1. Home
  2. Practice Help
  3. Health Information Technology
  4. Electronic Health Records

Know Your Rights to Your Patients’ PHI
By Ellen Terry

Accessing_Info

Can your electronic health record (EHR) vendor block or terminate your access to your patients’ medical records?

No, says the U.S. Department of Health and Human Services. 

As your business associate, your EHR vendor is subject to HIPAA Privacy and Security rules with respect to patients’ protected health information (PHI). 

The Privacy Rule, with few exceptions, gives patients the right to inspect, review, and receive a copy of their medical records. HIPAA requires that business associates make PHI available to a physician as necessary to satisfy the physician’s obligation to the patient. Blocking access — such as “turning off” EHR access during a payment dispute — is a violation of the Privacy rule. 

The Security Rule requires business associates to ensure the confidentiality, integrity, and availability of all electronic PHI it creates, receives, maintains, or transmits on behalf of a physician. This means the PHI must be accessible and usable upon request by the physician practice whether it’s maintained in an EHR, cloud, data backup system, database, or other system. 

If your business associate agreement with a vendor specifies PHI is to be returned at termination of the agreement, the vendor must provide the PHI in a format that is “reasonable,” in other words, accessible and usable. The Texas Medical Association has a sample agreement available at our online HIPAA Resource Center.

The Office of the National Coordinator for Health Information Technology suggests incorporating the terms of the sample agreement into your EHR vendor contract and expressly stating that it takes precedence in any conflict or inconsistency. It’s wise also to include a provision regarding the return of your own confidential data, beyond what is PHI under HIPAA.

Be sure you have a signed business associate agreement with the vendor on file, in which the vendor agrees to comply with applicable HIPAA provisions. HIPAA requires this.

If you believe your technology vendor may be violating HIPAA by blocking access to PHI, you can file a complaint with the Office for Civil Rights. Before filing a complaint, review your business associate agreement carefully.

See the TMA publication, Switching EHR Systems, for more about transitioning your data when you switch vendors. The continuing medical education course is free for TMA members, thanks to sponsorship from TMA Insurance Trust


Last Updated On

June 04, 2018

Originally Published On

June 04, 2018

Related Content

EHRs | HIPAA

TMA Membership

What could a TMA Membership mean for you, your practice, and your patients?

Join TMA Now

Texas Medicine 

Incoming TMA President Ray Callas, MD's 26 years of experience as a member have prepared him to lead the association at a time when Texas physicians face economic challenges and when the state simultaneously faces a record influx of new physicians amid a workforce shortage. Both, he says, are opportunities that put organized medicine in a unique position to offer feasible solutions. TMA also debuts its newest leadership development program for physicians at every career stage, and the TMA Alliance’s outgoing and incoming presidents share their passion for building and bonding the Family of Medicine. Plus, learn how TMA’s Physician Payment Resources Center communicates with payers on behalf of physicians’ best interests. 

April_24_TM_Cover

 

Get the latest issue.