The U.S. Department of Health and Human Services Office for Civil Rights (HHS-OCR) recently provided some clarification on this frequently asked HIPAA question:
Is the business associate of a HIPAA covered entity permitted to block or terminate that covered entity's access to the protected health information (PHI) which the business associate maintains for or on behalf of that covered entity?
The answer is "No, the business associate is not permitted to block or terminate access." HHS-OCR offers three reasons why:
- A business associate violates the HIPAA Privacy Rule if it blocks or terminates access to PHI it maintains on behalf of a covered entity. Examples include situations such as blocking access to PHI in order to resolve a payment dispute with the covered entity or a failure by the business associate to return PHI after the termination of an agreement by either party.
- The HIPAA Security Rule requires business associates to ensure the confidentiality, integrity, and availability of the electronic PHI they create, receive, maintain, or transmit on behalf of a covered entity. What does this mean? Business associates must be able to ensure that data is accessible and usable on demand if requested by the covered entity or, if the agreement is terminated, that the data is returned in an accessible and usable format.
- The HIPAA Privacy Rule and its business associate agreement require a business associate to make PHI available so that a covered entity can meet its obligation to provide individuals with their right of access.
Are there situations in which a business associate destroys or disposes of PHI that DO NOT constitute data blocking?
HHS-OCR says that it is aware of contractual arrangements that authorize a business associate to destroy or dispose of PHI or combine data from multiple sources. If, for instance, a covered entity enters into an agreement in which the business associate is directed to aggregate data, it is possible that the original source data may be rendered unreturnable. This type of arrangement does not constitute data blocking.
What's the bottom line for physicians and practices?
A covered entity bears the ultimate responsibility for making sure its PHI is accessible. If a covered entity enters into an agreement that prevents it from ensuring PHI access, it is not in compliance with HIPAA regulations.
A blog post from the Office of the National Coordinator for Health Information Technology offers more information on model contract language that can help covered entities prevent data blocking. Read HHS-OCR's FAQ on the issue of data blocking, and access HHS-OCR's HIPAA FAQs for Professionals.
Pennsylvania Medical Society (PAMED) members with questions on HIPAA can also contact PAMED's Knowledge Center at 855-PAMED4U (855-726-3348) or KnowledgeCenter@pamedsoc.org.