Under HIPAA’s Breach Notification Rule, individuals must be notified if their protected health information (PHI), which includes demographic and medical information, has been improperly accessed or disclosed. However, if the information is encrypted consistent with the National Institute of Standards and Technology (NIST) guidance, using the Advanced Encryption Standard (AES), the Rule has a “safe harbor” under which no notification is required.
The FTC Case:
A dental practice management software vendor recently paid $250,000 to settle an FTC investigation alleging it misled customers about its encryption of patient data. According to the FTC complaint, the company marketed its software to dentists nationwide with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, claimed that patient data would be protected as required by HIPAA. The FTC cited numerous statements from the vendor’s promotional materials, including the following:
“The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”
In fact, the vendor’s encryption did not meet the AES standard, and was described as less secure and more vulnerable than other widely used encryption algorithms. The FTC alleged that the vendor was aware of the NIST guidance recommending AES encryption to help providers meet their regulatory obligation to protect data, and of the requirement that patients be notified of breaches unless the data was encrypted consistent with the NIST guidance. The vendor was charged with two counts of deceptive claims about its encryption: one relating to the industry standard and one relating to regulatory obligations.
What This Means for Healthcare Professionals:
Providers need to check with vendors providing encryption to confirm that the encryption technology is consistent with the NIST standards. This requirement should be addressed in contracts with vendors.
Donna Vanderpool, MBA, JD – Vice President
As Vice President of Risk Management, Ms. Vanderpool is responsible for the development and implementation of PRMS’s risk management services for The Psychiatrists’ Program. Ms. Vanderpool has developed expertise in the areas of HIPAA and forensic practice, and has consulted, written and spoken nationally on these and other healthcare law and risk management topics. She most recently contributed to a chapter in Gun Violence and Mental Illness (APPI), authored chapters on telepsychiatry in Mental Health Practice in a Digital World (Springer) and Psychoanalysis Online 2 (Karnac). She also has co-edited and contributed chapters to several other clinical textbooks. Prior to joining PRMS in 2000, Ms. Vanderpool practiced criminal defense law, taught business and legal courses, and spent eight years managing a general surgical practice. Ms. Vanderpool received a Bachelor’s degree in Business Administration and Management from James Madison University. She also earned a Master of Business Administration degree and Juris Doctor degree from George Mason University. Follow Donna on LinkedIn.