Frequently Asked Questions
We have focused the EHI definition on terms that are used in the HIPAA Rules and that are widely understood in the health care industry as well as on a set of health information that is currently collected, maintained, and made available for access, exchange, and use by actors. On and after October 6, 2022, the definition of information blocking will apply to the full scope of EHI (as defined in 45 CFR 171.102):
“Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:
(1) Psychotherapy notes as defined in 45 CFR 164.501; or
(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” (emphasis added)
EHI as defined for the purposes of information blocking is information that is consistent with the definitions of electronic protected health information (ePHI) and the designated record set (DRS) regardless of whether they are maintained by or for an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules. Just like ePHI, the data that constitutes EHI is not tied to a specific system in which the EHI is maintained. We also noted in our final rule that health information that is de-identified consistent with the requirements of 45 CFR 164.514(b) is not included in the definition of EHI for the purposes of information blocking (85 FR 25804). Thus, any individually identifiable health information that is transmitted by or maintained in electronic media is EHI to the extent that the information would be included in the designated record set.
As defined in the HIPAA Rules, the designated record set comprises:
- medical records and billing records about individuals;
- enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan;
- other records that are used, in whole or in part, to make decisions about individuals.
The term “record” means any item, collection, or grouping of information that includes protected health information. (45 CFR 164.501)
As stated in the United States Core Data for Interoperability Version 1 (July 2020 Errata) (“USCDI v1”), a progress note “represents a patient’s interval status during a hospitalization, outpatient visit, treatment with a LTPAC provider, or other healthcare encounter.” Any note that meets the above definition is considered a progress note for the purposes of the information blocking regulations codified in 45 CFR part 171.
From April 5, 2021 through October 5, 2022, the definition of information blocking is limited to the subset of EHI that is represented by data elements in the USCDI v1. The initial limitation of information blocking to the subset of EHI that is described in USCDI v1 was established to create a transparent, predictable starting point for sharing EHI while actors prepare for the sharing of all EHI (85 FR 25794).
In our final rule, we noted that clinical note types identified in the USCDI are content exchange standard agnostic, and thus they should not necessarily be only interpreted or associated with the specific C-CDA Document Templates that may share the same name (85 FR 25674-5).
For more information on EHI including clinical notes, please review the other FAQs under the Electronic Health Information heading.
This FAQ is specific to the information blocking regulations codified in 45 CFR part 171. For more information about certification of health IT under the ONC Health IT Certification Program, including certification to criteria that include the USCDI as a standard, please see the About The ONC Health IT Certification Program and 2015 Edition Cures Update Test Method pages of ONC’s website, HealthIT.gov.
Yes. Electronic health information (EHI), as defined in 45 CFR 171.102, does not specifically include or exclude notes or other clinical observations based on the type or specialty of the professional who authors them.
Until October 6, 2022, EHI’s scope for purposes of the information blocking definition (45 CFR 171.103) is limited to that information represented by data classes and elements within the United States Core Data for Interoperability (USCDI). Therefore, until October 6, 2022, only those notes that map to any of the eight types specified in the “Clinical Notes” data class within the USCDI would be required to be included in a response to a request for legally permissible access, exchange, or use of EHI. However, actors (health care providers, health IT developers of certified health IT, and health information networks or health information exchanges) should bear in mind that none of the eight types of clinical notes currently represented within the USCDI are limited based on the type or specialty of the professional who authors them.
Please review the other questions under this heading for more information.
It depends. To the extent the content of any particular note meets the definition of “psychotherapy notes” in the HIPAA Rules (see 45 CFR 164.501), that note would be considered a psychotherapy note for purposes of information blocking. The information blocking regulations do not specify types of health care providers to be mental health professionals for purposes of applying the “psychotherapy notes” definition under the information blocking regulations. Thus, all notes that are “psychotherapy notes” for purposes of the HIPAA Rules are also “psychotherapy notes” for purposes of the information blocking regulations in 45 CFR part 171, and are therefore excluded from the definition of EHI for purposes of the information blocking regulations.
It depends. Draft clinical notes and laboratory results pending confirmation are, as we discussed in the ONC 21st Century Cures Act Final Rule, examples of data points that may not be appropriate to disclose or exchange until they are finalized. However, if such data are used to make health care decisions about an individual then that data would fall within the definition of “designated record set” (see 45 CFR § 164.501), and therefore within the definition of EHI. To the extent a data point falls within the definition of EHI, practices likely to interfere with legally permissible access, exchange or use of that EHI could implicate the information blocking definition.
From April 5, 2021 through October 5, 2022, EHI’s scope for purposes of the information blocking definition is limited to the EHI that is represented by data classes and elements within the United States Core Data for Interoperability (USCDI). Therefore, during this period, interference with a request for legally permissible access, exchange, or use of non-final data points would potentially implicate the information blocking regulations only to the extent noted in the above paragraph and only to the extent that the data are within both the definition of EHI and the data classes and elements represented within the USCDI.
No. The definition of electronic health information in 45 CFR 171.102 is not limited by whether the data is recorded or could be exchanged using any particular technical functionality or standard. The information blocking definition (45 CFR 171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. This limitation of EHI for purposes of the information blocking definition is not contingent on whether those data elements are recorded or represented using the specific content and vocabulary standards in the USCDI standard at 45 CFR 171.213. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR 171.102.
An actor is not automatically required to fulfill a request using the specific content and vocabulary standards identified in the United States Core Data for Interoperability (USCDI) standard for the representation of data classes and data elements, nor are they required to use certified technology or any specific functionality. The information blocking definition (45 CFR 171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. This limitation of EHI for purposes of the information blocking definition is not contingent on whether those data elements are recorded or represented using specific content and vocabulary standards in the USCDI standard in 45 CFR 171.213. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR 171.102.
Again, the information blocking regulations do not require the use of any specific standard or functionality. Instead, the “Manner” exception (45 CFR 171.301) outlines a process by which an actor may prioritize the use of standards in fulfilling a request for EHI in a manner that supports and prioritizes the interoperability of the data. This means that, for the purposes of information blocking, before October 6, 2022, an actor may have fulfilled a request with the EHI identified by the data elements represented in the USCDI standard, first in the manner requested and, if not, in an alternate manner agreed upon with the requestor, following the order of priority specified in the exception.
Updated:
This FAQ has been updated to reflect the effective date of the HTI-1 Final Rule.
No, the definition of electronic health information (EHI) is not limited by when the information was generated. Before October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with, at a minimum, the requested EHI that they have and that can be identified by the data elements represented in the United States Core Data for Interoperability (USCDI), regardless of when the information was generated. On and after October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in 45 CFR 171.102, regardless of when the information was generated. For example, an actor who has the necessary technical capability to do so is required to fulfill a request to access, exchange or use EHI that they have and could appropriately disclose in response to that request even if the EHI was generated before the ONC Cures Act Final Rule was published and even if the EHI was generated before the Cures Act was enacted by Congress.
The fulfillment of a request for access, exchange or use of EHI, including what EHI is shared, should be based on the request. However, any activity by the actor that seeks to artificially restrict or otherwise influence the scope of EHI that may be requested may constitute interference and could be subject to the information blocking regulation in 45 CFR part 171.
In terms of fulfilling requests for EHI, it is important to remember that the requirement to fulfill requests for access, exchange, and use of EHI is in any case limited to what the actor may, under applicable law, permissibly disclose in response to a particular request. Under the information blocking regulations in 45 CFR part 171, the actor is only required to fulfill a request with the requested EHI that they have and that can be permissibly disclosed to the requestor under applicable law. However, for protected health information they have, but do not maintain electronically, all HIPAA requirements would still be applicable, including the right of access.
The Preventing Harm Exception at 45 CFR 171.201 relies on the same types of harm as apply for a covered entity to deny access to protected health information under the HIPAA Privacy Rule (see 45 CFR 164.524(a)(3)). Where an actor's practice, based on an individualized (45 CFR 171.201(c)(1)) determination of risk, is likely to interfere with a patient's or patient representative's access, exchange, or use of the patient's EHI, the type of harm (45 CFR 171.201(d)) needed for the exception to apply depends on who is seeking access to the EHI, and what EHI they are seeking to access.4
The table below shows the type of harm recognized under the Preventing Harm Exception for several commonly encountered patient access scenarios.1
|
Access, exchange, or use of patient's EHI |
EHI for which access, exchange, or use is affected by the interfering practice is |
Applicable type of harm1 |
Regulation Text References |
|
Patient exercising own right of access |
Patient's EHI |
Danger to life or physical safety of the patient or another person |
§ 171.201(d)(3), referencing HIPAA Privacy Rule § 164.524(a)(3)(i) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 164.524(a)(3)(ii) |
|
|
Patient's personal representative as defined in HIPAA Privacy Rule (45 CFR 164.502) exercising right of access to patient's EHI (for example, parent of a minor child)2 |
Patient's EHI |
Substantial harm3 to the patient or to another person |
§ 171.201(d)(1), referencing HIPAA Privacy Rule § 164.524(a)(3)(iii) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 45 CFR 164.524(a)(3)(ii) |
|
| Notes: | |||
|
1 - For simplicity of presentation, this table focuses only on patient access use case examples where risk has been determined on an individual basis (45 CFR 171.201(c)(1)). Where the risk arises from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason (45 CFR 171.201(c)(2)), the exception's applicable type of harm conditions (45 CFR 171.201(d)(3) and (4)) recognize only danger to life or physical safety of the patient or another person. |
|||
|
2 - For more information about the definition of a “personal representative” under the HIPAA Privacy Rule, please see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html |
|||
|
3 - “Substantial harm” includes “substantial physical, emotional, or psychological harm” (see, for example, HIPAA Privacy Rule preamble at 65 FR 82556). |
|||
|
4 - In order for the Preventing Harm Exception to cover any practice likely to interfere with access, exchange, or use of EHI based on an individualized (45 CFR 171.201(c)(1)) determination of risk, the practice must also satisfy requirements in 45 CFR 171.201(a), (b), (e), and (f). |
|||
For more information about the Preventing Harm Exception, please reference the ONC Cures Act Final Rule preamble discussion and the other FAQs under the Preventing Harm Exception heading.
For more information about the HIPAA Privacy Rule, the Privacy Rule individual right of access, or grounds for denial of access under the Privacy Rule, please visit the Health Information Privacy section of the HHS website.
No. Unless an actor reasonably believes a practice that interferes with a parent or other legal representative’s requested access, exchange, or use of the minor’s electronic health information (EHI) will substantially reduce a risk of at least substantial harm to the patient or another person, the Preventing Harm Exception is not designed to cover that practice.
The Privacy Exception contains a sub-exception (45 CFR 171.202(e)) that covers practices respecting an individual’s request not to share information, subject to certain conditions.
Yes. The Preventing Harm Exception’s type of harm condition relies on the same types of harm that serve as grounds for reviewable denial of an individual’s right of access under the Privacy Rule (45 CFR 164.524). (See ONC Cures Act Final Rule preamble Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards.)
In most instances, including where a practice interferes with a patient’s own or the patient’s other health care providers’ legally permissible access, exchange, or use of the patient’s electronic health information (EHI), coverage under the Preventing Harm Exception requires that the risk be of physical harm. (See 45 CFR 171.201(d)(3) and (4).)
However, the Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI and to the patient’s or their representative’s access to other persons’ individually identifiable information within the patient’s EHI in some circumstances. (See 45 CFR 171.201(d)(1) and (2)).
No. Blanket delays that affect a broad array of routine results do not qualify for the Preventing Harm Exception. The Preventing Harm Exception is designed to cover only those practices that are no broader than necessary to reduce a risk of harm to the patient or another person.
As we discussed in the Cures Act Final Rule, a clinician generally orders tests in the context of a clinician-patient relationship. In the context of that relationship, the clinician ordering a particular test would know the range of results that could be returned and could prospectively formulate, in the exercise of their professional judgment, an individualized determination for the specific patient that:
- withholding the results of the particular test(s) from the patient would substantially reduce a risk to the patient’s or another person’s life or physical safety
- or - - that withholding the results of the particular test(s) from a representative of the patient would substantially reduce a risk of substantial harm to the patient or another person.
Such individualized determinations made in good faith by an ordering clinician, in the exercise of their professional judgment and in the context of the treatment relationship within which they order the test, would satisfy the type of risk and type of harm conditions of the Preventing Harm Exception. Actors, including but not limited to the ordering clinician, could implement practices in reliance on such determinations and the Preventing Harm Exception would cover such practices so long as the practices also satisfy the other four conditions of the exception.
No. The reasonable belief condition does not include a requirement that the harm be expected to occur within a particular time period or that the likelihood of the harm be high enough to be considered “imminent.” (See 45 CFR 171.201(a)). The Preventing Harm Exception’s reasonable belief condition requires an actor engaging in a practice likely to interfere with a patient’s access, exchange, or use of their own EHI to have a reasonable belief that the practice will substantially reduce a risk to life or physical safety of the patient or another person that would otherwise arise from the affected access, exchange, or use.
Yes, where the risk of harm has been determined on an individualized basis and all other conditions of the Preventing Harm Exception are met. For example, the practice must be no broader than necessary and the actor must reasonably believe the practice will substantially reduce the risk of harm. (For all the conditions of the Preventing Harm Exception, please see 45 CFR 171.201.)
For purposes of the Preventing Harm Exception, a parent or legal guardian would be considered a patient’s legal representative. The Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI. (See 45 CFR 171.201(d)(1)).
The type of harm conditions for Preventing Harm Exception coverage of practices interfering with patients’ and their representatives’ access to EHI on the basis of an individualized determination of risk are specifically aligned with the HIPAA Privacy Rule’s grounds for reviewable denial of an individual’s right of access under the Privacy Rule. (See also ONC Cures Act Final Rule preamble discussion and Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards).