PHI Access Rights for HIPAA Covered Entities at Issue in HHS Guidance | Practical Law

In subregulatory guidance, the Department of Health and Human Services (HHS) has addressed protected health information access and control rights between covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA).

Practical Law Legal Update w-003-6950 (Approx. 5 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 29 Sep 2016, USA (National/Federal)
In subregulatory guidance, HHS has addressed the ability of HIPAA business associates (BAs) to control a covered entity's (CE's) access to protected health information (PHI) that is maintained by the BA on the CE's behalf. (Regarding HIPAA CEs and BAs, see Practice Note, HIPAA Privacy Rule: Entities Subject to the Privacy Rule.) As a general rule, and for several reasons addressed in the guidance, HHS believes that a BA may not block or terminate a CE's access to PHI maintained by a BA on the CE's behalf.
First, according to HHS, a BA may not use PHI in a way that violates the Privacy Rule. This includes a BA's efforts to:
  • Block a CE's access to PHI it maintains for the CE.
  • Terminate the CE's access privileges regarding the PHI.
For example, HHS indicated that it would be impermissible, in the context of a payment dispute, for a developer of electronic health records (a HIPAA BA) to block a CE's access to PHI by activating a "kill switch" embedded in the developer's software that renders the data inaccessible to the developer's health provider client (a HIPAA CE).
Relatedly, a BA must return PHI to the CE, as provided for under the governing BA agreement, if the agreement is terminated by either party (see Practice Note, Disposing of HIPAA PHI for Group Health Plans).

Security Rule Implications

HHS also indicated that HIPAA's Security Rule requires BAs to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) that they create, receive, maintain, or transmit on a CE's behalf (see Practice Note, HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements). This requirement includes:
As a result, a BA violates the Security Rule by either:
  • Terminating a CE's access privileges.
  • Otherwise denying a CE's access to the ePHI.
HHS also noted that a BA must make PHI available to the CE so that it can meet its obligations to provide individuals with access to their PHI (see Practice Note, HIPAA Privacy and Security (Individual Rights): Right of Access to PHI). A BA may not deny a CE access to the PHI that the BA maintains on the CE's behalf where the CE needs PHI to satisfy its HIPAA obligations.

Some Arrangements May Provide for the Destruction or Disposal of PHI

HHS acknowledged that some contractual arrangements may authorize a BA to destroy or dispose of PHI. Also, given the kind of services a BA is to perform with the PHI, the CE and BA may agree that the BA will not provide the CE with access to the PHI. This might occur, for example, if a CE engages a BA to perform data aggregation of information from multiple sources, which renders the disaggregated original source data unreturnable to the CE.
In HHS's view, such arrangements are not the kind of data blocking or access termination addressed in its subregulatory guidance.

Practical Impact

Though HHS's guidance on these access/control issues seems generally protective of a CE's rights, the government noted that CEs must ensure the availability of their own PHI. As a result, PHI access and control issues should be addressed in the governing BA agreement. In this regard, HHS takes the view that a CE violates the Privacy Rule by agreeing to a BA agreement provision that prevents it from ensuring the availability of its own PHI (whether in paper or electronic form).