21st Century Cures Act: A guide to understanding for those without a PhD, Part 1
By: Dean Dorton | December 7, 2020
Question? Contact Us
In this blog post, we look at the most immediate, relevant aspects of the Cures Act and how it impacts Healthcare Providers, Healthcare Information Networks, and Health IT Developers.
Healthcare | Technology
Sometimes government does pass laws with well-intentioned motives and the 21st Century Cures Act (Cures Act) is a good example of one. However, government has a much shorter list of passing laws that are simple and easy to understand. Perhaps significant endeavors require complexity. Regardless, interpretation and compliance falls on our shoulders.
Let’s look at the most immediately relevant aspects of the Cures Act. Trying to address the entire Cures Act, even summarized, can be overwhelming.
The Cures Act applies to:
- Healthcare Providers
- Health Information Networks
- Health IT Developers
A revised time line was provided in late October. This time line contains more than just the immediately relevant items, however, we do need to have in the back of our mind a concept of the end goal.
April 5, 2021
- Information blocking provisions
- Information Blocking CoC/MoC requirements
- Assurances CoC/MoC requirements
- API CoC/MoC requirement – compliance for current API criteria
- Communications CoC/MoC requirements (except for the notice requirement for 2020
December 31, 2022
- 2015 Edition health IT certification criteria updates (except EHI export, which is extended until December 31, 2023)
- New standardized API functionality
April 1, 2022 to March 31, 2023
- Submission of initial attestations
- Submission of initial plans and results of real-world testing
We will only be focusing on the items with a compliance date of April 5, 2021 for the remainder. These fall into the category of information blocking provisions/requirements. Determining how to apply this depends on what type of actor you are. The following constitutes information blocking and applies to all actors.
Information Blocking Provisions Include
Imposing formal or informal restrictions on access, exchange, or use of EHI
Implementing health information technology in ways that are likely to restrict the access, exchange, or use of EHI
Discouraging efforts to develop or use interoperable technologies or services
Discrimination that frustrates or discourages efforts to enable interoperability
Rent-seeking and opportunistic pricing practices that make information sharing cost prohibitive
However, there are exceptions to the information blocking rules.
Allowable Information Blocking Exceptions
Practices that are likely to interfere with access, exchange, or use of EHI may be justified if the practices are reasonable and necessary to prevent harm to a patient or another person
An actor does not have to fulfill a request to access, exchange, or use EHI in a way that is prohibited under state or federal privacy laws
Practices that are likely to interfere with access, exchange, or use of EHI may be justified in order to safeguard EHI when the practice is tailored to specific security
Legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI
Reasonable and necessary practices that temporarily make health IT unavailable or that degrade the health IT’s performance may be permitted for regular maintenance
May be permitted to limit the content of a response to a request to access, exchange, or use EHI or the manner in which it fulfills a request if content and manner conditions are met
Actors may charge fees, including fees that result in a reasonable profit margin, related to the development/provision of technologies and services that enhance interoperability
Protects the value of actors’ innovations and allows the charge of reasonable royalties to earn returns on investments made to develop, maintain, and update those innovations
The remaining items within information blocking related to CoC/MoC requirements are applicable to actors developing applications and interfaces. Typically these are the Health Information Networks and Health IT Developers. However, as applications and interfaces are implemented it will also be the responsibility of the Healthcare providers to ensure Cures Act requirements are being met.
Lastly, here is what you can do now to prepare for the Cures Act.
Step 1: Evaluate existing processes for providing information
Step 2: Identify tools, systems, and applications that hold data elements
Step 3: Map data fields to Health Level 7 (HL7) transaction sets
Step 4: Access strategy and develop implementation plan
Kevin Cornwell, CPA, CISA, CITP
IT Audit Associate Director
502.566.1011 | firstname.lastname@example.org
Have a question? Click here to contact this representative.
A Smarter and Safer Way to Plan Enterprise Technology Spending
Five Keys to Effective Credentialing
MFA: Not the Cure for all Cyber Ailments
Public Health Emergency Ending and 1135 Waivers
New Year, New Outlook – Preparing for 2023
California Privacy Rights Act (CPRA) | Changes Going into Effect in 2023