Can EHR Vendors Block or Terminate a Medical Practice’s Access to Patient Information?
We have seen numerous instances in which a medical practice notifies an EHR vendor that it plans to terminate the relationship with the vendor, and the EHR vendor refuses to transfer patient information or otherwise provide the practice with access to patient information, unless the practice pays an exorbitant fee. These situations raise the question of whether such behavior by the EHR vendor is legal and permissible. This question arises because, in this scenario, the practice is considered a “Covered Entity” and the EHR vendor is a “Business Associate” as defined by the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. Consequently, the relationship is governed by the requirements set forth in HIPAA and its implementing regulations. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), which enforces HIPAA’s Privacy and Security Rules, recently issued guidance on this topic in a newly released FAQ.
According to the Department of Health and Human Services website, “it is unlawful under HIPAA for EHR vendors to block or terminate access by a medical practice customer or former customer to the protected health information (PHI) maintained by the vendor.” Whether this also means the EHR vendor is prohibited from charging for access requires further analysis.
In order to analyze the question of whether the EHR vendor is prohibited from charging for access, it is first important to note that a business associate may not use PHI in a manner that violates the HIPAA Privacy Rule. (See 45 CFR § 164.502(a)(3).) According to OCR,
“[g]enerally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule. For example, a business associate blocking access by a covered entity to PHI (such as where an Electronic Health Record (EHR) developer activates a ‘kill switch’ embedded in its software that renders the data inaccessible to its provider client) to resolve a payment dispute with the covered entity is an impermissible use of PHI. Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI.”
Second, we note that a business associate is required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that it creates, receives, maintains, or transmits on behalf of a covered entity. (See 45 CFR § 164.306(a)(1).) OCR has interpreted this to mean that,
“Maintaining the availability of the ePHI means ensuring the PHI is accessible and usable upon demand by the covered entity, whether the PHI is maintained in an EHR, cloud, data backup system, database, or other system. 45 CFR § 164.304. This also includes, in cases where the business associate agreement specifies that PHI is to be returned at termination of the agreement, returning the PHI to the covered entity in a format that is reasonable in light of the agreement to preserve its accessibility and usability. A business associate that terminates access privileges of a covered entity, or otherwise denies a covered entity’s access to the ePHI it holds on behalf of the covered entity, is violating the Security Rule.”
The third point of note in analyzing the question is that a business associate is required by the HIPAA Privacy Rule and its business associate agreement to make PHI available to a covered entity as necessary to satisfy the covered entity’s obligations to provide access to individuals under 45 CFR § 164.524. (See 45 CFR §§ 164.502(a)(4)(ii), 164.504(e)(2)(ii)(E).) Therefore, a business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if the covered entity needs the PHI to satisfy its obligations under 45 CFR § 164.524.
After reviewing these various provisions, the question remains as to whether HIPAA limits or prohibits an EHR vendor from charging a fee for furnishing the patient charts. Certainly, an unreasonably high fee would likely be deemed to interfere with the practice’s, and its patients’, access to records. One could argue that any fee would be prohibited, but an EHR vendor could probably make a good case that a fee reflecting the reasonable costs incurred by the vendor in downloading, transmitting, or providing access to the records would not constitute unlawful interference.
Medical practices should be careful when negotiating contracts with EHR vendors to ensure that the contracts include provisions dealing with the release of and access to records following termination of the contract with the EHR vendor. Whenever possible, records should be downloaded in a readable format for the practice’s use without charge to the practice. If the vendor insists on a charge, it should be set in advance to avoid surprises. If no such provision exists, the practice may be able to successfully argue that the vendor’s failure to release records in a reasonable manner would violate HIPAA and subject the vendor to legal liability. If you have questions or concerns regarding EHR vendors and HIPAA, contact Frier Levitt to speak to an attorney.