The U.S. Department of Health and Human Services Office for Civil Rights (OCR) recently issued guidance for vendors of electronic health records (EHRs) and other HIPAA business associates (BAs) confirming that they must always make electronic protected health information (ePHI) available to covered entities. The guidance, issued as an FAQ, describes how the HIPAA Rules apply to situations where a BA terminates or blocks a covered entity's access to ePHI.
The September 28 guidance confirms that blocking or terminating access to ePHI (for example, as a result of a dispute over payment for the BA's services) is a violation of the HIPAA Privacy Rule that could result in a fine for the BA. In addition, the HIPAA Security Rule requires the BA to ensure the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits on behalf of a covered entity. Blocking access to the ePHI, or returning it to the covered entity in an unusable format, would therefore violate the Security Rule.