Pet insurance companies, as a rule, do not fall under the category of HIPAA covered entities because they do not provide health care to humans, nor do they process human medical claims or maintain human medical records. HIPAA protections extend only to protected health information (PHI) that relates to the health of an individual human and is held by a covered entity or its business associate.
Veterinary records, including those processed by pet insurance companies, are not considered PHI under HIPAA, as animals are not recognized as patients under this law. A nuanced situation arises when owner information is embedded within veterinary records, as owner data can sometimes be included in free-text fields or documentation, making anonymization challenging.
The current state of data handling, which reflects how it might not be optimal for PHI security is illustrated in Jamia Open ‘Veterinary informatics: forging the future between veterinary medicine, human medicine, and One Health initiatives’, “Current limitations in the field of veterinary informatics include limited sources of training data for developing machine learning and artificial intelligence algorithms, siloed data between academic institutions, corporate institutions, and many small private practices, and inconsistent data formats that make many integration problems difficult.”
If a pet insurance company were to collect, store, or process health information about the human owner that is directly related to the owner’s health care (for example, if the pet’s health is linked to the owner’s medical condition or therapy, such as in the case of service animals or emotional support animals), and if this information is handled by a HIPAA covered entity, then HIPAA protections could theoretically be triggered. In practice, this is rare, as most pet insurance companies operate outside the HIPAA bubble.
In the context of U.S. law and medical practice, animals are not legally considered “patients” in the same sense as humans. Veterinary records are managed with far fewer legal restrictions, and only a few states have specific regulations regarding the confidentiality of veterinary medical records. The boundaries between human and animal healthcare are increasingly blurred, particularly as the One Health and One Welfare frameworks gain traction.
According to a study using the above mentioned frameworks, ‘The Impact of the Social Determinants of Human Health on Companion Animal Welfare,’ “One Health focuses on the integration of these sectors for human health outcomes... One Welfare is an extension of the One Health framework, incorporating animal welfare by emphasising positive interactions between humans and animals.”
These frameworks recognize that human and animal health are interconnected, especially in shared environments, zoonotic disease transmission, and the social determinants of health. For example, the welfare of a companion animal can directly influence, and be influenced by, the health and well-being of its human guardian. During crises such as natural disasters or pandemics, human healthcare decisions are often made with consideration for animal welfare, as some individuals may forgo medical care to avoid separation from their pets.
PHI is strictly defined as individually identifiable health information that relates to the health status, provision of health care, or payment for health care of a human individual, and is created or received by a covered entity. An example of HIPAA’s purview is noted in a Journal of Digal Imaging study, “Sharing such images requires informed consent by the patient and robust removal of protected health information (PHI) from the images” On the other hand, information about a pet owner does not relate to the owner’s health status or medical care unless it is specifically linked to a human health service.
The owner's information is instead governed by general data privacy laws, which may define personal data as any information that can identify an individual, such as names, addresses, phone numbers, or even IP addresses. In veterinary records, owner information is often included for administrative purposes, but unless the record contains information about the owner’s health, it does not meet the criteria for PHI.
Overlap between human PHI and pet insurance is uncommon but can occur in specific circumstances where information about a human’s health is collected or processed in connection with pet insurance. This might happen, for example, when a pet is designated as a service animal or emotional support animal, and the insurance company requires documentation of the owner’s medical condition to validate the animal’s role.
The above-mentioned Animals study provides the additional insight, “Given that humans share their social, political and physical environments with companion animals, it is reasonable to conclude that because these environments affect humans, they would also directly affect animals.”
In this case, the owner may submit medical records or a physician’s letter to the pet insurance company, potentially creating a dataset that includes both veterinary and human health information. If the pet insurance company is not a HIPAA-covered entity, this information is not protected by HIPAA, even though it contains human PHI.
In the rare chance a HIPAA covered entity discloses human PHI to a pet insurance company, it must do so in compliance with HIPAA’s privacy and security rules. The risk of overlap is further heightened if owner health information is inadvertently included in veterinary records, especially in free-text fields or communications between veterinarians and pet owners.
The Americans with Disabilities Act (ADA) explicitly covers service animals (SAs) and psychiatric service animals (PSAs) but excludes emotional support animals (ESAs) because ESAs are not individually trained to perform specific tasks related to a person’s disability. This exclusion means ESAs do not have the same legal protections or access rights under the ADA, such as entry into public places including restaurants, stores, or public transportation.
According to a Professional Psychology: Research and Practice study, ‘Emotional Support Animal Assessments: Toward a Standard and Comprehensive Model for Mental Health Professionals,’ “A major difficulty with most ESA certifications involves a general lack of awareness regarding ESA laws on the part of many mental health professionals writing certification letters, as well as a lack of consistent standards for performing appropriate assessments.”
The ADA’s focus is on preventing discrimination against individuals with disabilities by ensuring access through trained service animals, which ESAs do not meet due to their lack of specialized training and task performance. The ADA does not provide a legal framework for regulating the use or certification of ESAs, nor does it govern the handling of data related to ESA owners.
While mental health professionals who evaluate individuals for ESA certification may be HIPAA covered entities, the ESA itself and pet insurance or animal-related organizations are not. The data related to ESAs and their owners, especially when managed outside of healthcare providers, falls outside HIPAA’s jurisdiction. The ESA certification processes also lacks standardized guidelines, and mental health professionals may collect personal and health-related information that is not uniformly protected under HIPAA when shared with non-covered entities.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Not under HIPAA because it’s not human PHI.
Not directly, but indirectly, yes. In cases of zoonotic disease surveillance (e.g. rabies, avian flu), if a veterinarian works with public health departments and shares owner information, then those disclosures may trigger public health exemptions under HIPAA.
No. HIPAA doesn’t cover them, so there’s no legal liability under HIPAA for breaches involving animal medical data.