacy policy, obtaining informed client consent, and reviewing vendor contracts. Practices can develop their own privacy policy and client consent form, or they can use standard templates, such as those available from the Veterinary Study Groups.13 Compliance requires continued vigilance, including monitoring how third parties use your practice data. Because the requirements frequently change and compliance can be complex, you may also want to obtain the advice of an attorney. For better or worse, the era of big data is upon us, and the issues it raises will impact veterinary practices for decades to come.


The research for this article was supported by Veterinary Study Groups Inc as part of a broader research project concerning principles of ownership of veterinary practice data. Mr. Aaron and Ms. Kohlstrand are attorneys who represent Veterinary Study Groups Inc in various matters, including matters related to data ownership and use, and Dr. Welborn and Mr. Curvey are senior executives of Veterinary Study Groups Inc.

The authors appreciate the comments of Dr. Michael Thomas and other anonymous reviewers who provided their thoughts and comments on earlier versions of this article.


Contributor Notes

This article has not undergone external peer review.

Address correspondence to Mr. Aaron (