Wednesday, November 28, 2018

Dental Breach Notification Sparked by EMR Vendor Refusal

Here is another interesting piece of information regarding a HIPAA violation.  
 
One of the questions I get when it comes to cloud based practice management systems is “what if I want my data back? How do I get them to give it to me?”
 
This is a great explanation for that situation because, as it turns out, refusing to give the doctor their data is a violation of HIPAA.  When the office is no longer in control of the data, it is considered a data breach even though the data may be totally secure on an encrypted server run by the vendor.
 
Due to the fact that the office can no longer access the data, it is considered “insecure” and patients must be notified. The article can be read here. Most of it is below. I’d also like to add to this that the company involved here is MOGO. It is a company that has been around for a while so I find this a bit surprising, however users of MOGO may want to be aware of this. Also, there may be more to this story that I haven’t uncovered. We have yet to hear MOGO’s side of this...

Florida-based Key Dental Group is notifying some of its patients of a breach, after its electronic medical record vendor refused to return a patient database at the end of its contract.

According to officials, Key Dental received a notification from its EMR vendor MOGO that it would not return the dental group’s EMR database as required at the termination of its end user license agreement. The refusal violates both the EULA and several portions of HIPAA.

As Key Dental can no longer view or monitor the database to ensure the security of patient data, officials have begun to notify patients.

The database contained a wide range of personal data including names, health insurance information, claims data, medical history, lab or test results and Medicare data for those applicable patients. Medicare patients also have their Social Security numbers included in the data.

At the moment, there’s no evidence of a breach or unauthorized access. But officials are notifying patients of the incident and risk, given Key Dental no longer has control over the data.

MOGO did not respond to a request for comment on its reasoning for keeping customer data. DataBreaches.net was able to confirm Key Dental has taken MOGO to court, asking for emergency injunctive relief.

Under HIPAA, a “business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form.”

“Business associate shall retain no copies of the protected health information,” according to the rule.

While it’s not known whether the business associate has retained the database or destroyed it, Key Dental has accused MOGO of breaching its EULA.

HealthITSecurity.com asked HIPAA attorney Matt Fisher, a Partner at Mirick O’Connell, for potential reasoning or cause for MOGO to retain the data, and he explained there’s no obvious one outside of an attempt to obtain payment.

“It is unclear why an EMR or other vendor would attempt to withhold patient data in light of all of the guidance and commentary about access,” Fisher said. “Flaunting the tide of public opinion could be a headline that would tempt Office for Civil Rights to issue a fine or get involved, which would not be helpful for any party involved.”

“However, one potential motivation for withholding data could be to obtain payment of disputed or owed fees,” he added. “Arguably, the data is the biggest leverage that could be wielded by the vendor, absent filing a lawsuit. As indicated though, blocking access to data is a risky game to play and one that will draw negative attention.”

1 comment:

  1. Good post to raise the alarm about the issue of database status. Backups are a must.