PHI, ePHI, and EHI – Oh my!

Recently, I was presenting at a conference and posed the question to the audience – “do you know what a designated health record set is and why it is important in medical record requests?”

Most people have neither heard of the term “designated health record set” (DHRS) nor are they familiar with the term electronic health information (EHI) and how it relates to protected health information (PHI), electronic health information (ePHI), and electronic health information (EHI). In light of the October 6, 2022 lifting of the limitation on the scope of EHI, there is no time like the present to review these four (4) definitions and understand their relation to information blocking. The definitions include the following:

• DHRS (45 CFR 164.524) – includes medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals.
• PHI (45 CFR § 160.103) – means individually identifiable information that is transmitted or maintained in any form that relates to the past, present, or future diagnosis, treatment, and/or payment that connects the patient to a covered entity. Certain exceptions such as education records covered by the Family Educational Rights and Privacy Act apply.
• ePHI (45 CFR § 160.103) – means information that comes within paragraphs (1)(i) or (1)(ii) of the definition of protected health information as specified in this section. [Basically, any form of electronic media as defined in this portion of the CFR.]
• EHI(45 CFR § 171.102) - is defined as the electronic protected health information (ePHI) in a designated record set (as defined in the Health Insurance Portability and Accountability Act (HIPAA) regulations) regardless of whether the records are used or maintained by or for a covered entity.

Appreciating these definitions is critical because the above definition of EHI, which includes both ePHI and DHRS is “applicable to practices associated with its access, exchange, and use.” To assist “IB actors” and patients alike, ONC launched a website with a variety of resources to help with information blocking compliance. The tools available range from key portions of the 21st Century Cures Act of 2016 and the two related final rules, which were initially published in May 2020, FAQ sheets, and diagrams. For IB actors, knowing the exceptions to information blocking and having an alternative method to deliver patients their EHI is just as critical as knowing what may constitute an information blocking violation. Like the portal available through the U.S. Department of Health and Human Services Office for Civil Rights, which is used to report potential HIPAA Privacy and Security Rule violations, as well as report breaches pursuant to the Breach Notification Rule, ONC has its Information Blocking Portal, which can be used to report potential information blocking violations. Protection is critical for involving a potential violation. Utilizing the various resources is critical for compliance.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.