The 21st Century Cures Act and the HIPAA Privacy Rule

The 21st Century Cures Act (Cures Act) of 2016 was passed to encourage innovation in medical research. One purpose of the law was to give patients greater control over their electronic health information (EHI). A provision in the law required the Department of Health and Human Services (HHS) to develop a rule allowing for an easier flow of electronic health information: among developers, between providers and patients, between providers and EHR vendors, and so on. The rule was developed by the Office of the National Coordinator for Health Information Technology (ONC), an agency of HHS, and is known as the Interoperability and Information Blocking Rule (“Final Rule”). The rule becomes final (goes into effect) on April 5, 2021. The differences between the 21st Century Cures Act and the HIPAA Privacy Rule are discussed below.

What is Interoperability?

According to section 4003 of the 21st Century Cures Act, the term ‘interoperability,’ with respect to health information technology, means such health information technology that:

  • Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user;
  • Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
  • Does not constitute information blocking.

What is Information Blocking?

Information blocking is a practice by a health IT developer of certified health IT, a health information network, a health information exchange, or a health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI), a term closely related to ePHI.

EHI means electronic protected health information (ePHI) as that term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records is used or maintained by or for a HIPAA covered entity.

Section 4004 of the Cures Act lists certain practices that could constitute information blocking by these entities:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;
  • Implementing health IT in ways that are likely to:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

The final rule promotes interoperability, and prohibits information blocking. Under the final rule, patients are entitled to electronically access all of their electronic health information (EHI), structured and/or unstructured, in a form that is convenient for them.


Exceptions to Information Blocking

Information blocking is permitted under certain exceptions:

  • Preventing Harm Exception: It is not information blocking for an entity to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
  • Privacy Exception: It is not information blocking if an entity does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
  • Security Exception: It is not information blocking if an entity interferes with the access, exchange, or use of EHI in order to protect the security of EHI.
  • Infeasibility Exception: It is not information blocking if an entity does not fulfill a request to access, exchange, or use EHI, due to the infeasibility of the request, provided certain conditions are met.
  • Health IT Performance Exception: It is not information blocking for an entity to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

There are also exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:

  • Content and Manner Exception: It is not information blocking for an entity to limit the content of its response to a request to access, exchange, or use EHI, or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
  • Fees Exception: It is not information blocking for an entity to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. Healthcare providers specifically, though, must charge fees that are reasonable and cost-based, per the HIPAA Privacy Rule.
  • Licensing Exception: It is not information blocking to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

Who is Covered by the Final Rule?

The final rule prohibits information blocking of EHI. The rule applies to health IT developers of certified health IT, health information networks, health information exchanges, or healthcare providers, with respect to EHI.

Healthcare providers include healthcare facilities (including hospices), entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of healthcare provider in the Final Rule to cover all individuals and entities covered by HIPAA, and the two populations do not fully overlap (for example, app developers who are neither business associates nor covered entities must follow the Final Rule but are not covered by HIPAA). Healthcare facilities, which are HIPAA covered entities, are covered under the rule.

21st Century Cures Act and Healthcare Providers

In service of the goal of furthering EHR interoperability, the Cures Act prohibits “information blocking,” which is a practice that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information . . .,” and, which, “if conducted by a health care provider, such provider knows that such practice is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”

Some examples of practices that may implicate the information blocking prohibition are:

  • A healthcare provider organization refuses to share core clinical information with a rival ACO (accountable care organization), or shares information only in a way that is expensive and inefficient for the rival ACO (e.g., by fax);
  • A healthcare provider maintains an over-broad privacy policy (e.g., refuses to share treatment records without a patient’s consent, despite the fact that HIPAA does not require consent to share treatment records, or refuses to share mental health records across state lines, even where the patient has consented and no law prohibits such sharing);
  • A healthcare provider notifies its EHR developer of its intent to switch to another EHR system and requests a complete export of its electronic health information (EHI). The developer will only provide the EHI in PDF format, even though it already can and does produce the data in a commercially reasonable structured format;
  • A healthcare provider licenses EHR software from a vendor. A billing dispute turns into litigation and the vendor activates a “kill switch” that renders data maintained by the vendor inaccessible to the provider and its patients;
  • A small healthcare provider frequently orders tests from a local lab operated by a national laboratory chain, which licenses EHR technology that makes it easy to exchange lab orders and results electronically. The lab has a policy not to enable interfaces from its EHR technology to any labs operated by a competing national laboratory chain.

The Rule requires CMS-regulated hospitals to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner, when requested. Failure to send the notification is information blocking.

CMS-regulated payers are also regulated under the final rule. Specifically, MA organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and QHP issuers must:

  • Implement and maintain a secure, standards-based API (Application Programming Interface) that allows patients to easily access their claims and receive information, including cost, through a third-party app of their choice.
  • Make provider directory information publicly available via a standards-based API.
  • Send electronic patient event notifications of a patient’s admission, discharge and/or transfer to another healthcare facility or to another community provider or practitioner.

CMS providers (providers who accept Medicare and Medicaid) who restrict authorized access, exchange, or use of ePHI for permitted purposes, such as treatment, will be publicly reported by CMS as having engaged in information blocking. Providers who create or implement electronic health information access procedures that constitute information blocking will also be publicly reported by CMS.

The 21st Century Cures Act and Penalties

Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on who commits the violation. Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation. Healthcare providers who violate the information blocking provisions may face disincentives for violations, beyond the public reporting mentioned above. The type of disincentive has yet to be determined and will be set in subsequent rulemaking.

Interaction Between The 21st Century Cures Act and The HIPAA Privacy Rule

The 21st Century Cures Act is a separate law from HIPAA. The Final Rule is a series of regulations separate from the HIPAA and HITECH Act regulations. It is therefore not accurate to say that the 21st Century Cures Act modifies or changes HIPAA.

The Cures Act and the HIPAA Privacy Rule are related, though, in that the goal of both is to protect the rights of patients. The laws simply achieve this goal using different methods.

A central component of the HIPAA Privacy Rule is the right of access provision. Under this provision, providers must allow patients to inspect, access, and copy their medical records. The 21st Century Cures Act also has the goal of promoting patient (and provider) access to ePHI. Both the 21st Century Cures Act and the HIPAA Privacy Rule also regulate disclosure of PHI, but from different directions: the HIPAA Privacy Rule is designed to prevent unauthorized access to PHI, while the 21st Century Cures Act actively requires disclosure of PHI. These two disclosure goals may seem contradictory, but they are not. The 21st Century Cures Act’s information blocking provision does prohibit conduct that is “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” However, the 21st Century Cures Act does not permit disclosure of information that the Privacy Rule prohibits from being disclosed.

For example, the Privacy Rule prohibits covered entities from using or disclosing genetic information for insurance underwriting purposes. The Information Blocking rule does not remove this prohibition. If a disclosure is prohibited by the Privacy Rule, or if authorization is required by the Privacy Rule, the Cures Act does not “override” that requirement. Providers must comply with both laws. By definition, complying with the HIPAA use, authorization, and right of access requirements is NOT information blocking.

It is nonetheless possible that a provider may have existing HIPAA Privacy Rule policies and procedures, or business associate agreements, that incorporate or constitute information blocking. For example, a covered entity may have a business associate agreement with its business associate EHR software vendor that contains the following condition: “In the event of a billing dispute, EHR software vendor may activate a ‘kill switch’ that renders data maintained by the vendor inaccessible to the provider and the patient. The ‘kill switch’ will not be deactivated until the vendor’s bill is paid in full.” Use of such a “kill switch,” as noted above, is information blocking.

By April 5, 2021, HIPAA covered entities and business associates must complete a review of their HIPAA policies and procedures and business associate agreements, and remove from them any practices or language that constitute information blocking under the 21st Century Cures Act.

The 21st Century Cures Act and the HIPAA Privacy Rule do not contradict each other. By complying with both, entities fulfill their obligations to allow for access to health information, while ensuring that access is limited to what is permitted under the law.
