NEW HHS GUIDANCE SUGGESTS EMR VENDORS AND OTHER BUSINESS ASSOCIATES CANNOT HOLD PROTECTED HEALTH INFORMATION HOSTAGE

The Department of Health and Human Services (“HHS”) recently issued guidance regarding the practice of a Business Associate cutting off a Covered Entity’s access to Protected Health Information (“PHI”). This may occur when a healthcare provider refuses to pay its electronic medical records (“EMR”) vendor or when the provider decides to switch vendors. The EMR vendor may cut off access to the EMR and the Covered Entity is left without access to its patients’ records.

HHS has indicated that a Business Associate may not use PHI in a manner that would violate the HIPAA Privacy Rule. A Covered Entity is required to maintain medical records and allow patients to access their medical records. If an EMR vendor cuts off access to the EMR, the Covered Entity may be unable to respond to patient record requests. (This type of action could also create significant patient safety and liability issues.)

With this guidance, providers have gained some leverage when an EMR or other vendor attempts to hold their PHI hostage; however, providers also need to be aware that entering into vendor agreements that allow a Business Associate to deny the Covered Entity/provider access to PHI may also violate HIPAA. A Covered Entity is responsible for ensuring the availability of its own PHI.

Takeaways:

  • Covered Entities should ensure they have updated Business Associate Agreements in place with vendors;
  • Covered Entities should carefully examine their EMR vendor agreements to ensure that there is not a provision that allows the vendor to cut off access to patient records without a backup or retrieval mechanism;
  • Covered Entities should review other vendor agreements which may involve PHI and ensure that there are no provisions that allow the vendor to cut off access to the PHI;
  • As a reminder, the Office of Civil Rights is continuing audits this fall. The audits will focus on Covered Entities with small breaches (affecting fewer than 500 people) and Business Associates. Now is a good time to review HIPAA policies and procedures to make sure they are up to date.

This publication is provided for information purposes only and shall not constitute legal advice or create an attorney-client relationship.

Written by: Samantha Prokop, Healthcare Attorney