Why Contingency Planning for Vendor Data Disputes Is Critical
Lawsuit Over Patient Records Access Highlights the Need to Be Prepared
A lawsuit over a Florida dentist's inability to access patient data stored by a cloud-based electronic medical records vendor illustrates why all healthcare providers need to plan for possible disruptions caused by disputes with business associates.
"Make sure that your organization has planned for contingencies that could result when the relationship with an EHR or cloud computing vendor creates disruption in access to PHI. Ensure that an appropriate plan is in place to create and maintain backup copies of all data to ensure its availability and integrity in the event of a planned or unplanned interruption to the vendor's service."
The Lawsuit's Allegations
In the Florida lawsuit, a dentist who sold his practice alleges his EMR vendor improperly locked him out of his patients' records, preventing him from accessing them for accounts receivable purposes and from retaining copies as required for record retention.
Steven Heinicke, former owner of Key Dental Group PA - or KDG - alleges that Illinois-based EMR vendor MOGO violated its end user license agreement as well as provisions of HIPAA and other regulations by terminating the dentist's access to a database containing EMRs and financial information for approximately 4,000 patients.
Heinicke in January 2018 sold the majority of KDG's assets to another Florida dentist, Nadja Horst, and her company, 601 Dental.
However, the MOGO EHR database, which is the repository for all of KDG's patient medical records and financial information, such as accounts receivable, was excluded from the sale, according to Heinicke's complaint filed in a U.S. district court in Florida.
The complaint notes: "Heinicke did not sell his accounts receivable, and Heinicke retained the right to bill for and collect on all services rendered prior to Jan. 8, 2018, the effective date of the asset sale agreement [with Horst and 601 Dental]. Unfettered access to the KDG-MOGO database was required to handle Heinicke accounts receivable. Heinicke never gave direction to MOGO to transfer his patient records to Horst."
MOGO has blocked Heinicke from accessing the KDG database, the complaint contends, and a Nov. 19 statement issued by KDG says MOGO subsequently notified KDG that "it would not be returning" the EMR database of the practice's patient records.
Attorney George Castrataro, who is representing Heinicke and KDG in the dispute, tells Information Security Media Group: "MOGO has hijacked the records."
The complaint alleges that MOGO had temporarily restored KDG's access to its patient database for several weeks during the spring, but then blocked the practice's access upon the demand of 601 Dental, the company owned by Horst that had purchased the KDG practice.
The KDG complaint alleges that the practice was "locked out of its own database" on demand of 601 Dental, "a non-party to the end user license agreement" between KDG and MOGO.
During the spring, when KDG temporarily regained access to its MOGO database, the complaint says, "KDG noted several financial transactions within the database occurring during the periods that KDG was denied access to its own database, as well as missing documents and other non-authorized alterations to KDG's records."
In July, KDG provided notice to the Florida state attorney general "of a possible breach of personal health information/personal financial information as defined under the Florida Information Protection Act," the complaint notes.
The ability of the state attorney general and KDG to investigate a potential breach is hampered by MOGO's blocking of KDG's access to the database, the complaint contends.
"While Key Dental Group cannot definitively say that unauthorized access has or will occur to this database, given the apparent violations of various portions of HIPAA triggered by MOGO's actions and the sensitivity of the information the database contains, Key Dental Group, PA is publicly notifying its patients at this time of this incident."
Castrataro, the attorney representing KDG, says MOGO's decision to "lock out" the practice from accessing its records also prevents Heinicke - who is now retired - from retaining copies of his patients' medical records for the length of time required by state law.
Neither MOGO nor its attorney immediately responded to an ISMG request for comment.
601 Dental also did not respond to ISMG's request for comment.
Public disputes between healthcare entities and electronic health record vendors involving access to patient records don't appear to be a frequent occurrence. But some reports on such disputes have made the news.
For instance, in 2014, Full Circle Health Care, a clinic in Presque Isle, Maine, accused CompuGroup, an EHR software provider based in Germany that has U.S. headquarters in Phoenix, Ariz., of blocking the clinic's access to patient records as the result of a billing dispute.
In 2016, the Department of Health and Human Services Office for Civil Rights also issued guidance clarifying that business associates that block a client hospital, clinic or other healthcare entity's access to patient data are likely in violation of HIPAA.
"In the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI," the guidance notes.
Federal regulators generally disapprove of business associates that block covered entities from accessing patient data, including behaviors that could subsequently interfere with patients' ability to access their own health records, some regulatory experts note.
"This situation is an offshoot of the idea that patients should be able to get access to their data," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "In general, the [HIPAA] rules don't allow this kind of 'holding data hostage,' and I suspect OCR will not be thrilled to see this."
An EMR vendor "is digging themselves a very deep hole when they engage in the type of information blocking that is alleged by this dental practice," notes Holtzman of CynergisTek.
The HIPAA privacy and security rules prohibit an EMR vendor from denying the covered entity and its patients access to records created or maintained for that covered entity, he notes.
Business associates are required to ensure the confidentiality, integrity and availability of the PHI of the covered entity that they serve. Under HIPAA, availability means that the PHI is accessible when needed by the covered entity or their patient, Holtzman says.
"Not only can an EMR vendor that blocks a covered entity access to PHI face substantial monetary penalties from HHS for engaging in 'willful neglect' of the HIPAA rules, they can find themselves on the wrong end of an expensive personal injury action if a patient can show they suffered harm as a result of the inability to have access to their health records."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says vendors that block patient data access also face other potential regulatory issues.
"Besides HIPAA, the Federal Trade Commission and state attorneys general could potentially determine that a vendor withholding a healthcare provider's access to patient information is an 'unfair' practice in violation of the FTC Act or state consumer protection laws," he says.
Nonetheless, sometimes compliance during disputes is tricky, Nahra notes.
"While it clearly is important to ensure that this information is available when needed, there are often some complications that go beyond a catchy headline. If the business associate has not been treated well by its client, we need to make sure that, while patient rights need to be protected, a vendor also has the normal kinds of commercial protections against a client that does not fulfill the client's obligations - often paying the vendor," Nahra says.
"Vendors have an obligation to be responsible and to be thoughtful about ensuring patients have access and do not suffer any harm from inaccessibility to data, but the HIPAA rules should not excuse a client from fulfilling their commercial obligations to the vendor."