New HHS 21st Century Cures Act IT Rule – Part 1

The Office of the National Coordinator for Health Information Technology (ONC), which is part of the Department of Health and Human Services, approved a final rule which implements certain provisions of the 21st Century Cures Act. The rule governs:

  • “Conditions and Maintenance of Certification requirements for health information technology (health IT) developers under the ONC Health IT Certification Program (Program)
  • The voluntary certification of health IT for use by pediatric health care providers
  • Reasonable and necessary activities that do not constitute information blocking”

Our experienced healthcare lawyers work with physician practices, IT development companies, and other healthcare businesses. We’ll help you understand your Cures Act compliance requirements and which exceptions apply. We’ll help you enhance your business while protecting the privacy of patients.

The 21st Century Cures Act

The 21st Century Cures Act was enacted in 2016. The law was designed to help foster innovation in medical devices and technology. It was also enacted to help FDA “incorporate the perspectives of patients into the development of drugs, biological products, and devices in FDA’s decision-making process.” The law is also designed to modernize how clinical trials operate, “including the use of real-world evidence,” and how the trials are assessed, in order to speed the development of new medical products.

The Cures Act also was enacted to help FDA recruit and keep skilled professional, technical, and scientific experts. To achieve these goals, the Cures Act includes the following new product development program:

The Cures Act authorizes FDA to create “inter-center institutes” to coordinate the regulation of “combination” products in major disease areas between the drug, biologics, and device centers, such as the Oncology Center of Excellence.

To help facilitate these goals, the government authorized $500 million over nine years to help FDA implement the law.

Is Clinical Decision-Making (CDS) Software Expanded or More Legally Ambiguous under the Cures Act?

The Cures Act codifies the way FDA has regulated clinical decision-making software, but is this better or worse for healthcare startups that are trying to position their software within the CDS model?

The ONC rule

The US HHS rules issued by the ONC and the Centers for Medicare & Medicaid Services (CMS) help give patients safe and secure access to their health care data. The rules implement “interoperability and patient access provisions of the bipartisan 21st Century Cures Act (Cures Act).” Interoperability balances the right of patients to safely access their information against the need to keep that information private and secure. The rules help patients access their electronic health information using modern computing standards and APIs. The rules give patients “control of their electronic health information which will drive a growing patient-facing healthcare IT economy, and allow apps to provide patient-specific price and product transparency.”

The ONC rule:

  • Advances interoperability
  • Supports the use, exchange, and access to electronic health information
  • Enhances health information technology certification
  • Finalizes some of the changes to the 2015 Edition

The ONC rule became effective on June 30, 2020. In simpler terms, the rule helps ensure that patients have free access to their electronic health records.

Interoperability and Information Blocking

The new ONC rules specify which activities don’t constitute information blocking – there are eight exceptions. They also establish rules to prevent information blocking practices (such as anti-competitive behaviors). The ONC rules update the certification requirements for health IT developers and add new provisions to ensure that providers using these developers’ health IT can:

  • Communicate about health IT usability
  • Improve the user experience
  • Foster interoperability (use of the electronic information across different platforms)
  • Communicate about security – including through screenshots and video – which are now essential forms of visual communication

The ONC final rules “also require electronic health records to provide the clinical data necessary, including core data classes and elements, to promote new business models of care.”

This rule advances common data through the U.S. Core Data for Interoperability (USCDI). The USCDI includes clinical notes, allergies, and medications – among other essential clinical data. One aim is to help ensure the data can be easily understood by those who receive it. Another goal is to include “essential demographic data to support patient matching across care settings.”

Innovation & Patient Access

The ONC final rules also establish secure, standards-based application programming interface (API) requirements to support a patient’s access to and control of their electronic health information. In this way, patients should be able to access their electronic health information through their smartphone.

The relationship between the ONC rule and CMS

The CMS Interoperability and Patient Access final rule uses the ONC rule to set standards for health plans (Medicare Advantage, Medicaid, CHIP, and through the federal Exchanges) to electronically share claims data with patients.

CMS began focusing on interoperability by launching Medicare Blue Button 2.0 for Medicare beneficiaries in 2018. This software gave people the ability to “securely connect their Medicare Part A, Part B and Part D claims and encounter data to apps and other tools developed by innovators.” More than 2,770 developers from more than 1,100 organizations worked to create innovative apps. Of those organizations, 55 have applications in production. Starting on January 1, 2021, the various health plans and federal Exchanges “will be required to share claims and other health information with patients in a safe, secure, understandable, user-friendly electronic format through the Patient Access API.”

The final CMS rules further encourage innovation by requiring that all hospitals (which participate in Medicare and Medicaid) send “electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred.” CMS is also requiring that states, starting on April 1, 2022, send enrollee data daily – “for beneficiaries enrolled in both Medicare and Medicaid, improving the coordination of care for this population.”

In this way, beneficiaries should get the correct services at the correct time at the correct cost.

Exceptions to the Information Blocking Requirements

“Blocking” essentially means that patients shouldn’t be blocked from access to certain information such as clinical notes. The ONC rule (issued by the Office of the National Coordinator for Health Information Technology) does set out exceptions under which an actor’s practices will NOT be considered information blocking.

These exceptions apply to:

  • The providers of healthcare
  • Health IT developers
  • Health information networks
  • Health information exchanges

If a healthcare entity’s practice doesn’t fall within one of these eight exceptions, that practice still may not necessarily be considered “information blocking.” Each practice will be reviewed on a case-by-case basis.

The eight exceptions are divided into two areas:

  • Not fulfilling requests. “Exceptions that involve not fulfilling requests to access, exchange, or use electronic health information (EHI)”
  • Fulfilling requests. “Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.”

The “not fulfilling requests” exceptions

These exceptions are:

1. Privacy Exception

“It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.”

  • Objective of the Exception. Here, the health care entity should permit the use, exchange, or access of electronic health information – unless the use or disclosure would violate a state or federal “privacy” law.
  • Key conditions of the Exception. The health entity/actor must meet “at least one” of these four sub-exceptions:
    • The need to meet a precondition. For example, if the patient must (according to state or federal law) first give his/her consent or authorization to the access, exchange, or use of EHI – and the patient hasn’t done so – then the health entity can choose not to provide the access, exchange, or use of the EHI.
    • HIPAA concerns. The Health Insurance Portability and Accountability Act (HIPAA) was enacted to help protect against the exchange of a patient’s electronic health information without the patient’s consent. If the entity is a health IT developer of certified health IT and that entity is not covered by HIPAA, the actor doesn’t need to comply with HIPAA’s Privacy Rule. The actor may then “choose to interfere with the access, exchange, or use of EHI for a privacy-protective purpose if certain conditions are met.”
    • HIPAA privacy rule. “An actor that is a covered entity or business associate may deny an individual’s request for access to his or her EHI in the circumstances provided under 45 CFR 164.524(a)(1) and (2) of the HIPAA Privacy Rule.”
    • A request from the individual. The health entity can decide not to provide access, to exchange, or the use of an individual’s EHI – if that is the individual’s request – provided certain conditions are met.

2. Preventing Harm Exception

“It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.”

  • Objective of the Exception. This exception recognizes that there are times when the public interest in protecting patients and others from unreasonable risks of harm may justify practices that do interfere with the use, exchange, or access to EHI.
  • Key conditions of the Exception. For this exception to apply, the actor (health provider, IT developer, health information network, or health information exchange):
    • Must have a reasonable basis for believing that the practice will “substantially” reduce a risk of harm
    • Must adopt a practice that is no broader than needed
    • Must “satisfy at least one condition from each of the following categories”:
      • Type of risk
      • Type of harm
      • Implementation basis
    • Must satisfy the requirement that the patient can request that the harm risk determination be reviewed

3. Security Exception

“It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.”

  • Objective of the Exception. This exception isn’t meant to be a one-size-fits-all measure or to prescribe a maximum security level. It is intended to apply to the actors’ legitimate security practices.
  • Key conditions of the Exception. For this exception to apply, the actor’s conduct/practice must:
    • “Be directly related to safeguarding the confidentiality, integrity, and availability of EHI
    • Be tailored to specific security risks
    • Be implemented in a consistent and non-discriminatory manner”

Further, the conduct must implement either “a qualifying organizational security policy” or “a qualifying security determination.”


The ONC and CMS have each recently issued rules to encourage the development of IT platforms and devices for electronic health information. A main focus of these rules is to certify health IT developers, increase interoperability, and protect the privacy and security of patient information. The ONC rule specifically details eight exceptions under which practices that interfere with access to patient information are not considered information blocking.

Medical practitioners and IT developers should contact Cohen Healthcare Law Group, PC for legal advice on electronic data compliance issues including the new ONC and CMS rules. Our experienced healthcare attorneys explain how new laws create new requirements for patient privacy and security and what exceptions apply.
