21st Century Cures Act and HIPAA Compliance

Guide to Cures Act and HIPAA Compliance

Read on for insight on handling PHI, determining whether your HIPAA policy needs an update, and balancing the demands of patient privacy and data exchange.

What is the history of HIPAA?

Appreciating the relationship between HIPAA and the Cures Act begins with understanding the background of both. Signed into law by President Bill Clinton on Aug. 21, 1996, HIPAA mandated the creation of national standards to safeguard sensitive health information.

The HIPAA Privacy Rule laid out requirements for PHI handling that pertain to certain individuals and organizations known as “covered entities.” It established individual rights to view or receive health records upon request. In general, the Privacy Rule seeks to protect PHI while encouraging the flow of information.

Given that HIPAA was signed into law more than 25 years ago — and that interoperability continues to advance — is HIPAA due for an update? There is, for example, no specific “HIPAA interoperability rule.” The Cures Act brought the question to the forefront.

What does the Cures Act require?

The passage of the Cures Act in 2016 ushered in a new era for interoperability. By 2020, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) shared plans to implement the law with the issuance of their respective Final Rules. 

Like HIPAA’s provision for individual rights to PHI, the Cures Act empowers patients to access, exchange, and use their electronic health information however they wish. The bipartisan legislation was designed to increase choice and access both for patients and providers, with guidance to ease regulatory burdens related to electronic health record (EHR) and other health information technology (HIT) systems. The Cures Act prohibits “information blocking,” or standing in the way of electronic health information (EHI).

The Cures Act does not require information sharing outside the bounds of HIPAA requirements — HIPAA and existing state privacy laws still apply in the era of the Cures Act. But it’s important to make sure your practice’s policies on information sharing do not exceed the bounds of HIPAA and inadvertently lead to information blocking violations.

What is information blocking?

Information blocking applies to providers, as well as to health IT developers, health information networks, and health information exchanges (HIEs). The deadline for stakeholders to comply with information blocking rules was April 5, 2021.

On its website, the ONC defines information blocking as activity that is “likely to interfere with access, exchange, or use of EHI” — except when required by law or specified by HHS as “reasonable and necessary.”

But there are exceptions ...

In its Cures Act Final Rule, the ONC provides eight categories of activities it deems reasonable and necessary, which do not constitute information blocking, provided certain conditions are met. These are called “information blocking exceptions.”

The 8 information blocking exceptions

Exceptions that involve not fulfilling requests to access, exchange, or use EHI

• Preventing Harm Exception
• Privacy Exception
• Security Exception
• Infeasibility Exception
• Health IT Performance Exception

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

• Content and Manner Exception
• Fees Exception
• Licensing Exception

Source: ONC

Getting prepared for Cures Act and HIPAA compliance: How to make sure your practice is compliant

If your practice abides by HIPAA, how can you ensure you also comply with the Cures Act’s requirement to share information? Understanding that the Cures Act requirements were not meant to supersede HIPAA or other applicable state privacy laws already on the books, and becoming familiar with the eight information blocking exceptions — especially the Privacy and Security exceptions — are great initial steps.

• The Privacy Exception states it is not information blocking if EHI access, exchange, or use is not provided to “protect an individual’s privacy,” provided certain conditions are met.
• The Security Exception states it is not information blocking for an actor to interfere with EHI access, exchange, or use to protect the security of EHI, provided certain conditions are met.

Bearing the eight exceptions in mind, review your existing HIPAA program for policies that may possibly constitute information blocking.

As you undertake this process, try to involve practice staff with the best understanding of compliance processes. Together, your team can reevaluate your existing program taking Cures Act requirements into consideration. Regardless of your current program and policies, it’s recommended to document your processes and share them with practice staff.

You can also provide Cures Act training to orient staff with information blocking and different scenarios that may or may not constitute the practice. You can compile an in-house training practice while also availing yourself of external resources such as Greenway’s 21st Century Cures Academy.

This Academy provides a hub for Cures Act resources and a webinar series to present the information in a lively, accessible format.

Balancing HIPAA and 21st Century Cures Act Compliance

Compliance can be a challenge for practices without extensive resources, but it’s possible to stay current on regulations with a thoughtful approach.

By reviewing your existing HIPAA policies, and dedicating resources to understanding the Cures Act, you can align with the requirements of both, ensuring your practice is compliant and well positioned to serve your patients.

Ready to dive into the Cures Act?

Stop by the 21st Century Cures Academy to navigate the Cures Act and the changes it will bring.

EXPLORE THE ACADEMY