Defining Electronic Health Information After the 21st Century Cures Act

Doctor holding phone

The digitization of medical records should lead to streamlined access for patients, efficiency upgrades for medical providers, and economic opportunity for developers.

To date, these benefits exist in theory, but not in practice—due to cybersecurity concerns and the overhead costs associated with interconnecting disparate, siloed systems, medical data is often made inaccessible to broader stakeholders by providers, blunting its potential impact.

Efforts persist. With its 2016 passage into law, the 21st Century Cures Act signaled a bipartisan commitment to streamlining the American healthcare system and creating better access for providers and patients. Chief among its benefits were provisions in the Cures Act Final Rule to remove impediments around the sharing and accessibility of Electronic Health Information (EHI). This led to the recent so-called “Information Blocking” regulations, which prohibit blocking of legitimate requests for sharing EHI.

The Cures Act Final Rule seeks to address the delicate balancing act of availability versus patient protection, privacy, and security. Calling on the healthcare industry to adopt standardized application programming interfaces (APIs) is a key initiative. The Final Rule also “includes a provision requiring that patients can electronically access all of their electronic health records, structured and/or unstructured, at no cost.”

Despite the information blocking regulations going into effect on April 5, 2021, the government and industry still lack consensus on exactly what is or isn’t EHI for every case, and there are eight information blocking exceptions which are yet to be fully defined for every instance. Future communications from the OIG Office of Civil Rights are expected to seek to further refine and define EHI.

Here’s a brief summary of what’s at stake:
Icon: Medical Records

For Patients: Controlling health care and medical records securely and privately via software apps, while also expanding patient and payer choice by providing information, data, and options.

Icon: Medical Provider

For Clinicians and Hospitals: Providing patients access to their medical information in a fully automated, low-cost manner via secure, standardized application programming interfaces (APIs). Hospitals should have access to a competitive marketplace for APIs—the Final Rule calls for open APIs, which encourages secure access to data for applications. The Final Rule is also designed to give providers operational flexibility for special situations.

Icon: Cloud IT

For Health IT Developers: Establishing “API Conditions of Certification” to detail health IT developers’ business practices and broadly address the use of APIs. A stated goal is to “encourage transparency around patient safety issues within health IT,” while also aiming to protect intellectual property rights of health IT developers.

While the industry awaits government clarification, it has also sought to frame the questions and possible implications. A task force established in 2020 comprising the American Health Information Management Association, the American Medical Informatics Association, and the HIMSS Electronic Health Record Association released a September 2021 study “focus[ing] on issues around operationalization of the definitions of electronic health information and designated record set”—an important step towards unlocking the power of EHI for all stakeholders.

In its report, the task force worked to establish what EHI means but also what it doesn’t mean—a vital process to help providers, certified IT developers, health information exchanges and networks adhere to the looming compliance dates for the Final Rule. Providers and organizations are expected to comply with Cures Act info-blocking provisions starting October 6, 2022, while the certification process for “the EHI export criterion – the process of electronic health records exporting EHI they’re storing – is expected by December 31, 2023.”

What Happens Next

The task force was clear that “what data classes are considered EHI will continue to evolve over time,” but they also believe the difficult process of standardization is ultimately key to the success of the Cures Act Final Rule. Next, the task force will solicit feedback from stakeholders regarding key findings of the report, while working towards “a consensus understanding of what data classes are considered EHI, including follow-up actions by the federal government and/or private sector to further operationalize the definition of EHI.” After taking the feedback into account, the task force is expected to alter its findings in accordance with technical, regulatory, and business considerations.

Working towards consensus on EHI is a laborious process with no shortage of debate and bureaucratic headwinds. But arriving at consensus has potentially seismic implications—by standardizing its definitions of what data constitutes EHI, the task force can enforce positive outcomes for millions of Americans with greater access to health information than ever before. It is fundamental to the Cures Act’s success, a process years in the making.

This article is authored by

Quandary Peak Research

Based in Los Angeles, Quandary Peak Research provides software litigation consulting and expert witness services. We rapidly analyze large code bases, design documents, performance and usage statistics, and other data to answer technical questions about the structure and behavior of software systems.