2022 Changes to the 21st Century Cures Act

What is the 21st Century Cures Act?

Are you ready for the 2022 regulatory deadlines for the 21st Century Cures Act approaching? To protect yourself, your organization, your staff, and your patients, it’s essential that you prepare for continued compliance. Let’s start with the basics before we dive into what you need to know.

In 2016, President Barack Obama signed the 21st Century Cures Act. After this, the rule was passed to both the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) for further review. 

Each organization released a set of rules, which the United States Department of Health and Human Services (HHS) finalized in March 2020 as the ONC Final Rule. There are many goals of this rule, many of which involve improving the flow of medical information.

HIPAA regulations restrict the unauthorized disclosure of protected health information. Alternatively, the Cures Act outlines the requirements for healthcare providers to disclose PHI. As such, these seemingly opposite sets of regulations work together to improve the safety and efficiency of medical records exchange.

Healthcare professionals have ample time to adapt their practices to the regulations outlined in the Cures Act. These regulations have clear deadlines that extend to the end of 2023. By this date, all United States healthcare practices should be totally compliant with all aspects of the act.

In this article, we will discuss the goals and penalties of the 21st Century Cures Act, information blocking, and the changes essential to your practice in 2022.

What is information blocking?

As mentioned above, many of the goals of the Cures Act depend on a smoother flow of medical information. To accomplish this, one of the primary objectives is to prevent information blocking. Unfortunately, this is easier said than done.

Information blocking, simply put, is when healthcare providers put up unnecessary obstacles that prevent patients from accessing their medical information. With the technical barriers that complicate the release of information, it’s also important that healthcare professionals don’t exacerbate the issue.

Medical record exchange was simultaneously made easier and more complicated with the introduction of electronic health records. This type of record also eliminated the need for file cabinets filled with medical records by digitizing them. 

While electronic medical records were designed for use within the healthcare organization that created them, electronic health records were designed to be shared. As new medical software companies popped up left and right offering new EHR and systems, new complications also arose. 

EHR systems work best when more people are using them, and nobody wants to lose potential users to other systems. Health IT developers didn’t prioritize interoperability. This led to large data silos of patient information that oftentimes requires an alternative method of release.

The inherent information blocking of data silos and some healthcare professionals’ refusal to grant patients access to their medical records created the need for government intervention.

What are the goals of the 21st Century Cures Act?

Breaking down information blockers to improve care coordination is the primary goal of the Cures Act. There are several additional benefits it aims to achieve, however, pertaining to the various pressure points of health information exchange. 

The first set of goals we’ll discuss each involves improving patient rights regarding their medical information. Like HIPAA, the Cures Act also regulates protected health information to improve accessibility without sacrificing security. This act also requires healthcare providers to provide patients with efficient, simple, and quick methods to access their PHI.

Improved data sharing not only helps patients take control of their PHI but benefits the healthcare industry as a whole. Expediting data sharing can accelerate research, development, and delivery for drugs and medical devices that treat serious illnesses and disorders. 

This improved transparency can help aid those affected by mental health disorders and drug addiction. The Cures Act also allocated $1 billion to address the opioid epidemic and additional grants to improve mental health services. 

To reach this ideal degree of transparency and accessibility, the Cures Act eases the regulatory and administrative burdens of using electronic health record systems and other health information technologies. It also calls for developers to end information blocking practices that interrupt the flow of data.

HHS suggests the following strategies for developers:

  1. Reduce the effort and time required to record health information in EHRs for clinicians
  2. Reduce the effort and time required to meet regulatory reporting requirements for clinicians, hospitals, and healthcare organizations
  3. Improve the functionality and intuitiveness (ease of use) of EHRs

By providing guidelines for the future of health information technology, the Cures Act promotes a more efficient release of information process. These are also backed up by steep penalties to ensure compliance.

What are the cures act penalties?

At the moment, the penalties for failure to adhere to the principles set forth in the Cures Act are undecided. It’s clear however that the ONC, HHS, CMS, and other key health entities agree that information blocking must be prevented.

Congress established civil monetary penalties for health IT developers creating certified health information technology, networks, and exchanges that don’t comply. These penalties can reach up to $1 million per information blocking violation.

The fees for healthcare providers have yet to be determined, but there are some suggestions and possibilities that are being considered. Once a decision is reached, penalties won’t be enforced until the Office of the Inspector General (OIG) releases a future notice and comment rulemaking.

The main suggestions listed in the Cures Act for determining penalties for healthcare provider organizations are as follows:

  1. A two-tiered approach with higher penalties for large hospitals and health systems, as well as public reporting or Quality Payment Program (QPP) score reductions. 
  2. A tiered approach, similar to that of HIPAA. Penalties would also increase based on the nature of the violation, the extent of the violation, and the resulting harm.
  3. Disqualification from the PI category of the QPP.

Furthermore, about half of the provider organizations said that healthcare organization penalties should not be at the same level as those against health IT developers, HINs, and HIEs. Whatever the finalized penalty ends up being, it’s fair to say that nobody will want to face it. Even a fraction of the $1 million per violation for developers can be financially devastating, especially for smaller practices. 

Specific Background for 2022 Updates

To understand the largest change coming to the Cures Act in 2022, we need to look back to April 5, 2021. After the compliance date was delayed 6 months due to Covid, this is the date that certifications were required for Application Programming Interfaces (API), Assurances, and information blocking.

Additionally, on this day, information blocking provisions took effect for electronic health information (EHI) elements listed in the United States Core Data for Interoperability (USCDI).

These elements include Allergies and Intolerances, Goals, Medications, Provenance (identifying metadata), Assessment and Plan of Treatment, Health Concerns, Patient Demographics, Smoking Status, Care Team Member(s), Immunizations, Problems, Unique Device Identifier(s) for a Patient’s Implantable Device(s), Clinical Notes, Laboratory, Procedures, and Vital Signs.

The 7 Conditions of Certification

In addition to the USDCI, you must also understand and adhere to the 7 Conditions of Certification. These conditions are information blocking, assurances, communications, APIs, real-world testing, attestations, and EHR reporting criteria submission.

The information blocking requirement forbids health IT developers in the ONC Health IT Certification Program from participating in information blocking.

The assurances condition requires health IT developers to submit reports that prove they’re not inhibiting the access, exchange, and use of EHI. Additionally, they must provide users with EHI export certification and fulfill appropriate record retention requirements.

The communications requirement forbids health IT developers from restricting communications about certified Health IT Modules. This extends to the usability, interoperability, security, business practices, user experiences, and manner of use regarding health IT. To comply with the Maintenance of Certification, these developers must also notify their customers annually if they restrict these communications.

The API conditions of certification address the ongoing transparency, fee, openness, and pro-competitive behavior requirements of certified API technology. These set the standards for publication requirements for business and technical documentation, outline allowable fees, and promote a competitive marketplace.

The real-world testing requirement calls for developers to conduct and log real-world use testing of particular certified Health IT Modules in the settings where it’s used. A testing plan is also due annually on December 15 beginning in 2021. Results are due to the ONC-ACB by March 15 beginning in 2023.

The attestations requirement calls for health IT developers to attest that they comply with these certification requirements every six months. This began on April 1, 2021.

The EHR reporting program requires health IT developers to submit select data points to help address gaps and provide insight regarding the use of certified health IT.

Changes coming in 2022

On April 5, 2022, the first attestation to the Conditions of Certification was required. On this date, developers must have provided an attestation that confirms their compliance to their ONC-ACB with the 7 conditions explained above. Health IT developers must attest again every 6 months. 

Next, on October 5, 2022, the Cures Act definition of electronic health information will expand beyond the specific USDCI elements. This includes claim information and billing records but does not include the 8 sharing exceptions for privacy and security. Outside these exceptions, it’s illegal to participate in information blocking:

  1. Preventing Harm 45 C.F.R. § 171.201
  2. Security Concerns 45 C.F.R. § 171.202
  3. Privacy Concerns 45 C.F.R. § 171.203
  4. Infeasibility C.F.R. § 171.204
  5. Health IT Performance C.F.R. § 171.205
  6. Content or Manner of Request 45 C.F.R. § 171.301
  7. Fees 45 C.F.R. § 171.302 
  8. Licensing 45 C.F.R. § 171.303 

Lastly, on December 31, 2022, the Conditions of Certification will begin requiring HL7 FHIR API update capability. HL7 stands for Health Level 7, a set of international standards for sharing health data. FHIR is a versatile, vendor-neutral EHR exchange standard.

This update will require FHIR compliance in health apps. It will also require healthcare services to respond to requests for a single patient’s data. Health apps must comply with the US Core Server CapabilityStatement developed by HL7.

What will change in 2023?

The best way to ensure that your organization complies with the upcoming deadlines is to prepare ahead of time. To help you chart your course moving forward, we will also discuss the deadlines coming in 2023.

On March 15, 2023, each healthcare organization must submit its 2022 initial real-world testing results to its ONC-ACB. This empowers the ONC-ACB to publish the Certified Health IT Product plan by December 15. This is also an annual requirement.

The next and final new deadline comes on December 31, 2023. On this date, electronic health information export capability must be functional with two comprehensive export features. These export features are:

  1. The ability for a user to export all of a single patient’s EHI easily and at their convenience.
  2. The ability to perform a bulk export of EHI to enhance patient population insights and simplify switching EHR systems.

HHS spaced out these deadlines to help health IT developers adapt to the changes over time. Once these deadlines pass, the Cures Act will be in full effect. 

How can ChartRequest help?

Years before Barack Obama signed the 21st Century Cures Act, ChartRequest began working hard to break down information barriers and improve the flow of integral protected health information. The goals of the Cures Act align with ours, so we’re always up-to-date on our compliance standards. 

We expedite the release of information in our accessible, easy-to-use platform. With ChartRequest, you can process incoming medical records requests from patients, legal/insurance professionals, and healthcare providers with ease. 

We make signup a breeze too, so even users brand new to our platform can submit their requests in minutes. We also provide real-time status updates to mitigate the need for time-consuming phone calls. 

With ChartRequest, you can be confident that you’re strictly adhering to the guidelines provided in the Cures Act. Our Self-Service subscription allows your team to use our streamlined platform to release medical records faster and more securely. Also, a Full-Service plan ensures a fast turnaround by allowing our team of experts to handle your incoming requests.

Click here to learn more about the plans for healthcare professionals at ChartRequest, and get started today!