What Does the Cures Act Interim Deadline Mean to You?

Implications of the 21st Century Cures Act Interim Final Rule for each Healthcare Segment

An Untangle Health Thought Leadership Production, written by Adam Norris

Hello Patients, Healthcare Systems, and HCIT Professionals. Welcome to April, 2021. You haven’t seen your “airplane distance” family in person in almost a year, your sourdough starter is rotting away in the cupboard, your tie dye sweatpants may be getting a little tight around the waist, you’ve become a little too good at binge watching Netflix (remember Tiger King?), and to top it off, the day has finally arrived when the Office of the National Coordinator for Healthcare Information Technology (ONC) will start enforcing the Cures Act information blocking final rule (ONC Interim rule) on April 5th.
As if we all didn’t have enough going on in our lives, ONC (who graciously delayed this enforcement date from November 2, 2020 due to the pandemic) has finally said ‘enough is enough’, and will start fining HCIT organizations up to $1M per violation and “appropriate disincentives” to Providers for non-compliance (www.healthit.gov).

Should we, as the affected parties, or “Actors” as the Cures act calls us, have seen this coming when we instituted heavy paperwork, long waiting periods, and fees to comply with patient medical records access requests after the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA)? 

No way. We were trying to protect the privacy and security of our patients’ Personal Health Information (PHI), as stipulated by the HIPAA Privacy Rule.

Should we have started preparations to give patients quick and free access to their medical information before the December 2016 21st Century Cures Act becoming law?

Maybe; however, that was two U.S. Presidents and three Supreme Court Justices ago, not to mention the changes to the House and Senate. Needless to say, a lot has changed in Washington.

Should we be ready now, given the extensions ONC provided back in April 2020 due to the Pandemic, and then again via an Interim Final Rule announcing new compliance dates in October 2020 (www.hhs.gov)?

Probably; but with frequent changes to standards and technical corrections from ONC, is anyone really being set up for success or confident that they are “ready”?

And finally, for the most important question: do we want patients to have access to their clinical records?

OF COURSE WE DO. This is 2021, after all. If you can use Google to find thousands of websites to determine the optimal organic vegetable and tomato fertilizer for your Pandemic home garden, then there is no reason you should not be empowered to take an active role in your personal healthcare journey and see your physician’s notes after your visit.

Now, aligning what we want to do and what is actually possible is where things get interesting. As is the case with most technology ambitions, the devil is in the details, and that’s where Untangle Health comes in. Below, we have outlined what the April 5th Information Blocking and Health IT Certification Requirements in the 21st Century Cures Act Interim Rule will mean for Patients, Providers, and HCIT stakeholders. For more information on how this law or future Cures Act requirements will affect your organization, feel free to reach out.

 

ONC Cures Act Final Rule Overview

According to Alex Azar, the Secretary of Health and Human Services: “Patients should be able to access their electronic medical [health] record (EHR), at no cost, period.” While electronic patient access to medical records was already required under the Meaningful Use guidelines from 2018, the main difference now is that this information needs to be made available in a way that can be easily consumed by HCIT developers. This is a huge win for Patients, Providers, and HCIT vendors (including Health Information Networks and Health Information Exchanges) as information blocking and “gag clauses” have become all-too-common amongst these ‘Actors’, with some EHRs requiring customers to sign contracts that explicitly prevent them from publicly sharing feedback regarding the EHR’s solutions. 

Significance of April 5th

As of April 5th, Actors can no longer prevent the access, exchange, or use of electronic health information (EHI), no matter what technology is in play. Of course, exceptions do apply, but there is a newfound ability for Providers to openly and actively shop for technical solutions that will optimize care coordination, enhance data sharing, and most importantly, best meet patient needs (https://www.myndshft.com/).

 

For Patients

Advantages:

  1. Ability to access your medical record faster and easier than ever before through a whole new generation of apps and products. 

  2. Decision-making about care quality and costs will be easier than ever before (bye-bye surprise bills).

  3. Easier data exchange between some of your chosen apps or digital products.

  4. Security standards will be upgraded to match other industries, such as online banking and travel.

Considerations:

  1. Be wary of what you sign up for as the new law stipulates specific parameters around patient authorization / approval and intended use.

  2. Bad actors may try to take advantage by using your data for purposes beyond what you’re comfortable with. Your data could also become susceptible to a data breach, exposing your personal health information inadvertently.

For Providers

Advantages:

  1. More flexibility in options for different functionality and tools.

  2. Ability to to leverage solutions beyond your current set of options. As of April 5th, you should be able to utilize your EHR’s Cures Act Required USCDI v1 (United States Core Data for Interoperability) feed to easily connect new solutions that best meet your needs and/or budget.

  3. Easier Provider-to-Provider data sharing through the use of USCDI feeds, thus enhancing Providers’ ability to manage patient care across a multitude of care settings, health systems, and geographic locations.

Considerations:

  1. Make sure your EHR’s Patient Portal is configured to make EHI available to patients automatically and without delay, understanding exceptions do exist.

  2. Double check your patient admission paperwork, specifically, the release of information verbiage, with your organizations’ lawyers to ensure the policies comply with the ONC Final Rule, HIPAA, and any applicable federal or state laws (www.natlawreview.com).

  3. You will likely be highly reliant on your EHR for data sharing functionality. Depending on the EHR your organization uses, there are watch points to be mindful of:

    1. If using leading EHRs (Epic, Cerner, Meditech, AllScripts, Athena), your EHR will likely make it easy to share data available with Approved Apps on their Marketplace. However, due to Marketplace requirements and costs that are not relevant to the Cures Act, make sure you have the processes in place to review and approve Third-Party Apps not on your EHR’s Marketplace so you can extend your Cures Act-mandated feeds to Third-Party Solutions that are not interested in joining your EHR’s Marketplace.

    2. If using smaller, more specialized EHRs, it is important to understand what capabilities your EHR has to make data available. In the event your EHR’s capabilities are limited, you will need to get familiar with the Content and Manner Exceptions within the Cures Act to make information available to patients in more manual ways (check out #6 under “Exceptions to Information Blocking” here).

For HCIT

Advantages: 

  1. Digital Health applications can facilitate the request for EHI on behalf of their customers, meaning the former hurdle of gaining access to patient information is now more of a formality.

  2. Innovative solutions previously limited by EHI access challenges will now be fully empowered by mandated access to patient data, where applicable.

Considerations:

  1. Double check your contracts and other arrangements with both Providers and fellow HCIT vendors that involve EHI to ensure they comply with the information blocking exception (www.natlawreview.com) found in the Content and Manner, Fees or Licencing Exception (or another exception).

  2. If you haven’t already done so, it may not be too late to update your offering to make sure it addresses ONC Final Rule requirements. First off, not all of these rules go into effect on April 5th, 2021. Secondly, ONC has not yet mobilized a means of enforcement, meaning that you still have time to make changes before getting hit with a steep penalty. Nonetheless, it would be smart to put a plan in place to ensure you’re up-to-speed on the latest ONC Cures Act requirements and to start looking ahead to take advantage of the increased availability of data that has previously been blocked.

  3. Even though data will be more readily available in the post-April 5th world, the dataset made available through USCDI is very similar to a Consolidated-Clinical Document Architecture (CCDA). In other words, while more data will be available from EHRs than before, you may still need to explore interoperability solutions to power workflows requiring real-time data outside the scope of USCDI (but don’t worry – Untangle Health can help you figure this out).

  4. When looking at your sales pipeline of Provider targets, it is now more important than ever before to know which EHR(s) your targets are using. Leading edge EHRs are more likely to have USCDI APIs ready by April 5th, compared to health systems or provider groups with smaller EHRs that have less robust capabilities and may not  be ready on time. Although these less robust EHRs can leverage Content and Manner Exceptions to the Cures Act Rule, these EHRs will share data in a less than ideal format for the HCIT company.

A Note on Payers

Payers in the U.S. can breathe a little easier as far as the April 2021 things go. Having not been specifically identified as an “Actor” by the Interim Act legislation, they have been spared of the ONC’s 21st Century Cures Act requirements…for now. Even so, deadlines for Patient Access and Provider Directory APIs that were originally required January 1, 2021 are ending their 6-month period by which “CMS will exercise enforcement discretion” (www.cms.gov). 

Consequently, we thought it only fair to include the looming deadlines for Payers here as well. As a note, these requirements only apply to insurers participating in CMS-regulated health plans (e.g. Medicare, Medicaid, the Children’s Health Insurance Program, and Qualified Health Plans on federally facilitated exchanges):

By July 1, 2021:

  • Payers must implement and maintain a secure, standards-based Patient Access API to enable member / patient access to clinical and cost information related to medical visits.

  • Payers must make the list of in-network Providers available through a FHIR API.

By July 1, 2022: 

  • Payers must make USCDI v1 patient data available to other Payers to enable members to move between Payers as they choose.

 

Closing Remarks

With the passing of April 5th, 2021, the first major milestone of the 21st Century Cures Act has (finally) arrived. Delayed by COVID-19 for at least 6 months, this is an important date to call the healthcare industry’s attention because it is the first time we need to provide or have access to USCDI patient data.

Even though this date is important, there are some things to note to ease your concerns if you find yourself just getting up to speed on these requirements now. 

  1. There is no discernible mechanism to enforce these requirements at this point, which may be a blessing because you still have time to get yourself into compliance. On the other hand, it could be a curse because the penalties are so high, especially for HCIT, that when enforcement begins, you could be in big trouble if you don’t have your act together.

  2. Many exceptions exist. Above, we covered Content and Manner exceptions, but there are additional exceptions around Preventing Harm, Privacy, Security, Health IT Performance.. to name a few. Long story short, there are ways to get around this technological requirement; however, keep in mind that these workarounds may push your HIM, IT, and/or Privacy and Security functions past their limits, especially based on turnaround time expectations.

  3. Finally, on the point of turnaround time, there is confusion around compliance and expectations for making patient data available to the requestor. There are significant variations based on the laws in your state. According to the Cures Act, Providers must make patient information available in its patient portal the same day it is received. For an interoperability license, the Health System has 10 days to begin negotiations with the requestor and 30 days to complete it (www.ama-assn.org). However, FAQ on www.healthit.gov says that Cures Act requirements would not apply when state law has different requirements. The bottom line here is that there can (and will) be confusion about turnaround time expectations, and that it ultimately will be highly variable based on geographic location and differing state and federal laws.

All in all, we have taken one small step towards making patient data more available across the healthcare ecosystem, but we are still one giant leap away from a truly interoperable and connected healthcare world. We encourage you to get familiar with the recently required Cures Act, as you will almost assuredly be impacted.