News & Insights  |  Media Mentions

Related Professionals

Practice Areas


Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses OCR Guidance for Business Associates on Access to Patient Data

Healthcare Info Security
October 4, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in an October 3 Healthcare Info Security article regarding recent guidance issued by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). The guidance clarified that the business associates of health care organizations may not block a client’s access to the protected health information (PHI) of patients.  The guidance appears to address conflicts that occasionally arise from business disputes or unpaid bills. OCR stated that vendors found to be withholding sensitive patient data as a bargaining chip in business disputes will be considered in violation of the Health Insurance Portability and Accountability Act (HIPAA). 

“I don't think this is a particularly common situation, but where it occurs, even infrequently, it can be a real problem,” said Mr. Nahra.

“There have been a limited number of situations where business associates have used access to information as a means of attacking a business dispute, or making it tough for a client to leave and move to a different vendor, or punishing a client that has left,” Mr. Nahra explained. “There may be legitimate business concerns from the business associate—for example, unpaid bills—or these may be unfair business tactics, but HHS is saying that you can’t hold PHI hostage to your business concerns. It is an example of where the patient’s interest in information—ensuring that their information is available and accurate—overrides other business issues.”

To read the full article, please click here.