The Office of Civil Rights has issued a FAQ on this question: “May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?” In answering “no,” the OCR explained that the business associate may use the PHI in its possession only as permitted by the terms of its agreement with the covered entity. In addition, the business associate cannot block the covered entity’s access to the PHI. For example, a business associate cannot use an embedded software “kill switch” to block access to electronic PHI because of a billing dispute with a covered entity.
Moreover, business associates are required under the Privacy Rule to ensure the integrity and availability of PHI in their possession. This includes on-demand access by the covered entity. There is an exception for business associate arrangements that include data aggregation or combinations that ultimately destroy the source data in the possession of the business associates.
Bottom line: business associates do not own the PHI in their possession. The PHI belongs to the individual, but the business associate is responsible to the covered entity for maintaining the PHI in its possession or custody.