Cures Act EHI Definition Needs Clarification, Health IT Orgs Say

ONC must standardize the definition of electronic health information (EHI) for the successful operationalization of the 21st Century Cures Act final rule’s interoperability goals, according to a report from three major health IT organizations.

The American Health Information Management Association (AHIMA), the American Medical Informatics Association (AMIA), and the HIMSS Electronic Health Record Association (EHRA) formed a task force to create the Defining EHI and the Designated Record Set in an Electronic World report.

Compliance with the ONC Cures Act Final Rule requires a deep understanding of the HIPAA Privacy Rule’s definition of designated record set (DRS), the authors noted.

The ONC Cures Act Final Rule defined electronic health information (EHI) as: “electronic protected health information (ePHI) as the term is defined for HIPAA in 45 CFR 160.103 to the extent that ePHI would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103 but EHI shall not include (1) psychotherapy notes as defined in 45 CFR 164.501; or (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”

The HIPAA Privacy Rule’s definition of DRS is the foundation of a patient’s “right of access” to protected health information (PHI).

As defined by HIPPA, DRS is a group of records maintained by or for a Covered Entity (CE) that includes provider medical and billing records and health plan enrollment, payment, claims adjudication, and case or medical management records. DRS also includes any other records used by or for the CE to make decisions about individuals.

The rule defined “record” as any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a CE.

Using the definition above, CEs generally interpret which records may be included in the DRS on an individual basis, the organizations explained.

This subjective interpretation leads to significant variation in how healthcare organizations decide the types of records included in their DRS, which is reflected in inconsistencies and confusion over how to comply with federal regulations, the report authors noted.

The organizations examined data classes commonly used in health IT to determine whether they were also EHI.

They found that certain data classes may not be considered EHI in some instances, depending on their “status.”

“Whether a data class is considered EHI may depend on certain status conditions or characteristics. For instance, some data classes may have a status condition such that it is not used in decision-making and therefore would not be considered EHI,” they wrote. “Other data classes might merit special consideration, such as behavioral health information.”

“Task Force members agreed that there is an inherent challenge in that use of a particular data class in decision-making is a key factor in the definition of EHI but not necessarily easy to track programmatically in an HIT system, leading to actors either casting a wide net as to what is considered EHI or relying on manual identification,” the report authors wrote.

The Task Force members emphasized that the successful operationalization of the 21st Century Cures Act Final Rule’s interoperability provisions will require standardizing clinician and developer expectations around the definition of EHI.