Protecting the confidentiality and security of practice data, which includes patient and client data, should be a priority for every practice. Although HIPAA does not apply to pet medical records, those records are protected by state law (AVMA recently summarized these laws), as is client personally identifiable information.
The responsibility of securing practice data falls solely on the practice. Fulfilling this obligation involves taking action inside the practice as well as with respect to third parties that may have access to the data, including the practice management software vendor. We’ll review best practices for managing security within the practice in a future article. In this article, we’ll review three questions every practice should be asking of its practice management software vendor.
1. Who owns the data?
The answer to this question can be complicated as it relates to the practice and its clients. However, as it relates to the practice and its practice management software vendor, the answer is simple – the practice owns the data. Read the terms of use applicable to your use of your practice management software to understand exactly what rights you retain in your data, and what rights are transferred to the vendor. Any assignment of ownership should be a red flag. Confusing or ambiguous “legalese” should also raise concerns. When it comes to our terms of use, the practice remains the sole owner of the data.
2. Who has access to the data?
Some access to practice data is required for vendors to perform their obligations to the practice, including providing technical support or backing up the data. However, this kind of access should be limited to the extent it is needed, and in no event should any third party have access to the data without the practice’s consent. The more people or entities that have access to the data, the more difficult it is to ensure the security of the data. The terms of use should specifically restrict access to the data to the vendor’s employees or contractors who need access in order to perform their obligations to the practice, and provide an outright ban on sharing data with third parties without the practice’s consent.
When it comes to our practices, we limit access to practice data to a handful of our employees who have a need to access the data - specifically, our customer success team (when given permission from the practice), and our operations team (who manage backups). We also do not share data with third parties under any circumstance, except via our integrations, which require express practice consent by way of enabling the integration, and which are further limited by contractual terms that we have in place with these partners. You can read more about our practices in our privacy policy.
3. What happens to the data when you want to switch?
Nobody likes to think about what happens if things go wrong with a relationship. However, when it comes to security, this situation cannot be ignored. This question can be broken down into two parts – how do you get the data back, and when does the data get deleted. If the practice owns the data, then the answer to how to get the data back should be straightforward. In other words, the data should be provided back without any condition, and without a fee. Our practice is to provide the data back to the practice in a database format for free twice. If the practice does not own the data, then the situation often gets complicated (and often involves a fee).
The same is true for the deletion of the data. If the practice owns the data, then the vendor should have no reason to keep the data after the relationship ends, barring a reasonable amount of time to complete the deletion after the data is returned. Our practice is to delete all practice data 30 days after the end of the relationship.