The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.
The OCR guidance explains that such activity by a business associate is an impermissible use of PHI in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In addition, to the extent the PHI constitutes a designated record set, such activity could cause a vendor to violate its obligations under the applicable business associate agreement and the Privacy Rule to make available PHI to a customer as necessary for the customer to satisfy its obligation to provide access to PHI to individuals under the Privacy Rule.
A business associate is also required by the HIPAA Security Rule to ensure the confidentiality, integrity and availability of PHI that it creates, receives, maintains or transmits on behalf of a covered entity. Under HIPAA, “availability” means that data or information is accessible and useable upon demand by an authorized person. A vendor that blocks a covered entity customer’s access to essential PHI potentially violates the Security Rule’s “availability” requirement.
Moreover, the OCR guidance clarifies that maintaining the availability of PHI includes returning PHI at the termination of an agreement to a customer in a format that is reasonable in light of the vendor’s obligations under a business associate agreement. OCR acknowledged, however, that not all arrangements involving PHI require the covered entity to be able to access PHI. For example, some data aggregation arrangements will not implicate the information blocking prohibition when the source data that is used to create the aggregated data set is unreturnable after the data processing.
Finally, the OCR guidance notes that a covered entity itself has an obligation to ensure the availability of its own information and may be in violation of both the Privacy Rule and the Security Rule provisions relating to business associate arrangements if it enters into a business associate agreement that by its terms prevents the covered entity from fulfilling this obligation. This new guidance should serve as a reminder to covered entities to take care in drafting and negotiating business associate agreements and service agreements to protect against information blocking.
The OCR guidance would not prevent a vendor from charging a fee for access to or post-termination transfer of a covered entity’s data, the amount of which would be primarily a contractual matter. Instead, OCR has taken the position in the guidance that blocking access to PHI is not an appropriate remedy for non-payment of fees or other contractual disputes.
The OCR guidance adds to previous HHS activity discussing information blocking as a barrier to interoperability and health information exchange and a potential source of liability under the federal Anti-Kickback Statute, including the following:
In February of this year, HHS announced that health information technology developers whose products cover 90 percent of the country’s electronic health records, together with the five largest health care systems, agreed to implement a commitment to refrain from engaging in information blocking as part of its voluntary Interoperability Pledge.