21st Century Cures Act Updates and Penalty Deadlines 2023

• August 01, 2023

Recent Updates in Cures Act

The Office of the National Coordinator for Health Information Technology (ONC) recently released a proposed rule called "Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing." This rule is based on the 21st Century Cures Act and includes various changes to electronic health record (EHR) certification criteria, information-blocking regulations, and patient control over their health information. While some of the revisions are technical and intended for health IT developers, the main goal is to enhance health information exchange and interoperability. This is the first significant rule since the ONC Cures Act Final Rule of 2020, and it aims to advance the use of health data and technology in the healthcare industry. Below, we've summarized the most important updates in the Proposed Rule.

Updates to EHR Certification Criteria

The proposed rule includes several updates to the certification criteria for Electronic Health Records (EHRs):

1. Adoption of United States Core Data for Interoperability (USCDI) Version 3: The ONC plans to incorporate Version 3 of USCDI as a standard in its Certification Program, while setting an expiration date for Version 1 as a certification standard.
2. Use of Artificial Intelligence for Clinical Decision Support: The ONC proposes a new certification criterion called "decision support interventions (DSI)" to enhance transparency and reliability in the application of artificial intelligence for clinical decision support tools. The compliance date for these requirements is proposed to be December 31, 2024.
3. Application Programming Interface (API) Improvements: Several updates are proposed to improve the secure transmission and access of information through APIs. This includes amending the API Condition and Maintenance of Certification requirements.
4. Updated Demographic Criterion: To promote inclusivity, the ONC suggests adding new data elements like "Sex for Clinical Use," "Name to Use," and "Pronouns" to the proposed Patient Demographics and Observations certification criterion. Additionally, the terminology standards for "Sex," "Sexual Orientation," and "Gender Identity" would be replaced with other terminology codes based on SNOMED CT.

Patient Privacy Protection

The ONC proposed various measures to enhance patient privacy protections and their ability to control the use and sharing of their health information, following the guidelines of the HIPAA Privacy Rule. One of the key proposals is to update the EHR certification criterion, requiring the inclusion of functionality that flags instances when a patient requests restrictions on data use or disclosure. This flagging mechanism will prevent the flagged data from being included in subsequent uses or disclosures for the restricted purpose. If approved, these updates must be implemented by January 1, 2026.

Updates to Information Blocking Regulations

The ONC proposed several updates to the information blocking regulations, which includes defining the scope of "offering health IT" to narrow the applicability of the information blocking rule. The proposed rule clarifies that certain activities, such as providing access through APIs or portals for clinicians and patients, or supplying login credentials for independent healthcare professionals to use EHRs, would not be considered as offering health IT.

Additionally, the Proposed Rule revises the "uncontrollable events" condition and introduces two new conditions for the Infeasibility Exception. These new conditions address situations where a third party requests modification of Electronic Health Information (EHI) and when the actor has exhausted the manner exception options.

Moreover, the Proposed Rule includes a Trusted Exchange Framework and Common Agreement (TEFCA) condition, allowing TEFCA participants more flexibility when fulfilling requests from other TEFCA participants through the framework.

RELATED: TEFCA: How Does It Empower HIE and Streamline Interoperability?

To Whom Does the New Information Blocking Final Rule Apply?

The new information blocking final rule applies specifically to organizations involved in the development and offering of health IT software and networks. This includes developers of certified health IT, health information exchanges, health information networks, and organizations that offer certified health IT.

While healthcare professionals may think the rule doesn't apply to them, the Office of Inspector General (OIG) has mentioned that a separate rule for providers is being worked on. The 21st Century Cures Act outlines financial penalties for non-compliance, and organizations should be aware of their current state of compliance with the act.

What Are the Penalties for Non-Compliance?

Under the 21st Century Cures Act, the Office of Inspector General (OIG) has enforced penalties for information blocking, amounting to a maximum of $1 million per violation. These penalties apply to developers, health information networks, and exchanges. However, healthcare providers will have a separate rule addressing information blocking.

Penalty Deadline: Penalties for Information Blocking Enforcement will take effect on September 1, 2023

The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) has recently released the final rule, known as the IB Enforcement Rule, which introduces civil monetary penalties (CMPs) for information blocking. This rule empowers OIG to investigate claims of information blocking and allows HHS to impose CMPs on health IT developers, certified health IT providers, health information exchanges (HIEs), and health information networks (HINs). The enforcement of information blocking CMPs is set to begin on September 1, 2023. It is important to note that the IB Enforcement Rule does not introduce new information blocking requirements or create disincentives for healthcare providers.

The Office of Inspector General (OIG) will start enforcing penalties for information blocking 60 days after the publication of the new final rule in the Federal Register. However, during this 60-day waiting period, penalties will not be imposed, allowing health IT professionals time to review and rectify any compliance issues before enforcement begins. Nevertheless, organizations should take a proactive approach to ensure compliance, considering the intricacies of the Cures Act and the upcoming separate rule for providers.

How Will the OIG Investigate Information Blocking Claims?

The OIG has established a process for investigating information-blocking claims to address major issues effectively. They expect a high volume of claims and prioritize cases based on certain criteria. High-priority cases include those that harm patients, impede a provider's ability to deliver patient care, have a long duration, cause financial impact on government or private entities, and involve intentional information blocking.

When investigating a claim, the OIG will gather information, conduct interviews, and document the situation. They will then discuss the investigation with the accused entity. If information blocking is found, the entity will receive a demand letter, and they can appeal the penalty if they believe the investigation was incomplete, inaccurate, or overly severe.

While the process outlined is for health IT entities, a similar process is likely to apply when investigating healthcare professionals. Cooperation and corrective action are essential for minimizing penalties during an investigation.

RELATED: Achieving ONC Certification and Ensuring Compliance : Your Trusted Partner

How a Healthcare IT company help avoid penalties?

A Healthcare IT and Interoperability company can play a vital role in helping a health organization avoid penalties under the 21st Century Cures Act. Here are some ways they can assist:

1. Compliance Assessment: The company can conduct a thorough assessment of the health organization's current systems and processes to identify any potential areas of non-compliance with the Cures Act. This includes evaluating data sharing practices, electronic health record (EHR) functionalities, and information blocking risks.
2. Education and Training: They can educate healthcare providers and staff about the provisions of the Cures Act and train them on how to ensure compliance in their daily workflows. This could include information on data sharing, patient access rights, and avoiding information blocking practices.
3. Interoperability Solutions:The company can implement and optimize interoperability solutions that facilitate seamless exchange of health information between different systems and healthcare providers. This will enable the organization to meet the interoperability requirements of the Cures Act.
4. API Integration: They can help the organization develop and integrate APIs (Application Programming Interfaces) to allow easy access and exchange of patient health information, ensuring compliance with the Cures Act's requirements for FHIR APIs.
5. Data Security and Privacy Measures: The company can implement robust data security and privacy measures to safeguard patient health information from unauthorized access, ensuring compliance with HIPAA regulations and information blocking provisions.
6. Monitoring and Reporting: Healthcare IT companies can set up monitoring systems to track data sharing activities and ensure that any potential information blocking practices are detected early. They can also provide reporting tools for the organization to demonstrate compliance to regulators if required.
7. Updates and Upgrades:Staying current with the evolving Cures Act requirements is crucial. The company can regularly update and upgrade the organization's systems to ensure ongoing compliance with any changes to the regulations.

By partnering with a Healthcare IT and Interoperability company , health organizations can better navigate the complexities of the Cures Act, mitigate compliance risks, and avoid penalties for information blocking. It is essential to choose a reputable and experienced company with a strong track record in compliance and healthcare IT solutions.

With KPi-tech's 25+ years of experience in US healthcare IT, we can help you meet all your compliance needs effortlessly and keep your organization safe from any potential issues.