Information Blocking Rules Expand
October 3, 2022 • Janice Karin
Expanded information blocking rules take effect on October 6. Until then, information blocking only applies to clinical data that conforms to USCDI v1. After that, sharing of all data considered electronic health information (EHI) is required. Not only does this expand the clinical data covered, but it adds financial, administrative, and other types of data to the mix.
What is EHI?
The Office of the National Coordinator provides this abbreviated definition of EHI:
"EHI is electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS) (other than psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding), regardless of whether the group of records is used or maintained by or for a HIPAA covered entity."
What does that mean?
Based on the ONC definition, EHI is roughly equivalent to the electronic portion of the HIPAA designated record set. Any individually identifiable health information maintained in or transmitted by electronic media that is:
- a medical or billing record of a provider about the individual
- an enrollment, payment, claims adjudication, or case or medical management record maintained by or for a health plan
- used in whole or part to make decisions about an individual
and is not excluded by the definition above (behavioral health or compiled for a legal or administrative proceeding) is EHI. There are also a few other exceptions, including health information held by a covered entity only in its role as an employer, but for the most part the definition above holds.
The last bullet - used in whole or part to make decisions about an individual - really expands the definition of the records that must be shared. Have a policy around no shows or late appointments affecting whether patients can make additional appointments with a provider? That data's being used to make a decision about the patient and qualifies, per the definition above.
Is there a test I can use to determine if something is EHI?
Not explicitly, but there are some steps you can use to evaluate data that may exclude some of it from qualifying.
1. Is the data considered ePHI?
   - To evaluate this, consider the definition of PHI: health information that identifies or reasonably could be used to identify an individual (individually identifiable health information).
   - PHI explicitly excludes certain data, including FERPA education and treatment records and employment records of a covered entity.
   - All PHI maintained or transmitted in electronic format is ePHI.
2. It must be part of the individual's designated record set.
   - While the DRS may include both electronic and paper records, any records in the DRS in electronic format qualify as EHI. Patients already have a right to access this information when held by a HIPAA covered entity or business associate, but now this right is expanded to other actors and to requestors who are not the direct patient, provided they are not denied because of one of the eight exceptions to the information blocking rule.
   - Not all records considered ePHI are automatically part of an individual's DRS. Things like provider performance reviews or other management records used solely to make business decisions could contain the PHI of one or more individuals but are not used to make decisions about those individual patients. These records are not part of the DRS for those individuals, but the underlying PHI itself is likely ePHI and part of the DRS.
   - Entities already regulated by HIPAA should know exactly which records are part of an individual's DRS and which are not, as part of complying with the HIPAA Privacy Rule.
What about other sensitive data?
Behavioral health information and information about legal proceedings aren't the only sensitive data out there. Unfortunately, at this time all other sensitive data is usually considered EHI. For example, ONC explicitly states social determinants of health (SDOH) data collected by a healthcare provider to inform an individual's treatment decisions is PHI. If it's maintained or transmitted in electronic format it's ePHI, part of the DRS, and thus EHI.
Demographic and SOGI data also qualify as EHI. A patient's race, ethnicity, contact information, sexual orientation, gender identity, pronouns, or other such information used while providing care - even if only to know how to greet someone - is all part of EHI and must be provided when requested unless one of the exceptions applies.
These types of more sensitive data are also being incorporated into USCDI v2 and later. This information will be widely disseminated via electronic exchange once those versions of USCDI start making their way into regulations, and may already be part of EHRs or other certified health technology that take advantage of the ONC SVAP process allowing optional certification against USCDI v2 instead of USCDI v1.
What else changes about information blocking?
In a word: nothing.
Information blocking rules still apply to the same defined actors - health care providers, developers of certified health IT, and health information networks/exchanges - whether or not they're covered by HIPAA.
Information blocking rules still require that actors send information to requestors unless one of the eight exceptions applies. They still require that information be sent in the format and using the mechanism included in the request unless that mechanism is not feasible for the sender (in which case negotiation is required; the actor does not get to just send information in whatever mechanism is easiest for them).
The only thing that changes on October 6 is the scope and extent of the data that an actor must provide when none of the exceptions is met.
Note: ONC's Understanding Electronic Health Information datasheet and Say Hi to EHI blog post are heavily referenced in this article.