Beware False Promises From Software Vendors Regarding HIPAA Compliance

February 1, 2016 – In The News
Medical Practice Compliance Alert

Elizabeth G. Litten and Michael J. Kline were featured in the Medical Practice Compliance article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but a synopsis is below.

Health providers may be at risk of health violations or security breaches if they rely on assurances from HIPAA compliance and protection from software vendors.

Recently, Henry Schein Practice Solutions Inc. agreed to pay $250,000 in fines to the Federal Trade Commission (FTC) after falsely advertising the level of encryption that was provided and claiming that the software met the standard of the National Institute of Standards and Technology (NIST).

After the NIST placed the company on the vulnerability list, Schein rebranded their product as “data Camouflage” or data masking as opposed to encryption, says Fox Rothschild’s Elizabeth Litten.

According to Fox Rothschild’s Michael Kline, the practices that were affected by Schein’s lack of encryption and compliance with HIPAA may have been skimped on other safeguards as a result, which may still leave records vulnerable.

“The encryption safe harbor [in the event of a breach] would not apply, and practices may not have included this in [their] risk analyses,” adds Kline.

Litten continues by adding that practices need to reassess their risk and determine whether breach of unsecured information occurred. If so, retroactively report to patients, HHS and the media.

“I’m sure there will be a lawsuit on this,” says Kline. “It’s wild and wooly out there, and you don’t know the quality of the wool you’re buying.”

Litten and Kline continue by offering 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors.