The digitization of medical records should lead to streamlined access for patients, efficiency upgrades for providers, and economic opportunity for developers.

Doctor holding mobile phone in hands viewing patient data

To date, these benefits exist in theory, but not in practice—due to cybersecurity concerns and the costs associated with interconnecting disparate, siloed systems, medical data is often made inaccessible to broader stakeholders, blunting its potential impact.

Efforts persist. With its 2016 passage into law, the 21st Century Cures Act signaled a bipartisan commitment to streamlining the American healthcare system and creating better access for providers and patients. Chief among its benefits were provisions in the Cures Act Final Rule to remove impediments around information sharing of the newly defined, “Electronic Health Information (EHI)”, and “Information Blocking” regulations, which prohibit blocking of lawful requests for EHI.

The Cures Act Final Rule seeks to address the delicate balancing act of availability versus patient protection, privacy, and security. Calling on the healthcare industry to adopt standardized application programming interfaces (APIs) is a key initiative. The Final Rule also “includes a provision requiring that patients can electronically access all of their electronic health records, structured and/or unstructured, at no cost.”

Here’s a brief summary of what’s at stake:

Icon: Medical Records

For Patients: Controlling health care and medical records securely and privately via software apps, while also expanding patient and payer choice by providing information, data, and options.

Icon: Medical Provider

For Clinicians and Hospitals: Providing patients access to their medical information in a fully automated, low-cost manner via secure, standardized application programming interfaces (APIs). Hospitals should have access to a competitive marketplace for APIs—the Final Rule calls for open APIs, which encourages secure access to data for applications. The Final Rule is also designed to give providers operational flexibility for special situations.

Icon: Cloud IT

For Health IT Developers: Establishing “API Conditions of Certification” to detail health IT developers’ business practices and broadly address the use of APIs. A stated goal is to “encourage transparency around patient safety issues within health IT,” while also aiming to protect intellectual property rights of health IT developers.

New Actors

Despite the information blocking regulations going into effect on April 5, 2021, many “actors” to which the regulations apply remain unclear as to what is or isn’t EHI for every case, and which of the eight information blocking exceptions might apply and when.

In addition, some companies may assume that because they are not subject to HIPAA or the ONC’s Certified Health IT program that the information blocking regulations do not apply to them – but such assumptions are misguided. Recent guidance from the ONC makes it clear that “certain health care providers subject to the information blocking regulations (and any other actor that supports them) may not be covered entities or business associates under the HIPAA Rules” and further states “If an organization is an actor but not subject to HIPAA, the actor must now determine which information that they hold would qualify as EHI.”

For example, some entities may fit the definition of a “health information network” (HIN) or “health information exchange” (HIE) as defined under the new law, and may not realize it. The government has clarified in their FAQs, “We did not specifically exclude any particular entities from the definition, nor did we specifically identify particular entities in the definition” and points the reader to the definition from the regulation.

EHI Industry Task Force

While the industry awaits other potential federal rules and further guidance, it has also sought to frame important questions regarding interpretation of the new regulations. A task force established in 2020 comprising the American Health Information Management Association, the American Medical Informatics Association, and the HIMSS Electronic Health Record Association released a September 2021 study “focus[ing] on issues around operationalization of the definitions of electronic health information [EHI] and designated record set [DRS]”—an important step towards unlocking the power of EHI for all stakeholders.

In its report, the task force sought to “standardize expectations for data classes relevant to the DRS and EHI” and to “operationalize the regulations in an electronic environment” —vital steps to help providers, certified IT developers, health information exchanges and networks adhere to the looming compliance dates for the Final Rule. Next, the task force will solicit feedback from stakeholders regarding key findings of the report. The task force does not consider the findings in this report to be final, and after taking the feedback into account, it expects to alter its findings in accordance with technical, regulatory, and business considerations.

Notably, the definition of EHI is no longer limited to the USCDI data elements starting October 6, 2022, and the certification process for the EHI export criterion – the process of electronic health records exporting EHI they’re storing – is required by December 31, 2023.

Next Steps – Operationalizing EHI in Health IT Organizations

Identifying and understanding the specific data elements within an actor’s business that constitute EHI is a laborious but essential process. Reaching a firm and clear understanding of these EHI data elements and the business processes in which they are shared (or not) is key to regulatory compliance but will also give millions of Americans better access to their health information than ever before – a foundational goal of the Cures Act.