The state is suing Xerox for a second time, afraid the company’s recent actions in withholding a large number of documents relating to its tenure as the state’s primary Medicaid claims administrator will lead to millions of dollars of federal fines against the state due to HIPAA violations.
This morning HHSC issued a press release (see below) announcing that Xerox is being sued for failing to turn over client Medicaid and health records to the state. These are the same records that Xerox has already filed a motion for protection with the court as the company claims they need the documents for their defense. The Dallas Morning News has already covered the story.
The state has also reported the company to the federal Office for Civil Rights, claiming that Xerox is out of compliance with HIPAA regulations that “could lead to millions of dollars in fines against both the state and Xerox.”
Kyle Janek, Executive Director of HHSC, is calling Xerox “reckless and irresponsible” for its actions.
State Sues Xerox over Failure to Return, Protect Client Data
A contractor being sued by the state for fraud has failed to turn over client Medicaid and health records, putting the state out of compliance with federal regulations and at risk of massive federal fines.
In May, the Texas Health and Human Services Commission (HHSC) notified Xerox Corp. that it was terminating the company’s Medicaid claims administration contract after Xerox staff approved thousands of requests for braces that weren’t medically necessary. The Texas Attorney General filed a lawsuit on behalf of the state the same day. HHSC transitioned the Medicaid contract to a new vendor Aug. 1.
“There is a legal process for the company to get any records it needs for the lawsuit, but instead Xerox has chosen to put information of Medicaid clients at risk and force the state to take court action to protect those records,” said Texas Health and Human Services Executive Commissioner Kyle Janek.
The state today filed a lawsuit in Travis County District Court seeking the immediate return of the data.
During the contract transition, HHSC objected to any attempt by Xerox to copy or take records related to its work for the state without appropriate court action to ensure the security of the data. However, Xerox acknowledged in a court filing on July 21 that it had removed records from servers and hard drives and allowed those records to be stored and viewed by other vendors. HHSC also learned that Xerox removed 244 boxes of information before the Texas Medicaid & Healthcare Partnership contract transitioned to the new vendor.
Xerox has refused to return the records or provide any information about efforts to ensure the security of the information, which HHSC believes includes client names, photographs, birthdates and medical and billing records.
“Xerox has admitted that it has the information and it’s being stored by its lawyers and at least one other company,” Janek said. “They have refused to tell us exactly what information they have, who has access to the information and what’s being done to protect it. We don’t know anything about the security of the servers now housing the information, staff training, background checks, nothing.”
The refusal to return the data or provide information about its security has forced the state to file a notice with the federal Office for Civil Rights that Xerox is now out of compliance with regulations designed to protect an individual’s health information. Violations of federal HIPAA regulations could lead to millions of dollars in fines against both the state and Xerox.
Federal law also requires the state to notify individuals when information related to their state case may not be protected. HHSC is preparing to send notices to current and former Medicaid clients who were approved for braces by Xerox staff and will maintain a call center to answer questions from concerned clients.
“Once again, the reckless and irresponsible actions of this company put Texas tax dollars at risk,” Janek said. “It really makes you wonder what they’re trying to hide.”