Florida-based Key Dental Group is notifying some of its patients of a breach, after its electronic medical record vendor refused to return a patient database at the end of its contract.
According to officials, Key Dental received a notification from its EMR vendor MOGO that it would not return the dental group’s EMR database as required at the termination of its end user license agreement. The refusal violates both the EULA and several portions of HIPAA.
As Key Dental can no longer view or monitor the database to ensure the security of patient data, officials have begun to notify patients.
The database contained a wide range of personal data including names, health insurance information, claims data, medical history, lab or test results and Medicare data for those applicable patients. Medicare patients also have their Social Security numbers included in the data.
At the moment, there’s no evidence of a breach or unauthorized access. But officials are notifying patients of the incident and risk, given Key Dental no longer has control over the data.
MOGO did not respond to a request for comment on its reasoning for keeping customer data. HealthITSecurity.com confirmed with Key Dental that it has taken MOGO to court, asking for emergency injunctive relief.
Under HIPAA, a “business associate shall return to covered entity [or, if agreed to by covered entity, destroy] all protected health information received from covered entity, or created, maintained, or received by business associate on behalf of covered entity, that the business associate still maintains in any form.”
“Business associate shall retain no copies of the protected health information,” according to the rule.
While it’s not known whether the business associate has retained the database or destroyed it, Key Dental has accused MOGO of breaching its EULA.
HealthITSecurity.com asked HIPAA attorney Matt Fisher, a partner at Mirick O’Connell, for potential reasoning or cause for MOGO to retain the data, and he explained there’s no obvious one outside of an attempt to obtain payment.
“It is unclear why an EMR or other vendor would attempt to withhold patient data in light of all of the guidance and commentary about access,” Fisher said. “Flaunting the tide of public opinion could be a headline that would tempt Office for Civil Rights to issue a fine or get involved, which would not be helpful for any party involved.”
“However, one potential motivation for withholding data could be to obtain payment of disputed or owed fees,” he added. “Arguably, the data is the biggest leverage that could be wielded by the vendor, absent filing a lawsuit. As indicated though, blocking access to data is a risky game to play and one that will draw negative attention.”