The 21st Century Cures Act (“Cures Act”) fundamentally changes the way patients can interact with their health information—and October 6, 2022, is a major milestone. Today, electronic health information (EHI) is limited to the data elements defined as United States Core Data for Interoperability (USCDI), which includes information such as clinical notes, certain patient demographic data, and other data categories (i.e., data provenance).
The new definition of EHI for the Cures Act
When the Cures Act Final Rule was published, the scope of EHI for purposes of the information blocking definition was limited to USCDI only until October 5, 2022. Starting on October 6, 2022, the definition of EHI includes “the entire scope of the Electronic Health Information (EHI) definition [i.e., ePHI that is or would be in a Designated Record Set (DRS)].”
What does this expanded definition of EHI mean to health information management (HIM)?
In short, the broader definition means that the complexity of requests for patient records and, subsequently, the volume of data that may be released to authorized requesters will increase significantly. As an HIM leader, you need to prepare not just your team, but your IT department, ancillary staff, and any other groups that may hold data that is part of the DRS but are not normally in the release of information process.
Following are four things you can do now to be ready for the Cures Act EHI change on October 6:
- Form a cross-functional Cures Act committee
- Define and document your organization’s Designated Record Set
- Define processes for accessing DRS data—and train all stakeholders
- Ensure a quality assurance mechanism is in place to check what EHI is being released
Create a Cures Act Committee
The charter of the Cures Act committee is to align people, processes, and technology to ensure full compliance with the Cures Act and information blocking requirements.
Compliance is no longer limited to a few compliance and privacy officers working with the HIM department. The introduction of technology into formerly manual processes means that additional people and departments need to be aware of the requirements of the Cures Act, HIPAA, and other state and federal regulations.
For the upcoming EHI milestone, Ciox recommends that HIM leadership convene a group that includes IT, Compliance, and departments that “own” data elements that are part of the DRS and look at that data through a Cures Act compliance lens. IT is critical here to determine if systems can be connected to make accessing data easier. If disparate systems can’t communicate with each other, processes need to be defined to determine how data can be pulled into HIM to fulfill the patient request—within the turnaround times outlined in HIPAA Patient Right of Access or according to state law (if that is more stringent).
Define YOUR Designated Record Set
Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. Your DRS will be a combination of clinical and billing information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals.
Make a list. The first question the Cures Act committee should answer is: What information is part of the DRS and what data elements are included?
Create a map. Are your records stored electronically, on paper, films, strips, etc., or a combination? If they are electronic, HIM and IT will need to work together to determine which systems house the data – is it all in the EHR? Chances are, there are going to be multiple systems, not to mention physical locations, that you will need to access. Expand the list you created of the data elements to create a comprehensive “map” of your DRS elements.
Identify data owners. Now that you know what information is part of the DRS and where it’s located, you will need to determine who owns the data and make decisions about who can access it. Can HIM access billing records or are those systems restricted? Who can request copies of paper records in storage or films from radiology systems? You will need each data owner to define and approve access to all DRS records. Add this information to your map.
Finalize your DRS master list. Finally, document all this information in a centralized location and assign owners and stakeholders who are responsible for ensuring the ongoing maintenance of this list. Whatever form this documentation takes (e.g., it can be maintained in a spreadsheet), it must be regularly reviewed and updated, especially if legacy systems are retired, new systems are implemented, and/or DRS data is migrated, digitized, or archived.
Determine how DRS data will be accessed…and document that too!
Working with the data “owners” identified in your DRS master list, determine how HIM will access the data needed to fulfill patient requests for their EHI. Some things to think about:
- Can HIM directly access other systems? If so, will team members need logins or is there a single sign-on process that can be used?
- Will HIM need to request information from other departments (versus accessing it directly)? If so, what’s the process, and how long does that take?
- If the information is coming into HIM from different places, how will HIM put it all together to release to the patient?
Once you answer the “how” questions, document each individual process and then put it all together for a comprehensive, end-to-end “all EHI request process.”
Training on the process will be critical—ensure that all stakeholders are trained not just on their roles within the process, but also on the reason the process must be followed. Make sure everyone understands the requirements of the Cures Act and that the Cures Act does not replace or change HIPAA and Patient Right of Access compliance requirements.
Perform quality assurance for every single request
With so much information being retrieved and released, the opportunity for error increases—making quality assurance a requirement as the last step of the release of information process. Thankfully, technology powered by artificial intelligence, natural language processing, and optical character recognition can perform thorough quality assurance to make sure the right records are being released to the right requester.
October 6th is right around the corner, so if you haven’t already, you need to start preparing ASAP. While creating a DRS master list and defining and documenting processes may seem daunting, much of it probably already exists. It’s just a matter of bringing it all together into one place—and being diligent about continuously reviewing and updating documents and processes.