Q: I want to change EMR vendors but the current company is holding me up for big fees. How is this legal, since the patient is the one who really owns the records? I couldn’t hang on to records to force a patient to pay their bill, so how can the EMR company do this with me?
Dr. Medlaw: EMR vendors are considered business associates under HIPAA and so are required to be in compliance with HIPAA, including with respect to records access.
However, there is no private right of action under HIPAA and so the doctor cannot sue them for not complying with the law.
All that the doctor can do is report them to the OCR, but there the doctor is going to hit a significant problem because of the OCR’s own handling of the situation.
It actually starts off well:
“Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule. For example, a business associate blocking access by a covered entity to PHI (such as where an Electronic Health Record (EHR) developer activates a “kill switch” embedded in its software that renders the data inaccessible to its provider client) to resolve a payment dispute with the covered entity is an impermissible use of PHI. Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI.”
However, the OCR also states that a covered entity is responsible for ensuring the availability of PHI:
“To the extent that a covered entity has agreed to terms in a business associate agreement that prevent the covered entity from ensuring the availability of its own PHI, whether in paper or electronic form, the covered entity is not in compliance.”
So there is the problem: the doctor who makes a complaint about the vendor holding the records hostage can themselves be slammed for having, as the custodian of the records, agreed to terms that let the vendor do that.
The doctor is then only left with the option to sue for breach of contract, which will drain time and money, all while the EMR that the doctor no longer wants is still in place…and so the doctor pays up.
Practice consultants tell doctors to negotiate with the vendor on the initial contract, but while a large corporate practice may have the clout to do so, the very doctors most harmed by the exit fees – small and solo practices – will not.
Short of there ever being a separate regulation with enforceability teeth, your best bet when choosing a new vendor is to look for red flags like the vendor claiming to actually own the data and, of course, to Google them for comments by other practitioners about how the exit process was handled.