If you run a veterinary practice, you've probably heard a client, a vendor, or even your own front desk mention "HIPAA compliance" at some point. It's a reasonable assumption to make. You handle sensitive records, you take payments, you store personal information about your clients. The problem is that assumption is wrong, and believing it can leave your practice less protected, not more.
Does HIPAA actually apply to a veterinary practice?
No. HIPAA governs protected health information for humans, and a covered entity under the law is specifically a health plan, a health care clearinghouse, or a health care provider who transmits health information electronically for a regulated transaction. The U.S. Department of Health and Human Services defines that scope directly: if an organization doesn't meet the definition of a covered entity or business associate, it has no obligation to comply with the HIPAA Rules at all (HHS.gov). A veterinary practice, no matter how sophisticated its recordkeeping or how much personal client information it holds, does not treat human patients and does not bill health insurers for medical claims. That takes it outside HIPAA's reach entirely.
This surprises a lot of practice owners, understandably. The language of veterinary medicine borrows heavily from human medicine: patient charts, medical history, treatment plans, prescriptions. It feels like it should be covered. It isn't, and no amount of internal policy will change that legal fact.
So what actually applies to your clinic?
The absence of HIPAA doesn't mean the absence of regulation. It means the rules that do apply come from a different set of sources, and most practice owners have never had them laid out clearly in one place.
State confidentiality and breach notification law. The majority of states have their own statutes covering veterinary record confidentiality, and separately, most states require notification when client data is breached, regardless of industry. Virginia and North Carolina both have breach notification statutes that apply to any business holding personal information, veterinary practices included. If a ransomware attack exposes client names, addresses, and payment details, that's very likely a reportable breach under state law even though it has nothing to do with HIPAA.
DEA recordkeeping for controlled substances. If your practice is registered to handle Schedule II through V drugs, which most full-service clinics are, federal law requires an accurate, current inventory of everything on hand, an initial inventory when you start handling controlled substances, and a new inventory at least every two years. Records have to be kept at the registered location and made available for inspection. This is spelled out directly in the DEA's own recordkeeping regulation (21 CFR § 1304.11). A messy or inaccessible digital logbook is a compliance problem long before it's a cybersecurity problem, and the two are more connected than most practices realize.
PCI DSS for card payments. Any practice that accepts credit or debit cards, which is essentially all of them now, has a contractual obligation to its payment processor to protect cardholder data under the Payment Card Industry Data Security Standard. This isn't optional and isn't tied to practice size in the way people assume.
Professional ethics and AVMA guidance. The American Veterinary Medical Association maintains privacy principles that, while voluntary, set the professional expectation for how client and patient information should be handled. Several state veterinary boards have folded similar language directly into licensing requirements.
Put together, a veterinary practice usually has real, enforceable obligations from three or four different directions, just not the one everyone assumes.
Why cybersecurity still matters even without a HIPAA mandate
Here's the part that gets lost in the "HIPAA doesn't apply to us" conversation: the absence of a federal mandate doesn't reduce the actual risk sitting on your network. A veterinary practice management system holds client names, addresses, phone numbers, payment history, and pet medical records, more than enough for identity theft or a targeted phishing campaign, and controlled substance logs are an attractive target in their own right.
Ransomware doesn't check whether you're a HIPAA covered entity before it encrypts your server. A veterinary clinic that loses access to its practice management software loses the ability to pull up a patient's surgical history mid-appointment, process payment, or refill a prescription safely. That's an operational crisis regardless of which regulation technically governs the data involved.
There's also a trust dimension that has nothing to do with law. Clients hand over personal financial information and detailed history about an animal they consider family. A data breach, even one that creates no HIPAA liability whatsoever, damages that relationship and your reputation in a tight-knit local market where word travels fast.
What Hampton Roads and Northern NC vet practices should actually do
Given the real mix of obligations above, a practical security baseline looks less like "become HIPAA compliant" and more like this:
- Secure the controlled substance log itself. Whether it's paper or digital, make sure access is restricted, the records are backed up, and the biennial inventory requirement is actually being met on schedule.
- Segment and back up your practice management system. Regular, tested backups mean a ransomware incident becomes a recovery problem instead of a shutdown.
- Enforce multi-factor authentication on email, your PMS, and any remote access tools, since compromised credentials are still the most common way attackers get in.
- Know your state's breach notification clock. Virginia and North Carolina both set specific timelines for notifying affected individuals, and finding that out during an actual incident is the wrong time to learn it.
- Confirm your payment processor's PCI DSS requirements apply correctly to however you're currently taking card payments, especially if you've added online booking or a client portal recently.
None of this requires pretending a law applies to you that doesn't. It requires treating client and patient data with the seriousness the actual regulatory landscape, and plain common sense, already demands.
If you're not sure where your practice actually stands against these requirements, that's exactly what a proper risk assessment is for. Crossguard Cyber's free assessment walks through your current setup in three steps and gives you a clear picture of where the real gaps are, not the ones a compliance myth pointed you toward.