The 21st Century Cures Act and The HIPAA Privacy Rule

The 21st Century Cures Act (Cures Act) of 2016 was passed to encourage innovation in medical research. One purpose of the law was to give patients greater control over their electronic health information (EHI). A provision in the law required the Department of Health and Human Services (HHS) to develop a rule allowing for easier flow of electronic health information among developers, between providers and patients, between providers and EHR vendors, and so on. The rule was developed by the Office of the National Coordinator for Health Information Technology (ONC), an agency of HHS, and is known as the Interoperability and Information Blocking Rule (“Final Rule”). The rule becomes final, that is, goes into effect, on April 5, 2021. The differences between the 21st Century Cures Act and the HIPAA Privacy Rule are discussed below.

What is Interoperability?

According to section 4003 of the 21st Century Cures Act, the term ‘interoperability,’ with respect to health information technology, means such health information technology that:

  • Enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user;
  • Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
  • Does not constitute information blocking.

What is Information Blocking?

Information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI) (another word for ePHI).

21st Century Cures Act

EHI means electronic protected health information (ePHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity.

Section 4004 of the Cures Act lists certain practices that could constitute information blocking by these entities:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;
  • Implementing health IT in ways that are likely to:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

The Final Rule promotes interoperability and prohibits information blocking. Under the Final Rule, patients are entitled to electronically access all of their electronic health information (EHI), whether structured or unstructured, in a form that is convenient for them.

Exceptions to Information Blocking

A practice is not treated as information blocking when it falls under one of the following exceptions:

  • Preventing Harm Exception: It is not information blocking for an entity to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
  • Privacy Exception: It is not information blocking if an entity does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
  • Security Exception: It is not information blocking if an entity interferes with the access, exchange, or use of EHI in order to protect the security of EHI.
  • Infeasibility Exception: It is not information blocking if an entity does not fulfill a request to access, exchange, or use EHI, due to the infeasibility of the request, provided certain conditions are met.
  • Health IT Performance Exception: It is not information blocking for an entity to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

There are also exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:

  • Content and Manner Exception: It is not information blocking for an entity to limit the content of its response