HIPAA applies to animals when information about an animal is stored in the same designated record set as Protected Health Information (PHI), and the information could be used to identify the human subject of the PHI. Examples include when a patient’s medical notes include information about their support dog or an emotional support animal.
In May 2004, NBC News ran a story implying that veterinarians, animal hospitals, and zoos were withholding “patient information” due to HIPAA. More than twenty years on, some people are still unsure does HIPAA apply to animals. The answer to the question is that HIPAA does not apply to animals as patients, but there are circumstances when HIPAA applies to information about an animal when the information could be used to identify the human subject of PHI.
When Does HIPAA Apply to Animals’ Information?
Under HIPAA, PHI is maintained in “designated record sets”. These are sets of information that are used by covered entities to make decisions about an individual’s healthcare or payment for healthcare. A covered entity may maintain one designated record set per individual or dozens. In addition, a designated record set can consist of a single item of PHI or thousands of items depending on what the sets are used for and the ease of applying access controls to each set.
Non-health information that is included in a designated set with PHI – for example, a contact phone number for a relative or a description of a patient’s car – assumes the same privacy and security protections as PHI if it could be used individually or with other elements of non-health information to identify the human subject of the PHI. In the context of does HIPAA apply to animals, this includes information about an animal if it could be used to identify its owner.
As an example that will resonate with fans of the sitcom Frasier, if a hacker accessed a designated record set maintained by a hospital in Seattle that contained deidentified PHI and a picture of a wire-haired Jack Russel Terrier named Eddie, it would not take much imagination to connect the deidentified PHI with the character Martin Krane. In this example, HIPAA would apply to the image of Eddie as it could be used to identify the human subject of the PHI.
The Growth of Animals as HIPAA Identifiers
According to the National Service Animal Registry, there are more than 240,000 service dogs and emotional support animals registered on their database. The number has doubled in recent years due to the pandemic and due to housing laws that require landlords with no-pet policies to accept tenants with emotional support animals (because emotional support animals are not considered pets by the law, but animals that provide assistance to people with disabilities).
However, to be registered as an emotional support animal, the animal’s owner must obtain an ESA letter from a healthcare professional or licensed therapist certifying that the owner has a mental health disability that is improved by the animal’s presence. Details of the emotional support animal are entered into the individual’s designated record set – which would not necessarily make it a HIPAA identifier if they were all black labradors. But they’re not.
In May 2023, CBS News ran a news story about the increasing variety of animals used for emotional support. The news story mentions skunks, squirrels, peacocks, and even a crocodile. Other news reports from around the Internet mention pigs, marmosets, and a kangaroo. The information about these animals, when entered into a designated record set, could easily by used to identify the human subject of PHI and, in these cases, HIPAA would apply to the animals’ information.