21st Century Cures Act Requirements for Providers – Revised Compliance Dates and Why This Matters

Release of the final rule for the 21^st Century Cures Act by HHS’s Office of the National Coordinator (ONC) on March 9, 2020, and subsequent updates in April and May established compliance and enforcement dates for these regulations. November 2, 2020 stood as the compliance date for the Information Blocking provisions that would directly impact providers’ responsibilities to provide their patients, along with their designated third-parties, access to electronic health information.

Realizing the totality of impacts on provider organizations caused by the COVID-19 pandemic, HHS has extended the compliance dates for healthcare providers until April 5, 2021.

The 21^st Century Cures Act Information Blocking provisions are very specific in regards to the data elements that need to be made available to patients and compels the obligation to provide access; “shall” became “must” provide access in a refinement to HIPAA obligations.

There were additional requirements for hospitals to provide Admission, Discharge, and Transfer notifications to a patient’s designated provider through their Health IT systems, as well as a series of interoperability requirements that would impact software developers, HIEs/Health information Networks, and payers under separate sections of the Act.

From a practical standpoint here are the important facts for providers:

1. This rule impacts EVERY healthcare provider utilizing health IT applications!
2. Achieving compliance does not rest solely with IT developers. Most providers need to initiate multiple activities to be compliant:

• Make configuration changes to your EHR Patient and Provider Portal settings:
  • Avoid blocking access to the USCDI data elements. It is not uncommon for providers to be currently blocking certain type of chart notes and other required data elements from patient view/access.
  • Remove filtering of encounter records from certain specialties or disciplines unless this blocking is compelled by state privacy laws. For instance, electronic mental health encounter records (that are not specifically “psychotherapy” notes) should not be blocked unless state law requires this.
  • Open access to laboratory and pathology results that are not specifically required to be blocked. Example:  HIV results are accessible to patients per most state laws, though access to proxies and non-patient parties could restricted.
  • Remove delays in making clinical data available to patients unless one of the narrowly defined “IB exceptions” are met.
• Revisions may need to be made to key HIPAA privacy documents for your organization:
  • The Notice of Privacy Practices is likely to require changes to the description/process of how your organization responds to a patient request for access.
  • Your Business Associate Agreement template should not contain provisions that would prevent your business associate from responding to a valid patient access request.
  • Revise any policies on privacy, release of information, or security that create information blocking or delays in providing patient access to electronic health information that is not covered by a valid IB exemption.
• Change Management:
  • Opening new categories of documents to patient access may require some provider training on the sensitivity of the language used.
  • Your organization needs to communicate the changes among the staff within your provider organization as well as providing patient education for changes they will experience in the patient portal and new capabilities available as your IT vendor begins to incorporate improved export files and EHR linkage to third-party apps.
• Inventory and plan for patient access to electronic health information that lives only in non-EHR clinical applications
  • Any clinical or diagnostic applications that do not interface their USCDI data with the EHR.
  • Data developed and stored in systems shared or utilized between multiple healthcare entities such as ACO activity. This is a tricky area that could be subject to additional enforcement (and Civil Monetary Penalties) ascribed to “Health Information Networks” or “Health Information Exchanges”.

3. There will be enforcement and consequences. While IT developers, payers, and HIEs/HINs will be subject to OIG Civil Monetary Penalties of up to $1Million per violation; providers can be subject to HHS disincentives when patient complaints are investigated.  These “disincentives” will be clearer when enforcement goes live after April 5.