The Cures Act Information Blocking Rule: Impact on Data Access, Interoperability, and Security

The 21st Century Cures Act (Cures Act) was signed into law by President Barack Obama on December 13, 2016.¹ The overarching goal of this legislation was to modernize the US healthcare system through technology and science, which can enhance national interoperability by promoting the sharing of health information.²

In May 2020, the Office of the National Coordinator for Health Information Technology (ONC) published the Final Rule of the Cures Act, which is designed to ensure that patients have access to their electronic health information (EHI). The ruling also supports provider needs regarding clinical data sharing and addresses industry-wide information blocking practices.³

To be compliant and offer the best support to their patients, healthcare providers need to understand the provisions of the Final Rule as it pertains to creating, maintaining, and sharing patient health data, and the impact of this legislation on their practices.

Interoperability and Information Blocking

The ONC is charged with pulling together national efforts to implement the most advanced health information technology (IT) and the electronic exchange of information. The framework that the ONC has developed through the Final Rule allows for secure national sharing of healthcare data amongst various organizations and healthcare entities. This is known as “interoperability.”⁴

For software vendors to make this data sharing a reality, their programs must be able to “speak” to one another. The healthcare industry uses Health Level Seven International medical data standards for information exchange. To adhere to new programming requirements for system interoperability, Health Level Seven International released its Fast Healthcare Interoperability Resources version 4.0.⁴

The Final Rule also includes the government authority to prohibit 3 categories of “actors”—healthcare providers, health IT developers of certified health IT, and health information networks/health information exchanges—from a practice known as “information blocking,” which is defined as impeding or delaying the flow of health data among healthcare providers, networks, vendors, and patients.⁵

The information blocking provisions dictate that clinical notes created in an electronic health record must be immediately available to patients through a secure online portal. The 8 types of clinical notes that must be shared with patients are as follows⁶:

1. Consultation notes
2. Discharge summary notes
3. History and physical notes
4. Imaging narratives
5. Laboratory report narratives
6. Pathology report narratives
7. Procedure notes
8. Progress notes.

Information Blocking Exceptions

There are 8 information blocking exceptions established in the Final Rule that providers also need to be aware of to ensure compliance. These exceptions are as follows⁷:

1. Preventing harm
2. Privacy
3. Security
4. Infeasibility
5. Health IT performance
6. Licensing
7. Fees
8. Content and manner.

It is best to become familiar with these information blocking exceptions before attempting to apply them to data sharing scenarios. It is important to understand that these exceptions are voluntary and offer actors certainty, but it is also worth noting that even in cases where a practice does not meet any of the exceptions, this does not automatically mean that information blocking has occurred. This is determined on a case-by-case basis.

Information Blocking Complaints and Investigations

Providers have a responsibility to educate patients on their rights regarding the access of personal health information and what to do if they feel they have been denied this access. Information blocking complaints do not require individuals to submit personal identifying information; they may remain anonymous and are protected from disclosure by the Freedom of Information Act.

So, what happens after a patient reports information blocking through the Information Blocking Portal on ONC’s website, HealthIT.gov? The ONC will confirm receipt with the submitter and the report is automatically assigned a tracking number (eg, IB-XXX). Depending on the facts and details included in the complaint, the ONC may contact the submitter for additional information.

Information blocking complaints can be initiated with the Office of Inspector General (OIG) at https://oig.hhs.gov/fraud/report-fraud/index.asp or by phone at 1-800-HHS-TIPS (1-800-447-8477). The OIG Hotline will not be able to respond to any inquiries about action taken in response to a complaint. For more information, see OIG’s Hotline website: https://oig.hhs.gov/fraud/report-fraud/before-you-submit/.

Do not leave your organization in a lurch; be sure to publicize the name and contact information of your Compliance Officer so that complaints are handled internally prior to escalating to Federal or state authorities.

Securing Patient Portals

Now that practices are required to share more EHI online with patients, it is critical that they ensure the privacy and security of their platforms. Patient portals can become easy targets for cybersecurity attacks; therefore, it is critical to include added security layers such as multifactor authentication. These new requirements open additional opportunities to encourage patients to take ownership of and manage their health information.

ONC’s HealthIT.gov website has curated a number of frequently asked questions related to the Cures Act and information blocking to help actors better understand compliance requirements (see below).

Conclusion

The Cures Act is monumental legislation, and this article barely scratches the surface in terms of what providers need to know. However, my hope is that this information may generate ideas that will encourage you to implement new internal processes in your practice. I would encourage you to utilize your resources to develop policies and procedures for interoperability and information sharing by considering the following internal compliance opportunities:

• Update internal medical record release policies
• Update medical record copying pricing
• Conduct security risk assessment
• Update patient portal permissions
• Sign off on notes in a timely manner
• Update notice of privacy practices.

References

1. US Food and Drug Administration. 21st Century Cures Act. January 31, 2020. www.fda.gov/regulatory-information/selected-amendments-fdc-act/21st-century-cures-act. Accessed September 27, 2022.
2. HealthIT.gov. Health IT legislation. Updated August 9, 2022. www.healthit.gov/topic/laws-regulation-and-policy/health-it-legislation. Accessed September 30, 2022.
3. Federal Register. 21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Program. Updated April 4, 2020. www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification. Accessed October 15, 2022.
4. HealthIT.gov. United States Core Data for Interoperability (USCDI). www.healthit.gov/isa/united-states-core-data-interoperability-uscdi. Accessed September 27, 2022.
5. HealthIT.gov. Information blocking. Updated October 31, 2022. www.healthit.gov/topic/information-blocking. Accessed November 8, 2022.
6. HealthIT.gov. Clinical notes. www.healthit.gov/isa/uscdi-data-class/clinical-notes. Accessed October 15, 2022.
7. The Office of the National Coordinator for Health Information Technology. Cures Act final rule: information blocking exceptions. Updated July 2022. www.healthit.gov/sites/default/files/2022-07/InformationBlockingExceptions.pdf. Accessed September 27, 2022.