ONC Information Blocking Rule Compliance Relies on HIPAA-Defined Terms

Understanding ONC information blocking rule compliance depends upon a clear understanding of HIPAA-defined terms related to patient health information, according to a HealthITBuzz blog post written by ONC’s Kathryn Marchesini and Michael Lipinski.

ONC’s information blocking regulations apply to interferences with the access, sharing, or use of electronic health information (EHI).

“EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the group of records are used or maintained by or for a covered entity,” Marchesini and Lipinski wrote. “The EHI definition incorporates terms (ePHI and DRS) defined by the regulations issued under HIPAA.”

However, the definition of EHI excludes psychotherapy notes and information compiled in anticipation of legal proceedings as defined in HIPAA.  

EHI relies on the electronic part of what the HIPAA Rules define as the DRS.

"It’s important to note that certain healthcare providers subject to the information blocking regulations (and any other actor that supports them) may not be covered entities or business associates under the HIPAA Rules,” the ONC officials noted.

“These actors will need to familiarize themselves with the HIPAA-defined terms and assess what information they have that would be records that align with those included in the DRS (ie, used for making decisions about individuals),” Marchesini and Lipinski continued.  

However, they pointed out that most actors subject to the information blocking regulations are also covered entities or business associates under HIPAA, so it is key that stakeholders understand how the EHI definition aligns with HIPAA-defined terms.

Information must first meet the definition of ePHI. Protected health information (PHI), as defined in HIPAA, is health information that identifies or reasonably could be used to identify a patient.

Such information not only identifies the individual, but also relates to the past, present, or future physical or mental health of an individual; the provision of healthcare to an individual; or payment for care.

PHI may be maintained or transmitted in any form or medium. Any PHI that is maintained or transmitted in electronic form is ePHI, ONC officials said.

For example, social determinants of health (SDOH) information becomes PHI when it is collected by a covered entity to inform an individual’s treatment decisions. If this information is maintained or transmitted in electronic form, it is ePHI.

Information must also meet the definition of a DRS. HIPAA gives patients a legal right to access their health information maintained in an entity’s DRS. The DRS may include paper and electronic records, but EHI, held by a HIPAA covered entity or business associate, is only the electronic subset.

“Thus, the information held by a HIPAA covered entity or business associate to which the information blocking regulations apply is the same information that patients already have a legal right to access,” the blog authors wrote. “If an organization is an actor but not subject to HIPAA, the actor must now determine which information that they hold would qualify as EHI.”

A record is any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a HIPAA covered entity or business associate.

A HIPAA DRS is a group of records maintained by or for a covered entity that is: the medical records and billing records about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or used by or for the covered entity to make decisions about individuals.

“A HIPAA covered entity or business associate that is also an actor may have ePHI that is not part of the DRS, and thus not EHI, because the information is not used to make decisions about individual patients,” the ONC officials said.

Examples of ePHI that is not part of the DRS include electronic peer review files, provider performance evaluations, and management records used solely for business decision-making.

“The HIPAA Rules identify certain types of records that are always part of a covered entity’s DRS,” Marchesini and Lipinski wrote. “However, the HIPAA Rules do not specify the particular information that would make up a DRS.”

For HIPAA-regulated entities, EHI is simply the part of the DRS that is ePHI.

Therefore, since the definition of DRS is not specific to particular technology platforms where an organization maintains the information, neither is the definition of EHI, ONC officials noted.

For instance, EHI is not limited to what’s in a certified EHR.

“If actors maintain information that would be ePHI in a DRS and they were a HIPAA covered entity or business associate, then the information is EHI and subject to the information blocking regulations,” the blog authors wrote.

The information blocking regulations have been in effect since April 5, 2021. Currently, the information blocking definition applies only to a subset of EHI that is represented by data elements identified by the USCDI v1.

However, starting on October 6, 2022, actors will be subject to a claim of information blocking for the full scope of EHI, unless an exception applies or a law requires that the information not be shared.

“There’s no need to wait until October 6,” Marchesini and Lipinski emphasized. “Anyone ready to share more than the USCDI v1 is welcome and encouraged to do so as permitted under applicable law.”