May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?
First, a business associate may not use PHI in a manner or to accomplish a purpose or result that would violate the HIPAA Privacy Rule. See 45 CFR § 164.502(a)(3). Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule. For example, a business associate blocking access by a covered entity to PHI (such as where an Electronic Health Record (EHR) developer activates a “kill switch” embedded in its software that renders the data inaccessible to its provider client) to resolve a payment dispute with the covered entity is an impermissible use of PHI. Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI.
Second, a business associate is required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that it creates, receives, maintains, or transmits on behalf of a covered entity. See 45 CFR § 164.306(a)(1). Maintaining the availability of the ePHI means ensuring the PHI is accessible and usable upon demand by the covered entity, whether the PHI is maintained in an EHR, cloud, data backup system, database, or other system. 45 CFR § 164.304. This also includes, in cases where the business associate agreement specifies that PHI is to be returned at termination of the agreement, returning the PHI to the covered entity in a format that is reasonable in light of the agreement to preserve its accessibility and usability. A business associate that terminates access privileges of a covered entity, or otherwise denies a covered entity’s access to the ePHI it holds on behalf of the covered entity, is violating the Security Rule.
Third, a business associate is required by the HIPAA Privacy Rule and its business associate agreement to make PHI available to a covered entity as necessary to satisfy the covered entity’s obligations to provide access to individuals under 45 CFR § 164.524. See 45 CFR §§ 164.502(a)(4)(ii), 164.504(e)(2)(ii)(E). Therefore, a business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if the covered entity needs the PHI to satisfy its obligations under 45 CFR § 164.524.
OCR recognizes, however, that there may be certain arrangements that authorize the business associate to destroy or dispose of PHI, or perform data aggregation or otherwise combine data from multiple sources, and where, because of the nature of the services to be performed by the business associate with the PHI as specified in the contractual arrangements between the parties, the covered entity and business associate agree that the business associate will not provide the covered entity access to the PHI. For example, a covered entity may engage a business associate to perform data aggregation of information from multiple sources that renders the disaggregated original source data unreturnable to the covered entity. OCR does not consider these contractual arrangements to constitute the types of impermissible data blocking or access termination described above.
Finally, OCR notes that a covered entity is responsible for ensuring the availability of its own PHI. To the extent that a covered entity has agreed to terms in a business associate agreement that prevent the covered entity from ensuring the availability of its own PHI, whether in paper or electronic form, the covered entity is not in compliance with 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).