Vendors can’t hold your patient data hostage.
It is not okay for EHR vendors to lock out providers from health records during payment disputes, says HHS’s Office of Civil Rights in recently published guidance.
A vendor that hits a “kill switch” embedded in its software is violating HIPAA provisions that govern protected health information (PHI), the OCR says.
If a covered entity and a business associate terminate an agreement, the business associate must return PHI to the covered entity. If the BA fails to do so, it has broken the law, OCR adds.
The OCR guidance aims to prevent vendors from blocking providers’ access to PHI, as was the case in a high-profile story involving a Maine clinic in 2014, Politico notes. The small clinic was locked out of its EHR system when it could no longer afford to pay its vendor’s fees, according to The Boston Globe (https://www.bostonglobe.com/news/nation/2014/09/21/electronic-health-records-vendor-compugroup-blocks-maine-practice-from-accessing-patient-data/6ILpMv78NARDsrdU5O0T9N/story.html).
Editor’s Note: To read the OCR guidance, go to http://www.hhs.gov/hipaa/for-professionals/faq/2074/may-a-business-associate-of-a-hipaa-covered-entity-block-or-terminate-access/index.html.