To export or not to export? That is the question.
All certified Health IT Modules that are part of a health IT product that stores electronic health information (EHI) are required to certify to the Electronic Health Information export criterion (45 CFR 170.315 (b)(10)) and make the functionality available to end users by December 31, 2023. As this deadline approaches, we thought it would be helpful to revisit the requirements of § 170.315(b)(10) and which product types are required to certify to this criterion.
Section 170.315 (b)(10), which is part of the 2015 Edition Cures Update, replaces the 2015 Edition § 170.315 (b)(6) data export criterion. This new criterion requires certified Health IT Modules to electronically export all EHI that can be stored at the time of certification by the product of which the Health IT Module is a part. Section 170.315(b)(10) provides functional requirements to support single patient EHI access requests as well as entire patient population EHI export.
What is EHI?
EHI is the “electronic protected health information” (ePHI) that would be included in a designated record set as defined in 45 CFR 164.501. Notably, EHI does not include psychotherapy notes or information compiled in a reasonable anticipation or, for use in, a civil, criminal, or administrative action or proceeding. The EHI definition represents the same ePHI that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Rule. View ONC’s fact sheet on the EHI definition.
Who needs to certify to § 170.315(b)(10)?
The Assurances Maintenance of Certification requires any certified Health IT Module that is part of a Health IT Product that electronically stores EHI to certify to § 170.315(b)(10). This includes certified Health IT that leverages third party EHI storage. A helpful process for determining whether a Health IT Module should be certified is to ask the following questions:
- Is data stored by the product of which the certified Health IT Module is a part?
- Would that data qualify under the aforementioned EHI definition?
If the answer to both questions is “yes,” then the Health IT Module is required to certify to § 170.315 (b)(10).
What are the EHI export requirements?
The § 170.315(b)(10) criterion includes requirements for both single patient EHI export and entire patient population EHI export.
Single patient EHI export functionality must allow for the export of patient data at any time the user chooses without developer assistance. The criterion requires the EHI export to be done on the clinician/ user side and, thus, does not require that the product needs to provide “direct-to-patient” functionality. Single patient export must be created in a timely fashion, include all available patient EHI, be in an electronic and computable format, and include a publicly accessible hyperlink of the export’s format. In addition, the Health IT Module should have the ability to limit which users can perform an EHI export.
Similarly, the patient population export functionality must include all available patient population EHI, be exported in an electronic and computable format, and include a publicly accessible hyperlink of the export’s format. However, contrary to single patient EHI export functionality, patient population EHI export can involve additional action or support on the part of the certified Health IT Developer.
As mentioned above, certified health IT developers are required to provide EHI export files in an electronic and computable format that includes a publicly accessible hyperlink which allows any user to directly access the export file information without preconditions or additional steps. The EHI export file format needs to describe the structure and syntax of how the EHI is exported, but not the EHI itself. Users will utilize the export format documentation to process EHI after it has been exported by the product and to facilitate the movement of EHI to other systems.
Export Requirements for Clinicians
As certified health IT developers work to provide § 170.315(b)(10) functionality to clinicians by the December 2023 deadline, it is important to highlight that this criterion specifies requirements solely for certified health IT developers. ONC’s rules for this criterion only place requirements on developers to make the functionality available to its end users. There are no ONC regulatory requirements on end users or clinicians related to the use of § 170.315(b)(10). Similarly, while the § 170.315(b)(10) criterion can help in certain circumstances to fulfill requests for EHI, “actors” under the Information Blocking regulations should also be fully aware of the functional and EHI scope limitations that this criterion will likely have as a result of being associated with certified health IT.
This article was originally published on the Health IT Buzz and is syndicated here with permission.