EHR Vendor Dispute: Lessons Learned
Clinic Says Vendor 'Locked Out' Staff's Access to Patient Data
A recent business dispute between a small clinic and an electronic health record system vendor over access to patient data illustrates why healthcare organizations need to carefully vet their vendors and scrutinize the HIPAA-related fine print in their business associate contracts.
The dispute, first reported by the Boston Globe, involves Full Circle Health Care in Presque Isle, Maine, and CompuGroup, an EHR software provider based in Germany that has U.S. headquarters in Boston.
CompuGroup recently blocked Full Circle staff from accessing the medical histories of its 4,000 patients after the practice had gone 10 months without paying CompuGroup's $2,000 monthly maintenance fee. Full Circle CEO E. Victoria Grover explains to Information Security Media Group that CompuGroup recently acquired HealthPort, the vendor from which Full Circle purchased its EHR system.
"I spent more than $72,000 in late 2010 or early 2011 to purchase all the hardware that we use today for our electronic medical record. That included two servers, which are always in my office. All our medical records from CompuGroup, as well as copies of important medical records from my previous paper charts, going back as far as 25 years, are on those servers."
Grover says Full Circle's contract with HealthPort stated that the practice would be charged $300 to $600 a month for maintenance, which included software updates and replacement of any defective hardware. When CompuGroup acquired HealthPort, maintenance fees soared to $2,000 per month, she says. "We didn't sign a new contract." CompuGroup cut off Full Circle's access to the EHR in July, Grover says.
"My IT administrator says the program works this way: Every time our servers turn on, the CompuGroup 'kill switch' asks CompuGroup for permission to let us into the EMR. But CompuGroup tells the program no, and our servers close us out of all our data. That's why we can't just install a backup. We made backups every night. The data is there, but the door is locked."
A CompuGroup spokeswoman declined to comment on the dispute.
But legal experts say that the incident, as well as a similar dispute that ended in a settlement last year between Milwaukee Health Services Inc. and its EHR vendor, Business Computer Applications (which was recently acquired by Acentia), offers important lessons.
One key lesson: Carefully scrutinize business associate agreement provisions for how access to patient data will be provided under all circumstances, including vendor acquisitions and mergers, and how data will be secured in case of a contract dispute.
HIPAA Security Requirements
"The HIPAA Security Rule requires a business associate to 'ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits,'" notes Adam Greene, a privacy attorney at the law firm Davis Wright Tremaine. "Whether this requires making protected health information available to the covered entity in this situation [the Maine clinic dispute] is an open question that the Office for Civil Rights could address," he says.
In fact, during a question and answer session at a HIPAA conference last week, an official from OCR, the unit of the Department of Health and Human Services that enforces HIPAA, noted that the agency was aware of the dispute between Full Circle and CompuGroup.
"BAs need to ensure availability to EHR data," said Iliana Peters, senior adviser for HIPAA compliance and enforcement at OCR, who did not comment further on the specifics of the dispute.
OCR did not respond to a follow-up request for further comment on whether a business associate withholding a covered entity's access to the secured health data of that entity's patients could constitute a potential violation of HIPAA.
No Slam Dunks
HIPAA doesn't specifically address issues involving disputes between covered entities and business associates, although some state statutes might, notes attorney Kathryn Coburn, of the law firm Cooke Kobrick & Wu LLP.
"In California, the courts look at the big picture of business matters - including fairness and public policy. There isn't a slam dunk, even for situations alleging non-payment," she says.
"In any case, I would never want a client to enter into a contract that would allow a vendor to cut off communication to data," Coburn says. "HIPAA says you need to have emergency access to data, and you need to have backup. A vendor needs to make that available, and it should be part of the contract."
Coburn suggests that covered entities request a third-party audit of business associates before signing contracts, to verify the vendor's measures for providing emergency access to and backup of data.
Ideally, when there's a dispute with a covered entity, the BA's recourse will be outlined in the contract with the client, Greene says.
"But the BA should be sensitive to limitations on HIPAA and its business associate agreement. For example, its BAA may require it to return all protected health information if the contract is terminated for any reason," he says.
And the business associate could potentially be violating the HIPAA Security Rule if the vendor inappropriately restricts a covered entity from accessing PHI, he says.
Compliance attorney Betsy Hodge says restricting access to EHR data poses a potential patient safety and liability issue for both the medical provider and the vendor, especially if care goes awry.
"There could be a potential liability issue if the BA didn't allow access to patient data," and something bad happens in the delivery of care that depends on that access, she says.
Additionally, under HIPAA, patients have a right to access their health information. Preventing patients from accessing their health information, such as via a portal, also potentially complicates matters, she notes.
"This situation is a good reminder to providers and EHR vendors to think about what happens if there is a dispute, and ways to resolve the issues without putting the patient in the middle and safety at risk," Hodge says. These considerations also apply to paper-based records that are stored for healthcare providers by third-party records management firms, she adds.
Coburn also advises that contracts with BAs include provisions for speedy mediation in the case of disputes.
Greene suggests that CEs should address in their contracts under what circumstances the BA can discontinue the service, and what happens to the patient data in such circumstances. "For example, the BA may readily have the right to discontinue providing the EHR software where there is a breach of contract, but that does not necessarily also mean that the CE does not have a right to obtain its patient data," he says. "CEs also should consider, if the agreement is terminated, in what form they will get their patient data? Will it be readily portable to another EHR solution?"
Also, covered entities should consider in their overall contingency planning "how they back up patient data and how they will restore such data if their EHR software becomes inaccessible, such as due to a contract dispute," Greene says.