OCR: EHR vendors can’t hold patients’ records hostage

If an electronic health records (EHR) vendor denies a physician or clinic access to records it maintained on behalf of the physician/clinic, it is in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The US Department of Health and Human Services Office for Civil Rights (OCR) has clarified that EHR vendors may not block or terminate access by a “covered entity” to protected health information (PHI) maintained by the vendor as a means to ensure payment of contracted fees or for any other reason. This clarification was issued in reaction to reports of “information blocking” by EHR vendors that had denied access to patient records as leverage in fee disputes with physicians or other health care providers.

In this FAQ, OCR explains that EHR vendors are business associates under HIPAA and, therefore, must allow access by a covered entity to PHI the EHR vendor is using, storing or transmitting for or on behalf of the covered entity. Such vendors are required to ensure the confidentiality, integrity and availability of PHI of a covered entity; and under HIPAA, “availability” means that data or information is accessible and useful upon demand by an authorized person.

OCR makes clear that the issue of fees is a separate contractual matter. The fact that a vendor is required to provide access to PHI it stores for a covered entity does not mean it cannot charge a fee for that access. It does mean, however, that the vendor cannot condition access to that PHI on payment of the fees.

The FAQ also provides guidance on the obligations of a vendor when the relationship is terminated. According to OCR, in the event of termination of the licensing or service agreement between a covered entity and an EHR vendor, the vendor must return PHI as provided for by the business associate agreement. If it continues to maintain PHI of that covered entity after termination, it must provide the covered entity access upon request, though it may charge fees for that access if payment of the fees is not a precondition to access.

The OCR guidance also makes clear that covered entities have a duty to ensure their continued ability to access their PHI.

The Wisconsin Medical Society recommends that issues related to access, transfer, storage, response to patient requests, etc. be addressed with EHR vendors when the relationship is first negotiated. Storing PHI locally or on servers owned or contracted by the covered entity is an additional safeguard to prevent a loss of access. Finally, though this OCR guidance provides a means to require EHR vendors to provide access to PHI after the fact, covered entities should ensure that, upon termination of a relationship with an EHR vendor, all PHI is transferred to the covered entity and/or its new EHR vendor.

For more information regarding considerations in contracting with EHR vendors, see this AMA STEPS Forward module on Electronic Health Record (EHR) Software Selection and Purchase, and this article by the Texas Medical Association on issues to consider when contracting with EHR vendors.

Back to May 10, 2018 Medigram