A recent breach notification has left many scratching their heads. Key Dental Group notified patients their data was potentially breached when an EMR vendor allegedly refused to return a patient database.
In the notification, the Florida-based dental provider explained its EMR vendor MOGO sent a notification to the dental practice, saying it would not return an EMR database — although their contract had ended and the end user license agreement required the company to do so.
Not only that, HIPAA mandates that at the end of a contract a “business associate shall retain no copies of the protected health information.”
While MOGO has not responded to repeated requests for comment, HealthITSecurity.com spoke with the practice owner, Steven Heinicke, and reviewed the legal documents to gain insight into the situation.
What We Know
Heinicke entered into a contract with MOGO to handle its EMR data in May 2017. The trouble with the vendor began only after the dentist sold a portion of his practice assets to another practice, he explained.
The bill of sale excluded the database in question. According to a letter from MOGO’s attorney, the EMR vendor allegedly transferred the data to the dentist who purchased some of Heinicke’s business.
“They said it was impossible to transfer the document on record,” Heinicke said. “But I don’t know if they’ve sent this to the other doctor or just sent an Excel sheet to her.”
Heinicke asked the practice owner whether she had a copy and if he could have it returned, but he was told to call MOGO.
“What we’ve been able to determine, on investigation, without acknowledgment, is that it appears that the purchaser approached MOGO with a copy of the early draft sales contract that was never executed,” Kendall Smith, MD told HealthITSecurity.com. Smith is consulting with Heinicke on the case.
“The language in that contract differs substantially from the final executive contract,” he continued. “The contract we believe to have been shown to MOGO was just an early attempt at a contract: It transfers the contract, accounts receivable and would transfer other things to the practice.
However, the final executed contract retains the MOGO license and database. But even worse, Heinicke was not contacted by either MOGO or the purchaser about the transfer, so he didn’t discover he couldn’t access his patient files until several weeks later.
“MOGO it appears complied [with the request from the purchaser], but never notified or sought permission from Heinicke for the action,” said Smith. As a result, the vendor abandoned the initial responsibilities from the EULA and HIPAA and began “taking direction for control of the database from [the purchaser].”
The vendor did not contact Heinicke about the database, including the transfer to the purchaser, “ultimately terminating the EULA with Key Dental Group and then refusing to provide the database back to KDG upon demand, as was KDG's right,” explained Smith.
“So basically, a third-party provided the business associate a piece of paper, the BA never contacted the CE to verify the authenticity or identity of the third party, the BA provided the third party the database and then when confronted about it began taking direction, not from the CE, but from the third-party up to and including refusing to return the database,” he added.
Heinicke is incredibly concerned as the database contains 13 years of patient data that he can’t access to provide full care to patients. For example, oral cancers are prominent in his practice, and yet, without access to his data, he can’t refer to patient records for a complete diagnosis.
Key Dental filed an emergency injunction with the district court of Southern Florida. Smith explained MOGO filed for an extension and a decision is expected by Friday.
Who’s in the Right?
MOGO has since posted a statement on its website that calls Key Dental’s press release about the incident “inaccurate.” Officials stated that the incident is not an unauthorized breach of data, given they “have not disclosed any financial or protected health information.”
“Key Dental is involved with an ongoing dispute with the successor of its practice and, in light of that dispute, MOGO has asked the court to tell it what to do with the data,” officials said in a statement. “Until we have directive from the court, no data will be disclosed to any parties.”
Until the case is decided, the public won’t fully understand the situation in its entirety. However, the situation has brought up much debate on Twitter from some of the industry’s leading privacy experts, including former HHS privacy head Deven McGraw and former Office of the National Coordinator Chief Privacy Officer Lucia Savage.
“Can't hold data hostage to settle your business dispute, not when you're covered by HIPAA,” McGraw wrote.
And according to others on the thread, this situation is actually not uncommon. Savage even suggested someone set up a database of examples. But at the end of the day, it boils down to the EULA and the BA expectations under HIPAA.
“Think of it this way. You check your bag on an airline. You get your baggage claim receipt. You get on the plane, arrive at your destination and then see your bag sitting in the baggage office. You go in and present your driver’s license, baggage claim receipt and plane ticket to the agent,” said Smith.
“The airline refuses to return your bag saying ‘Ma'am, that's not your bag. We’re holding it for some nameless, faceless person who faxed us a letter claiming that they own the bag. Yes, I see your ticket and bag claim and ID. No, we're not giving you the bag because we've promised it to someone who says it's theirs (even though we never bothered to ask you about it),’” he added.
HealthITSecurity.com will be tracking this story as it unfolds and will provide updates if any further information becomes available.