Important Lessons for Protecting Patient Data in Recent FTC Action on Vendor's "Encryption" Claims
February 15, 2016 | Authors: Stephen E. (Steve) Gillette; Alexis S. Gilroy; Kevin D. Lyles; Cristiana Spontoni; Soleil E. Teubner
Law Firms: Jones Day - Palo Alto Office; Jones Day - Washington Office; Jones Day - Columbus Office; Jones Day - Brussels Office; Jones Day - San Francisco Office
    As new technologies and delivery models make it harder for health care providers to protect patients' personal health information, many have incorporated or are incorporating encryption into their electronic health records and technology platforms to help meet the privacy and security requirements of HIPAA and similar state statutes. An encryption product transforms readable data (plaintext) into ciphertext using a cipher and a secret key, so that without the key the ciphertext cannot feasibly be reversed; a transform that can be undone without any key is obfuscation, not encryption. Although encryption is not uniformly required by law (and is not always implemented correctly in practice), properly implemented encryption is a fundamental first step in protecting patient data, and under HHS guidance protected health information encrypted consistent with NIST guidance is treated as secured, giving the holder a safe harbor from certain breach notification requirements.

    A recent enforcement action by the Federal Trade Commission ("FTC"), however, suggests that health care providers should perform careful diligence when selecting an encryption product, and that software vendors should ensure their "encryption" claims actually afford the level of security purported in their marketing campaigns.

    Last month, the FTC's Bureau of Consumer Protection released details of an enforcement action against a provider of office management software for dental practices. In its complaint, the FTC alleged the company falsely advertised the level of encryption provided to protect patient data. Specifically, the FTC alleged the company advertised its software as providing "industry-standard encryption" when in fact it protected patient data with a less complex method of "data masking" or "data camouflage," what the FTC described as a "weak obfuscation algorithm," rather than the Advanced Encryption Standard ("AES", specified by the National Institute of Standards and Technology ("NIST") in FIPS 197) that NIST recommends. Under the terms of the proposed consent order, the company must pay $250,000 to the FTC and must stop the marketing practices deemed misleading.

    In addition, the company must notify all customers who purchased the software product during the relevant period and must update the FTC regarding its notification program. The proposed consent order was made available for public comment.

    This action reflects continued regulatory scrutiny of software vendors' marketing practices, especially on data privacy and security issues. In particular, the proposed settlement highlights the risk of using phrases like "industry standard": when regulators investigate such claims, they rely on NIST standards not merely as guidance but as the framework against which the claim is measured. Likewise, as health care providers adopt new software products, they should evaluate their security needs and have technical staff examine the software's encryption functions before contracting with a vendor: which algorithm and key length are used, how keys are generated and stored (a key kept alongside the data it protects offers little), and whether the output is in fact produced by a keyed cipher rather than a reversible transform that anyone can undo.
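    The following Go program is an added illustration, not code from the vendor, the FTC complaint, or the article's authors, of the difference between a "weak obfuscation algorithm" and NIST-recommended encryption, and of the kind of check technical staff can run on a product's output. The page does not say what the vendor's masking scheme was, so a repeating-key XOR mask is used as a hypothetical stand-in; the patient records and keys are constructed sample data. The mask is reversible by anyone who knows one predictable field (here the "PATIENT:" header), so the "key" falls out of a single record and unlocks every other record. AES in GCM mode from Go's standard library, by contrast, produces different ciphertext for the same record on every call and rejects any tampered ciphertext rather than decrypting it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// maskXOR stands in for a "data camouflage" scheme (a hypothetical one, not the
// vendor's actual algorithm): every byte is XORed with a short, fixed key that
// repeats across the record. It is reversible, but it is not keyed in any
// meaningful sense, as recoverMaskKey shows.
func maskXOR(key, data []byte) []byte {
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// recoverMaskKey recovers the mask key from a single known plaintext/masked
// pair. Any predictable field (a record header, a fixed form label) of at
// least keyLen bytes is enough: the key is simply plaintext XOR masked.
func recoverMaskKey(known, masked []byte, keyLen int) []byte {
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = known[i] ^ masked[i]
	}
	return key
}

// sealAESGCM encrypts with AES-GCM (AES-128/192/256 depending on key length)
// under a fresh random nonce; the nonce is prepended to the ciphertext.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; any modification of the box fails the
// authentication tag check and returns an error instead of bogus plaintext.
func openAESGCM(key, box []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(box) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:n], box[n:], nil)
}

func main() {
	// Constructed sample records; "PATIENT:" is the predictable header an
	// attacker can assume every record starts with.
	maskKey := []byte("S3cr3tK!")
	rec1 := []byte("PATIENT:Jane Doe, DOB 1980-01-01")
	rec2 := []byte("PATIENT:John Roe, DOB 1975-06-30")

	m1, m2 := maskXOR(maskKey, rec1), maskXOR(maskKey, rec2)
	guessed := recoverMaskKey([]byte("PATIENT:"), m1[:8], 8)
	fmt.Printf("mask key recovered from one header: %t\n", bytes.Equal(guessed, maskKey))
	fmt.Printf("second record unmasked with it: %q\n", maskXOR(guessed, m2))

	aesKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(aesKey); err != nil {
		panic(err)
	}
	c1, _ := sealAESGCM(aesKey, rec1)
	c2, _ := sealAESGCM(aesKey, rec1)
	fmt.Printf("same record, same ciphertext under AES-GCM: %t\n", bytes.Equal(c1, c2))
	c1[len(c1)-1] ^= 0x01
	_, err := openAESGCM(aesKey, c1)
	fmt.Printf("tampered ciphertext rejected: %t\n", err != nil)
}
```

    The first test (does a known field let me recover everything else?) and the second (does the same input give the same output twice, and does a one-bit change go unnoticed?) need no access to the vendor's source, only to its stored output, which is why they make a useful pre-contract check.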