EDITOR’S NOTE: Senior healthcare consultant, Rose Dunn, past president of AHIMA, reported this story today during her appearance on Talk Ten Tuesdays.
The Electronic Health Information (EHI) Export requirement is effective Dec. 31, 2023. Part of the 21st Century Cures Act, this requirement is imposed on system developers such as Meditech, Oracle, EPIC, ECW, etc. So, what is it all about?
All developers of certified health IT modules that store electronic health information are required to certify that their product will meet the export functionality requirements, which include mandates to:
- Electronically export all EHI that is stored as of the date of product certification; and
- Facilitate single-patient EHI access requests, as well as entire patient population EHI exports.
EHI is protected information that is included in the designated record set, per the Office of the National Coordinator (ONC) for Health Information Technology. According to the American Health Information Management Association (AHIMA) Fundamentals of the Legal Health Record and Designated Record Set, “the designated record set includes patient medical and billing records or information used in whole or in part to make care-related decisions. The designated record set also contains individually identifiable data stored on any medium and collected and directly used in documenting healthcare or health status. It includes clinical data such as WAVE files, images (e.g., x-rays), and billing information.”
EHI does not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. ONC states that “the EHI definition represents the same (information) that a patient would have the right to request pursuant to the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.”
If the data is stored by a product that is part of a certified health IT module and the data qualifies as EHI, then the product a) must be able to export the patient data at any time the user chooses, without the system developer’s assistance; b) is not required to provide “direct-to-patient” functionality; c) must provide data in an electronic and computable format; and d) must limit which users can use an EHI export. Additionally, the functionality must include a publicly accessible hyperlink that lets any user directly access the information describing the structure and syntax of the export file (not the EHI itself).
Remember, this is a requirement for certified system developers to provide this functionality to clinicians and other healthcare end-users. The single-patient export functionality will allow you to export all EHI in a certified system or module for an individual patient and may facilitate requests for health information under HIPAA.
We should think about what this functionality may mean regarding information exchange requirements that will be imposed on us once it is available.
- Will we be required to implement the export functionality? There is no current federal regulatory requirement to do so, but should we expect that a mandatory requirement will be imposed?
- Could it be considered “information blocking” if we do not implement the export functionality?
- Not all of our EHI may be in a certified product, and some may therefore lack the export functionality; if so, how will we tie together the export functionality of different vendors representing different products that hold the EHI?
- Will there be expectations to do an entire patient population export to various authorities (such as state data banks) or health information exchanges?
- Will the entire patient population export facilitate conversions from one EHR to another EHR?
We’ll need to figure out how the system will differentiate restricted information from any other EHI to ensure security of data such as psychotherapy documentation or EHI that is being used for a civil, criminal, or administrative action.
Is your EHR vendor ready, and when will the functionality be available? If you haven’t started to discuss these questions with your HIM, privacy, and IT departments, be proactive and don’t wait.
For additional information, see: https://www.healthit.gov/buzz-blog/healthit-certification/getting-ready-for-ehi-export-a-quick-guide