Healthcare Information Security

HIPAA and Compliance News

PHI Access Challenges Addressed in Recent ONC Resources

The ONC discussed common PHI access challenges, and how EHR vendors are obligated to make health information available to healthcare provider customers.

By Elizabeth Snell

Healthcare organizations face numerous potential PHI access challenges, especially as more entities continue to adopt new EHRs, according to the Office of the National Coordinator (ONC). That is why ONC wanted to ensure that covered entities are aware of available resources to help EHR vendors make health information readily available to their customers.

ONC discusses PHI access challenges in new resources

In a recent blog post, ONC Chief Privacy Officer Lucia Savage and Senior Policy Officer Karson Mahler, JD explained that EHR customers typically turn to their EHR vendors “to ensure that health information is available where and when it is needed.”

One key resource the duo pointed to is a new OCR Frequently Asked Questions page discussing potential HIPAA violations for business associates. Essentially, business associates would be violating HIPAA if they did not make the information that it holds on behalf of a covered entity readily available.

“Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule,” Savage and Mahler wrote, citing the FAQ page. “A business associate must not prevent a covered entity from accessing PHI to meet the provider’s obligation to supply or transmit a copy of PHI at a patient’s request.”

There is also an EHR contracting guide that can be beneficial to providers. The guide “provides a framework for negotiating reasonable contract terms that reflect best practice contracting principles.” Furthermore, providers can learn which questions to ask when going through the EHR selection process, ensuring that they are able to meet all necessary requirements as well.

Another key aspect of the FAQ discusses the “kill switch scenario,” which is explained in greater detail in ONC’s 2015 Report to Congress on Health Information Blocking.

“In this scenario, an EHR vendor responds to a billing dispute with its provider customer by activating a kill switch embedded in its software to render PHI inaccessible,” the duo wrote, adding that such action would be a HIPAA violation.

Furthermore, disabling technology that blocks access to PHI is bad for patients’ health. EHR contracts should “prohibit the use of disabling technologies and thereby avoid the patient care, safety, and business risks that remain when an EHR contract is silent on the issue,” stated Savage and Mahler.

It is also important for business associates to understand when PHI must be returned in a useable format. Healthcare providers need to clarify in their business associate agreements how PHI needs to be returned when a contract ends.

“Unless a contract specifies an outgoing EHR vendor’s obligations to transfer the data in a usable format, the vendor may attempt to satisfy its obligations by providing records in a format that cannot be displayed or used effectively in the provider’s new system,” the blog post reads. “The consequences of this can be far reaching, both for health care providers and their patients.”

Savage and Mahler also note that the ONC EHR Contract Guide has sample language that providers can use when working with their EHR vendors on how PHI must be returned.

Both the FAQ page and Contract Guide are part of ONC and OCR efforts to facilitate information sharing and electronic exchange, the duo explained.

“Together, these resources and measures will help providers act as valued custodians of their patients’ health information and ensure that electronic health information is available where and when it is needed to improve health and care.”

Dig Deeper:

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks