Last week, a federal court in Illinois encountered another example of unexpected events causing problematic privacy and data storage implications for a healthcare company. The non-profit organization responsible for maintaining the MetroChicago Health Information Exchange (the HIE) filed suit against its information technology support contractor and the contractor’s owner to prevent the contractor’s plan to destroy all client data after providing a copy to the HIE. MCHC-Chicago Hospital Council v. Sandlot Solutions, Inc. and Santa Rosa Consulting, Inc., 16-cv-4012. The Illinois federal district court issued a temporary restraining order barring destruction of the data for at least 14 days.
In seeking emergency relief, the HIE asserted that the insolvent contractor’s proposed destruction of all client data within 24 hours of providing a copy of the raw data to the HIE would be a breach of its contract and violate the Health Insurance Portability and Accountability Act (HIPAA). Among the data to be deleted were audit trail and node authentication logs. Without this material, the HIE argued that it would be unable to comply with audit control requirements under HIPAA.
The district court judge was persuaded that the destruction of the data would create irreparable harm. The defendants were ordered not to destroy the data without court approval and to provide the plaintiff with the raw client data along with a virtual “VMware” copy as soon as practicable. In obtaining the desired relief, the HIE was required to bear the expense of creating the VMware copy of the data as well as the costs of hardware, personnel and other expenses necessary to receive the copy. The HIE was also required to post bond in the amount of $25,000.
This case serves as another reminder of the importance of ensuring that contracts with business associates and subcontractors include specific provisions related to the return of data and the ability to maintain access to the data for a reasonable period.