
OCR Warns Business Associates Against Holding PHI Hostage

Guidance Clarifies that BAs Cannot Block Access to Data

Even when entangled in billing or other disputes with covered entities, business associates may not block or terminate access by their clients to the protected health information of patients, federal regulators say in recently issued guidance.


The Department of Health and Human Services' Office for Civil Rights' guidance, issued on Sept. 28 in a "frequently asked questions" format, seeks to clarify that BAs that block a client hospital, clinic or other healthcare entity's access to patient data are likely in violation of HIPAA.

"Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the privacy rule," OCR says. "For example, a business associate blocking access by a covered entity to PHI - such as where an electronic health records developer activates a 'kill switch' embedded in its software that renders the data inaccessible to its provider client to resolve a payment dispute with the covered entity - is an impermissible use of PHI.

"Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI."

Interruptions to Care?

The OCR guidance appears to address issues that occasionally arise in conflicts between healthcare providers and their BAs.

"I don't think this is a particularly common situation, but where it occurs, even infrequently, it can be a real problem," says privacy attorney Kirk Nahra of the law firm Wiley Rein.

"There have been a limited number of situations where business associates have used access to information as a means of attacking a business dispute, or making it tough for a client to leave and move to a different vendor, or punishing a client that has left," he says. "There may be legitimate business concerns from the business associate - for example, unpaid bills - or these may be unfair business tactics, but HHS is saying that you can't hold PHI hostage to your business concerns. It is an example of where the patient's interest in information - ensuring that their information is available and accurate - overrides other business issues."

Privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek, says the FAQ is an important statement by HHS. "There has been much attention paid to the issue of information blocking and instances where EHR operators have limited or terminated access to patient records because of a business dispute or unpaid fees owed to the vendor," he says. "When these disputes lead to interruption of access to patient treatment information, it disrupts the provision of care and could pose a significant risk to patient safety."

EHR Vendor Dispute

Among the publicly fought disputes between BAs and covered entities (CEs) in which vendors have allegedly blocked a CE's access to patients' records is a case that started two years ago between Full Circle Health Care, a clinic in Presque Isle, Maine, and CompuGroup, an EHR software provider based in Germany with U.S. headquarters in Phoenix, Ariz. (see EHR Vendor Dispute: Lessons Learned).

Since fall 2014, CompuGroup has allegedly blocked Full Circle staff from accessing the medical histories on its 4,000 patients after the medical practice stopped paying CompuGroup a $2,000 monthly maintenance fee for 10 months.

Full Circle CEO E. Victoria Grover in September 2014 explained to Information Security Media Group that CompuGroup had recently acquired HealthPort, a vendor from which Full Circle purchased its EHR system.

Grover said the clinic's contract with HealthPort had stated that the practice would be charged $300 to $600 a month for maintenance, which included software updates and replacement of any defective hardware. But when CompuGroup acquired HealthPort, maintenance fees soared to $2,000 per month, she says. "We didn't sign a new contract."

CompuGroup cut off Full Circle's access to the EHR in 2014, and the clinic still cannot access patient information contained on two servers, Grover recently told ISMG.

"The system I purchased, including both software and hardware, from HealthPort for $72,000 is still in our office," Grover tells ISMG. "At some point before our conflict, and without our knowledge, CompuGroup inserted a kill switch onto my servers. These are the servers I purchased and maintained. The morning I came to work and found that we had lost access to all of our records, CompuGroup had shut us out by activating that kill switch."

Grover says she had contemplated filing a lawsuit against CompuGroup, but attorneys advised her that it would cost the clinic more in legal fees than it would ever get back from suing the vendor.

Since the dispute with CompuGroup, Full Circle moved onto a cloud-based EHR system from AthenaHealth.

"After CompuGroup left us with nothing, we put new chart information into Athena primarily from old paper charts that we still had in storage," she says. Full Circle also recreated the patient records through notes it requested from patients' other providers, she says. "And we asked our patients to help us, which they did. All our patients knew about our situation, and were very helpful in re-constructing their history. We also sent to local hospitals for copies of important imaging studies. We also printed off records from our lab that we were able to put into our new Athena charts."

In a Sept. 30 statement to ISMG, CompuGroup says: "We take our compliance responsibilities very seriously. We are currently assessing the impact of the FAQ released by the regulatory authorities on our existing business processes, including the pending matter with our client Full Circle."

More Conflicts to Come?

Conflicts like the one between Full Circle and CompuGroup could potentially become more common, which makes the guidance from OCR critical, Holtzman says.

"There has been a consolidation in the EHR marketplace as smaller vendors either leave the business or their operations are taken over by larger companies," he says. "There have been reports from some healthcare providers that maintenance and service agreements that had been in place with the EHR vendor were not being honored by the new operator."

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says that the recent OCR FAQ is a warning to BAs.

"Everyone has been put on notice that if OCR sees a business associate is withholding PHI because of lack of payment from a covered entity, they will work from this guidance and say this is an impermissible use subject to potentially millions of dollars in penalties," he says.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
