With widespread adoption of electronic health records (EHR), and as providers are increasingly looking to the patient engagement opportunities through digital health, the challenge of how to deal with protected health information (PHI) remains a critical issue for providers. Many times EHR customers look to EHR vendors to ensure that health information is available where and when it is needed. For this reason, the Department of Health and Human Services (HHS) released two resources to help improve the awareness of EHR vendors' obligations to make health information available to their health care provider customers.
The first resource is a new FAQ released by the Department of Health and Human Services' Office for Civil Rights (OCR). The FAQ provides rules on when a health information technology (health IT) vendor (business associate) would violate the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules by failing to make available the information it holds on behalf of its health care provider customer (covered entity).
The second resource is a guide on EHR contracting—EHR Contracts Untangled: Selecting Wisely, Negotiating Terms, and Understanding the Fine Print—that helps providers ask the right questions and better communicate their requirements when selecting an EHR. It also provides a framework for negotiating reasonable contract terms that reflect best practice contracting principles, including when it comes to data access.
The release of the new OCR FAQ and ONC's new EHR Contract Guide are important components in OCR and ONC's ongoing efforts to facilitate information sharing and electronic exchange. These releases build on recent efforts, including fact sheets from ONC and OCR on permitted uses and disclosures for treatment and health care operations, as well as educational videos on patient access to health information, transparency requirements under ONC's 2015 Edition final rule, and ONC's interoperability pledge.