In the past when I heard consultants or corporate attorneys talk about the importance of crossing all the T’s and dotting all the I’s in business associate agreements, I sometimes thought they were overstating the case. No more! Did you see the news stories a few weeks ago about the MetroChicago Health Information Exchange and Sandlot Solutions Inc.? It demonstrated the need to have all contingencies imaginable covered ahead of time.
Here is the gist of the story as reported by the Law360 web site. The MCHC-Chicago Hospital Council, a nonprofit that runs the MetroChicago Health Information Exchange, had to resort to suing Sandlot Solutions Inc., the company whose solution powered the HIE, to prevent it from destroying all data before Sandlot shut down operations. The tech solutions provider had planned to hand over a copy to MCHC.
According to the news report, Sandlot told MCHC on March 28 that it would close by April 8 and then shut down the exchange permanently a day later, blocking access to client data, MCHC said. Although Sandlot said it would provide a copy of the raw data to the organization and then delete the original data from its servers 24 hours later, MCHC deemed this plan “unacceptable.”
MCHC argued that Sandlot’s plan could cause MCHC itself to shut down if there were any issues with the transfer and that it would likely suffer irreparable harm. MCHC argued it could lose more than two years of time, effort and money it and others spent recording millions of transactions involving more than 2 million patients, as well as the credibility and reputation of the HIE, which serves providers and patients in the Chicago area, according to the Law360 story.
MCHC’s complaint said that among the data that would have been deleted are audit trails and logs that include notations showing when a patient’s file was accessed.
U.S. District Judge Virginia M. Kendall granted MCHC’s request for a temporary restraining order, barring Sandlot from destroying data until after April 19.
Although Sandlot is insolvent and closing after a merger fell through, MCHC has offered to reimburse the expenses necessary to create a virtual copy of the database. Sandlot has also been ordered to provide the copies as soon as it can.
As Stacey Callaghan, an attorney with Miami-based law firm Akerman LLP, noted in a blog post on the situation: “This case serves as another reminder of the importance of ensuring that contracts with business associates and subcontractors include specific provisions related to the return of data and the ability to maintain access to the data for a reasonable period.”
Amen! This is also a reminder to think about all your data in the cloud. If those cloud vendors went out of business, would you be able to respond and take your data back in house without a hiccup? Of course, you also have to re-think how those business associates are handling HIPAA compliance and data breach planning and response.