Definition of Electronic Health Information Expanded to Include Electronic Protected Health Information

Posted on October 13, 2022 by Mark Schulz

Starting on Oct. 6, the definition of electronic health information (EHI) in the 21st Century Cures Act (Cures Act) expanded to include electronic Protected Health Information (ePHI) that a patient has the right to access under the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers must provide patients, residents, and clients easy access to a wider swath of EHI under the Cures Act or face potential penalties.

The Cures Act final rule defines healthcare providers broadly, including “a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility,” among other categories.

About the Cures Act

Although HIPAA requires that healthcare providers turn over healthcare data when asked by patients, the process has often been fraught with delays, costs to patients and limits on what was shared. The Cures Act was signed into law by President Obama in 2016 with overwhelmingly bipartisan support. Among other provisions, the Cures Act sought to make health information sharing the norm, with the US Department of Health and Human Services providing oversight. Information sharing is central to the Cures Act final rule released by the Office of the National Coordinator for Health Information Technology (ONC) to counter information blocking.

What is Information Blocking?

In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or covered by an exception in the ONC’s rules, is likely to interfere with access, exchange, or use of EHI. This essentially means that if a healthcare provider receives a request from a patient/resident/client for EHI, the provider must not respond to that request in a way that unreasonably blocks the individual’s access to the information requested. As of Oct. 6, for all actors covered by the information blocking rules, all ePHI in a Designated Record Set defined under HIPPA is EHI and subject to those rules.

Examples of EHI include:

• Medical records and billing records about individuals maintained by or for a covered healthcare provider;
• Enrollment, payment, claims adjudication, and case or medical management record systems; or
• Other records are used, in whole or in part, by or for the covered entity to make decisions about individuals.

State laws around data release may not supersede the Cures Act. The Cures Act final rule specifically states that information need not be released to patients if such release is prohibited by other laws. The information-blocking regulations also do not require providers to adopt or use certain technologies or platforms to make EHI available for access, exchange or use.

Learn More

The Office of the National Coordinator for Health Information Technology (ONC) has also published regulatory notes to assist stakeholders better understand the change. ONC will be holding a “Ask Us About Information Sharing” webinar regarding this definition change on Oct. 27 at 1 p.m. CST. If you are interested, you can register in advance.