As If a 20-Year Consent Order Wasn’t Enough Fun: FTC Brings First Monetary Settlement in Information Security Case

The FTC reached a $250,000 settlement with a 20-year consent order with Henry Schein Practice Solutions, Inc. over its use of allegedly subpar encryption technology in its offering to dental practices. This settlement is particularly noteworthy for a number of reasons:

• In addition to the typical 20-year consent order (in this case requiring Schein to make annual compliance reports to the FTC), the FTC order includes the first financial settlement of an information security matter ($250,000), which goes into a redress fund for affected customers, and with unused funds deposited to the U.S. Treasury.
• The FTC’s complaint alleged that the encryption that Schein’s software used “was not capable of helping dentists protect patient data, as required by HIPAA.” What the FTC's complaint suggests that the HIPAA Security Rule requires arguably is not the case. The HIPAA Breach Notification Rule includes a breach notification safe harbor if data is encrypted in accordance with NIST standards; however, the Security Rule, in contrast, does not. Although it appears that a covered entity or business associate could comply with the HIPAA Security Rule even with encryption that does not meet NIST standards, this FTC settlement raises the prospect that the FTC may consider related claims of HIPAA compliance as deceptive if encryption does not meet NIST standards.
• To our knowledge, this is the sixth FTC complaint that has been brought against an entity that also is covered by HIPAA with respect to a health information privacy or security matter. As with prior cases such as GMR Transcription (involving the level of required due diligence for business associates) or PaymentsMD (involving how a patient authorization was obtained online), the FTC appears to be applying tougher standards than HIPAA’s requirements (e.g., requiring a greater level of vendor management than what HHS historically has interpreted HIPAA as requiring).

While the FTC’s authority under Section 5 is not applicable to non-profits, for other health care covered entities and business associates this settlement provides some important lessons:

1. HIPAA compliance may not be enough. Even if you have encryption or other technology that might satisfy the HIPAA Security Rule, the FTC nonetheless may find that it does not satisfy industry standards. Implementing measures consistent with NIST guidance, though, may generally be a safe bet.
2. All of that marketing regarding HIPAA compliance can come back to bite you. Health care customers expect their service providers to comply with HIPAA. But making glossy promises of compliance may invite greater FTC scrutiny.
3. As if a 20-year consent order was not bad enough, now the FTC may seek financial payment too. And an FTC settlement does not preclude a HIPAA action by HHS, a HIPAA action by one or more state attorneys general, or actions under state laws.