It had been a while since an electronic medical record (EMR) vendor or any other vendor withheld access to data, but it has happened again. As first reported by databreaches.net, there is a brewing dispute between Key Dental Group, PA of Pembroke Pines, FL and MOGO of Westmont, IL. The issue was revealed in a breach notification posted by Key Dental.
As set forth in the breach notification, it appeared that Key Dental would not longer use the services of MOGO. Per Key Dental, the end user license agreement (EULA) provided that all data stored in the EMR was to be returned. Without more detail at the moment, MOGO is refusing to return any of Key Dental’s data. The decision was allegedly communicated to Key Dental by MOGO’s attorney on October 19th. Before getting into the issues surrounding holding data hostage, why did Key Dental wait a month before sending out notification? As set forth the notice, Key Dental sent the notice because it could no longer verify that the data was secure or otherwise not subject to inappropriate access since MOGO was denying access. However, that situation existed for a month once MOGO sent official notice that it would not let Key Dental access the database. As soon as that correspondence from MOGO was received, the underlying basis for Key Dental’s notice existed. Accordingly, if Key Dental intended to send a breach notification for inability to access, then those facts existed back in October.
The Real Issue: No Access
As already suggested though, the real issue is what will happen to the patient data. The breach notification suggests that the EULA contemplated the return of data when the license ended. Return of data is appropriate and necessary. An EMR vendor, especially when cloud hosting is involved, will be a business associate under HIPAA. As a business associate, the privacy and security obligations of HIPAA come to bear. Most importantly, the access rights are very important. A business associate is only processing patient data on behalf of the covered entity that is being served, no patient data are created for the business associate. All connects to and is on behalf of the covered entity.
The discussion about roles under HIPAA can lead into considerations about “ownership” or “control” of patient data. While the patient is not a part of this discussion, there are clear implications for the patient. If ownership or control is transferred away from the covered entity, then the patient will likely not have any (or only minimal) contact with the business associate. As such, while HIPAA does not directly deal with ownership, it does address control, which is likely more important. As described in brief detail, all patient information under HIPAA remains under the control of the covered entity and the business associate does not receive any interest in that patient data other than in its role as assisting the covered entity. These concepts are indirectly addressed in the required business associate. The underlying concepts also feed into why it is essential to address data access and control in the contact between a covered entity/provider and an EMR vendor.
As was detailed in the contract guide from the Office of the National Coordinator of Health IT in 2016, the contract governing useage of the EMR needs to address management and safeguarding of data. That includes not blocking access to information. Admittedly, those concerns were apparently addressed appropriately in the agreement between Key Dental and MOGO. What else could have gone wrong?
Until additional details are available, why would access still be denied contrary to the terms of the contract? Arguably, withholding data remains the primary tool of an EMR vendor against a provider in the event of a dispute. For example, if a provider has not fully paid all fees when the contract terminates, then what leverage could be exerted by the EMR vendor to drive payment? Holding onto the data. Fears about inability to access data could “encourage” a provider to make payment or accede to other demands.
However, as the dispute between Key Dental and MOGO is not demonstrating, the resulting backlash and public perception will quickly slant in favor of the provider. Denying access to or taking control of patient data is a sure way to drive attention. With many efforts focused on freeing up patient data and expanding access, any step to go in the opposite direction may quickly result in some amount of liability. MOGO may end up finding that out the hard way.
Related to access, there could be a question as to how the data may be utilized when held by MOGO. Even though the contract apparently recognizes that Key Dental should maintain access and control (despite the current dispute), what about terms covering commercialization or de-identification of the data. For example, can MOGO de-identify the data it holds and then sell or otherwise use the de-identified data, which technically is no longer subject to HIPAA? That was often a term sought by some EMR vendors as data hold a significant amount of value. The ability to monetize data really turns to control, which is another important contractual issue. Even if data can be returned, understanding how it will be used during the term of the agreement is important That can have lingering impacts following the end of an agreement. In the case of Key Dental and MOGO, could MOGO make more use of the data? Is denying access a move to copy it before returning to enable future use?
While answers to a number of the questions raised by the Key Dental and MOGO dispute may not be answered for some amount of time, there are already takeaways. As noted, the primary takeaway is that patient data should be put front and center into a public dispute. In that event, no party will come out very well, though the vendor will most likely take the brunt of the public scrutiny. Additionally, the dispute further emphasizes why focusing on the terms of the contract for use of the EMR upfront is important. It is always better to think ahead and try to anticipate solutions or outcomes for disputes ahead of time than to have a fight later on.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.