Breach Reported After Vendor DisputeTexas Agency in Legal Battle with Xerox
An ongoing legal dispute between the Texas Health and Human Services Commission and its former contractor, Xerox, has led the state agency to report to federal authorities that the business associate was responsible for a data breach affecting 2 million individuals.
The dispute, which arose when the state ended its contract with Xerox, serves as an important reminder of the importance of preparing for the ending of relationships between covered entities and BAs by including specific details about data return or destruction in business associate agreements.
Despite the ongoing nature of the legal battle, the breach already has been added to the Department of Health and Human Services' "wall of shame" tally, which tracks breaches affecting 500 or more individuals since September 2009, when the HIPAA breach notification rule kicked in. The tally now includes 1,167 incidents affecting a total of nearly 41.3 million individuals. Business associates have been involved in approximately 25 percent of those incidents.
Under the HIPAA Omnibus Rule, which went into effect last year, business associates and their subcontractors are now directly liable for HIPAA compliance.
To date, the largest breach involving a business associate was a 2011 incident involving military healthcare program, TRICARE and its vendor, Science Applications International Corp. That incident, involving the theft of unencrypted backup computer tapes, affected about 4.9 million individuals.
The dispute between the Texas commission and Xerox began in May when the state notified Xerox that it was terminating its relationship with the company, which had been contracted to provide administrative services for the Texas Medicaid program. The state cancelled its contract with Xerox, alleging the company inappropriately authorized orthodontic braces that were not medically necessary for thousands of Medicaid patients.
In August, after the transition to a new Medicaid vendor, the Texas commission filed a lawsuit against Xerox, alleging that the contractor had failed to turn over computer equipment, as well as paper records, containing Medicaid and health information for 2 million individuals, "putting the state out of compliance with federal regulations and at risk of massive federal fines," says a statement issued by Texas HHSC in August.
Xerox, in a statement to Information Security Media Group, contends that the company's "retention of property includes Xerox material such as computer monitors, televisions, human resource files, internal financial records and Xerox-branded collateral and posters, while the data represents proprietary Xerox information and was retained with the state's knowledge [yet the state] declined repeated opportunities to review the material."
In September, following a court hearing on Xerox's motion to retain the disputed documents and data, the state and Xerox reached an agreed order, Xerox says. "Under the agreed order, Xerox retained the documents and data, and the state has had the opportunity to inspect materials retained by Xerox. Both continue to operate under the agreed order, and Xerox anticipates that the parties' progress under the agreed order will be the subject of a further hearing before the court in January."
Texas HHSC, in a statement provided to ISMG, says that following the court order, "Xerox certified that the information was and continues to be safeguarded. With these assurances in places, HHSC believes there was a low risk that client information was compromised and that the information will be protected as the court case continues."
Nevertheless, because of the dispute, Texas HHSC reported the incident to HHS as an unauthorized access/disclosure data breach. The state also notified the 2 million individuals whose data was involved. Texas HHSC says data involved potentially includes Medicaid clients' names, birthdates, Medicaid numbers, and medical and billing records related to care provided through Medicaid, such as reports, diagnosis codes and photographs.
"Xerox takes data security very seriously, and at all times, Xerox has maintained and will continue to maintain the required data protection measures around all sensitive information to ensure the data's integrity," the company states. "Any claims by the Texas Health and Human Services Commission that Medicaid client information was compromised in any way are outrageous and unfounded. Xerox has securely maintained any and all Medicaid client information for purposes of the litigation in a manner consistent with requirements of both federal and state law."
The legal haggling between Texas HHSC and its business associate, Xerox, has some similarities to a recent billing dispute involving a small healthcare clinic in Maine and its electronic health records provider.
Full Circle Health Care in Presque Isle, Maine says its EHR vendor, CompuGroup, continues to block Full Circle staff from accessing the medical histories on its 4,000 patients after a billing dispute with the vendor (see EHR Vendor Dispute: Lessons Learned).
Even after the dispute attracted media attention in September, "we are still locked out," Full Circle CEO E. Victoria Grover tells ISMG. "But we have spent much time and money to reconstruct as much of those records as we can. We still hope to get in someday," she says, adding that the clinic is still considering legal action against CompuGroup.
CompuGroup did not respond to ISMG's request for comment.
Cause for Concern
Privacy attorney Adam Greene of law firm Davis Wright Tremaine says disputes between business associates and covered entities where patient data is involved - such as the recent Texas/Xerox and Full Circle/CompuGroup battles - are catching the attention of government regulators.
"We have recently seen a few cases involving disputes over disposition of protected health information after an agreement between a covered entity and business associate sours. Judging from recent remarks from OCR [HHS Office for Civil Rights] officials, OCR seems to be particularly concerned about these issues, and may closely scrutinize incidents where a business associate refuses to return or destroy protected health information," he says.
OCR, which enforces HIPAA, did not reply to ISMG's request for comment.
These recent incidents highlight why business associate agreements need to spell out how protected health information will be safeguarded, returned or destroyed at the end of a relationship with a covered entity, including when there's a business dispute, Greene says.
"While HIPAA has always required a business associate agreement to specify that the business associate will return or destroy protected health information where feasible, the recent cases highlight that parties may want to have frank discussions and potentially add specificity in this area," he says.
For example, the agreement should specify whether the business associate will return or destroy the information, when it will do so, what form any returned information will take and what circumstances - such as technical issues or litigation - may make return or destruction infeasible, Greene says. "Not every business associate relationship is created equal, so covered entities may wish to prioritize negotiating these points in certain high-risk situations, such as where the business associate maintains the primary copy of the protected health information.
"Covered entities should also consider these circumstances in their information security risk analysis and contingency planning, so that they are prepared if a problem with respect to a business associate returning or destroying protected health information arises."