Anyone who deals with electronic health information knows just how complicated it can be to establish and maintain HIPAA compliance.

With the recent introduction of the Cures Act Final Rule, there’s a lot to know and do to ensure your practice remains compliant and in good public standing. So to help you better understand and approach these impending changes, here’s a look at what the Cures Act Final Rule is, how it works, and what it means for your practice.

What is the Cures Act Final Rule?

The Cures Act Final Rule was introduced on May 1, 2020 by the Office of the National Coordinator for Health Information Technology (ONC) of the Department of Health and Human Services.

It is primarily composed of two core provisions: one defines what constitutes information blocking, and the other covers the updates, conditions, and maintenance of Health IT certification. In short, the rule is about interoperability and access. The information blocking provision applies to health care providers, developers of certified health IT, and health information networks and exchanges; the certification provision applies to the developers of certified health IT.

While it does create additional complications in terms of compliance for covered entities and Business Associates, the Final Rule’s intent is to ensure that patients have secure access to their health information and data. In turn, the hope is that this will also improve data sharing, promote innovation and healthy competition, and create better health care outcomes for patients in alignment with the ONC’s vision of value-based care.

While the Cures Act itself was passed in 2016, it was far more conceptual than actionable. Its aim was a seamless and secure exchange of protected health information (PHI) and clear rules for how that information is handled. Before the Final Rule in 2020, however, there were very few legal implications, let alone consequences, and much of the ambiguous language used was left open to subjective interpretation.

The Final Rule supplied a definition that is clear in both scope and precision, setting a new standard for health information sharing and collaboration and spelling out the rights and expectations of patients and users, health IT organizations, and health care providers alike.

The compliance date originally fell in 2020, but because of COVID-19 it was pushed back to April 5, 2021. Note, too, that the penalty amounts and enforcement start dates are still in development and should be reviewed regularly until they are finalized.

How does the Cures Act Final Rule work?

At its core, the Cures Act Final Rule requires the healthcare industry to adopt standardized application programming interfaces (APIs) so that individuals can securely and easily access their electronic health information through smartphone applications.

It is largely governed and enforced by three Department of Health and Human Services entities:

  • The ONC, which wrote and published the information blocking rule, creates and oversees health IT certification.
  • The Office of Inspector General (OIG) combats waste, fraud, and abuse and acts as the primary investigator of information blocking allegations.
  • The Centers for Medicare & Medicaid Services (CMS), the public payer and arbiter of annual fee schedules, promotes interoperability and enforces the use of certified health IT among providers.

As mentioned above, the rule covers two primary provisions, one to address information blocking and the other to address the updates to HIT certification criteria as well as the conditions and maintenance of certification. We’ll address each one more specifically below.

Information Blocking

Information blocking is defined as any practice that is likely to interfere with, prevent, or materially discourage access, use, or exchange of electronic health information unless the practice is required by law or meets one of the established exceptions.

While that definition will become clearer as we discuss it below, it's important to note that the information blocking rule does not supersede HIPAA, SAMHSA's confidentiality regulations, or any other state or regional regulation.

The Final Rule sets out the ONC's standard for what constitutes information blocking. It can occur in many ways; some examples include:

  • Charging a patient for electronic access to their personal health record
  • Requiring a patient to consent to exchange their EHI for treatment when not required by law
  • An entity that has the capacity to offer data access the same day but takes multiple days to respond to an incoming request
  • An entity refusing to share EHI with a non-affiliated organization
  • A certified health IT developer refusing to share the technical processes or information needed to properly export patient data
  • Health information networks or exchanges charging additional fees to non-affiliated organizations, beyond the state-mandated fees charged to third-party requesters

Of course, while there are actions that may be deemed information blocking, there are also eight reasonable exceptions the ONC has outlined.

Acceptable exceptions that involve not fulfilling a request include:

  • Preventing harm
  • Privacy
  • Security
  • Infeasibility
  • Health IT performance

Acceptable exceptions and procedures for fulfilling requests to access, use or exchange EHI include:

  • Content and manner (format alternatives such as PDF, postal mail, etc.)
  • Fees
  • Licensing

In addition, it's worth noting that until October 6, 2022, the information blocking rule applies only to the data elements included in the United States Core Data for Interoperability (USCDI). After that date, it extends to the full scope of electronic health information (EHI) as the rule defines it.

Certification Criteria

Providing secure and easy access to health data means patients need to be able to choose a third-party app on their phone or smart device.

To achieve this, the Final Rule makes numerous updates and changes to the criteria for health IT certification and maintenance. For entities to properly adhere to these requirements, their electronic access solutions should have:

  • Authentication processes – This pertains to individual users as well as the systems they’re interacting with.
  • Patient authorization measures
  • A digital consent process/framework like Consent2Share (C2S)
  • Settings for patients to define data sharing preferences
  • An API gateway that can speak Fast Healthcare Interoperability Resources (FHIR) and understands the United States Core Data for Interoperability (USCDI)
  • Documentation, monitoring, and reporting for all request processing—including why record requests were sent or denied.
  • Cross-version support
  • FHIR profiles for different use cases
  • An enterprise master patient index (EMPI)
  • A transaction system
  • An approval system to handle data merging since not all APIs are updated routinely
  • A technical infrastructure to handle notifications/patient events

While not every aspect listed above is a true requirement, together, they go a long way in ensuring your organization is not only protected from legal repercussions, but also provides a level of service that helps the industry and those it serves.

Of course, there are penalties for those who fail to comply. Although the compliance timelines and fine amounts were still being finalized at the time of this writing, it has been established that penalties, including fines of up to $1M per violation and placement on the HIPAA/CMS "Wall of Shame", will both be in play to ensure the rule is taken seriously.

How can my organization prepare and adapt?

Outside of simply adhering to these new requirements, there are several steps you can take to best prepare your organization moving forward, such as:

  • Appoint an information blocking officer. While it's not required, it will help get a lot of questions answered internally and establish an authority who can train and educate staff on the rule's complexities, as well as on how to recognize and act upon requests to access, exchange, or use EHI.
  • Review and update organizational policies that address data access, exchange, and use.
  • Review the information blocking exceptions and define internal policies on how, where, and when it's appropriate to use them, and on how each use will be documented, logged, and retained.
  • Before charging for access to a personal health record, know which activities fall outside the rule's scope and are therefore permissible.
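The certification list above calls for documentation, monitoring, and reporting of all request processing, including why a request was denied, and the preparation list calls for logging and retaining every use of an exception. The following is an added example, not code from the original article or from any vendor, of a small audit-log helper that records how each EHI access request was handled and checks that a non-fulfilment cites one of the eight exceptions. The exception names and the split between "not fulfilling" and "fulfilling" exceptions come from the article; the record fields, outcome labels, and function names are this example's own assumptions, and the sample decisions at the bottom are constructed.

```python
"""Audit-log helper for EHI access decisions (added example, not the
article's own code). Exception names follow the Cures Act Final Rule as
summarised in the article; field names and outcome labels are assumed."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional
import json

# Exceptions that justify NOT fulfilling a request (per the article).
NOT_FULFILLING = {"preventing_harm", "privacy", "security",
                  "infeasibility", "health_it_performance"}
# Exceptions that govern HOW a request is fulfilled (per the article).
FULFILLING = {"content_and_manner", "fees", "licensing"}
ALL_EXCEPTIONS = NOT_FULFILLING | FULFILLING

# Outcome labels are this example's assumption, not the rule's vocabulary.
OUTCOMES = {"fulfilled", "fulfilled_alternative", "denied"}


@dataclass
class AccessDecision:
    request_id: str
    requester_type: str            # e.g. "patient", "non_affiliated_org"
    outcome: str                   # one of OUTCOMES
    exception: Optional[str] = None
    rationale: str = ""            # why the exception applies, in plain words
    recorded_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def classify(decision: AccessDecision) -> str:
    """Return 'ok' when the record is internally consistent, otherwise a
    short reason flagging a record that would not survive an OIG inquiry."""
    if decision.outcome not in OUTCOMES:
        return f"unknown outcome {decision.outcome!r}"
    if decision.exception is not None and decision.exception not in ALL_EXCEPTIONS:
        return f"unrecognised exception {decision.exception!r}"
    if decision.outcome == "fulfilled":
        # A plain fulfilment needs no exception; citing one is a data error.
        return "ok" if decision.exception is None else \
            "exception cited on a plain fulfilment"
    if decision.outcome == "denied" and decision.exception not in NOT_FULFILLING:
        return "denial without a recognised not-fulfilling exception"
    if decision.outcome == "fulfilled_alternative" and decision.exception not in FULFILLING:
        return "alternative fulfilment without a content/manner, fees or licensing exception"
    if not decision.rationale.strip():
        # The rule's exceptions must be applied and documented case by case.
        return "exception cited without a documented rationale"
    return "ok"


def audit_line(decision: AccessDecision) -> str:
    """One JSON line per decision, carrying the consistency verdict so the
    retained log itself shows why each request was fulfilled or denied."""
    record = asdict(decision)
    record["verdict"] = classify(decision)
    return json.dumps(record, sort_keys=True)


# Constructed sample decisions (not real requests).
SAMPLES = [
    AccessDecision("req-001", "patient", "fulfilled"),
    AccessDecision("req-002", "non_affiliated_org", "denied", "security",
                   "requester failed to present a valid client credential"),
    AccessDecision("req-003", "patient", "fulfilled_alternative",
                   "content_and_manner", "requested CCD export; FHIR not supported"),
    AccessDecision("req-004", "non_affiliated_org", "denied"),          # no exception
    AccessDecision("req-005", "patient", "denied", "fees", "standard fee unpaid"),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(audit_line(d))
```

Every entry is written out whether or not it passes, so the log is a complete record of request handling rather than only of the problems; the verdict field is what a compliance reviewer or a detection rule would filter on.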

In the end, with a bit of knowledge, preparation, and action, you should be better prepared for the impending compliance dates and help make the industry that much better for those it serves.

Of course, if you have any further questions about compliance, release of information, or outsourcing your processes to a trusted ROI partner, feel free to reach out to us here.