e-mail Print Share

New FAQ addresses provider access to protected health information

October 03, 2016 Washington— Business associates may not block a provider's access to protected health information maintained on behalf of the provider, according to the U.S. Office for Civil Rights.

In a FAQ published Sept. 28, the agency states, for example, that it would be an impermissible use of PHI if an electronic health record developer attempted to resolve a payment dispute by keeping data away from a Health Insurance Portability and Accountability Act covered entity. For dental offices, an example might be if a software vendor were to lock the staff out of patient data files due to a payment dispute.

"Generally, if a business associate blocks access to the protected health information it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule," said OCR.

The FAQ also states that business associates are required by the HIPAA Security Rule "to ensure the confidentiality, integrity and availability of all electronic protected health information" that it "creates, receives, maintains or transmits" on behalf of covered entities.

OCR also notes that business associates are required by HIPAA to "make protected health information available to a covered entity as necessary to satisfy the covered entity's obligations to provide access to individuals."

Finally, OCR notes that a covered entity is responsible for ensuring the availability of its own PHI.

The new FAQ is on the OCR website.