April 21, 2019

April 19, 2019


OCR Explains How Information Blocking Violates HIPAA

Summary

The US Department of Health and Human Services Office for Civil Rights recently posted guidance clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information maintained by the vendor on behalf of the customer.

In Depth

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently posted guidance (OCR guidance) clarifying that a business associate such as an information technology vendor generally may not block or terminate access by a covered entity customer to protected health information (PHI) maintained by the vendor on behalf of the customer. Such “information blocking” could occur, for example, during a contract dispute in which a vendor terminates customer access or activates a “kill switch” that renders an information system containing PHI inaccessible to the customer. Many information vendors have historically taken such an approach to commercial disputes.

The OCR guidance explains that such activity by a business associate is an impermissible use of PHI in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In addition, to the extent the PHI constitutes a designated record set, such activity could cause a vendor to violate its obligations under the applicable business associate agreement and the Privacy Rule to make available PHI to a customer as necessary for the customer to satisfy its obligation to provide access to PHI to individuals under the Privacy Rule.

A business associate is also required by the HIPAA Security Rule to ensure the confidentiality, integrity and availability of PHI that it creates, receives, maintains or transmits on behalf of a covered entity. Under HIPAA, “availability” means that data or information is accessible and useable upon demand by an authorized person. A vendor that blocks a covered entity customer’s access to essential PHI potentially violates the Security Rule’s “availability” requirement.

Moreover, the OCR guidance clarifies that maintaining the availability of PHI includes returning PHI at the termination of an agreement to a customer in a format that is reasonable in light of the vendor’s obligations under a business associate agreement. OCR acknowledged, however, that not all arrangements involving PHI require the covered entity to be able to access PHI. For example, some data aggregation arrangements will not implicate the information blocking prohibition when the source data that is used to create the aggregated data set is unreturnable after the data processing.

Finally, the OCR guidance notes that a covered entity itself has an obligation to ensure the availability of its own information and may be in violation of both the Privacy Rule and the Security Rule provisions relating to business associate arrangements if it enters into a business associate agreement that by its terms prevents the covered entity from fulfilling this obligation. This new guidance should serve as a reminder to covered entities to take care in drafting and negotiating business associate agreements and service agreements to protect against information blocking.

The OCR guidance would not prevent a vendor from charging a fee for access to or post-termination transfer of a covered entity’s data, the amount of which would be primarily a contractual matter. Instead, OCR has taken the position in the guidance that blocking access to PHI is not an appropriate remedy for non-payment of fees or other contractual disputes.

The OCR guidance adds to previous HHS activity discussing information blocking as a barrier to interoperability and health information exchange and a potential source of liability under the federal Anti-Kickback Statute, including the following: 

  • In April 2015, HHS’s Office of the National Coordinator for Health Information Technology (ONC) submitted a Report on Health Information Blocking to the US Congress that defined “information blocking” as the knowing and unreasonable interference with the exchange or use of electronic health information. The report outlined a number of scenarios that describe information blocking conduct, including an electronic medical record (EHR) system billing dispute that results in the termination of customer access to PHI.

  • On October 6, 2015, the HHS Office of Inspector General (OIG) issued an OIG Policy Reminder: Information Blocking and the Federal Anti-Kickback Statute (OIG Policy Reminder) that reminds health care providers that a safe harbor to the federal Anti-Kickback Statute related to the provision of EHR technology requires that a donor of EHR technology must not take any action to limit or restrict the use, compatibility, or interoperability of the items or services with other electronic prescribing or EHR systems (including, but not limited to, health information technology applications, products, or services).

In February of this year, HHS announced that health information technology developers whose products cover 90 percent of the country’s electronic health records and five largest health care systems agreed to implement a commitment to refrain from engaging in information blocking as part of its voluntary Interoperability Pledge.

© 2019 McDermott Will & Emery


About this Author

Associate

Amanda Enyeart is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Amanda focuses her practice on general regulatory health law matters. 

Previously, Amanda was an associate at a national law firm in its Chicago office where she provided guidance on regulatory issues, such as practitioner licensure; telehealth; Medicare and Medicaid reimbursement; and compliance with Stark Law and the Anti-Kickback Statute and state fraud and abuse laws.

Additionally, Amanda has...

Partner

Ryan S. Higgins is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office. He focuses his practice on representing hospitals, health systems, private equity firms and platform companies, and other health care organizations in corporate and transactional matters, including mergers, acquisitions, joint ventures, and management arrangements. He also focuses a significant portion of his practice on representing health care organizations in matters involving health information privacy and security and HIPAA compliance.

Partner

Daniel Gottlieb is a partner in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Chicago office.  Daniel represents a wide range of health care industry clients, including health care providers, health information technology vendors, pharmaceutical companies, medical device companies, and health plans.  He has extensive experience in advising clients on compliance with federal and state health care laws as well as representing health care industry clients in mergers, acquisitions, joint ventures, and...

Associate

Edward G. Zacharias is an associate in the law firm of McDermott Will & Emery LLP and is based in the Firm’s Boston office.  Edward provides regulatory and transactional representation to health systems, academic medical centers, physician group practices, HMOs, faculty practice plans, nursing facilities and a variety of other health care clients.  He represents clients in connection with acquisitions, joint ventures, strategic affiliations, conversions to tax exempt status, HIPAA compliance, fraud and abuse and Stark, reimbursement,...
