The 21st Century Cures Act was signed into law back in 2016. At a high level, the Cures Act is about enhancing patient access to electronic health records. And while empowering patients with access to their health records is a worthy goal, the actual process for providing patients with that access is tricky and bound by a long list of legal requirements that can be hard to untangle.
Although the Cures Act is old enough to be in kindergarten by now, like any good government regulation, it is constantly evolving. There was an update last year that provided additional clarity around the ideas of interoperability and information blocking. And there is another big evolution coming soon, on October 6th, 2022 to be exact.
If you need something to put you to sleep tonight, you can read the complete Cures Act as it exists today. But if you don’t have the energy to wade through the guidance, we’ve done the hard work for you. We’ll start with a refresher on the Cures Act as it exists today, how the Act has evolved, what we know about the anticipated changes in October and what you should be doing now to prepare.
Who has to comply with the Cures Act?
Let’s start with who is impacted. The Cures Act is far-reaching, outlining the following entities that must comply with interoperability and information blocking requirements or face penalties. If you are reading this blog, your organization is most likely impacted by the Cures Act.
- Healthcare providers
- Health IT developers
- Health Information Networks (HINs)
How has the Cures Act evolved since 2016?
The Cures Act Final Rule outlines the implementation of the Interoperability and Information Blocking components of the 21st Century Cures Act. This final rule went into effect in June of 2020, and a cascade of specific compliance requirements began in April 2021.
You may be thinking to yourself: “my organization would never intentionally block patients from receiving their health information.” And while that may be true in theory, information blocking as defined in the Cures Act leaves a lot of room for non-compliance based on common practices at many clinics and hospitals today.
The types of behaviors the Information Blocking Rule is trying to target are described as “any practice that is likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange, or use of Electronic Health Information (EHI).” It goes on to clarify that access must be provided in an electronic format that does not impose unnecessary obstacles.
Based on this broad definition, it’s surprisingly easy for obstacles to slip into the process of patient record requests. Here are just a few examples:
- You require written consent from a patient before sharing EHI with unaffiliated providers
- You have EHR barriers that weaken the portability of EHI with other IT applications
- You have a fee structure that makes sharing EHI cost prohibitive
What are the penalties for information blocking?
The Cures Act enables the Health and Human Services Office of Inspector General (OIG) to impose monetary penalties of up to $1 million per violation against health IT companies that interfere with the proper exchange of electronic health information.
For healthcare providers, the current rule states that violators will face “appropriate disincentives.” This is currently not specifically defined but will likely evolve as the final rule and enforcement actions go into effect.
What changes are anticipated in October?
The anticipated changes in October are around the definition of electronic health information (EHI).
As it’s outlined in the Cures Act today, the EHI is limited to data elements represented in the United States Core Data for Interoperability (USCDI) consists of the following:
- Patient demographics (or what the Cures Act calls “categorical data classes”)
- Granular data elements (such as name, lab reports, and heart rate) contained in an EHR
But beginning on October 6, 2022, the definition of EHI will expand to include ALL electronic PHI (ePHI) included in a patient’s designated record set (“DRS”). This raises the bar from just granular data elements to information regarding enrollment, payment, claims adjudication and full medical records.
So why is this expanded definition of EHI such a big deal? Because it adds an additional layer of confusion around how release of information processes should work. Under the current definition, you’re dealing with a much more limited set of data and therefore a much easier set of data. When the definition expands in October, you’ll be required to respond to a category or request that doesn’t currently exist – an “all ePHI/EHI request”.
Unfortunately, the Cures Act doesn’t define how to fulfill this type of request beyond the expansion of what can be considered information blocking. But even without clear guidance on how exactly to handle these new, expanded information requests, the Cures Act is clear that healthcare providers will be held accountable for fulfilling them. This means that you’ll need a new set of processes and procedures to support this change, as well as a solid plan for handling and documenting any gaps in expected information from patients as they begin to make requests for all of their ePHI.
What should I do now to prepare?
Now is the time to start reviewing your processes around release of information to ensure you don’t have any obstacles that could be considered information blocking, and to consider how you will handle the expanded requirement for EHI come this fall.
Some questions to ask are:
- Does my staff understand what information blocking is and is not as it relates to the processes they handle?
- Are there any processes, systems and/or operational requirements in place today at my organization that may be considered information blocking under the expanded dataset?
- Is my organization prepared to handle the requests for additional patient data that will come with the expanded definition of EHI in October?
- How will my organization handle this new category of requests? What types of requests will or won’t have state regulated fees associated with them? Can our staff identify these distinctions now?
- Does my staff understand our internal definition of the DRS?
- Does my current release of information vendor follow processes that are compliant with the Cures Act? Are we aligned on the DRS for my entity?
As with any major change to a government regulation, the Cures Act is a moving target as the reality of the dynamic patient care environment meets the hypothetical guardrails of the rules. We will keep you updated as we learn more about these anticipated changes and provide additional recommendations on how to prepare.