HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

ONC Draws Attention to New Resources to Help Providers Maintain Access to ePHI

The majority of healthcare providers have now transitioned to electronic health records, yet ensuring ePHI is always accessible when it is needed is sometimes a challenge. Should providers not be able to access ePHI, the health and safety of patients may be put at risk.

To prevent harm to patients and HIPAA violations, the Department of Health and Human Services’ Office of the National Coordinator for Health IT (ONC) has drawn attention to a number of new resources that have been made available to providers to help ensure ePHI access is maintained.

The ONC has drawn attention to a new FAQ that was recently published by the Department of Health and Human Services’ Office for Civil Rights (OCR), which explains how Health Insurance Portability and Accountability Act (HIPAA) Rules apply to health IT vendors, such as EHR vendors.

Health IT vendors are classed as business associates of HIPAA-covered entities, and as such they are required to abide by the HIPAA Privacy, Security, and Breach Notification Rules. The FAQ explains that under the HIPAA Privacy Rule, EHR vendors must ensure that the ePHI held on behalf of covered entities is accessible and usable on demand by the covered entity. This includes ensuring that ePHI can be accessed once a business associate relationship comes to an end and ePHI must be returned.

The ONC has highlighted the importance of stipulating how ePHI should be returned when contracts with EHR vendors come to an end. Data stored in EHRs will typically be in a format specific to that vendor’s system, which may make it difficult for providers to use the data when it is returned. The guide recommends providers stipulate the format that should be used when data is returned. Providers need to explain in clear terms how data should be returned and this should be written into contracts to avoid data access issues.

The ONC also explains that blocking access privileges of a covered entity would be an impermissible use of ePHI and would violate the Privacy Rule. Blocking access could also prevent a covered entity from fulfilling its obligations to provide patients with copies of their ePHI.

ONC explains that activating a kill switch to terminate a provider’s access to ePHI in the event of a billing dispute is a violation of HIPAA Rules. The ONC refers to a 2014 case involving Full Circle Health Care, a small Maine healthcare provider, and its EHR vendor CompuGroup. Full Circle Health Care stopped paying the EHR vendor monthly fees because of disputed billings, only for CompuGroup to terminate access to electronic health records until $20,000 in missed payments were made. By terminating access to ePHI, CompuGroup was in violation of HIPAA Rules and its actions potentially placed the health and safety of patients at risk.

To avoid these situations, ONC recommends that the use of kill switches or other technologies to terminate access to ePHI be prohibited in EHR contracts, even in the event of a billing dispute.

The ONC has also drawn attention to a recently published guide to EHR contracting, which can help covered entities negotiate favorable contract terms with EHR vendors. The guide covers some of the questions that need to be asked when negotiating contracts and selecting a new EHR. The guide also includes details of best practice contracting principles and explains the language used by EHR vendors to help providers in discussions with new EHR vendors.

The aim of the blog post, and the new resources, is to “help providers act as valued custodians of their patients’ health information and ensure that electronic health information is available where and when it is needed to improve health and care.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.