This wouldn’t be a healthcare article if it didn’t have several acronyms.
What is EHI/ePHI?
EHI is electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS) (other than psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding), regardless of whether the group of records is used or maintained by or for a Health Insurance Portability and Accountability Act (HIPAA) covered entity.
Designated Record Sets (DRS) classify data into three categories:
1. Designated Record Set
2. Legal Record Set
3. Limited Record Set
The EHI definition aligns with HIPAA healthcare terminology.
The EHI definition incorporates terms defined in the Health Insurance Portability and Accountability Act of 1996 and the HIPAA Rules that are used in the healthcare industry. It focuses on a set of health information that HIPAA covered entities and business associates currently collect, maintain, and make available for access, exchange, and use. For example, EHI is a subset of the same information in the DRS categories that covered entities must make available to patients when they exercise their HIPAA right of access.
Reminder: EHI does not include psychotherapy notes as defined in 45 CFR 164.501, or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding (45 CFR 171.102).
There are 3 rules in HIPAA governing data privacy and security:
- Privacy
- Security
- Breach notification
Clinics/Centers must have policies and procedures to address all 3 of the rules as well as documentation of implementation.
Privacy rule objectives:
- All formats of PHI
- Uses and Disclosures of PHI
- Patient Authorization vs Treatment, Payment, and Healthcare Operations
- Notice of Privacy Practices
- Patient Rights
Security rule objectives:
- Electronic PHI (ePHI) only
- Designed to be flexible
- Manage Risks through administrative, physical, and technical safeguard requirements
Breach notification rule objectives:
- Four factors
- Breach Reporting
- Breach Mitigation
Information Blocking
EHI is part of the information blocking definition. An actor subject to the information blocking regulation could be found to have committed information blocking if the actor engages in a practice that is likely to prevent, materially discourage, or otherwise inhibit (interfere with) the access, exchange, or use of EHI. This includes withholding EHI from another provider, a patient, the patient’s legal representative, or a third party who is legally permitted to receive the health information.
(Learn More About Actors: HealthIT.gov PDF)
Tip: No, lab results cannot be held for physician or provider review before they are released to other providers or to the patient.
Examples of behavior that may raise concerns for information blocking include:
- limiting the timeliness of access, exchange, or use of EHI;
- imposing fees that make exchanging EHI cost prohibitive;
- healthcare providers or IT vendors limiting or discouraging sharing of information with other providers, or with users of other IT systems;
- patients or healthcare providers becoming “locked in” to a particular technology or healthcare network because EHI is not portable.
On June 27, 2023, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) posted its final rule implementing information blocking penalties. The final rule establishes the statutory penalties created by the 21st Century Cures Act. If OIG determines that an individual or entity has committed information blocking, that individual or entity may be subject to a penalty of up to $1 million per violation.
Enforcement of the information blocking penalties began on September 1, 2023. OIG will not impose a penalty on information blocking conduct that occurred before September 1, 2023.
OIG expects that it will receive more information blocking complaints than it can investigate. To triage allegations and allocate resources, OIG will prioritize for investigation conduct that:
- resulted in, is causing, or had the potential to cause patient harm;
- significantly impacted a provider’s ability to care for patients;
- was of long duration;
- caused financial loss to Federal health care programs, or other government or private entities; or
- was performed with actual knowledge.
For more detail on these priorities and OIG’s approach to enforcing information blocking penalties, please see the rule.
Exceptions that involve not fulfilling a request to access, exchange, or use EHI:
- Preventing Harm Exception: It will not be information blocking for a provider to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. The relevant harm being prevented must be physical harm, not emotional harm. A provider must either have a written policy describing why the act or omission is reasonable and necessary to prevent harm, or document in individual cases the potential harm that could occur (in other words, a statement noting why releasing the result/note could endanger the life or physical safety of the patient or another person).
- Privacy Exception: It will not be information blocking if a provider does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met. For example, a provider should not be required to use or disclose EHI when doing so is prohibited under state or federal privacy laws, such as information about substance use disorder treatment, which can be released only in very limited circumstances under federal law.
- Security Exception: It will not be information blocking for a provider to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
- Infeasibility Exception: It will not be information blocking if a provider does not fulfill a request to access, exchange, or use EHI because it is impossible to fulfill the request, provided certain conditions are met. For example, a natural disaster may prevent the provider from fulfilling a request for access, exchange, or use of EHI.
- Health IT Performance Exception: It will not be information blocking if a provider takes reasonable and necessary measures to maintain and improve health IT performance, such as temporarily making health IT unavailable, provided certain conditions are met. For example, systems may be taken offline for a reasonable amount of time for system maintenance or upgrades.
Exceptions that involve procedures for fulfilling a request to access, exchange, or use EHI:
- Content and Manner Exception: It will not be information blocking for a provider to limit either the content of the response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met. For example, a provider may need to fulfill a request in an alternative manner (e.g., a different electronic format) when the provider is technically unable to fulfill the request in the manner requested.
- Fees Exception: It will not be information blocking for a provider to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. For more details, see page 4 of the eight exceptions.
- Licensing Exception: It will not be information blocking for a provider or another “actor” to license interoperability elements (generally, hardware, software, or services) for EHI to be accessed, exchanged, or used, provided certain conditions are met. This exception generally applies to health information networks and health IT developers of certified health IT.