A violation of HIPAA by a practice’s business associate underscores the importance for conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.
The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant.
The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:
• Pay a $250,000 fine;
• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;
• Prohibition on claims that patient data was protected; and
• Schein needs notify all of its clients who purchased during the period when the material misstatements were made; and
• That the consent agreement will be published in the Federal Register.
Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.
The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.