OCR Confirms that an EHR Kill Switch Violates HIPAA

If you’re a digital health vendor with an EHR product, take heed. Simply because your client hasn’t paid you for implementation, or you’ve had a disagreement about the product, doesn’t mean you can refuse them access to the EHR and the ePHI within. It’s a HIPAA violation. You can check out the FAQ, aka the guidance, from OCR that clearly states just how the HIPAA Rules apply in this situation.

You’re probably familiar with the idea of a “kill switch” – an old trick from the early days of web and application development that’s still around. In the case of an EHR, it looks like this: there’s a payment dispute between the CE and the BA, or the covered entity decides not to renew a BA agreement, and the BA decides to pull the plug. No more access to the EHR, no way to get to the ePHI. Never mind that it’s not a good way to do business – word gets around – it’s also going to get the BA in trouble with OCR.

Patients need to be able to access their health data – it’s a requirement of the Privacy Rule. Covered entities need to be able to get to and share that health data in a format that the patient – and the CE – can use. If you block a covered entity’s access to the ePHI, you’re effectively blocking the patient, because the CE must be able to give that information to their patients upon request.

The ePHI doesn’t belong to the BA just because it’s stored, transmitted or otherwise touched by the BA or its application. No matter what, it must remain available to the patient and to the CE that the BA agreement is with – otherwise the BA is in violation of the Privacy and Security Rules. So work out your differences without involving ePHI. The trouble isn’t worth it.

Covered Entities Beware

If you enter into a BA relationship with a vendor and you include language in the contract that the BA may withhold access to your ePHI, that’s a violation of HIPAA. Unless the data is being disclosed to be converted to a limited data set or de-identified data (say, following a research project), entering into a contract with a vendor where you know you will no longer have access to your ePHI could land you in trouble with OCR.

Chris Apgar, CISSP, CEO, is a frequent educator and panelist for OMA, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. Contact Apgar and Associates for help with questions and concerns about your privacy and security compliance program at 877-376-1981.