Protecting the confidentiality and security of practice data, which includes patient and client data, should be a priority for every practice. Although HIPAA does not apply to pet medical records, those records are protected by state law (AVMA recently summarized these laws), as is client personally identifiable information.
The responsibility of securing practice data falls solely on the practice. Fulfilling this obligation involves taking action inside the practice as well as with respect to third parties that may have access to the data, including the practice management software vendor. We’ll review best practices for managing security within the practice in a future article. In this article, we’ll review three questions every practice should be asking of its practice management software vendor.
1. Who owns the data?
2. Who has access to the data?
3. What happens to the data when you want to switch?
Nobody likes to think about what happens if things go wrong with a relationship. However, when it comes to security, this situation cannot be ignored. This question can be broken down into two parts: how do you get the data back, and when does the data get deleted? If the practice owns the data, then the answer to how to get the data back should be straightforward. In other words, the data should be provided back without any condition, and without a fee. Our practice is to provide the data back to the practice in a database format twice, free of charge. If the practice does not own the data, then the situation often gets complicated (and often involves a fee).
The same is true for the deletion of the data. If the practice owns the data, then the vendor should have no reason to keep the data after the relationship ends, barring a reasonable amount of time to complete the deletion after the data is returned. Our practice is to delete all practice data 30 days after the end of the relationship.