Under HIPAA’s Breach Notification Rule, individuals must be notified if their protected health information (PHI), which includes demographic and medical information, has been improperly accessed or disclosed. However, if the information is encrypted consistent with National Institute of Standards and Technology (NIST) guidance, using the Advanced Encryption Standard (AES), the Rule provides a “safe harbor” under which no notification is required.
The FTC Case:
A dental practice management software vendor recently paid $250,000 to settle an FTC investigation alleging it misled customers about its encryption of patient data. According to the FTC complaint, the company marketed its software to dentists nationwide with deceptive claims that the software provided industry-standard encryption of sensitive patient information and, in doing so, claimed that patient data would be protected as required by HIPAA. The FTC cited numerous statements from the vendor’s promotional materials, including the following:
“The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”
In fact, the vendor’s encryption did not meet the AES standard, and was described as less secure and more vulnerable than other widely used encryption algorithms. The FTC alleged that the vendor was aware of the NIST guidance recommending AES encryption to help providers meet their regulatory obligation to protect data, and of the requirement to notify patients of breaches unless the data was encrypted consistent with the NIST guidance. The vendor was charged with two counts of deceptive encryption claims: one relating to the industry standard and one relating to regulatory obligations.
What This Means for Healthcare Professionals:
Providers need to check with vendors that supply encryption to confirm that the encryption technology is consistent with the NIST standards. This requirement should also be addressed in contracts with those vendors.