Information Blocking: Electronic Health Information Definition (45 CFR 171.102)
EHI is the full electronic Designated Record Set as defined by HIPAA at 45 CFR 164.501 (since October 6, 2022), broader than the USCDI subset that applied during the initial phase.
Primary source
45 CFR 171.102 (EHI definition) — eCFR →https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-A/section-171.102
Verified May 23, 2026 · This is the authoritative regulator URL. The summary below is a research aid; the linked source controls.
Additional sources
45 CFR 171.102 defines Electronic Health Information (EHI) as electronic protected health information (ePHI) as defined in HIPAA, to the extent it would be included in a designated record set as defined at 45 CFR 164.501, regardless of whether the records are used or maintained by or for a covered entity.
EHI excludes psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Through October 5, 2022 the definition was limited to the USCDI subset (problem list, allergies, medications, demographics, and a defined list of additional data classes). The transition to the full Designated Record Set on October 6, 2022 substantially expanded the scope of information that providers must make accessible, exchangeable, and usable.
In practice, EHI now covers nearly everything in the EHR: clinical notes, lab results, imaging reports, billing records used by the provider for treatment, intake forms, and any other record used in whole or in part to make decisions about the individual. Practices that previously released only USCDI elements via portal must now meet requests for broader content unless an exception applies.
Use this in your workspace
D3rx assembles the documentation linked to this regulation, walks the practical decisions in plain English, and stores the artifacts against the .gov sources cited above. It is an administrative research aid, not a substitute for counsel.
Related regulations
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- RegulationInformation Blocking Actors (45 CFR 171.102)Three classes of actors subject to information blocking: health care providers, health IT developers of certified health IT, and health information networks/exchanges.
- RegulationInformation Blocking Eight Exceptions (45 CFR 171.200-303)The eight regulatory exceptions to information blocking: preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, and licensing.
- RegulationInformation Blocking Rule Overview (45 CFR Part 171)The 21st Century Cures Act information blocking provisions and the ONC rule prohibiting actions by providers, health IT developers, and HINs/HIEs that interfere with electronic health information access, exchange, or use.
- SRAHIPAA Patient Right of Access: A Small-Practice WalkthroughHow 45 CFR 164.524 governs patient access to their records, the 30-day rule and 30-day extension, the limited fees a practice may charge, and the OCR Right of Access Initiative.
- RegulationHIPAA Marketing Restrictions (45 CFR 164.508(a)(3))Most communications encouraging an individual to purchase or use a product or service require a HIPAA-compliant authorization, with narrow exceptions for face-to-face communications and promotional gifts of nominal value.
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- SRAHIPAA Risk Analysis for a Physical Therapy PracticeWhat an outpatient physical therapy clinic owes under 45 CFR 164.308(a)(1)(ii)(A), with the ePHI workflows specific to PT, OT, and rehab settings.
- GlossaryEHI (Electronic Health Information)Electronic protected health information to the extent that it would be included in a designated record set, plus other identifying health information held by an actor.
Last reviewed May 23, 2026 · Citation verified May 23, 2026
Research aid, not legal advice. This summary is an administrative research aid prepared by D3rx. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. For authoritative regulatory text follow the primary source link at the top of this page. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.