Patients know the U.S. healthcare system for its opacity. It’s unclear where their personal health information (PHI) lives, who can access it, how it’s used, and when and why health data moves through the system. That lack of interoperability can open the door to poor health outcomes— and it’s one of the problems that the 21st Century Cures Act aims to solve.
Signed into law in late 2016, The 21st Century Cures Act was “designed to help accelerate medical product development and bring new innovations and advances to patients who need them faster and more efficiently.” 1 But in addition to this broad stated aim, this law presents evolving opportunities and challenges regarding increased access to PHI that clinicians and health systems should understand. In May 2020, the U.S Office of the National Coordinator of Health Information Technology (ONC) finalized delayed regulations implementing the 21st Century Cures provisions regarding data interoperability and elimination of “information blocking.” That same month, the U.S. Centers for Medicare and Medicaid Services (CMS) issued companion interoperability regulations focused on payers, using the same standards and technology approaches finalized in the ONC rule. In December 2020, ONC issued an updated rule that pushed out some of the initial compliance and implementation dates because of the COVID-19 pandemic.
Steven Nichols, senior director of interoperability at GE Healthcare, knows well the ups and downs of this law and the resulting regulations. In addition to his responsibility for advancing interoperability within GE Healthcare Radiology, Cardiology, Patient Care, and IT product lines, he coordinates GE engagement in the IHE, DICOM, and HL7 standards development organizations.
In a recent webinar hosted by the Sepsis Alliance and jointly supported by GE Healthcare and Roche, Nichols detailed key takeaways from the 21st Century Cures Act and its implementation regulations for frontline clinicians and healthcare provider organizations.2 Here’s what they need to know to make the most of the law’s opportunities and to handle its challenges.
What Is the 21st Century Cures Act and How Will It Impact Health Systems?
In its simplest form, the 21st Century Cures Act and the resulting ONC and CMS regulations set forth policy aimed at moving the healthcare industry toward the type of standardization that allows information to flow more freely, potentially benefiting all stakeholders, Nichols said.
But eliminating all barriers to interoperability will take some time. “As much as we want a set of standards to connect our healthcare devices that’s as simple as email, it’s not where we’re at right now,” he explained.
The 21st Century Cures Act is designed to make healthcare information more accessible and transparent, which Congress and regulators believe will improve transparency, safety, interoperability, and innovation, all of which benefit the patient. To that end, the act forbids any practices that are “likely to inhibit the flow of information,” a phrase that Nichols said leaves a significant onus on healthcare organizations and technology companies, who must demonstrate that they are not inhibiting the flow of healthcare information in ways that meet the statutory and regulatory definition of “information blocking.”
An extension of earlier U.S. federal government laws and rules intended to increase the use of healthcare technology, increase data flow, and protect privacy and security, these legislative and regulatory requirements affect the development and use of electronic medical record (EMR) systems and other health IT, especially those certified by ONC and developed by organizations that have certified health IT. They focus particularly on interoperability practices, encouraging the use of standards-based application programming interfaces (APIs) for data access and exchange, while putting patient access to healthcare data front and center. “There’s a big patient empowerment aspect of the Cures Act,” Nichols said. “Patients have the right to access their data and a right to dictate where their data goes. So, there is a paradigm change when it comes to patients accessing their data and how they may or may not provide consent for others to access their data.”
Under the 21st Century Cures Act provisions, as well as HIPAA privacy rules, patients aren’t the only ones with the power to access their information and direct where it goes (e.g., to an app or another provider). Clinicians can do the same, exchanging data with other clinicians or even payers, or when they move to another EMR, Nichols said.
Clinicians and healthcare organizations can expect new upgrades and changes to their EMRs under the Cures Act regulations, including changes to the way provider organizations pay fees to their EMR vendors for interoperability capabilities, as well as new updates to EMR certifications, especially regarding standards-based APIs and data sets that must be available for access and exchange. The ONC and CMS regulations specify that U.S. Core Data for Interoperability (USCDI) data elements and associated standards must be available in certified electronic health systems. The USCDI builds on past ONC and CMS standard data sets and includes but is not limited to the following:
- Assessment and plan of treatment
- Clinical notes
- Health concerns
- Lab values/tests
- Vital signs
What Are the Key Challenges of the 21st Century Cures Act?
Even though the Cures Act interoperability and information-blocking requirements and subsequent regulations were designed to move the healthcare industry towards greater data access, the two-and-a-half-year phase-in of these provisions will come with growing pains. Here are three of its most pressing challenges for application developers and API users, according to Nichols.
Different versions of the standard. As the 21st Century Cures Act interoperability and information blocking regulations continue to roll out, so too will versions of the standard designated in ONC API certification requirements, HL7 FHIR, designed to support granular (as opposed to document-level) data exchange through APIs and apps. FHIR is on its first normative version, R4, but earlier trial use versions, such as DSTU2 and STU3, remain in wide use. Prior versions of HIR are not designed to be backward- or forward-compatible, so many healthcare delivery organizations must operate in different FHIR-related API and app ecosystems.
Different versions of the EMR. During the phase-in of the new ONC certification requirements, disparate maintenance and upgrade cycles and variations in FHIR implementations available in the EMR and health IT marketplace will play an important role. These issues may require application developers to account for different FHIR versions before the certification deadline, which was recently extend to Dec. 21, 2022 for developers of certified health IT, with provider use of this capability staging in before and after this date.
Dangers around information blocking. The Cures Act is essentially stepping in to say, “There should be no activity, whether it’s between vendors or healthcare providers, that inhibits the access or exchange of electronic heath information, unless this activity meets one of a set of strict exceptions, such as prevention of patient harm or technical infeasibility,” Nichols said. This requirement is a move toward a more transparent system, but a good deal of specific information-blocking compliance guidance and enforcement details remain to be established. In general, the burden of proof that an “actor”—a provider, a developer of certified health IT, or a health information exchange or network—is not information blocking falls on that organization. Developers and HIEs or HINs face fines of up to $1 million per violation, with providers facing penalties for false attestation to CMS incentive programs that they are not information blocking, as well as other penalties to be determined. In addition, all of these parties face the risk of big hits to their reputations.
The 21st Century Cures Act Interoperability and Information-Blocking Timeline
Here are the three rollout phases, which you can expect to see in 2021 and 2022.
April 5, 2021: All actors are subject to the prohibition, and the Office of the Inspector General (OIG) will begin enforcing some information-blocking rules. Developers of certified health IT are also subject to requirements around their certified APIs, not information blocking, and other rules. In addition, the OIG will likely soon issue final regulations on its enforcement of civil monetary penalties for information blocking for developers, HIEs, and HINs. Providers can also expect additional enforcement requirements.
Oct. 6, 2022: Full information blocking compliance will focus on all electronic PHI in the HIPAA-defined Designated Record Set is required, as opposed to the initial narrower focus on the data elements in the USCDI.
Dec. 31, 2022: New certification criteria for APIs and related standards and capabilities are in effect.
While the Cures Act interoperability and information blocking provisions were slated to begin rolling out in November 2020, ONC has pushed the timeline out as a result of COVID-19-related pressures on the healthcare system. But that extended timeline hasn’t stopped EMR vendors and providers from implementing many of the new technical and policy requirements already, Nichols said— emphasizing that pushing healthcare towards greater transparency and data availability is a goal that is widely shared in healthcare and worthy of wide embrace.
- Homepage. U.S. Food and Drug Administration, https://www.fda.gov/regulatory-information/selected-amendments-fdc-act/21st-century-cures-act. Accessed Dec. 28, 2020.
- “Sponsored Webinar: Electronic Information Exchange and the 21st Century Cures Act: Why it Matters to Frontline Clinicians.” Sepsis Alliance Institute, https://www.sepsisinstitute.org/content/sponsored-webinar-electronic-information-exchange-and-21st-century-cures-act-why-it-0#group-tabs-node-course-default4. Accessed Dec. 28, 2020.