XS
SM
MD
LG
XL

21st Century Cures Act

Implications & Frequently Asked Questions

In March 2020, the Office of the National Coordinator (ONC) for Health Information Technology released the interoperability and “information-blocking” rule as a part of the 21st Century Cures Act (Cures Act). It seeks to increase health data exchange and limit refusals to share health data. Read more on the Cures Act using the following link: Final Rule.

The rule includes a provision requiring that patients be permitted to electronically access all of their electronic health information (EHI). Access must be granted whether the data is in a structured (chosen from a list or a drop-down menu) and/or an unstructured (free text) format, unless one of eight exceptions to the Final Rule applies. EHI generally must be made readily available at no cost to patients and their representatives, and at a reasonable cost to others permitted to receive the EHI. This new rule goes into effect on April 5, 2021.

The information-blocking part of the Final Rule applies to these three categories of organizations, called “actors” in the Final Rule:

  • healthcare providers;
  • health IT developers of certified health IT, and;
  • health information networks, or health information exchanges.

The Cures Act requires that patients generally be given fast, electronic access to the following parts of their medical record(s):

  • consultations;
  • progress notes;
  • discharge summaries;
  • history and physicals;
  • imaging narratives;
  • lab reports;
  • pathology reports;
  • procedure notes.

EHI does not include psychotherapy notes (as defined by 45 CFR 164.501), which are not subject to disclosure under the Final Rule.

The following healthcare providers are required to adhere to the Cures Act provisions and release medical information from the EMR:

  • physicians;
  • APPs;
  • RNs;
  • PTs/OTs/STs/RTs;
  • social workers/case managers;

Information blocking (IB) is a provider’s intentional withholding of patient health information from either another provider, a patient, the patient’s legal representative, or a third party who is legally permitted to receive the health information. Examples of behavior that may raise concerns for information blocking include:

  • limiting the timeliness of access, exchange, or use of EHI;
  • imposing fees that make exchanging EHI cost prohibitive;
  • healthcare providers or IT vendors limiting or discouraging sharing of information with other providers, or with users of other IT systems;
  • patients or healthcare providers becoming “locked in” to a particular technology or healthcare network because EHI is not portable.

Yes, in the Final Rule, the ONC defined eight exceptions that will not be considered IB by providers and other actors. These exceptions have detailed requirements and should be thoroughly reviewed by the practice’s health information administrator and its legal counsel. The eight exceptions are described below, and more details on these exceptions are available via the link above.

  1. Preventing Harm Exception: It will not be information blocking for a provider to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. The relevant harm being prevented must be physical harm and not emotional harm. A provider must either have a written policy describing why the act or omission is reasonable and necessary to prevent harm, or document in individual cases the potential harm that could occur (in other words, a statement noting why releasing the result/note could endanger the life or physical safety of the patient or another person).
  2. Privacy Exception: It will not be information blocking if a provider does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met. For example, a provider should not be required to use or disclose EHI when doing so is prohibited under state or federal privacy laws, such as information about substance use disorder treatment, which can be released in very limited circumstances under federal law.
  3. Security Exception: It will not be information blocking for a provider to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
  4. Infeasibility Exception: It will not be information blocking if a provider does not fulfill a request to access, exchange, or use EHI because it is impossible to fulfill the request, provided certain conditions are met. For example, a natural disaster may prevent the provider’s ability to fulfill a request for access, exchange, or use of EHI.
  5. Health IT Performance Exception: It will not be information blocking if a provider takes reasonable and necessary measures to maintain and improve health IT performance, such as temporarily making health IT unavailable, provided certain conditions are met. For example, systems may be taken offline for a reasonable amount of time due to system maintenance or upgrades.
  1. Content and Manner Exception: It will not be information blocking for a provider to limit either the content of the response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met. For example, a provider may need to fulfill a request in an alternative manner (e.g., a different electronic format) when the provider is technically unable to fulfill the request in the manner requested.
  2. Fees Exception: It will not be information blocking for a provider to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. For more details, see page 4 from this eight exceptions
  3. Licensing Exception: It will not be information blocking for a provider or another “actor” to license interoperability elements (generally, hardware, software, or services) for EHI to be accessed, exchanged, or used, provided certain conditions are met. This exception generally applies to health information networks and health IT developers of certified health IT.

Providers who don’t release EHI in a timely way or who refuse to share EHI when no exception applies may be engaging in IB. If so, then they will be subject to penalties and disincentives (such as reduced Medicare payments). The specific penalties and disincentives have not yet been determined.

Although some critics believe that a requirement to release information can, under certain circumstances, be harmful to the patient, others believe that requiring “open notes” can be very beneficial to the patient. ONC has confirmed that withholding notes due to the risk of solely emotional (or psychological) harm is NOT acceptable.

It would be considered information blocking to delay any note or result to protect the patient from emotional harm, unless the provider reasonably believes that disclosure of the EHI is also likely to endanger the life or physical safety of the patient or others. The medical record can only be withheld from the patient due to harm qualified as physical harm.

In response to a media request, ONC stated in September 2021 that physicians may ask patients in advance if the patients want test results withheld until the physician is able to deliver the results directly (that is, through a discussion with the patient). If a patient agrees, then the physician may delay posting the test results electronically. In support of this statement, ONC noted that the Privacy Exception permits patients to request that their EHI not be shared electronically, including to their own patient portal or to an application programming interface or API. (September 17, 2021, MedPage Today Article, There’s a Workaround for a Common ‘Open Notes’ Criticism.) https://www.medpagetoday.com/special-reports/exclusives/94567

Providers who decide to allow patients to choose to have their test results or notes delayed until the patient’s doctor has reviewed the results and/or discussed such results with the patient in person should create a process by which patients may elect (in writing or electronically) either to receive their EHI as soon as it is available or to delay release of that EHI until the provider has had a chance to review and discuss the results with the patient.

Previous ONC guidance about releasing clinician notes and test results as soon as they become available noted that the Preventing Harm Exception would not permit a provider to create an organizational policy that delays the release of test results for any period or time in order to enable the ordering clinician to review those results and personally inform the patient of the results. The Preventing Harm Exception, however, requires that a clinician who seeks to delay access to EHI must hold a reasonable belief that the delay will substantially reduce a risk of harm to the patient or another person, and such harm must be to the patient’s life or physical safety, not solely mental harm.

However, the definition of information blocking includes two prongs: it is a practice that, except as required by law or covered by an exception, (a) is likely to interfere with access, exchange, or use of EHI, and (b) if conducted by a provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

  • If a clinician reasonably believes that delaying the posting of test results confirming a cancer or other critical diagnosis for a short period of time so that the clinician may furnish this news in person to the patient will reduce the likelihood of patient emotional distress that likely will lead to physical harm, then such a delay does not meet the definition of information blocking, because the second prong of the definition has not been met (the provider does not know that the practice is unreasonable).
  • For this reason, there should be room for providers to carefully evaluate the likely impact of certain immediate releases of EHI and identify those for which a brief delay enabling discussion with the patient to occur will improve patient care and reduce severe distress likely to result in physical harm. Although providers should not make such determinations lightly, an interference with a patient’s access to EHI does not automatically constitute information blocking if the provider can demonstrate that the practice is not unreasonable.

No. The Cures Act does not replace the requirement to release medical records in compliance with HIPAA or your state regulations. HIPAA describes when PHI can be disclosed; the Final Rule requires disclosure of EHI unless an exception applies or the disclosure is prohibited by law.

Yes, unless you qualify for one of the eight exceptions. The Final Rule says it is not IB if a provider complies in full with one of the eight exceptions to IB. For example, if your practice has a written policy that reasonably specifies narrow circumstances under which the practice has determined a delay in making test results available to patients before consultation with the doctor will result in harm to the patient’s life or physical safety, the practice may rely on that policy.

Alternatively, if a provider reasonably determines in a specific instance—and documents—that making test results available before the provider speaks with the patient would result in such harm, that practice will not be IB.

Finally, if your state law requires a delay in providing access to test results or limits what clinical notes may be provided to patients, your practice should follow that state law.

Although future guidance from ONC may change our response, if the practice’s information systems do not make the lab results electronically available directly to the outside patients, then the Final Rule would permit providers to use the Content and Manner exception to respond to requests for such test results from outside patients. The practice could make such results available to outside patients upon request through secure e-mail, in response to a request for the results from the health information management department, or by referring the patient to the ordering provider once the test results are available. Also, see next topic response.

No. IB applies only to interference with requests to make EHI available. Our attorney experts have suggested that providers:

  • Ask patients whether they want their records in electronic or paper format, since the HITECH rule permits patients to request access to their records in a form and format of their choosing; and,
  • Furnish the records in that form and format, if it is possible to do so. If the provider is not able to do so, then they should discuss with the patient alternative forms/formats and, if no alternative electronic format works for the patient, then the provider may furnish a paper copy of the records.

Currently, there is not a requirement to scan all paper records to create an “electronic” record. However, if a practice has some information in pdf format that is responsive to the patient’s requested EHI, the practice must provide that information to the patient in keeping with the Content and Manner Exception discussed above.

No. Providers should continue to follow HIPAA’s rules for responding to requested amendments to medical records. Some amendment requests may be warranted, but others not. Providers will need to be diligent in their documentation efforts but remain firm on their medical notations and summary findings, based on the provider’s own clinical judgment. For example:

  • “I understand you want ‘moderately obese’ removed from your medical record, but this information has important implications for your overall health and is based upon measurements of your height and weight. Removing this diagnosis is medically inappropriate, and I am unable to honor your request.”
  • “I am sorry you do not agree with my assessment that an excessive use of opioids contributed to your accident. While I cannot change my medical opinion, if you would like, I can add that you disagree with my opinion.”

There are specific HIPAA regulations that govern the handling of medical record amendment requests. For further information, see Patient Right to Amend PHI.

The 21st Century Cures Act only applies to patient health information that is stored electronically. If you are using paper records, the requirements of the Act do not apply to you.

While there is no mandate for you to move to EHRs, you are still required to provide printed health records within a reasonable amount of time after they are requested. You should adhere to HIPAA and your state’s record release requirements for fulfilling these requests, including applicable limits on charges for making copies of records.

No. Delaying posting labs or diagnostic tests to the portal until after a visit is made or not posting all test results until a patient requests them may result in patients or their representatives (or, perhaps, third parties who learn of any such practice in this regard) submitting complaints to the ONC alleging information blocking. Whether this policy constitutes information blocking is a fact-specific determination. However, no practice wants to become a test case for one of the first complaint investigations.

No, an electronic medical record (EMR) and/or EHR is not the same thing as a patient portal. A portal often is a component or feature of an EMR/EHR, but the portal itself can’t be used as a standalone product. Instead, it can be used only after the EMR/EHR is installed.

All medical records (including those from outside your practice) that are incorporated into patients’ electronic records are part of their “designated record set.” Unless one of the eight exceptions to the Information Blocking rule applies, this information should be made available to patients, along with other information available through the portal.

Medications are included as a data class within the United States Core Data for Interoperability v.1, but the other information types listed below are not. Until October 6, 2022, only EHI represented by the data classes and data elements within the USCDI are required to be made available. Therefore, these other types of information do not need to be made available at this time (although practices whose EMRs have the capability to do so may choose to make this information available through the portal at this time).

Some of these miscellaneous documents may include:

  • prior authorization requests for medication
  • approvals for holding blood thinners
  • physician orders
  • prescription requests
  • consent forms

However, as a general rule, an overarching organizational policy requiring provider review will not suffice. Instead, the physician should identify and document individual instances where the immediate release of test results will likely result in physical harm.

The Cures Act prohibits interfering with (which includes delaying) the availability of EHI unless the interference is required by law or permitted by an exception to the Information Blocking rule. As an example, a delay that is required by law exists if your state law prohibits the release of test results for a specified period of time or otherwise regulates the timing or way in which such results may be shared with patients. In these situations, you should follow your state law in delaying the release of this information.

Under the Preventing Harm Exception, you may delay furnishing test results to the patient only if either:

  1. The physician makes a patient-specific finding that releasing such results to the patient without delay will cause “harm to the life or physical safety” of the patient or another person
  2. The patient has expressed a preference that results should be delayed until the physician has reviewed the results and/or discussed such results with him/her. In certain narrowly-defined circumstances, (for example, prohibiting the immediate release of visit notes or test results to the parent of a minor where there is suspected abuse), creation of an organizational policy may satisfy the Preventing Harm Exception’s requirements.

Physicians might briefly advise patients at the time the physician orders lab or radiology tests that the test results will be available through the patient portal when the results are finalized, and that the physician likely will not have had a chance to review those results yet. The physician could discuss the possible outcomes of the tests with the patient and note that the physician will contact the patient to discuss the test results if those results indicate a problem, but that the patient should not make assumptions about the results before speaking with the physician. The physician could add that if he or she has not contacted the patient within a few days after the results are released, the patient should feel free to contact the practice with questions.

Curi’s sample statement:

Your test results will be made available to you through the patient portal soon after they have been finalized, and likely before your provider has had a chance to review them. It can be hard to understand the meaning of test results without the input of your provider, so please do not come to conclusions about the results before speaking with your doctor. Your provider will contact you within a few days with any concerns about the results. If you do not hear from your provider for a few days after you have seen the results and you have questions, please contact your provider through the portal or contact our office directly.

  1. Define the components of the practice’s designed record set.
    The Final Rule defines EHI as electronic PHI that “would be included in a designated record set” as defined by HIPAA, whether or not the records are used or maintained by a HIPAA-covered entity. This means that free clinics, concierge medicine providers, and others not covered by HIPAA must comply with the Cures Act. HHS addresses the designated record set in this online resource: Individuals’ Right Under HIPAA to Access Their Health Information.
  2. Evaluate and update the practice’s policies regarding the availability of EHI.Practices should review their written HIPAA policies to determine if changes need to be made to comply with the Final Rule and to avoid IB.
    • Practices should consider creating a policy noting that test results will be made available without delay unless a clinician determines that delaying the release until after consultation with the patient will substantially reduce a risk of harm to the patient or another person. Any such determinations should be described in writing.
    • Practices also should review their policies describing fees to be charged for copies of medical records. These policies should be updated to comply with the Final Rule. Patients may not be charged for electronic access to their EHI when no manual effort is required to fulfill the request for access.
    • Practices should establish a process to evaluate and respond to requests for access and determine appropriate costs or limitations (depending upon the requestor and the information requested).
  3. Educate clinicians and health information management staff about needed changes.
    Patient release of information (ROI) still must be carried out in accordance with the practice’s stated policy, as that policy is updated to comply with the Cures Act. In a recent American Health Information Management Association (AHIMA) article, alternative workflows for ROI were addressed, including some virtual/electronic options. The article can be accessed at AHIMA Alternative Workflows.
  4. Respond appropriately to requests for sharing of EHI.
    Practices should create processes to route different requests to different people (clinicians, health information management personnel, legal counsel) who can confirm and initiate appropriate responses to such requests.
  5. Look for additional guidance from the ONC on how to comply.
  6. Reach out to Curi’s Risk Management team with any questions or concerns about the Final Rule and how to address it in your practice by calling one of our experts at 800-662-7917.