As the healthcare industry continues to evolve at a rapid pace, regulations and laws need to be updated to keep up. The 21st Century Cures Act Final Rule is one such piece of legislation that aims to modernize healthcare in the United States. This act, which became effective in 2020, is designed specifically to address the advancements in technology and medical research that have occurred over the past decade.
The Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule implements the interoperability provisions of the Cures Act to promote patient control over their own health information. It is an extensive bill that includes diverse provisions, such as funding for cancer research, mental health reform, and importantly, electronic health record improvements.
Cures Act Requirements for Providers
The Cures Act made sharing electronic health information the norm in health care by authorizing the Secretary of Health and Human Services (HHS) to identify and rectify “reasonable and necessary activities that do not constitute information blocking.”
The requirements apply to healthcare providers seeking to implement and maintain an EHR system. These providers include hospitals, physicians, and healthcare organizations that access, receive, maintain, and transmit electronic protected healthcare information (ePHI). The act requires healthcare providers to:
- Employ certified EHR technology in their practice to ensure that EHR systems are designed adequately to support clinical quality, safety, and outcomes. Any provider that manages or processes ePHI must comply with the HIPAA Security Rule, the HIPAA Privacy Rule, and the breach notification rule.
- Include Application Programming Interfaces (APIs) in certified EHR technology to promote the interoperability of EHR systems and allow patients to share their health data with other providers securely. Patients must be given access to their health information, free of charge.
- Establish the Trusted Exchange Framework and Common Agreement (TEFCA), which outlines the requirements for health information networks to share electronic health information securely.
- Comply with the provisions of the Information Blocking Rule, which prohibits information blocking practices that prevent healthcare providers from sharing electronic health information (EHI).
Types of Information Covered by the 21st Century Cures Act
The Cures Act has wide-ranging implications for the healthcare industry. That is why it is important to understand the types of information covered by the Final Rule, how it impacts medical professionals, and why it is essential to stay compliant.
Protected Health Information
Protected Health Information (PHI) is defined as any information that could identify a patient’s medical history, treatment, or condition. This includes names, addresses, social security numbers, and any other identifying information. The Cures Act expands protections around PHI, requiring greater consent and transparency around its use. Organizations must provide clear information around how PHI is used, and patients must give explicit consent to have their information used for research purposes.
Electronic Health Records
Electronic health records (EHR) are one of the central components of the Cures Act. The act sets out specific standards for EHR systems, including interoperability and data sharing. This means that EHR systems must be designed to work together, allowing for easy sharing of patient information between healthcare providers.
One of the primary goals of the Cures Act requirements is to promote the use of real-world data (RWD) for clinical trials. This means that medical researchers can use data from EHR systems and other sources to conduct clinical trials. The act promotes the use of RWD by creating incentives for medical professionals to participate in data sharing, streamlining the approval process for new treatments based on real-world data.
Precision medicine is an emerging field that uses genetic information and other factors to develop targeted treatments for individual patients. The Cures Act includes provisions that support the use of precision medicine, including expanded funding for research. The act requires the creation of a national database of genomic data to support research into precision medicine. This will help medical professionals develop new treatments that are tailored to individual patients.
Medical Device Innovation
The Cures Act includes provisions that support the development of innovative medical devices. The act provides funding for research into new medical technologies and streamlines the approval process to bring these technologies to market faster. One of the aims of this provision is to encourage the development of new medical devices that are safer and more effective than existing products.
Cures Act Requirements
The foundation of the Cures Act requirements is a set of regulations that standardizes the functionality and interoperability of EHRs. Some of the EHR requirements under the Act include:
- Health IT developer’s certification requirements
- Provision of patient access to clinical notes and lab reports
- Requirement for certified health IT to prohibit information blocking practices
- Implementation of an Application Programming Interface (API) for patient data access
- Adoption of standard data sets by EHR developers
These requirements focus on preventing harm, improving patient access to their health data, promoting ease of exchange of electronic health information, and reducing clinical burden by reducing provider documentation requirements.
Data Sharing and Interoperability
The Cures Act includes provisions to improve sharing of health information between patients and their healthcare providers and between different healthcare providers. It is intended to improve patient outcomes by ensuring that doctors have access to all the relevant medical information they need. This means health IT systems must be able to send and receive electronic health information compatible with other systems.
In addition, healthcare providers must give patients access to their electronic health information, such as medical histories and laboratory results, upon request. This requirement aims to empower patients to take an active role in their healthcare by giving them access to their medical information. With this accommodation, patients can share their medical information with other healthcare professionals or caregivers as they see fit, providing more comprehensive care.
Finally, the act requires healthcare providers to notify patients when their information has been disclosed to unauthorized parties, which is known as a data breach. This requirement protects patient privacy by reducing the risk of data breaches. Healthcare providers must notify the patient as soon as possible, typically within 60 days of the breach.
The Cures Act also encourages the use of telehealth services. This includes the use of videoconferencing, remote monitoring, and other technologies to deliver care services to patients remotely. This provision holds significant promise for expanding access to care, particularly for those who might not have the resources to travel to a specialist clinic.
The Act provides for telehealth services across various diagnostic, therapeutic, and preventative health services. These provisions include:
- Coverage of telehealth services under Medicare
- Increased flexibility to use telehealth services to address emergency situations
- Removal of geographic barriers to telehealth services
- Expansion of telehealth services to rural areas
- Increased coverage of telehealth services under Medicaid
- State licensure requirements exemption
- Required telehealth reporting
Data Security and Privacy
The Act also includes provisions to improve data security and privacy. This is particularly relevant given the increasing use of EHRs and other technologies that involve the collection, storage, and processing of sensitive patient data.
The Act addresses privacy and security concerns surrounding sensitive medical data by mandating patient data privacy and security regulations, ensuring access, and controlling the sharing of medical records, electronic health records, and genomic data. The Act also imposes stricter penalties on healthcare providers who fail to comply with these regulations.
Healthcare providers can look to the Health Insurance Portability and Accountability Act (HIPAA) and the National Institute of Standards and Technology (NIST) for guidance. These frameworks provide guidelines for handling sensitive data and preventing privacy breaches. Medical professionals can also incorporate multi-factor authentication, use secure machine learning algorithms, and implement data loss prevention solutions to secure their data environment.
The Conditions and Maintenance of Certification Provision
The requirements of the Conditions and Maintenance of Certification have been a subject of controversy among medical professionals. Critics argue that the requirements create a significant burden for physicians and may not reflect the best practices in medicine. However, supporters of the provision argue that ongoing education and skill maintenance are essential for providing safe and effective patient care.
The provision applies to physicians who work with Medicare and Medicaid patients and is included in the Cures Act requirements. Under this provision, physicians must participate in ongoing professional development to maintain their certification.
To meet the requirement, physicians must participate in activities that are approved by the American Board of Medical Specialties or other recognized boards. The approved activities include continuing medical education, quality-improvement programs, and self-assessment.
Penalties for Non-Compliance
Compliance with the 21st Century Cures Act is mandatory, and non-compliance can lead to legal consequences in the form of hefty fines and other penalties. To ensure compliance, medical professionals must take specific measures to ensure that conditions are met, such as encrypting sensitive data, implementing access controls, and utilizing secure communication channels while sharing data.
While the Act presents several benefits, it also comes with stringent compliance requirements that medical professionals need to follow. In case of non-compliance, severe penalties await, including the following:
- Civil monetary penalties: Ranging from $10,000 to $50,000 for each violation
- Exclusion from government programs, including Medicare and Medicaid
- Criminal Penalties, including imprisonment and hefty fines, for intentional violations
- Legal Consequences, such as lawsuits filed by patients affected by a data breach
In addition, non-compliance can significantly harm a medical professional’s reputation. A data breach or violation of the act can lead to a loss of trust among patients and healthcare providers, leading to a loss of business and revenue. Reputation damage can be challenging to repair and can have long-lasting effects on a medical professional’s career.
Summary: 21st Century Cures Act Requirements
The 21st Century Cures Act represents a significant development for the healthcare industry, providing an opportunity to improve patient care and patient privacy. While the EHR requirements under the Act might pose a few challenges, overall, the benefits outweigh the challenges. By gaining a deep understanding of the Act, healthcare providers will enhance patient care and support the healthcare industry’s overall goal of providing better outcomes for all patients.