United States Veterinary Clinic Compliance Guide

A practical, section-by-section reference to the federal and state rules that govern veterinary medical records, client communications, data privacy, controlled substances, telehealth, and public health reporting.

Disclaimer: This guide is designed as public educational content. It is not legal advice. Clinics should confirm requirements with their state veterinary medical board, legal counsel, and public health authorities. Regulations change frequently; always verify current rules before relying on any information presented here.

Scope, Assumptions, and How to Use This Guide

This guide covers the primary federal and state compliance areas that affect day-to-day operations at a United States veterinary clinic. It is organized around the regulatory domains most likely to create risk for a general-practice or specialty clinic: medical records, client communications, data privacy, controlled substances, telehealth, and public health reporting.

Assumptions: The clinic is a licensed veterinary facility operating in one or more US states. It uses a practice information management system (PIMS) for medical records and communicates with clients by phone, text, and email. It may dispense or prescribe controlled substances and may offer some form of telehealth or remote triage.

How to use this guide: Read each section to understand the regulatory baseline, then use the implementation blueprint at the end to build a compliance inventory and proof-artifact system for your practice. Where state-specific examples are given, they illustrate the range of variation; always check your own state's rules.

Medical Record Compliance

Who Sets the Rules

Veterinary medical record requirements are set primarily at the state level. Each state's veterinary practice act and the rules promulgated by its veterinary medical board define what a medical record must contain, how long it must be retained, and under what circumstances it can be released. There is no single federal medical record law equivalent to HIPAA for veterinary medicine. The American Veterinary Medical Association (AVMA) publishes model practice act guidelines, but these are advisory and do not carry the force of law.

Core Record Elements

Although exact requirements vary by state, the following elements appear in most state veterinary practice acts:

  • Client name, address, and contact information
  • Patient identification (species, breed, age, sex, color/markings, name)
  • Date of each visit or service
  • Presenting complaint or reason for visit
  • Examination findings and diagnosis (or differential diagnoses)
  • Treatment plan, procedures performed, and medications administered or prescribed
  • Surgical and anesthesia records when applicable
  • Laboratory results, imaging reports, and other diagnostic data
  • Vaccination records including product, lot number, route, and site
  • Informed consent documentation for procedures carrying material risk
  • Referral and discharge summaries
  • Identity of the veterinarian responsible for the patient's care

Retention and Release

Retention periods typically range from three to seven years depending on the state. Release of records to clients is generally required upon written request, though states differ on whether the clinic may charge a reasonable copying fee. Records must generally be provided within a reasonable time frame, often 10 to 30 business days. When a client transfers to another clinic, the originating practice typically must forward copies or summaries upon request.

State Examples

State | Minimum Retention | Client Access / Release | Operational Note
California | 3 years from last visit | Must provide copies on written request; reasonable copy fee permitted | Board inspections may request records on short notice; electronic records must be readily retrievable
Texas | 5 years from last treatment | Must release to client or transferring veterinarian on written request within 15 business days | Board rule 573.52 specifies minimum content elements in detail
Illinois | 5 years from last visit | Client entitled to copies; clinic may charge reasonable fee | Controlled substance records must be maintained separately and may have longer retention requirements
New York | 3 years after last entry | Must provide records upon client request | Education law section 6714 governs veterinary practice; records must support any diagnosis or treatment rendered
Florida | 5 years from last visit | Must provide copies within a reasonable time on written request | Chapter 474 F.S. and Rule 61G18 define record requirements; board may audit records as part of license renewal

Practical Takeaways

  • Default to the longest applicable retention period. If your clinic operates in multiple states or treats traveling clients, retain records for at least five years or the maximum period required by any state where you hold a license.
  • Ensure electronic records are tamper-evident. Most boards expect that electronic medical records include audit trails showing who entered or modified data and when. Your PIMS should log all record modifications.
  • Standardize record content across providers. Use templates or structured entry forms in your PIMS to ensure every visit note captures the minimum required elements regardless of which veterinarian is on duty.
  • Have a written record-release policy. Document your process for handling client record requests including time frames, fees (if any), and the format in which records will be provided (electronic, paper, or both).

Privacy Policy and Data Security

Breach Notification Laws

All 50 US states, the District of Columbia, and US territories have enacted data breach notification laws. These laws generally require any business that holds personal information of residents to notify affected individuals when a security breach exposes their data. The definition of personal information, the notification timeline, and the notification method vary by state but typically include name plus one or more of the following: Social Security number, driver's license number, financial account number, or medical information.

For veterinary clinics, client contact information, payment card data, and in some cases pet insurance details can trigger breach notification obligations. Clinics should have a written incident response plan that identifies who is responsible for breach investigation, notification, and remediation.

California CCPA / CPRA

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to for-profit businesses that meet certain revenue or data-volume thresholds. A veterinary clinic that serves California residents and meets any of the following triggers is subject to CCPA: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more California residents or households; or deriving 50% or more of annual revenue from selling or sharing personal information.

Even clinics below these thresholds should be aware of CCPA principles because the law influences consumer expectations and may be adopted or extended by other states. Multi-location veterinary groups and corporate-owned practices are more likely to meet the thresholds.

Website Privacy Policies (CalOPPA)

The California Online Privacy Protection Act (CalOPPA) requires any commercial website or online service that collects personally identifiable information from California residents to post a conspicuous privacy policy. Because the internet is borderless, CalOPPA effectively requires a privacy policy on any US commercial website. The policy must describe the categories of information collected, how it is used, whether it is shared with third parties, and how consumers can request changes.

Veterinary clinic websites that offer online appointment booking, client portals, contact forms, or email newsletter signups should have a clear, up-to-date privacy policy that covers all data collection and use practices.

FTC Enforcement

The Federal Trade Commission (FTC) has broad authority to pursue businesses that engage in unfair or deceptive acts or practices, including misleading privacy representations or inadequate data security. Even without a sector-specific privacy law, the FTC can take action against a veterinary clinic that promises data protection in its privacy policy but fails to implement reasonable safeguards. The FTC's Health Breach Notification Rule may also apply to veterinary businesses that maintain health-related consumer data and experience a breach.

CAN-SPAM

The CAN-SPAM Act governs commercial email messages. Any email whose primary purpose is commercial (promoting a product, service, or the business itself) must include: a valid physical postal address; a clear and conspicuous opt-out mechanism; accurate header information (From, To, Reply-To); and a subject line that is not deceptive. Opt-out requests must be honored within 10 business days. Transactional or relationship emails (appointment confirmations, prescription notifications) are largely exempt but must still have accurate header information.

Controlled Substances and Pharmacy

DEA Federal Baseline

Any veterinary clinic that administers, dispenses, or prescribes controlled substances must hold a valid Drug Enforcement Administration (DEA) registration. The DEA classifies controlled substances into Schedules I through V based on potential for abuse and accepted medical use. Key federal requirements include:

  • Biennial inventory: A complete inventory of all controlled substances on hand must be conducted every two years from the date of initial registration. The inventory must record the date, substance name, dosage form, strength, and quantity. Schedule II substances must be counted exactly; Schedule III through V substances may be estimated unless the container holds more than 1,000 units.
  • Recordkeeping by schedule: Schedule II transactions require separate records (DEA Form 222 or electronic equivalent for purchases; a written, signed prescription for dispensing). Schedule III through V transactions must be documented but may be kept in the same filing system as other business records, provided they are readily retrievable.
  • Storage and security: Controlled substances must be stored in a securely locked, substantially constructed cabinet or safe, or distributed throughout the inventory in a manner that prevents theft or diversion.
  • Loss and theft reporting: Any significant loss or theft must be reported to the DEA on Form 106. The clinic should also report to local law enforcement.

State Overlays

States add their own controlled substance regulations on top of the federal baseline. These may include additional licensing (state-level controlled substance registration), more frequent inventory requirements, prescription monitoring program (PMP) reporting obligations, and restrictions on specific drugs. For example, Texas requires veterinarians to register with the Texas State Board of Pharmacy and report dispensing of controlled substances to the state's prescription monitoring program. Some states require veterinarians to check the PMP before prescribing certain schedules.

Clinics should review both DEA regulations and their state's pharmacy board and veterinary board rules to ensure full compliance. When state law is stricter than federal law, the stricter standard applies.

Telehealth, Telemedicine, and the VCPR

Veterinarian-Client-Patient Relationship (VCPR)

In the United States, a veterinarian may generally diagnose, treat, and prescribe only within the context of a valid veterinarian-client-patient relationship (VCPR). The AVMA model definition of a VCPR requires that the veterinarian has sufficient knowledge of the animal to initiate at least a preliminary diagnosis, which traditionally requires a physical examination. State practice acts define how a VCPR is established, and many states still require an in-person examination.

Federal VCPR for Drug Use

Federal law (21 CFR 530.3) defines a VCPR for purposes of extra-label drug use. Under the federal definition, the veterinarian must have recently examined the animal or made medically appropriate visits to the premises where the animal is kept, must be available for follow-up care, and the client must agree to follow the veterinarian's instructions. This federal definition governs when a veterinarian may prescribe drugs for extra-label use; the state VCPR definition governs the broader scope of veterinary practice.

Telehealth Practical Guidance

The regulatory landscape for veterinary telehealth is evolving rapidly. Some states now allow a VCPR to be established via telehealth (video consultation) while others still require an initial in-person examination. Clinics offering telehealth services should:

  • Confirm whether their state allows VCPR establishment via telehealth or only permits telehealth within an existing VCPR.
  • Document the telehealth encounter in the medical record with the same level of detail as an in-person visit, including the technology used and any limitations noted.
  • Ensure the client is informed about the limitations of remote evaluation and provides consent for the telehealth consultation.
  • Verify licensure requirements -- the veterinarian must be licensed in the state where the animal is located at the time of the consultation, not just where the veterinarian is physically present.

Public Health Reporting

Veterinary clinics have public health reporting obligations that vary by state and locality. The most common mandatory reporting requirements involve animal bites, rabies exposure, and certain notifiable diseases. Failure to report can result in fines, disciplinary action, or liability if a public health risk goes unaddressed.

Bite Reporting

Most states require that animal bites inflicted on humans be reported to local animal control or public health authorities. The reporting obligation may fall on the treating veterinarian, the animal owner, the human medical provider, or all three depending on the jurisdiction. Timelines range from immediate notification to written reports within 24 to 72 hours.

  • Texas: Bite wounds must be reported to the local rabies control authority. The biting animal is typically subject to a 10-day quarantine observation period. Veterinarians who treat an animal involved in a bite incident have a reporting obligation.
  • Illinois: Animal bites must be reported to the local health department. The Illinois Animal Control Act requires a quarantine period for the biting animal and mandates that veterinarians cooperate with animal control investigations.
  • California: Health and Safety Code section 121685 requires any person, including a veterinarian, who knows or suspects that an animal has bitten a person to report the incident to the local health officer or animal control within 24 hours.

Reportable Diseases

Many states require veterinarians to report certain animal diseases to the state veterinarian or state department of agriculture. Reportable diseases commonly include rabies, brucellosis, tuberculosis, and highly pathogenic avian influenza, among others. The USDA also maintains a federal list of nationally notifiable diseases. Clinics should maintain a current list of reportable diseases for their state and train staff to recognize and escalate suspected cases.

Implementation Blueprint

Compliance Inventory Checklist

Use this checklist to assess your clinic's current compliance posture. For each item, determine whether you have a documented process, whether the process is being followed consistently, and whether you have proof artifacts to demonstrate compliance if audited.

Area | Checklist Item | Status
Medical Records | All visit notes contain minimum required elements per state practice act |
Medical Records | Retention policy documented and enforced (meets longest applicable state period) |
Medical Records | Record-release process documented with defined time frames and fee schedule |
Medical Records | PIMS audit trail enabled for all record modifications |
Telecom / Messaging | Written consent form captures TCPA-compliant authorization for automated messages |
Telecom / Messaging | Consent records are time-stamped and retrievable per client |
Telecom / Messaging | Opt-out mechanism is functional and processes requests immediately |
Telecom / Messaging | Internal do-not-call list is maintained and checked before outreach |
Privacy / Security | Website privacy policy is current, conspicuous, and covers all data collection |
Privacy / Security | Data breach incident response plan is documented and staff are trained |
Privacy / Security | Commercial emails include physical address, opt-out link, and accurate headers |
Controlled Substances | DEA registration is current; biennial inventory is on schedule |
Controlled Substances | Schedule II records are maintained separately; all logs are current |
Controlled Substances | State pharmacy / PMP requirements are identified and followed |
Telehealth | State VCPR rules for telehealth are documented; staff know which services require in-person exam |
Telehealth | Telehealth consent and documentation procedures are in place |
Public Health | Bite reporting procedures and contacts are posted and staff are trained |
Public Health | Reportable disease list is current; escalation path is defined |

Proof Artifacts by Compliance Bucket

Compliance is only as strong as the evidence you can produce when asked. Organize proof artifacts by category so they are readily accessible during board inspections, audits, or legal proceedings.

Compliance Bucket | Required Proof Artifacts
Medical Records | PIMS audit trail reports; written retention and release policies; sample record-release request and fulfillment log
Telecom / Messaging | Signed or electronic consent forms; message logs with timestamps, recipient, and content; opt-out request log with processing dates; internal DNC list
Privacy / Data Security | Current website privacy policy (with version date); breach incident response plan; CAN-SPAM compliance checklist for email templates; breach notification records (if applicable)
Controlled Substances | Current DEA registration certificate; biennial inventory records; Schedule II purchase and dispensing logs; DEA Form 106 filings (if applicable); state pharmacy registration
Telehealth | State VCPR rule summary; telehealth consent forms; telehealth encounter documentation in PIMS; licensure verification for cross-state consultations
Public Health | Bite report copies and submission confirmations; reportable disease notifications; quarantine documentation; current state reportable disease list
