What is the 21st Century Cures Act?
The 21st Century Cures Act, going into effect on April 5, 2021, gives patients more control over their electronic health information and aims to prevent information blocking. More details are discussed below.
What is Information Blocking?
Information blocking refers to the interference of access, exchange, or use of electronic health information (EHI) by healthcare providers or their business associates.
The 21st Century Cures Act further defines information blocking as:
- Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);
- Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;
- Implementing health IT in ways that are likely to:
- Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
- Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.
Although the 21st Century Cures Act prohibits information blocking, there are certain instances in which an exception applies.
The following is not considered information blocking:
- Preventing Harm Exception: practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy Exception: an entity does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
- Security Exception: an entity interferes with the access, exchange, or use of EHI in order to protect the security of EHI.
- Infeasibility Exception: an entity does not fulfill a request to access, exchange, or use EHI, due to the infeasibility of the request, provided certain conditions are met.
- Health IT Performance Exception: an entity to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Providing Patients with Access to Their EHI
Under the 21st Century Cures Act, patients have the right to access their EHI, whether it is structured or unstructured, in a format that is convenient to the patient.
There are some exceptions for the procedures for fulfilling requests:
- Content and Manner Exception: It is not information blocking for an entity to limit the content of its response to a request to access, exchange, or use EHI, or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
- Fees Exception: It is not information blocking for an entity to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. Healthcare providers specifically, though, must charge fees that are reasonable and cost-based, per the HIPAA Privacy Rule.
- Licensing Exception: It is not information blocking to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
21st Century Cures Act, Policies and Procedures, and Business Associate Agreements
As the 21st Century Cures Act prohibits information blocking, it is important for healthcare providers to review their policies and procedures, and their business associate agreements to ensure compliance with the law. For example, some business associate agreements allow business associates to withhold data from a healthcare provider if they are owed money. Under the 21st Century Cures Act, this practice is considered information blocking, and will no longer be acceptable.
By April 5, 2021, covered entities and business associates must review their HIPAA policies and procedures and business associate agreements, to remove any practices or language that constitute information blocking under the 21st Century Cures Act.