In the healthcare industry, the management and protection of patient data are governed by strict regulations, chief among them the Health Insurance Portability and Accountability Act (HIPAA). A key aspect of HIPAA compliance is the relationship between covered entities and their business associates, and in particular the proper handling of protected health information (PHI).
Business associates, a category that spans a wide range of service providers from electronic health record (EHR) software vendors to cloud storage companies, often create, receive, maintain or transmit PHI on behalf of covered entities. This arrangement raises an important question about PHI access and control: is a business associate allowed to block, deny or terminate a covered entity's access to PHI?
The Short Answer: No
3 Main Reasons Why Business Associates Can't Block PHI Access
1. Impermissible Use: Under the HIPAA Privacy Rule, a business associate may use or disclose PHI only as permitted or required by its business associate agreement or as required by law, and may not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity. 45 CFR § 164.502(a)(3). Blocking a covered entity's access to PHI maintained on its behalf is not a use that the Privacy Rule or a compliant business associate agreement permits, so it is an impermissible use under the Privacy Rule.
2. Security Rule Requirements: The HIPAA Security Rule requires business associates to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) they create, receive, maintain, or transmit on behalf of their covered entities. 45 CFR § 164.306(a)(1). "Availability" is defined as the property that data or information is accessible and usable upon demand by an authorized person, and the covered entity on whose behalf the ePHI is maintained is such a person. 45 CFR § 164.304. A business associate that blocks a covered entity's access to ePHI therefore violates the Security Rule.
3. Obligation to Facilitate Individual Access: The HIPAA Privacy Rule gives individuals a right of access to their own health information and requires business associates to make PHI available to the covered entity so that the covered entity can satisfy that right. 45 CFR § 164.524; 45 CFR §§ 164.502(a)(4)(ii) and 164.504(e)(2)(ii)(E). A business associate that blocks a covered entity's access to PHI prevents the covered entity from meeting this obligation and so violates the Privacy Rule.
Examples of Impermissible Blocking
To better understand what constitutes impermissible blocking, below are some examples:
1. EHR Services: An EHR developer activating a "kill switch" in its software to make ePHI inaccessible to its covered entity due to a payment dispute.
2. Cloud Storage Services: A cloud storage provider denying access to stored ePHI or backups when a covered entity attempts to switch to a different service provider.
3. IT Management Services: An IT consultant changing passwords or access controls to critical systems containing ePHI without the covered entity's authorization.
4. Telemedicine Platforms: A telemedicine service provider shutting down a covered entity’s access to patient consultation records or communication logs containing ePHI.
5. Medical Billing Services: A billing company refusing to return or provide access to billing records containing ePHI when a healthcare provider decides to switch services.
Responsibility of Covered Entities
Covered entities also bear responsibility for the availability of their own PHI. A covered entity may disclose PHI to a business associate only after obtaining satisfactory assurances, documented in a business associate agreement (BAA), that the business associate will appropriately safeguard the information, and it should not agree to any BAA terms that would allow the business associate to withhold access. Agreeing to such terms, or otherwise failing to maintain availability, could itself place the covered entity out of compliance with HIPAA. 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).
Recommendations for Covered Entities Facing PHI Blocking
Despite HIPAA’s clear regulations, covered entities may sometimes face situations where a business associate attempts to block or terminate access to PHI. If you find yourself in this situation, consider the following steps:
1. Review the BAA: Check the terms of your BAA. It should include provisions guaranteeing your access to PHI and, at termination of the agreement, the return or destruction (if feasible) of all PHI the business associate still holds. 45 CFR § 164.504(e)(2)(ii)(J). If these provisions are absent, review the terms for citations to the applicable HIPAA regulations that require PHI access and the appropriate handling of PHI by the business associate.
2. Document the Incident: Keep detailed records of every attempt by the business associate to block, deny or terminate your access to PHI, including representative names, dates, times, and the specific actions taken.
3. Communicate in Writing: Formally request access to the PHI in writing, citing the relevant HIPAA regulations and the terms of your BAA, and clearly state the HIPAA violations that will result if your access is not restored.
4. Set a Reasonable Deadline: Give the business associate a reasonable timeframe to comply with your request for access.
5. Report: If the business associate refuses to comply, you may report the incident to the HHS Office for Civil Rights (OCR), which enforces the HIPAA Rules. A complaint must generally be filed within 180 days of when you knew, or should have known, of the conduct. 45 CFR § 160.306(b)(3).
The information provided is for general informational purposes only and is not intended as legal advice or a legal opinion on any individual matter. Legal developments or changes in law or regulations may occur in the future, and the content here may not be the most up-to-date legal or other information at the time of reading. You should consult your own attorney for any legal advice you may require.
If you do not have an attorney and would like to explore how Venus Caruso can assist you, you can contact Venus using the website's contact form or by emailing her at venus@carusolawoffice.com.