HIE Dispute With Vendor Spotlights Critical Security Issues
Defunct Vendor's Plan to Destroy Patient Data Raises HIPAA Concerns
A HIPAA-related legal dispute between a Chicago-area health information exchange organization and its key IT vendor, which is going out of business, spotlights several important privacy and security issues.
The lawsuit filed in a federal court by MCHC-Chicago Hospital Council, which operates the MetroChicago Health Information Exchange, against its IT vendor, Sandlot Solutions, and Santa Rosa Consulting, an owner of the vendor, alleges breach of contract. The HIE facilitates health data exchange among 30 hospitals in Illinois.
The dispute centers on Sandlot's plan to destroy the exchange's data, including audit log data and HIE members' patient data, within 24 hours after providing a copy of "raw" data to the HIE. The HIE alleged that Sandlot's data transition plan does not adequately allow it to properly download and validate the copy before Sandlot destroys the client data.
The case touches upon a number of issues that all covered entities and business associates need to keep in mind when it comes to the duty to safeguard patient data regardless of unanticipated challenges, such as a company going out of business, says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
"An organization that creates or maintains health information cannot look to the HIPAA rules as a shield to protect against the bad acts of contractors and vendors who maintain or manage the patient records," he says. "The best approach is to compensate for the risk that vendors holding the organization's PHI will have unintentional or intentional disruptions that deprive access to the data. Develop contingency plans, have a remote site that maintains exact real-time duplicate data, or create data backups on a regular basis."
In its lawsuit, MCHC alleged that Sandlot breached its agreement with the HIE "by shutting down the MetroChicago HIE system and denying ... participants' access to their client data on the system."
MCHC said it learned that Sandlot would cease operations by April 8, and that Sandlot was planning to provide the exchange a copy of its "raw client data" and then, within 24 hours, destroy the data from its third-party hosting service's servers. MCHC says that plan would result in "a clear violation" of HIPAA.
"MCHC has grave concerns that the data transition plan suggested by Sandlot and Santa Rosa will not allow MCHC to properly download and validate the copy of the client data produced by Sandlot in order to determine whether any of the client data is even usable and not corrupted before Sandlot destroys the existing client data," the lawsuit stated.
"If Sandlot proceeds with its destruction protocol and MCHC discovers that the raw client data copy is corrupt or unusable, MCHC would lose all of the existing client data which MCHC and its participants collected over a more than two year period. This would result in the loss of millions of individual records with PHI for more than 2 million patients in the MetroChicago HIE."
A federal judge on April 7 signed a temporary restraining order, which was extended on April 19, "to cease any destruction of the client data" and preserve it until May 4.
The restraining order noted that during court arguments, Sandlot attorneys said the vendor would be providing a copy to MCHC of the client data and a virtual copy of the entire software database, including client data and "necessary application software and operating software to run the system and validate the client data."
The legal dispute in Chicago highlights some of the critical security and privacy issues that add to the complexity of relationships between covered entities and business associates.
"HIPAA requires a business associate agreement to include provisions requiring the business associate to return or destroy protected health information at termination of the agreement," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"But this case highlights the amount of uncertainty that remains when the business associate makes the choice to return or destroy protected health information. Accordingly, when contracting with business associates, healthcare entities should consider addressing under what circumstances the business associate may destroy rather than return data, what form returned data will be in, and how much time business associates will have to return data to the covered entity before destruction."
The MCHC case also raises an important question about audit logs, Greene notes.
"While the HIPAA Security Rule requires a business associate to maintain reasonable and appropriate audit logs, the law is unclear as to whether a covered entity must have access to those logs or has any rights to those logs if the business associate ceases operations," he says. "The practical reality is that, without the business associate's audit logs, a covered entity may have no ability to identify how a patient's information has been shared in a health information exchange."
While Greene says HIPAA addresses information that must be included in an "accounting of disclosures," HIPAA is less clear about covered entities' and business associates' obligations related to information that is not subject to the accounting-of-disclosures requirements.
David Whitlinger, executive director of New York state's Statewide Health Information Network of New York, or SHIN-NY, says the dispute in Chicago also highlights the importance of carefully vetting vendors to help avoid issues involving data privacy, security and availability.
"Organizations need to carefully check the track records of vendors," he says. SHIN-NY, which handles health data of about 40 million patients, chose a "well-established" HIE software vendor and manages and controls the data on its own servers "so even if the vendor were to go under, we still have our data in our hands," he says.
Privacy attorney Kirk Nahra of the law firm Wiley Rein LLP says the disagreement between MCHC and Sandlot is similar to some disputes he's seen between healthcare providers and their electronic health record vendors.
"There are a variety of issues that can arise in these settings," he says. "We've seen some similar situations come up when there have been contract disputes and threats to move from one EHR to another, where the records have been sort of held hostage."
Among such incidents was a 2014 business dispute involving EHR vendor CompuGroup, which allegedly blocked a small Maine clinic, Full Circle Health Care, from accessing the medical histories on its 4,000 patients after the medical practice stopped paying a monthly maintenance fee (see EHR Vendor Dispute: Lessons Learned).
These kinds of potential disputes between healthcare entities and vendors also spotlight the importance of having a recovery and backup plan, Nahra says.
"Unfortunately, this puts some stress on the system, and should cause hospitals and others to develop backup scenarios, which are required by the [HIPAA] Security Rule in any event," he says. "This should be a reminder to hospitals to make sure they have developed an approach to anticipate something going wrong with the vendor."
Other organizations can take key steps to avoid the kind of trouble that's occurred in the Chicago-area dispute, Holtzman says.
"There are many reputable vendors who have developed top-notch technologies to provide secure and reliable platforms that serve as the backbone for the HIE. What is important is that the HIE and its participants put into place strong measures to administer access to the PHI contributed for exchange and to ensure that any vendor selected to handle the data is vetted to ensure they have the necessary policies and technologies in place to keep the PHI secure, and appropriate contingency plans when normal operations are interrupted."