
OCR Guidance Confirms That EHR Vendors Cannot Block Access to ePHI

Posted in Electronic Health Records, HIPAA and the HITECH Act, Hospitals and Institutions, Legislation and Public Policy, Privacy and Data Protection

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance for vendors of electronic health records (EHRs) and other HIPAA business associates (BAs) confirming that they must always make electronic protected health information (ePHI) available to covered entities. The guidance, issued as an FAQ, describes how the HIPAA Rules apply to situations where a BA terminates or blocks a covered entity’s access to ePHI.

The September 28 guidance confirms that blocking or terminating access to ePHI (for example, as a result of a dispute over payment for the BA’s services) is a violation of the HIPAA Privacy Rule that could result in a fine for the BA. In addition, the HIPAA Security Rule requires the BA to ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of a covered entity. Blocking access to the ePHI, or returning it to the covered entity in an unusable format, would therefore violate the Security Rule.
