Electronic Health Information (EHI) Made Simple
With the recent Information Blocking requirements, the specific definition of Electronic Health Information (EHI) seems confusing, and often raises questions. In this blog post we’ll attempt to simplify EHI, its definition and how organizations can properly frame EHI as they work to implement the EHI requirements of Information Blocking, due on October 6, 2022.
EHI: The Official Definition
Electronic Health Information (EHI) is officially defined in 45 CFR 171 where it is described as follows:
“Electronic health information means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103.”
This is where the confusion begins, as unfortunately what should be a simple definition in fact intersects multiple different regulatory rules and requirements. Let’s unpack this a bit, beginning with a better understanding of the rules involved.
45 CFR 171 – this regulation (along with 45 CFR 170) references the “Information Blocking” rules (the official title being “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program”).
45 CFR 160.103 – this section (45 CFR 160) implements the Social Security Act, including (among many other things) the definition of “Electronic Protected Health Information” (ePHI) as well as a “Covered Entity”.
45 CFR 164.501 – this references “Subpart E” which deals with the Privacy of Individually Identifiable Health Information, including the definition of a “Designated Record Set” (DRS) which is a key concept in the definition of EHI.
Let’s look a bit more closely at some of the key terms that are defined in these rules and how they impact our understanding of EHI.
Protected Health Information (PHI)
This term dates back to HIPAA (the Health Insurance Portability and Accountability Act of 1996) where PHI is defined as any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), and can be linked to a specific individual. This includes both electronic PHI as well as non-electronic PHI (e.g. paper, oral).
There are 18 specific items that must be considered when determining PHI:
1) Names
2) Geographical identifiers
3) Dates (other than year) directly related to an individual
4) Phone Numbers
5) Fax numbers
6) Email addresses
7) Social Security numbers
8) Medical record numbers
9) Health insurance beneficiary numbers
10) Account numbers
11) Certificate/license numbers
12) Vehicle identifiers and serial numbers, and license plate numbers
13) Device identifiers and serial numbers
14) Web Uniform Resource Locators (URLs)
15) Internet Protocol (IP) address numbers
16) Biometric identifiers, including finger, retinal and voice prints
17) Full face photographic images and any comparable images
18) Any other unique identifying number, characteristic, or code
Consequently, PHI is often interpreted to include any part of a patient’s medical record or payment history.
Note that some items are explicitly excluded from the definition of PHI, including:
- Student education or treatment records covered under FERPA (Family Educational Rights and Privacy Act)
- Employment records of a covered entity
Electronic Protected Health Information (ePHI)
Electronic PHI (ePHI), then, is any PHI that is maintained or transmitted in electronic form.
Designated Record Set (DRS)
The DRS dates back to the original HIPAA rule, where it is defined as:
A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider;
(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
Note that while the DRS is defined with respect to a “Covered Entity” by HIPAA, the Information Blocking rules apply to certain health care providers regardless of whether they are Covered Entities or Business Associates under the HIPAA rules.
Note as well that there may be cases where an actor may have ePHI that is not part of the DRS, and thus not EHI, because the information is not used to make decisions about individual patients.
Lastly, not all PHI is typically included in a DRS. Indeed, HHS has provided guidance regarding information that may be excluded from the Right of Access, including:
- Quality assessment or improvement records
- Patient safety activity records
- Business planning, development, and management records that are used for business decisions or to improve customer service or formulary development (e.g. peer review files, practitioner or provider performance evaluations, or a health plan’s quality control records)
Two additional categories of information are expressly excluded from the Right of Access:
- Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, that are maintained separate from the rest of the patient’s medical record. See 45 CFR 164.524(a)(1)(i) and 164.501.
- Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. See 45 CFR 164.524(a)(1)(ii).
The good news is that most organizations are already familiar with their DRS, as HIPAA covered entities and their business associates have been required to identify and document which records are part of their DRS.
Electronic Health Information (EHI)
Electronic Health Information (EHI) is therefore a subset of ePHI: it is defined as all of the ePHI that is contained in a Designated Record Set (DRS).
Note that a common misconception is that EHI and ePHI are synonymous, which is not the case. It should also be noted that EHI may not be synonymous with the electronic information maintained in an organization’s Electronic Health Record (EHR).
Should an organization maintain ePHI that is part of a Designated Record Set outside of an EHR, then that information is EHI and would be subject to the information blocking regulations. Examples include image storage systems, document management systems, archived legacy EHRs, and any other ancillary systems containing ePHI.
- EHI is simply the electronic portion of the Designated Record Set defined for a given organization, recognizing that some items may be excluded (e.g. psychotherapy notes).
- EHI encompasses more data than just what is in the EHR. Many third-party systems likely contain EHI and are therefore in scope for Information Blocking.
- EHI has no “start date” – if information is stored electronically it should be shared, no matter how old it is.
- Until October 6, 2022, the scope of EHI has been defined to be the USCDI data set. After October 6, 2022, the scope will be all EHI.
- Information Blocking is not limited to Covered Entities or Business Associates as defined by HIPAA, even though the HIPAA rules are used to define the Designated Record Set.
- If information is used to make decisions about individual patients it should be included as Electronic Health Information (EHI).