EHR Vendors Violate HIPAA Rules by Blocking Access to ePHI

Yesterday, Office for Civil Rights (OCR) issued guidance for EHR vendors and other business associates of HIPAA covered entities explaining the need to ensure electronic protected health information (ePHI) is always available to covered entities. The guidance, which takes the form of a FAQ, also clarifies how the HIPAA Rules apply to the blocking or termination of access to ePHI maintained by a business associate.

OCR has confirmed that blocking access to ePHI is a violation of the HIPAA Rules. EHR vendors that prevent a HIPAA-covered entity from accessing patient health records, such as during payment disputes, are violating HIPAA Rules and could potentially be fined for doing so.

EHR vendors have been known to hit the kill switch and prevent access to patient data in the event of a payment dispute or after the termination of an agreement. OCR points out that the failure to return ePHI and/or blocking access to ePHI is a clear violation of the HIPAA Privacy Rule.

The Privacy Rule requires a covered entity to allow patients to obtain copies of their ePHI on request. If a business associate blocks access to ePHI, they would be preventing the covered entity from fulfilling its obligation to provide copies of ePHI to patients. Similarly, once an agreement comes to an end, ePHI must be returned to the covered entity. If the ePHI is not returned in a format that allows the covered entity to continue to access that information, that too would breach the Privacy Rule.

Under the Security Rule, a business associate of a covered entity must ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of a covered entity. It does not matter where the ePHI is maintained, be it in an EHR system or in the cloud, the business associate must ensure it is always available. Blocking access to the system used to store ePHI would therefore constitute a violation of the HIPAA Security Rule. Returning ePHI in a format that prevents the covered entity from accessing the data would breach the HIPAA Security Rule.

Further information can be found on the HHS website on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.