The majority of healthcare providers have now transitioned to electronic health records, yet ensuring ePHI is always accessible when it is needed is sometimes a challenge. Should providers not be able to access ePHI, the health and safety of patients may be put at risk.
To prevent harm to patients and HIPAA violations, the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has drawn attention to a number of new resources that have been made available to providers to help ensure ePHI access is maintained.
The ONC has drawn attention to a new FAQ that was recently published by the Department of Health and Human Services’ Office for Civil Rights (OCR), which explains how Health Insurance Portability and Accountability Act (HIPAA) Rules apply to health IT vendors, such as EHR vendors.
Health IT vendors are classed as business associates of HIPAA-covered entities, and as such they are required to abide by the HIPAA Privacy, Security, and Breach Notification Rules. The FAQ explains that under the HIPAA Privacy Rule, EHR vendors must ensure that the ePHI held on behalf of covered entities is accessible and usable on demand by the covered entity. This includes ensuring that ePHI can be accessed once a business associate relationship comes to an end and the ePHI must be returned.
The ONC has highlighted the importance of stipulating how ePHI should be returned when contracts with EHR vendors come to an end. Data stored in EHRs will typically be in a format specific to that vendor’s system, which may make it difficult for providers to use the data when it is returned. The guide recommends providers stipulate the format that should be used when data is returned. Providers need to explain in clear terms how data should be returned and this should be written into contracts to avoid data access issues.
The ONC also explains that blocking access privileges of a covered entity would be an impermissible use of ePHI and would violate the Privacy Rule. Blocking access could also prevent a covered entity from fulfilling its obligations to provide patients with copies of their ePHI.
ONC explains that activating a kill switch to terminate a provider’s access to ePHI in the event of a billing dispute is a violation of HIPAA Rules. The ONC refers to a 2014 case involving Full Circle Health Care, a small Maine healthcare provider, and its EHR vendor CompuGroup. Full Circle Health Care stopped paying the EHR vendor monthly fees because of disputed billings, only for CompuGroup to terminate access to electronic health records until $20,000 in missed payments were made. By terminating access to ePHI, CompuGroup was in violation of HIPAA Rules, and its actions potentially placed the health and safety of patients at risk.
To avoid these situations, ONC recommends that EHR contracts prohibit the use of kill switches or other technologies to terminate access to ePHI, even in the event of a billing dispute.
The ONC has also drawn attention to a recently published guide to EHR contracting, which can help covered entities negotiate favorable contract terms with EHR vendors. The guide covers some of the questions that need to be asked when negotiating contracts and selecting a new EHR. The guide also includes details of best practice contracting principles and explains the language used by EHR vendors, to help providers in discussions with new EHR vendors.
The aim of the blog post, and the new resources, is to “help providers act as valued custodians of their patients’ health information and ensure that electronic health information is available where and when it is needed to improve health and care.”