The Texas Health and Human Services Commission (THHSC) has reported a 2 million-record HIPAA breach by Xerox to the Department of Health and Human Services’ Office for Civil Rights.
Xerox allegedly did not return PHI following the termination of the service provider’s contract, and the dispute between the two bodies continues.
Xerox was a former business partner of THHSC and was contracted to supply administrative services for the Texas Medicaid program. However, THHSC took the decision in May to end the contract following claims that Xerox had inappropriately given authorization for orthodontic braces to be given to thousands of Medicaid patients when the devices were not medically required.
Three months after THHSC replaced Xerox with a new Business Associate, it initiated a lawsuit against Xerox claiming that the company had failed to return computer equipment and paper files after its contract was terminated. Stored on those computers and in those files was a large amount of confidential information, including personal identifiers, Medicaid numbers and Protected Health Information of almost 2 million people.
The lawsuit was begun because THHSC is required to protect data under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, Protected Health Information and personal identifiers are strictly controlled, and bodies covered under these regulations are obliged to securely and permanently destroy all PHI before computer equipment is decommissioned or recycled. Covered entities (CEs) must also maintain strict access protocols over all PHI that is held, and it must be returned to the provider – or be securely destroyed – when it is no longer needed.
By failing to maintain control over its Business Associate, Xerox, THHSC could be ruled to have violated HIPAA, and since there are 2 million records involved – the number of victims affected by a breach is taken into consideration by the Office for Civil Rights when issuing financial penalties – this incident could possibly cost the Texas Health and Human Services Commission dearly. Fines of up to $1.5 million can be applied for each HIPAA violation, and state attorneys general can also issue financial penalties. Class action lawsuits are also likely in the event of any identified loss, theft or disclosure of PHI.
According to the lawsuit, Texas HHSC said that not returning the equipment was “putting the state out of compliance with federal regulations and at risk of massive federal fines.”
According to a statement released by Xerox to the Security Media Group, “retention of property includes Xerox material such as computer monitors, televisions, human resource files, internal financial records and Xerox-branded collateral and posters, while the data represents proprietary Xerox information and was retained with the state’s knowledge [yet the state] declined repeated opportunities to review the material.”
The legal motion was heard in court this September and an agreement was reached between the two parties. A Xerox representative stated, “Under the agreed order, Xerox retained the documents and data, and the state has had the opportunity to inspect materials retained by Xerox. Both continue to operate under the agreed order, and Xerox anticipates that the parties’ progress under the agreed order will be the subject of a further hearing before the court in January.”
A Texas HHSC spokesperson said, “Xerox certified that the information was and continues to be safeguarded. With these assurances in place, HHSC believes there was a low risk that client information was compromised and that the information will be protected as the court case continues.”
There have been many disputes between healthcare providers and Business Associates recently, in particular with regard to the failure to return equipment and Protected Health Information. The Office for Civil Rights has started to take an interest, as these incidents give strong indications that HIPAA rules have been violated.
Business Associates have been included in HIPAA regulations since the introduction of the Omnibus Rule in 2013 and they must therefore agree to adhere to HIPAA rules and regulations. Healthcare providers, health plans and healthcare clearinghouses must obtain a signed Business Associate Agreement (BAA) from any vendor before access to PHI is allowed.
BAAs must outline the responsibilities of each party in relation to securing PHI, including the responsibilities of each party when it comes to returning or securely destroying PHI. These terms must be explicit and cover situations such as business disputes, and must state exactly how the data will be destroyed, rendered unreadable or returned to the provider. It is in the interests of both parties to do this. Business Associates can also be fined directly by the OCR for HIPAA breaches.