Say Hi to EHI
Kathryn Marchesini and Michael Lipinski | December 20, 2021
ONC’s information blocking regulations apply to interferences with the access, exchange, or use of electronic health information (EHI) (45 CFR Part 171) and define certain exceptions to the definition of information blocking. Thus, it’s important that those subject to the information blocking regulations – health care providers, developers of certified health IT, and health information networks/exchanges (cumulatively, “actors”) – understand what health information the regulations cover. So, what is EHI anyway?
EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the group of records are used or maintained by or for a covered entity. The EHI definition incorporates terms (ePHI and DRS) defined by the regulations (Rules) issued under the Health Insurance Portability and Accountability Act of 1996, as amended (generally referred herein as HIPAA). The definition of EHI, however, specifically excludes psychotherapy notes as defined in the HIPAA Rules and information compiled in anticipation of legal proceedings, which is consistent with the individual “right of access” standard in the HIPAA Rules. EHI relies on the electronic part of what the HIPAA Rules define as the DRS. The use of terms defined by the HIPAA Rules (“HIPAA-defined terms”) provides familiarity for the health care industry and consistency across regulations.
It’s important to note that certain health care providers subject to the information blocking regulations (and any other actor that supports them) may not be covered entities or business associates under the HIPAA Rules. These actors will need to familiarize themselves with the HIPAA-defined terms and assess what information they have that would be records that align with those included in the DRS (i.e., used for making decisions about individuals). However, most actors subject to the information blocking regulations are also covered entities or business associates under HIPAA. Given this relationship and to inform those actors not covered by HIPAA, we want to dive into how the EHI definition aligns with well-known HIPAA-defined terms.
EHI’s Relationship with HIPAA Terms and Definitions
We have published an infographic and fact sheet [PDF- 346 KB] that illustrates how the EHI definition under the information blocking regulations relates to HIPAA-defined terms and the United States Core Data for Interoperability (USCDI v1) (45 CFR 171.103(b)), which we also discuss below in more detail.
1. Information must first meet the definition of electronic Protected Health Information. To start, protected health information (PHI) generally is health information that identifies or reasonably could be used to identify an individual (individually identifiable health information) with certain exclusions such as Family Educational Rights and Privacy Act (FERPA) education or treatment records and employment records of a covered entity. Second, such health information not only identifies the individual, such as demographic information, but also relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for care. Lastly, the information may be maintained or transmitted in any form or media (e.g., electronic, paper, or oral).
To illustrate these concepts with an example, information considered to be social determinants of health (SDOH) is PHI when it is collected by a health care provider that is a covered entity, to inform an individual’s treatment decisions. If this information is maintained or transmitted in electronic form, it’s ePHI.
2. Information must also meet the definition of a Designated Record Set. HIPAA gives individual patients a legal right to access their health information that is maintained in an entity’s DRS. The DRS may comprise paper and electronic records but EHI, held by a HIPAA covered entity or business associate, is only the electronic subset (i.e., that portion of the DRS that would be maintained electronically). Thus, the information held by a HIPAA covered entity or business associate to which the information blocking regulations apply is the same information that patients already have a legal right to access. If an organization is an actor but not subject to HIPAA, the actor must now determine which information that they hold would qualify as EHI.
A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a HIPAA covered entity or business associate. A HIPAA DRS is a group of records maintained by or for a covered entity that is: 1) the medical records and billing records about individuals maintained by or for a covered health care provider; 2) the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or 3) used, in whole or in part, by or for the covered entity to make decisions about individuals. A HIPAA covered entity or business associate that is also an actor may have ePHI that is not part of the DRS, and thus not EHI, because the information is not used to make decisions about individual patients. Examples of this include electronic peer review files, provider performance evaluations, and management records used solely for making business decisions.
The HIPAA Rules identify certain types of records that are always part of a covered entity’s DRS. HHS also has issued guidance that describes some categories of information that generally would be excluded from a DRS. However, the HIPAA Rules do not specify the particular information that would make up a DRS.
3. HIPAA-regulated entities should already know what information that they maintain is EHI. Since the release of the HIPAA Privacy Rule in 2000, HIPAA covered entities and their business associates have been required to identify and document which records are part of their DRS. For these entities, EHI is simply the part of the DRS that is ePHI. Because the definition of DRS is not specific to particular systems or technology platforms where an organization maintains the information, neither is the definition of EHI. EHI is not limited to what’s in a certified electronic health record (EHR), for example. If actors maintain information that would be ePHI in a DRS and they were a HIPAA covered entity or business associate, then the information is EHI and subject to the information blocking regulations.
There’s Time, but There’s No Need to Wait
As of April 5, 2021, the information blocking regulations are in effect and applicable to all actors. To give people time to adjust, the information blocking definition applies only to a subset of EHI—i.e., EHI represented by the data elements identified by the USCDI v1. A USCDI data element is the most granular level at which a piece of data is represented in the USCDI for exchange (e.g., patient date of birth, medications, or procedure note).
But starting on October 6, 2022, actors will be subject to a claim of information blocking for the full scope of EHI (as discussed above), except when an information blocking exception applies or a law requires that the information not be shared.
There’s no need to wait until October 6. Anyone ready to share more than the USCDI v1 is welcome and encouraged to do so as permitted under applicable law.
We hope this blog, infographic, and fact sheet are helpful resources on what EHI is and how it relates to already existing HIPAA-defined terms. To learn more about EHI, please also check out our recently released EHI-related FAQs.
For more information about information blocking, including links to fact sheets, webinars, and FAQs, please visit ONC’s information blocking webpage.