Summary
Data encrypted in accordance with the Advanced Encryption Standard (“AES”) gives dentists a “safe harbor” in the event of certain breaches of patient information. However, those relying on Henry Schein’s Dentrix G5 software to meet HIPAA requirements and protect sensitive patient information may want to test their systems and investigate the extent to which upgrades may be necessary, due to recent charges brought against the company by the FTC.
The Dentrix G5 software is an office management program for dental practices that Henry Schein markets nationwide to dentists. In its filed complaint, the Federal Trade Commission (“FTC”) alleged, among other things, that Henry Schein (1) deceived customers with claims that the Dentrix G5 program provided industry-standard encryption of sensitive patient information sufficient to comply with the requirements of HIPAA and (2) knew the encryption method of data masking utilized by the Dentrix G5 software was less complex, and therefore less protective, than the industry-standard, known as AES, which has been recommended by the National Institute of Standards and Technology (“NIST”) and cited as guidance by the Department of Health and Human Services (“HHS”) for providing the degree of protection necessary to meet HIPAA regulations.
Henry Schein has entered into a proposed consent order with the FTC to settle the complaint, agreeing to pay $250,000 to the FTC, and to refrain from misleading customers about the extent to which its products use industry-standard encryption, help ensure regulatory compliance or protect the personal information of consumers. Henry Schein has also agreed to notify all purchasers of the Dentrix G5 program during the period when deceptive statements were made to advise them that the program does not provide industry-standard encryption. While the consent order is subject to public comment for 30 days and an FTC final order, the real point is that cybersecurity is a big issue now in everyday life and certainly with respect to the protection of sensitive patient information, and federal regulatory agencies such as HHS, NIST and the FTC are paying attention to compliance with HIPAA requirements.
View Document(s):
