Sometimes government does pass laws with well-intentioned motives and the 21st Century Cures Act (Cures Act) is a good example of one. However, government has a much shorter list of passing laws that are simple and easy to understand. Perhaps significant endeavors require complexity. Regardless, interpretation and compliance falls on our shoulders.

Let’s look at the most immediately relevant aspects of the Cures Act. Trying to address the entire Cures Act, even summarized, can be overwhelming.

The Cures Act applies to:

  • Healthcare Providers
  • Health Information Networks
  • Health IT Developers

A revised time line was provided in late October. This time line contains more than just the immediately relevant items, however, we do need to have in the back of our mind a concept of the end goal.

  • Information blocking provisions
  • Information Blocking CoC/MoC requirements
  • Assurances CoC/MoC requirements
  • API CoC/MoC requirement – compliance for current API criteria
  • Communications CoC/MoC requirements (except for the notice requirement for 2020
  • 2015 Edition health IT certification criteria updates (except EHI export, which is extended until December 31, 2023)
  • New standardized API functionality
  • Submission of initial attestations
  • Submission of initial plans and results of real-world testing

We will only be focusing on the items with a compliance date of April 5, 2021 for the remainder. These fall into the category of information blocking provisions/requirements. Determining how to apply this depends on what type of actor you are. The following constitutes information blocking and applies to all actors.

Information Blocking Provisions Include

Imposing formal or informal restrictions on access, exchange, or use of EHI

Implementing health information technology in ways that are likely to restrict the access, exchange, or use of EHI

Discouraging efforts to develop or use interoperable technologies or services

Discrimination that frustrates or discourages efforts to enable interoperability

Rent-seeking and opportunistic pricing practices that make information sharing cost prohibitive

However, there are exceptions to the information blocking rules.

Allowable Information Blocking Exceptions

Practices that are likely to interfere with access, exchange, or use of EHI may be justified if the practices are reasonable and necessary to prevent harm to a patient or another person

An actor does not have to fulfill a request to access, exchange, or use EHI in a way that is prohibited under state or federal privacy laws

Practices that are likely to interfere with access, exchange, or use of EHI may be justified in order to safeguard EHI when the practice is tailored to specific security

Legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI

Reasonable and necessary practices that temporarily make health IT unavailable or that degrade the health IT’s performance may be permitted for regular maintenance

May be permitted to limit the content of a response to a request to access, exchange, or use EHI or the manner in which it fulfills a request if content and manner conditions are met

Actors may charge fees, including fees that result in a reasonable profit margin, related to the development/provision of technologies and services that enhance interoperability

Protects the value of actors’ innovations and allows the charge of reasonable royalties to earn returns on investments made to develop, maintain, and update those innovations

The remaining items within information blocking related to CoC/MoC requirements are applicable to actors developing applications and interfaces. Typically these are the Health Information Networks and Health IT Developers. However, as applications and interfaces are implemented it will also be the responsibility of the Healthcare providers to ensure Cures Act requirements are being met.

Lastly, here is what you can do now to prepare for the Cures Act.

Kevin Cornwell, CPA, CISA, CITP
IT Audit Associate Director
502.566.1011 | kcornwell@ddaftech.com