Until your last post, I understood you (now and hereafter, to mean "you or your company") as providing computer consulting, developing a program to manage data, transmit billing, and prevent unauthorized access of PHI for an MD and/or his practice via a clearing house for billing. My mistake; I must be getting old! I now understand you to be a computer consulting provider with a (former) client who owns/operates a clearing house for medical billing. In that capacity, you were/are a Business Associate of the clearing house and as such, HIPAA allows you to view, receive, and "use" all of the clearing house's information, including PHI, in order to develop a program or assess the security of the clearing house's system. You can even share the information with others, for example to test the system's ability to transmit properly and to prevent unauthorized access to PHI. HIPAA requires that you protect the PHI and do not use it in an authorized manner.
If you did not accept the information and use it, then the clearing house owner did not share the information; he attempted to share it for the purpose of meeting the HIPAA requirements for security analysis and compliance.
One of my daughters is a software developer and computer consultant; she performs the very services described above for healthcare providers and for class action attorneys handling medical products and pharmaceutical class action suits. I don't believe she has developed a program for a clearing house or reviewed a clearing house, but some of the healthcare providers for whom she has consulted use a clearing house for billing. It is possible that accessing the clearing house's database would be needed in order to develop the appropriate program and train the staff in its use. I'll have to ask her. Anyway, in addition to the reference site that I provided, that's why I believe your former client has not violated HIPAA.
I do not understand why he is threatening to sue you for refusing to provide a service for which you have no agreement or contract to provide; however, you state "you were" protective of his clients' information. If you did not agree to provide the service, then you had no right to access the data by reading the information and should have no idea what information is on the disc. If you did "look at" the disc and did not accept the job, YOU violated HIPAA by accessing PHI not necessary for the job at hand. It's the same as reading your own medical records or your friend's medical records when neither of your records has anything to do with your current assignment.
EC