The 21st Century CURES Act Final Rule: Compliance and Exceptions

On April 5th, 2021, the patient access to clinical notes mandate in the 21st Century Cures Act will go into effect. We've uncovered the requirements and exceptions you need to know about to keep your practice compliant while also giving you some breathing room.

Patient Access to Electronic Records

*If your practice is already using the InSync Healthcare Solutions electronic health records and practice management software, you can share the required information via your dedicated patient portal, making your practice compliant.

What is Information Blocking?

The Office of the National Coordinator for Health Information Technology (ONC) defines it as a health IT developer of certified health IT, health information network, health information exchange, or healthcare provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI). 

It is important to note that practices relying on paper medical records are not exempt from information blocking. They are still required to provide printed records within a reasonable amount of time. For providers using electronic health records software, that information can be shared instantly without human intervention and resources affecting your bottom line.

Practices must now make available to patients eight different forms of electronic patient data.

Those are:

1. Progress Notes

2. Procedure Notes

3. Consultation Notes

4. Discharge Summary Notes

5. History and Physical

6. Laboratory Report Narratives

7. Pathology Report Narratives

8. Imaging Narratives

An example of information blocking would be if your practice has a 3rd party software vendor doing a custom implementation that increases the complexity of accessing, exchanging, or using electronic health information. How do you know if this is happening? If you're a key stakeholder within the practice and you're not involved in the implementation of a health IT project, you might not. If you're approaching the implementation of an EHR system for your practice, it's a great time to read this article, Are You Really Ready for EHR Software Implementation? 

ONC CURES Act Final Rule Exceptions

Just like there are eight categories of EHI to share with your patients, there are also eight exceptions to the rule. Five are broken out into the category for not fulfilling requests to access, exchange, or use EHI. The final three are considered as exceptions that involve procedures
for fulfilling requests to access exchange, or use EHI. Regardless, each exception comes with several sub-exceptions making your options as healthcare providers very clear when it comes to refusing certain levels of Electronic Health Information exchange.

A note on language used: In the original document produced by the ONC the term "Actor" is used in lieu of healthcare providers, health IT developers, health information networks (HINs) and health information exchanges (HIEs). For the benefit of our audience we have replaced actor(s) with healthcare provider(s), or more simply provider. 

1. Preventing Harm

The exception for preventing harm states, "This exception recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange, or use of EHI."

In order to qualify for this exception there are some key requirements that must be met. 

• The healthcare provider must have a reasonable belief that the practice will substantially reduce a risk of harm.

• The healthcare provider's practice of withholding the information must be no broader than necessary.

• The healthcare provider must satisfy at least one condition from each of the following categories: type of risk, type of harm, and implementation basis.

• The practice must satisfy the condition concerning a patient right to request review of an individualized determination of risk of harm.

2. Privacy

From healthit.gov, "This exception recognizes that if a healthcare provider is permitted to provide access, exchange, or use of EHI under a privacy law, then the provider should provide that access, exchange, or use. However, a healthcare provider should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws."

It will not be information blocking if a healthcare provider does not fulfill a request to access, exchange, or use EHI in order to protect an individual's privacy.

In order to meet the requirements of the privacy exception a provider must first meet one of the sub-exceptions listed below. 

1. Precondition not satisfied: If a healthcare provider is required by a state or federal law to satisfy a precondition (such as a patient consent or authorization) prior to providing access, exchange, or use of EHI, the provider may choose not to provide access, exchange, or use of such EHI if the precondition has not been satisfied under certain circumstances.

2. Health IT developer of certified health IT not covered by HIPAA: If a healthcare provider is a health IT developer or certified health IT that is not required to comply with the HIPAA Privacy Rule, the provider may choose to interfere with the access, exchange, or use of EHI for privacy-protective purposes if certain conditions are met.

3. Denial of an individual’s request for their EHI consistent with 45 CFR 164.524(a)(1) & (2): A healthcare provider that is a covered entity or business associate may deny an individual's request for access to his or her EHI in the circumstances provided under 45 CFR 164.524(a)(1) and (2) of the HIPAA Privacy Rule.

4. Respecting an individual’s request not to share information: A healthcare provider may choose not to provide access, exchange, or use of an individual's EHI if doing so fulfills the wishes of the individual, provided certain conditions are met.

3. Security 

"This exception is intended to cover all legitimate security practices by healthcare providers, but does not prescribe a maximum level of security or dictate a one-size-fits-all approach. It will not be information blocking if your practice interferes with the access, exchange, or use of EHI in order to protect the security of EHI provided certain conditions are met."

It will not be information blocking for a provider to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

The key conditions of the security exception are as follows:

The security practice must be:

1. Directly related to safeguarding the confidentiality, integrity, and availability of EHI;

2. Tailored to specific security risks; and

3. Implemented in a consistent and non-discriminatory manner.

• The practice must either implement a qualifying organizational security policy or implement a a qualifying security determination. 

4. Infeasibility

Here the ONC states, "This exception recognizes that legitimate practical challenges may limit a healthcare provider's ability to comply with requests for access, exchange, or use of EHI. A provider may not have-and may be unable to obtain-the requisite technological capabilities, legal rights, or other means necessary to enable access, exchange, or use."

It will not be information blocking if a provider does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

The practice must provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible. 

The key conditions of the exception that a provider must meet at least one of the following are:

• Uncontrollable events: The provider cannot fulfill the request for access, exchange, or use of electronic health information (EHI) due to a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption or act of military, civil or regulatory authority.

• Segmentation: The healthcare provider cannot fulfill the request for access, exchange, or use of EHI because the provider cannot unambiguously segment the requested EHI.

• Infeasibility under the circumstances: The healthcare provider demonstrates through a contemporaneous written record or other documentation its consistent and non-discriminatory consideration of certain factors that led to its determination that complying with the request would be infeasible under the circumstances. 

5. Health IT Performance

"This exception recognizes that for Health IT to perform properly and efficiently, it must be maintained, and in some instances improved, which may require that health IT be taken offline temporarily. Healthcare providers should not be deterred from taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of health IT." 

It will not be information blocking for a healthcare provider to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

The health IT performance practice must:

1. Be implemented for a period of time no longer than necessary to achieve the maintenance or improvements for which the health IT was made unavailable or the health IT's performance degraded;

2. Be implemented in a consistent and non-discriminatory manner; and

3. Meet certain requirements if the unavailability or degradation is initiated by a health IT developer of certified health IT, HIE, or HIN.

A healthcare provider may take action against a third-party app that is negatively impacting the health IT's performance, provided that the health IT performance practice is:

1. For a period of time no longer than necessary to resolve any negative impacts;

2. Implemented in a consistent and non-discriminatory manner; and

3. Consistent with existing service level agreements, where applicable

If the unavailability is in response to a risk of harm or security risk, the healthcare provider must only comply with the Preventing Harm or Security Exception, as applicable.

6. Content and Manner

The objective of this exception is to, "...provide clarity and flexibility to healthcare providers concerning the required content (i.e., scope of EHI) of a healthcare provider's response to a request to access, exchange, or use EHI and the manner in which the provider may fulfill the request. This exception supports innovation and competition by allowing providers to first attempt to reach and maintain market negotiated terms for the access, exchange, and, use of EHI."

It will not be information blocking for a healthcare provider to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

The key conditions of the exception are:

Content Condition: Establishes the content a healthcare provider must provide in response to a request to access, exchange, or use EHI in order to satisfy the exception.

1. Up to 24 months after the publication date of the Cures Act final rule, a healthcare provider must respond to to a request to access, exchange, or use EHI with, at a minimum, the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

2. On and after 24 months after the publication date of the Cures Act final rule, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in § 171.102.

Manner Condition: Establishes the manner in which an actor must fulfill a request to access, exchange, or use EHI in order to satisfy this exception.

• A healthcare provider may need to fulfill a request in an alternative manner when the provider is:

  • Technically unable to fulfill the request in any manner requested; or

  • Cannot reach agreeable terms with the requestor to fulfill the request.

• If a healthcare provider fulfills a request in an alternative manner, such fulfillment must comply with the order of priority described in the manner condition and must satisfy the Fees Exception and Licensing Exception, as applicable. 

7. Fees

"This exception enables healthcare providers to charge fees related to the development of technologies and provision of services that enhance interoperability, while not protecting rent-seeking, opportunistic fees, and exclusionary practices that interfere with access, exchange, or use of EHI." 

It will not be information blocking for a healthcare provider to charge fees, including fees that result in a reasonable profit margin, for access, exchanging, or using EHI, provided certain conditions are met.

The practice must:

• Meet the basis for fees condition.

  • For example, the fees a provider charges must:

    • Be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons of entities and requests. 

    • Be reasonably related to the healthcare provider's costs of providing the type of access, exchange, or use of EHI.

    • Not be based on whether the requestor or other person is a competitor, potential competitor, or will be using the EHI in a way that facilitates competition with the healthcare provider.

• Not be specifically excluded.

  • For instance, the exception does not apply to:

    • A fee based in any part on the electronic access by an individual, their personal representative, or another person or entity designated by the individual to access the individual's EHI.

    • A fee to perform an export of electronic health information via the capability of health IT certified to § 170.315(b)(10).

      • *In short, they are saying that as a Health IT company, companies like InSync Healthcare Solutions are allowed to charge fees to providers or third parties to export the data in our system if it is not a single individual. The fee must be reasonable and consistent to all similar types of entities and requests. 

• Comply with Conditions of Certification in § 170.402(a)(4) (Assurances – certification to “EHI Export” criterion) or § 170.404 (API).

8. Licensing 

Lastly, the licensing exception, "...allows (healthcare providers, health IT developers, health information networks, and health information exchanges) to protect the value of their innovations and charge reasonable royalties in order to earn returns on the investments they have made to develop, maintain, and update those innovations."

It will not be information blocking to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

• The negotiating a license conditions: A healthcare provider must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request.

• The licensing conditions:

  • Scope of rights

  • Reasonable royalty

  • Non-discriminatory terms

  • Collateral terms

  • Non-disclosure agreement

• Additional conditions relating to the provision of interoperability elements.

If you still have any concerns about these new mandates for your practice we encourage you to seek out the correct legal professionals to aid you. This article should not be considered legal advice for your practice and is intended for educational purposes only.

Maintaining Compliance

The Final Rule for the 21st Century CURES Act can seem daunting, however these lengthy exceptions to the Final Rule allow healthcare providers some much needed breathing room during an already arduous pandemic. At InSync Healthcare Solutions we truly value the relationships we have fostered with our clients. We will continue to monitor government mandates and always keep our electronic health and medical records software updated and fully integrated, bringing your medical practice the latest in practice management and medical billing technologies.

CARES Act Provider Relief Fund Update

The Application Deadline for the Provider Relief Fund Phase 3 General Distribution was Nov. 6, 2020.

For healthcare providers who have only partially completed your application, good news. If you submitted your Taxpayer Identification Number (TIN) for validation by 11:59 p.m. ET on Nov. 6, 2020 for Phase 3 relief funds and your TIN is validated by Nov. 13, you will be able to proceed with submitting your revenue documentation to complete your application by 11:59 p.m. ET on Nov. 27, 2020. Use the calculator below to calculate your potential reimbursement.