New Resources to Help Providers Maintain Access to Protected Health Information
Lucia Savage, J.D. and Karson Mahler, J.D. | November 1, 2016
As electronic health record (EHR) adoption becomes widespread, and providers increasingly embrace the patient engagement opportunities of digital health, EHR customers look to EHR vendors to ensure that health information is available where and when it is needed. And yet we know from our experience that many providers continue to face challenges when they seek access to protected health information (PHI)—challenges that could impact patient care and safety. That’s why we are highlighting two recent resources that improve the awareness of EHR vendors’ obligations to make health information available to their health care provider customers.
OCR Frequently Asked Questions
The first resource is a released by the Department of Health and Human Services’ Office for Civil Rights (OCR). The FAQ provides some bright line rules on when a health information technology (health IT) vendor (who is a “business associate”) would violate the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules by failing to make available the information it holds on behalf of its health care provider customer (who is a “covered entity”). For information on covered entities and business associates, see the Center for Medicare and Medicaid Services’ (CMS) site.
The new FAQ explains that:
- Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule” (45 CFR § 164.502(a)(3));
- To comply with the HIPAA Security Rule, a business associate must ensure that “electronic PHI (ePHI) is accessible and usable upon demand by the covered entity”, including when the covered entity/business associate relationship ends if the business associate agreement specifies that the PHI is to be returned (45 CFR § 164.306(a)(1) and 45 CFR § 164.304); and
- A business associate must not prevent a covered entity from accessing PHI to meet the provider’s obligation to supply or transmit a copy of PHI at a patient’s request (45 CFR § 164.524; see HIPAA Access Videos).
ONC EHR Contract Guide
The second resource is a guide on EHR contracting—EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print—that helps providers ask the right questions and better communicate their requirements when selecting an EHR. It also provides a framework for negotiating reasonable contract terms that reflect best practice contracting principles, including when it comes to data access.
Kill Switches Violate HIPAA Rules
To illustrate potential violations of HIPAA, the new OCR FAQ uses the kill switch scenario described in ONC’s 2015 Report to Congress on Health Information Blocking. In this scenario, an EHR vendor responds to a billing dispute with its provider customer by activating a kill switch embedded in its software to render PHI inaccessible. OCR’s FAQ makes clear that this scenario—which also attracted in 2014 when a small primary care provider discovered that it had been locked out of its cloud-based EHR—would violate HIPAA.
Consistent with OCR’s focus on the need for PHI to remain available, ONC’s EHR Contract Guide examines the patient care and safety hazards that arise from the threat to use or the use of kill switches and other disabling technologies. It recommends that EHR contracts explicitly prohibit the use of disabling technologies and thereby avoid the patient care, safety, and business risks that remain when an EHR contract is silent on the issue.
Together, the OCR guidance and the EHR Contract Guide offer a timely reminder that disabling technology that blocks access to PHI is contrary to law, bad for patient health, and that a contractual prohibition against it should be uncontroversial.
Returning PHI in a Usable Format
The FAQ also clarifies that if a business associate agreement requires that PHI be returned to the provider when the contract ends, it must be returned in a format “that is reasonable in light of the agreement to preserve its accessibility and usability.” That makes it critical for health care providers to ensure their EHR contracts include clear terms about how data will be returned in those cases.
This issue is discussed in detail in the EHR Contract Guide. The guide explains that clinical data is often stored in a format specific to the EHR vendor’s proprietary system. Unless a contract specifies an outgoing EHR vendor’s obligations to transfer the data in a usable format, the vendor may attempt to satisfy its obligations by providing records in a format that cannot be displayed or used effectively in the provider’s new system. The consequences of this can be far reaching, both for health care providers and their patients. The guide gives the example that if patient records are provided in a format that does not make them fully accessible in a new EHR, health care professionals may be unable to rely on clinical decision support tools that use the previously-recorded data to provide automated drug interaction alerts.
ONC’s EHR Contract Guide offers example contract language that health care providers can use as a starting point in discussions with their EHR vendors about returning records in a standardized structure and generally accepted format. We note that the guide serves as a resource but it is not legal advice.
The release of the new OCR FAQ and ONC’s new EHR Contract Guide are important components in OCR and ONC’s ongoing efforts to facilitate information sharing and electronic exchange. These releases build on recent efforts, including fact sheets from ONC and OCR on permitted uses and disclosures for treatment and health care operations, as well as educational videos on to health information, transparency requirements under ONC’s 2015 Edition final rule, and ONC’s interoperability pledge. Together, these resources and measures will help providers act as valued custodians of their patients’ health information and ensure that electronic health information is available where and when it is needed to improve health and care.
This communication was printed, published, or produced and disseminated at U.S. taxpayer expense.