21st Century Cures Act and HIPAA Compliance

The 21st Century Cures Act, passed in December 2016, is designed to provide secure health information to patients and healthcare providers. On April 5, 2021, the Information Blocking Provisions take effect.



What is “Information Blocking”?

The 21st Century Cures Act defines information blocking as “the practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI)”.

The Office of the National Coordinator for Health Information Technology (ONC) has stated that an action would satisfy the information blocking provision’s “likelihood” requirement if there is a reasonably foreseeable risk that the action will interfere with access, exchange, or use of EHI.

What does Information Blocking mean for my practice?

In the final rule, ONC explained that a policy or action that limits timely access to information in an appropriate electronic format by limiting, disabling, or restricting the use or access to the EHI can be considered information blocking.

A practice might unknowingly block information from a patient. For example, a medical group that has the capability to provide a patient same-day access to their exam or office visit note but takes several days to provide it to the patient could be considered an information blocker. Another example might be a medical group that has a policy that restricts access to patient lab results for a certain amount of time to permit review of the lab results by the provider.

Yes. The following are exceptions to the Information Blocking provision of the 21st Century Cures Act:

Exceptions that involve not fulfilling requests to access, exchange, or use EHI:

  • Preventing Harm – protecting patients and other persons against unreasonable risks of harm can justify actions that are likely to interfere with access, exchange, or use of EHI.
  • Privacy Exception – a medical group should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.
  • Security Exception – safeguarding the confidentiality, integrity, and availability of EHI.
  • Infeasibility Exception – legitimate practical challenges may limit a medical group’s ability to comply with requests for access, exchange, or use of EHI.
  • Health IT Performance Exception – for health IT to perform properly and efficiently, it must be maintained, and in some instances improved, which may require that health IT be taken offline temporarily making EHI temporarily unavailable.

Exceptions that involve procedures for fulfilling requests to access, exchange or use EHI:

  • Content and Manner Exception – provides clarity and flexibility to medical groups concerning the required content of a response to a request to access, exchange, or use EHI and the manner in which the medical group may fulfill the request.
  • Fees Exception – allows medical groups to charge fees related to the development of technologies and provision of services that enhance interoperability.
  • Licensing Exception – allows medical groups to protect the value of their innovations and charge reasonable royalties to earn returns on the investments they have made to develop, maintain, and update those innovations.

Section 4004 of the Cures Act outlines that violations by healthcare providers will be referred to CMS if they have made a fraudulent attestation under the MIPS Promoting Interoperability Program or to the Office for Civil Rights if there is a potential HIPAA violation. The OIG will outline additional penalties for providers violating the information blocking rules.

What action steps can my practice take?

  • Designate an individual within the organization to be the point person for both information blocking policy development and for any issues that arise from patient requests for EHI.
  • Review existing policies and procedures with regard to receiving, processing, and responding to requests to access, exchange, or use EHI and revise the policies as necessary. This process could also include creating standardized forms for receiving, processing, and responding to such requests and procedures specifying how access to EHI may be provided.
  • Contact EHR and online web portal vendors to ensure compliance with information blocking requirements regarding patient access to EHI.
  • Review your fee schedule for records requests. Provider offices should avoid charging patients—or their designated representatives—who request electronic access to their EHI through internet-based methods.
  • Evaluate and review agreements the practice has with IT vendors, hospitals, or other entities to ensure they comply with the information blocking requirements.
  • Establish a process to apply exceptions.
  • Document any new policy developed to comply with the information blocking provision of the act. Retain this document for six years from the date of its creation or the date when it was last in effect, whichever is later.
  • Train physicians, administrative and clinical staff on the importance of adhering to the practice’s information blocking policies.
  • Stay informed. The federal government is expected to announce additional information blocking policies in 2021.

