As new technologies and delivery models create challenges for
health care providers in regard to protecting patients'
personal health information, many have incorporated or are
incorporating encryption tools into their electronic health records
and technology platforms to help ensure compliance with the privacy
and security requirements of HIPAA and similar state statutes. Most
encryption products convert readable text into encoded text by
means of an algorithm, and although not uniformly required by law
(and not always successful in practice), properly
implemented encryption can be a fundamental first step in
protecting patient data and can provide the user with a safe harbor
from certain breach notification requirements.
A recent enforcement action by the Federal Trade Commission
("FTC"), however, suggests that health care providers
should perform careful diligence when selecting an encryption
product, and that software providers should ensure their
"encryption" claims actually afford the level of security
purported in their marketing campaigns.
Last month, the Consumer Protection Bureau of the FTC released
details of an enforcement action against a provider of office
management software for dental practices. In its complaint, the FTC alleged that the company
falsely advertised the level of encryption provided to protect
patient data. Specifically, the FTC alleged that the company advertised
its software as providing "industry-standard encryption"
despite the fact that the company used a less complex method of
"data masking" or "data camouflage"—what
the FTC described as a "weak obfuscation
algorithm"—to protect patient data, rather than the
Advanced Encryption Standard recommended by the National Institute
of Standards and Technology ("NIST"). Under the terms of
the proposed consent order, the company must pay
$250,000 to the FTC and agree to stop certain marketing practices
deemed misleading.
In addition, the company must notify all customers who purchased
the software product during the relevant period and must update the
FTC regarding its notification program. The proposed consent order
was made available for public comment.
This action represents continued regulatory scrutiny into the
marketing practices of software vendors, especially on data privacy
and security issues. In particular, the proposed settlement
highlights the risk of using phrases like "industry
standard": when regulators investigate such claims, they often
treat NIST standards not merely as guidance but as the benchmark
against which the claim is measured. Likewise, as
health care providers look to adopt new software products, they
should evaluate their security needs and have technical staff
examine the software's encryption functions prior to
contracting with a vendor.