HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Henry Schein Gets 20-Year Consent Order and $250K FTC Fine for False Advertising of Data Encryption

The HIPAA Security Rule defines encryption as the “use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.” 45 CFR 164.304. Covered entities must ensure that the strength of the encryption software is appropriate. Not all encryption software protects data to the same degree. In fact, some methods of encryption are better referred to as data camouflage rather than data encryption.

The Department of Health and Human Services’ Office for Civil Rights recommends using robust encryption that conforms to a nationally recognized standard such as the Advanced Encryption Standard (AES), recommended by the National Institute of Standards and Technology (NIST).

Henry Schein Practice Solutions, Inc., a vendor of software solutions for dental practices, chose a different encryption standard for its Dentrix G5 software solution. The software allows dentists to enter and store patient data, process claims and payments, and send appointment reminders.

Dentists are covered under HIPAA and must therefore implement a number of administrative, technical and physical safeguards to keep patient data secure. Henry Schein was aware that HHS recommended the AES standard for encryption, and of the conditions HIPAA-covered entities must meet to qualify for the HHS safe harbor for encrypted data.


Henry Schein marketed its software to dentists, suggesting that the encryption used by its Dentrix G5 software solution would help dentists comply with HIPAA regulations. However, Dentrix G5 did not use AES encryption; instead, the company used a proprietary algorithm that did not provide the level of security required by HIPAA.

Its encryption was far less robust than AES, so much so that the United States Computer Emergency Readiness Team (US-CERT) issued a Vulnerability Note and Alert back in 2013, informing Henry Schein that it must change its marketing and branding to avoid any confusion with AES encryption. US-CERT said the company's data protection should be referred to as data camouflage rather than data encryption.

Even with that warning, Henry Schein continued to market its database software as incorporating data encryption until January 2014. Once the change had been made, Henry Schein failed to inform previous purchasers of Dentrix G5 that its encryption was not up to the same standard as AES, as recommended by HHS. Dentists using Dentrix G5 were led to believe that they had protected data to the standard demanded by HIPAA when they had done nothing of the sort.

The FTC recently ruled that Henry Schein “falsely advertised the level of encryption it provided to protect patient data.” The company has now been ordered to stop making false and misleading claims and must alert its customers about the lower standard of encryption used by Dentrix G5. The FTC has also ordered Henry Schein Practice Solutions, Inc., to pay a fine of $250,000, and the company must also comply with a 20-year consent order.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.