
February 11, 2021

Preparing Your HIPAA Program for the 21st Century Cures Act: Phase One and Beyond

In part one of our HIPAA-21st Century Cures Act series, we covered that the 21st Century Cures Act is a multifaceted piece of legislation designed to promote interoperability and help patients access their health information more easily. Ensuring compliance with this complex rule requires robust planning and a long-term commitment. We will now delve into what steps organizations should take to prepare for the upcoming implementation and enforcement of the new provisions.

What Should Organizations Be Doing in the Near Term to Prepare?

On April 5, 2021, the first elements of the Cures Act will go into effect, focusing specifically on the topic of information blocking. Over the next few months, there are several actions your organization can take to prepare for this first deadline.

Communicate with vendors

Reaching out to your electronic health record (EHR) vendor(s) should top the to-do list as this will allow you to understand the initial changes they are making and how those changes will impact your organization. At this time, vendors will most likely be working to manually provide the USCDI Version 1—a standardized set of information that can be sent to patients when they request personal health information. This data set replaces the Common Clinical Data Set (CCDS), which was previously used to support interoperability efforts. There is a range of information covered in the USCDI, including allergies and immunizations, health concerns, procedures, care plans and more.

It's reasonable to assume that certified EHR vendors will be able to produce the USCDI Version 1 in PDF form by April. However, it is wise to check on their progress and determine how patients will be able to ask for and receive this information. For example, will the patient request it through the patient portal? Will there be any changes to the way they receive information? What if they do not receive an answer to their request? What role does the healthcare organization play in ensuring the information is sent and received?

Ultimately, vendors must be able to provide the USCDI electronically through APIs that connect with consumer health apps. This functionality will not be required until October 6, 2022. However, getting a sense now of how your vendor plans to meet the API/app requirements is helpful as you start to map out your own compliance plans.

Conduct a gap assessment

After connecting with your vendors, start looking internally and assessing your own potential compliance gaps. A key part of this effort will entail educating yourself on the rule requirements and which ones apply to your organization. Due to the intricate nature of the Cures Act, the assessment process may be challenging. The good news is you do not have to face it alone. There are resources available to guide the work. For example, Stericycle will be rolling out a comprehensive checklist that can inform the assessment process and facilitate a detailed review. 

Update policies and procedures

Reviewing compliance policies and procedures is essential to ensuring the topic of information blocking is covered. As with assessment checklists, sample policies will soon be available to serve as a starting point.

Educate staff

Now is a good time to educate staff on how the new rules will affect them and what their role in compliance will be. This training should outline what constitutes information blocking, what the exceptions to the rule are, and how staff should respond to any patient queries. Walking through case examples, providing scripts, and engaging in role-playing can be helpful tools to reinforce this information.

After these initial steps, it is important to start thinking about preparing for the next deadline. By October 2022, patients should be able to use apps connected with their EHR to request and access their personal health information, and healthcare organizations will need to facilitate the use of those apps while ensuring information privacy and security. Although October 2022 may seem like a long way away, it will be here before we know it. Starting to get your hands around this project now is a good idea to enable a well-considered and achievable compliance effort.

What Are the Penalties for Non-compliance?

The Office of the Inspector General (OIG) is the enforcement agency for the Cures Act, and it is quite serious about compliance. The Cures Act is a top priority for the Department of Health and Human Services (HHS) as the agency believes poor interoperability is impacting healthcare costs and hindering value-based care models that are poised to transform patient care. To demonstrate its commitment to the information blocking rule, the OIG has already created a portal where people can submit complaints about information blocking incidents.

The agency has also published fines for EHR vendors if they don’t meet the requirements, and those violations start at a million dollars per incident. Although the OIG has not established parameters for provider fines, the agency has said it will apply appropriate disincentives for being out of compliance. One could assume the fines will be significant.

How Does HIPAA Relate to the Cures Act?

While most aspects of HIPAA will remain the same, the Office of Civil Rights (OCR), which is the designated enforcement agency for HIPAA, is working to align its requirements with the information blocking rules. As of this writing, the OCR has issued its Notice of Proposed Rule Making (NPRM) and is accepting comments. Once a final rule is released, there will be a 180-day implementation period, which means organizations will most likely be required to meet new HIPAA rules by fall to winter of 2021. You can get a sense of what these new rules might entail by looking at the proposed changes. In general, they relate to aspects of the privacy rule that limit or discourage care coordination and case management communications among individuals and covered entities, including hospitals and physician practices. They also take aim at any aspects of the rule that have the potential to slow progress toward value-based care. While these rules are still evolving, Stericycle is committed to staying up to date on the regulations and how they will impact healthcare organizations.

Learn more about how Stericycle can help you prepare for the Cures Act and ensure compliance with the information blocking rule.
