21st Century Cures Act and HIPAA Compliance

You’re likely familiar with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and perhaps knowledgeable about the 21st Century Cures Act as well. But do their policies go hand in hand?

As regulatory changes continue to roll out, it’s important for practices to be aware of the requirements of HIPAA, the 21st Century Cures Act, and various other laws, especially as they relate to one another.

Both HIPAA and the Cures Act guide how protected health information (PHI) is shared, although each to a different end. While HIPAA seeks to prevent unauthorized access to PHI, the Cures Act encourages access and exchange to appropriate parties. Given that the aims of the laws are different (although not necessarily at odds), how can providers meet the requirements of both?

Guide to Cures Act and HIPAA Compliance

Read on for insight on handling PHI, determining whether your HIPAA policy needs an update, and balancing the demands of patient privacy and data exchange.

What is the history of HIPAA?

Appreciating the relationship between HIPAA and the Cures Act begins with understanding the background of both. Signed into law by President Bill Clinton on Aug. 21, 1996, HIPAA mandated the creation of national standards to safeguard sensitive health information.

The HIPAA Privacy Rule laid out requirements for PHI handling that pertain to certain individuals and organizations known as “covered entities.” It established individual rights to view or receive health records upon request. In general, the Privacy Rule seeks to protect PHI while encouraging the flow of information.

Given that HIPAA was signed into law more than 25 years ago — and that interoperability continues to advance — is HIPAA due for an update? There is, for example, no specific “HIPAA interoperability rule.” The Cures Act brought the question to the forefront.

What does the Cures Act require?

The passage of the Cures Act in 2016 ushered in a new era for interoperability. By 2020, the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) shared plans to implement the law with the issuance of their respective Final Rules. 

Like HIPAA’s provision for individual rights to PHI, the Cures Act empowers patients to access, exchange, and use their electronic health information however they wish. The bipartisan legislation was designed to increase choice and access both for patients and providers, with guidance to ease regulatory burdens related to electronic health record (EHR) and other health information technology (HIT) systems. The Cures Act prohibits “information blocking,” or standing in the way of the access, exchange, or use of electronic health information (EHI).

The Cures Act does not require information sharing outside the bounds of HIPAA requirements — HIPAA and existing state privacy laws still apply in the era of the Cures Act. But it’s important to make sure your practice’s policies on information sharing do not exceed the bounds of HIPAA and inadvertently lead to information blocking violations.

What is information blocking?

Information blocking applies to providers, as well as to health IT developers, health information networks, and health information exchanges (HIEs). The deadline for stakeholders to comply with information blocking rules was April 5, 2021.

On its website, the ONC defines information blocking as activity that is “likely to interfere with access, exchange, or use of EHI” — except when required by law or specified by HHS as “reasonable and necessary.”

But there are exceptions ...

In its Cures Act Final Rule, the ONC provides eight categories of activities it deems reasonable and necessary, which do not constitute information blocking, provided certain conditions are met. These are called “information blocking exceptions.”

The 8 information blocking exceptions

Exceptions that involve not fulfilling requests to access, exchange, or use EHI

  • Preventing Harm Exception
  • Privacy Exception
  • Security Exception
  • Infeasibility Exception
  • Health IT Performance Exception

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

Source: ONC

Getting prepared for Cures Act and HIPAA compliance: How to make sure your practice is compliant

If your practice abides by HIPAA, how can you ensure you also comply with the Cures Act’s requirement to share information? Understanding that the Cures Act requirements were not meant to supersede HIPAA or other applicable state privacy laws already on the books, and becoming familiar with the eight information blocking exceptions — especially the Privacy and Security exceptions — are great initial steps.

  • The Privacy Exception states it is not information blocking if EHI access, exchange, or use is not provided to “protect an individual’s privacy,” provided certain conditions are met.
  • The Security Exception states it is not information blocking for an actor to interfere with EHI access, exchange, or use to protect the security of EHI, provided certain conditions are met.

Bearing the eight exceptions in mind, review your existing HIPAA program for policies that may constitute information blocking.

As you undertake this process, try to involve practice staff with the best understanding of compliance processes. Together, your team can reevaluate your existing program taking Cures Act requirements into consideration. Regardless of your current program and policies, it’s recommended to document your processes and share them with practice staff.

You can also provide Cures Act training to familiarize staff with information blocking and with scenarios that may or may not constitute it. You can compile in-house training while also availing yourself of external resources such as Greenway’s 21st Century Cures Academy.

This Academy provides a hub for Cures Act resources and a webinar series to present the information in a lively, accessible format.

Balancing HIPAA and 21st Century Cures Act Compliance

Compliance can be a challenge for practices without extensive resources, but it’s possible to stay current on regulations with a thoughtful approach.

By reviewing your existing HIPAA policies, and dedicating resources to understanding the Cures Act, you can align with the requirements of both, ensuring your practice is compliant and well positioned to serve your patients.

