Share this article on:
The dispute between Xerox and the Texas Health and Human Services Commission (THHSC) continues with the latter now having reported a 2 million-record HIPAA breach to the Department of Health and Human Services’ Office for Civil Rights for allegedly not returning PHI following the termination of the service provider’s contract.
Xerox was a former Business Associate of THHSC and was contracted to provide administrative services for the Texas Medicaid program. However, THHSC took the decision in May to terminate the contract following allegations that Xerox had inappropriately given authorization for orthodontic braces to be given to thousands of Medicaid patients when the devices were not medically necessary.
Three months later, once THHSC had replaced Xerox with a new Business Associate, it filed a lawsuit against Xerox claiming that the company had failed to return computer equipment and paper files after its contract was terminated. Stored on those computers and in those files was a large volume of confidential information including personal identifiers, Medicaid numbers and Protected Health Information of approximately 2 million individuals.
The lawsuit was filed because THHSC is required to protect data under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, Protected Health Information and personal identifiers are strictly controlled, and entities covered under these regulations are obliged to securely and permanently erase all PHI before computer equipment is decommissioned or recycled. Covered entities (CEs) must also maintain access controls over all PHI that is held, and it must be returned to the provider – or be securely destroyed – when it is no longer required.
By failing to exercise control over its Business Associate, Xerox, THHSC could be found to have violated HIPAA regulations, and since there are 2 million records involved – the number of victims created by a breach is taken into consideration by the Office for Civil Rights when issuing financial penalties – this incident has potential to cost the Texas Health and Human Services Commission dearly. Fines up to $1.5 million can be issued for each HIPAA violation and state attorney general’s can also issue financial penalties. Class action lawsuits are also likely to follow any loss, theft or disclosure of PHI.
According to the lawsuit, Texas HHSC said that the failure to return the equipment was “putting the state out of compliance with federal regulations and at risk of massive federal fines.”
According to a statement issued by Xerox to the Security Media Group, “retention of property includes Xerox material such as computer monitors, televisions, human resource files, internal financial records and Xerox-branded collateral and posters, while the data represents proprietary Xerox information and was retained with the state’s knowledge [yet the state] declined repeated opportunities to review the material.”
The motion was heard in court this September and an agreement was reached between the two parties. According to Xerox, “Under the agreed order, Xerox retained the documents and data, and the state has had the opportunity to inspect materials retained by Xerox. Both continue to operate under the agreed order, and Xerox anticipates that the parties’ progress under the agreed order will be the subject of a further hearing before the court in January.”
Texas HHSC said “Xerox certified that the information was and continues to be safeguarded. With these assurances in places, HHSC believes there was a low risk that client information was compromised and that the information will be protected as the court case continues.”
There have been a number of disputes between healthcare providers and Business associates in recent months, in particular with regards to the return of equipment and Protected Health Information. The Office for Civil Rights has started to take an interest as these incidents give off strong signals that HIPAA rules have been violated.
Business Associates have been covered under HIPAA regulations since the introduction of the Omnibus Rule in 2013 and they must therefore agree to abide by HIPAA rules and regulations. Healthcare providers, health plans and healthcare clearinghouses must obtain a signed Business Associate Agreement (BAA) from any vendor before access to PHI is granted.
BAAs must outline the responsibilities of each party with regards to safeguarding PHI including the responsibilities of each party when it comes to returning or securely destroying PHI. These terms must be specific and cover situations such as business disputes, and must stipulate exactly how the data will be destroyed, rendered unreadable or returned to the provider. It is in the interests of both parties to do this. Business Associates can also be fined directly by the OCR for HIPAA violations.