HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers.

The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years.

The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016., Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a copy of the raw data stored in the HIE.

MCHC was told that Sandlot was ceasing trading on April 8 and would be providing a copy of the raw data on that date. MCHC filed a lawsuit on April 5 against Sandlot claiming the company had breached its contract by shutting down access to the HIE. MCHC also sought a restraining order to prevent Sandlot from deleting the data.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The council said that providing the data in raw form would not allow data to be easily validated, and certainly not in 24 hours. Sandlot allegedly did not provide any source code or software to enable MCHC to move the HIE to an alternate system.

If the data could not be validated before deletion and records were subsequently discovered to have been lost or corrupted, the HIE would have to be rebuilt from scratch; a process that would take a considerable amount of time and would involve considerable costs.

The council claimed in the lawsuit that the destruction of data would be a violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires all business associates of covered entities to maintain the confidentiality, integrity, and availability of all ePHI. Since audit trail and authentication logs would also be deleted this would prevent MCHC from complying HIPAA Rules on audit control. MCHC claims it was not provided with the logs.

A federal judge agreed that data loss would create irreparable harm and a restraining order was granted on April 7. This was extended on April 19, and Sandlot was ordered to retain the data. Sandlot was also ordered to provide the council with a virtual copy of data as soon as possible. MCHC was instructed to provide the hardware and personnel to allow that to happen.

Sandlot attorneys confirmed that the council will be provided with the “necessary application software and operating software to run the system and validate the client data.”

There is always a possibility that a third party vendor may go out of business. Organizations should therefore develop policies to ensure that all data contained in an HIE is backed up and can be recovered – in a usable format – in the event of disaster.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.