Has a HIPAA business associate ever threatened to withhold protected health information (PHI) during a business dispute? If so, the Office of Civil Rights (OCR) has indicated that such business associate may be violating the HIPAA Privacy and Security Rules. OCR recently issued guidance in the form of a new Frequently Asked Question addressing whether it is permissible for a business associate to block or terminate a covered entity’s access to the PHI being maintained by the business associate for or on behalf of the covered entity.
In answering this question, OCR points out that “a business associate may not use PHI in a manner or to accomplish a purpose or result that would violate the HIPAA Privacy Rule” and further states that an Electronic Health Record (EHR) vendor that “activates a ‘kill switch’ embedded in its software that renders the data inaccessible to resolve a payment dispute with the covered entity is an impermissible use of PHI.”
In addition, OCR states that “a business associate that terminates access privileges of a covered entity, or otherwise denies a covered entity’s access to the ePHI it holds on behalf of the covered entity, is violating the Security Rule” by failing to ensure the PHI remains accessible and usable as requested by the covered entity.
Furthermore, OCR indicates that “a business associate is required by the HIPAA Privacy Rule and its business associate agreement to make PHI available to a covered entity as necessary to satisfy the covered entity’s obligations to provide access to individuals,” and failure to do so violates the Privacy Rule.
Lastly, OCR reminds covered entities that ultimately it is their responsibility to ensure the availability of their PHI. Therefore, covered entities should carefully review the terms of their vendor and business associate agreements. Covered entities are at risk of violating the Privacy and Security Rules if they agree to contract terms that prevent the covered entities from ensuring the availability of their own PHI.