Know Your Rights to Your Patients’ PHI
By Ellen Terry


Can your electronic health record (EHR) vendor block or terminate your access to your patients’ medical records?

No, says the U.S. Department of Health and Human Services. 

As your business associate, your EHR vendor is subject to HIPAA Privacy and Security rules with respect to patients’ protected health information (PHI). 

The Privacy Rule, with few exceptions, gives patients the right to inspect, review, and receive a copy of their medical records. HIPAA requires that business associates make PHI available to a physician as necessary to satisfy the physician’s obligation to the patient. Blocking access — such as “turning off” EHR access during a payment dispute — is a violation of the Privacy Rule.

The Security Rule requires business associates to ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit on behalf of a physician. This means the PHI must be accessible and usable upon request by the physician practice, whether it’s maintained in an EHR, cloud, data backup system, database, or other system.

If your business associate agreement with a vendor specifies PHI is to be returned at termination of the agreement, the vendor must provide the PHI in a format that is “reasonable,” in other words, accessible and usable. The Texas Medical Association has a sample agreement available at our online HIPAA Resource Center.

The Office of the National Coordinator for Health Information Technology suggests incorporating the terms of the sample agreement into your EHR vendor contract and expressly stating that it takes precedence in any conflict or inconsistency. It’s wise also to include a provision regarding the return of your own confidential data, beyond what is PHI under HIPAA.

Be sure you have a signed business associate agreement with the vendor on file, in which the vendor agrees to comply with applicable HIPAA provisions. HIPAA requires this.

If you believe your technology vendor may be violating HIPAA by blocking access to PHI, you can file a complaint with the Office for Civil Rights. Before filing a complaint, review your business associate agreement carefully.

See the TMA publication, Switching EHR Systems, for more about transitioning your data when you switch vendors. The continuing medical education course is free for TMA members, thanks to sponsorship from TMA Insurance Trust.

Last Updated On

June 04, 2018

Originally Published On

June 04, 2018
