OCR: Business Associates Blocking Access to Data are in Violation of HIPAA | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

OCR: Business Associates Blocking Access to Data are in Violation of HIPAA

October 4, 2016
by Heather Landi
| Reprints

It is an impermissible use of protected health information (PHI) for a business associate to block a healthcare provider’s access to data in order to resolve a payment dispute, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) stated in a new guidance.

In the guidance, posted last week in a “frequently asked questions” format, OCR clarified that business associates that block a client hospital, clinic or other healthcare entity's access to patient data are likely in violation of the Health Information Portability and Accountability Act (HIPAA) Privacy Rule.

“Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule,” OCR stated.

For example, it would be impermissible for an electronic health record (EHR) developer to activate a “kill switch” embedded in its software that renders the data inaccessible to its provider client in order to resolve a payment dispute. “Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI,” the OCR guidance stated.

There have been high profile cases of business disputes between EHR vendors and providers in which the vendors have blocked a hospital or clinic’s assess to patient records. As cited in a September 2014 article in the Boston Globe, staff members and clinicians at Full Circle Health Care, a clinic based in Presque Isle, Maine, were locked out of the EHR. As part of a billing dispute, the vendor for the clinic’s electronic health records, German-based company CompuGroup, took steps to block the staff’s ability to look up medical histories on its 4,000 patients.

Additionally, in the guidance, OCR stated that a business associate is required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that it creates, receives, maintains, or transmits on behalf of a covered entity. Maintaining the availability of the ePHI means ensuring the PHI is accessible and usable upon demand by the healthcare provider, whether the data is maintained in an EHR, cloud, data backup system, database, or other system. “This also includes, in cases where the business associate agreement specifies that PHI is to be returned at termination of the agreement, returning the PHI to the covered entity in a format that is reasonable in light of the agreement to preserve its accessibility and usability. A business associate that terminates access privileges of a covered entity, or otherwise denies a covered entity’s access to the ePHI it holds on behalf of the covered entity, is violating the Security Rule,” OCR stated.

Further, OCR stated that a business associate is required by the HIPAA Privacy Rule and its business associate agreement to make PHI available to its provider client as necessary to satisfy the provider’s obligations, as a covered entity, to provide access to individuals under 45 CFR § 164.524. To that end, a business associate may not deny its provider client access to the PHI the business associate maintains on behalf of the healthcare provider if that provider needs the PHI to satisfy its obligations.

“OCR recognizes, however, that there may be certain arrangements that authorize the business associate to destroy or dispose of PHI, or perform data aggregation or otherwise combine data from multiple sources,” the agency stated. For example, a covered entity may engage a business associate to perform data aggregation of information from multiple sources that renders the disaggregated original source data unreturnable to the covered entity. The agency does not consider these contractual arrangements to constitute impermissible data blocking or access termination, OCR stated.

 

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Geisinger, AstraZeneca Partner on Asthma App Suite

Geisinger has partnered with pharmaceutical company AstraZeneca to create a suite of products that integrate into the electronic health record and engage asthma patients and their providers in co-managing the disease.

Analysis: Healthcare Ransomware Attacks Decline in First Half of 2018

In the first half of 2018, ransomware events in major healthcare data breaches diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a new report form cybersecurity firm Cryptonite.

Dignity Health, UCSF Health Partner to Improve the Digital Patient Experience

Dignity Health and UCSF Health are collaborating to develop a digital engagement platform that officials believe will provide information and access to patients when and where they need it as they navigate primary and preventive care, as well as more acute or specialty care.

Report: Digital Health VC Funding Surges to Record $4.9 Billion in 2018

Global venture capital funding for digital health companies in the first half of 2018 was 22 percent higher year-over-year (YoY) with a record $4.9 billion raised in 383 deals compared to the $4 billion in 359 deals in the same time period last year, according to Mercom Capital Group’s latest report.

ONC Roundup: Senior Leadership Changes Spark Questions

The Office of the National Coordinator for Health IT (ONC) has continued to experience changes within its upper leadership, leading some folks to again ponder what the health IT agency’s role will be moving forward.

Media Report: Walmart Hires Former Humana Executive to Run Health Unit

Reigniting speculation that Walmart and insurer Humana are exploring ways to forge a closer partnership, Walmart Inc. has hired a Humana veteran to run its health care business, according to a report from Bloomberg.