HIPAA Business Associate Dispute Involves 2M-Record Breach

A HIPAA Business Associate dispute is continuing between the Texas Health and Human Services Commission (THHSC) and its former Business Associate (BA), Xerox, over the termination of the Business Associate Agreement (BAA) and a subsequent HIPAA breach of Protected Health Information (PHI). The breach concerns approximately 2 million individuals.

Xerox was required to provide some administrative services under the Texas Medicaid program run by THHSC. The BAA was terminated by THHSC in May after a large number of patients were allegedly given authorization to have orthodontic braces fitted, yet the devices were not deemed to be a medical necessity. Under the terms of the BAA, THHSC felt it was within its rights to terminate the contract and seek another service provider.

However, Xerox refused to return equipment to THHSC that contained PHI. The Business Associate dispute has continued for some time and has resulted in a lawsuit being filed, while the OCR has been alerted to potential HIPAA violations involving a refusal to return, or render unusable or unreadable, the Protected Health Information that Xerox is currently holding. This suggests a violation of the Security Rule, although both THHSC and Xerox may be implicated. The OCR could potentially fine both if HIPAA violations are discovered.

The lawsuit appears to have been filed in an attempt to recover the PHI; however, Xerox believed it had every right to retain the equipment, as it contained private and confidential material relating to its own company. Company policies would not permit the disclosure of that confidential information to Texas HHSC.

While both parties were at something of an impasse, in September they came to an understanding in court: the BA would retain the documentation and data on the equipment, and the state would be given the opportunity to inspect the equipment and data. A further court hearing is likely in January, when the legal dispute may finally come to an end. In the meantime, the PHI will be safeguarded in accordance with HIPAA regulations.

A HIPAA Business Associate dispute has the potential to lead to HIPAA violations, so it is strongly advisable to address disputes and legal action in BAAs and to detail what must happen to PHI under those specific circumstances. Should those terms not be met, the Business Associate would then be held liable for any HIPAA violations and would be dealt with directly by the Office for Civil Rights.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news