OCR: BAs Can’t Hold PHI Hostage to Resolve Payment Disputes
A business associate (BA) that cuts off a covered entity's (CE) access to its own protected health information (PHI) may violate HIPAA, the Office for Civil Rights (OCR) said in a September 28 FAQ.
The potential for a HIPAA violation hinges on the impermissible use of PHI, OCR said. If a BA maintains PHI on behalf of a CE and blocks or terminates the CE's access in order to resolve a payment dispute or delay, OCR defines the act as an impermissible use of PHI on the part of the BA.
BAs, as well as CEs, are charged with keeping PHI secure and available. Maintaining availability means that the BA is required to make the PHI accessible to the CE even when the BA wishes to terminate its contract with the CE. The BA must return the CE’s PHI in a usable, accessible format when it terminates a contract and may not keep or withhold PHI. The BA may only destroy PHI under certain circumstances, which must be outlined in the BA agreement (BAA).
However, OCR added a caveat: It’s a CE’s responsibility to ensure the availability of its own PHI. If a CE accepts terms in a BAA that prevent the CE from ensuring access to its PHI, the CE may be in violation of HIPAA.