December 14, 2020

Importance of the 21st Century Cures Act for HIPAA Compliance

21st Century Cures Act Summary

The 21st Century Cures Act is intended to provide patients with greater access to care and implement new standards to enable enhanced access to electronic health information (EHI) and coordination of patient care between providers. This only applies to electronic patient health information and not paper medical records. It simplifies patient access to their medical data and prevents information blocking. This legislation requires healthcare providers and payers to grant patients access to electronic healthcare records without delay or expense.

Who Must Comply With The 21st Century Cures Act?

These rules impact all members of the healthcare industry and were created to guide providers, payers, and EHR and technology vendors as they design their health IT systems.

Importance of the 21st Century Cures Act

The Cures Act was signed into law to give patients more control over their healthcare data and to apply information-blocking rules that penalize providers and payers who interfere with the use, access, and exchange of EHI. The Cures Act requires encrypted messages and APIs (application programming interfaces, the protocols that let applications communicate with each other) so that requested data can be gathered from the patient's EHR safely.

21st Century Cures Act Information Blocking

What Is Information Blocking?

The Cures Act was developed to prevent healthcare organizations from interfering with the access, exchange, or use of EHI. Blocking includes practices that prevent or discourage access, exchange, or use of EHI between health systems, apps, and devices. Any practice likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange, or use of EHI is considered information blocking.

Who Can Be an Information Blocker?

The Cures Act specifies four types of “actors” that must comply with the information blocking rule:

  1. Healthcare providers
  2. Health information technology companies that have a certified health IT system
  3. Health information networks (HINs)
  4. Health information exchanges (HIEs)

To be considered an information blocker, an entity must know that its actions would interfere with EHI use. Providers can experience information blocking when they try to obtain patient health data from another provider and are denied access to all or part of the requested information. The issue can also arise when a patient seeks to retrieve their personal health information and is prevented from doing so. Blocking can be as overt as directly thwarting information exchange or as subtle as making health IT so complex that it all but eliminates the possibility of information sharing.

The law also prescribes penalties for information blocking, the most serious of which apply to health IT vendors, HINs, and HIEs. These entities can incur monetary penalties up to $1 million per violation and may be banned from certifying health IT going forward. Healthcare providers could also be penalized but the Office of the National Coordinator (ONC) has not fully defined what those penalties would entail.

How Does the Information Blocking Rule Relate to HIPAA Compliance?

While healthcare organizations should avoid information blocking, they must also remain focused on keeping confidential patient health information private and secure to maintain compliance with HIPAA. The ONC addresses this tension in two of the information blocking rule’s eight exceptions.

The Privacy Exception

The privacy exception indicates an activity will not be considered information blocking if an actor does not fulfill an EHI request in order to protect an individual’s privacy, provided certain conditions are met. This exception suggests that an actor should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.

For example, if the provider is required to obtain consent before sharing patient information with another healthcare entity, it may delay sharing the information until it receives consent. This delay is not information blocking. Similarly, if a patient has requested that their information not be shared, the provider has the right not to share the information.

The Security Exception

The security exception also pertains to HIPAA. This exception states that an activity will not be considered information blocking if it is done to protect the security of EHI, provided certain conditions are met. This exception is intended to cover all legitimate security practices but does not prescribe a maximum level of security or dictate a one-size-fits-all approach.

To fit within the security exception, an activity must be directly related to safeguarding EHI’s confidentiality, integrity, and availability; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.

How Does It Impact Patients?

Providers can deliver faster treatment and better care because they will have quicker access to pertinent medical information about patients. The Cures Act gives patients more control over their data. It improves their ability to shop for care by considering cost and quality, allowing for more informed decision-making and quality comparisons. Patients can use devices with applications to obtain their personal EHI or direct that information be sent to a provider or payer.

How Does It Impact Healthcare Providers and Payers?

Technology is the hardest part of the equation for providers, EHR vendors, and payers. They will now be required to build government-certified data paths that travel through the ONC’s Health Level 7 (HL7) pipeline, where the data is formatted, authenticated, and exchanged. The ONC HL7 is a set of international standards for transferring clinical and administrative data between the software applications used by various healthcare providers. Organizations need to ensure procedures are in place to compile and document patient information into designated record sets. Therefore, providers and payers must develop and implement guidelines and procedures around Cures Act compliance practices.

How to Prepare Your Healthcare Organization for Cures Act and HIPAA Compliance Changes

There are many nuances involved in the interpretation of the information blocking rule, especially when you consider its evolving relationship with HIPAA. The Department of Health and Human Services (HHS) has not yet released revised rules regarding HIPAA in the context of information blocking.

That said, here are a few things organizations should be doing now to prepare for this critical part of the Cures Act and whatever associated HIPAA changes may go along with it:

Understand the requirements for information blocking.

Taking time to read about the rule and what it entails is a good first step toward setting the context for updating your compliance processes and procedures. The federal government maintains a comprehensive site that details the legislation and its various components.

UPDATE: All EHI now falls under the Cures Act rule and must be made available upon authorized request from patients, providers, payers, and health information systems. Beginning October 6, 2022, the definition of “information blocking” in 45 CFR 171.103 no longer limits what is considered EHI to the data elements represented in the USCDI.

Review your current compliance program.

After getting up to speed on the legislation, you should examine your compliance policies to determine where additions or corrections may be necessary. To help with this, you may want to pull together a team of experts. This group may include legal resources familiar with the Cures Act, IT professionals who understand the intricacies of information exchange, and privacy and security compliance experts who fully understand the implications from a HIPAA perspective. Team members may be internal or external, depending on your organization’s size and compliance resources.

Plan for increased compliance training.

Once you have new policies in place, you will also need to implement compliance training that walks staff through the details of the information blocking rule and how they can preserve patient privacy and security while facilitating patients’ access to their health information. Although you can develop training programs in-house, there will likely be external offerings available as the compliance deadline approaches.

Stay tuned for Cures Act updates.

As of this writing, healthcare providers, vendors, and other actors must comply with information blocking rules and regulations starting on April 5, 2021. However, that may change as the date gets closer. As such, it’s important to stay abreast of new developments to make sure you are on track to remain in compliance.

Find FAQs and the latest updates on the Cures Act here.

Partner with Stericycle to Enhance Your HIPAA Compliance Efforts in Accordance With The 21st Century Cures Act

One of the challenges with the information blocking rule is that it applies to all healthcare organizations, even those that don’t have a large compliance department that can review policies, assess risk, make updates, and offer training. That’s where Stericycle comes in. Our compliance experts are committed to helping customers think through the implications of the information blocking rule and how to meet the intent of both the Cures Act and HIPAA. We will be offering several resources in the coming months to guide customers through their compliance journey.

Learn more about how Stericycle helps organizations manage HIPAA compliance. Act now.
