The 21st Century Cures Act Final Rule Has Taken Effect

By Mathew J. Levy, Esq. Email Mathew

After years of anticipation, the Office of the National Coordinator for Health Information Technology’s (“ONC”) issued its Cures Act Final Rule on Interoperability, Information Blocking, and Open Notes, effective April 5, 2021. This important issuance, which originated with the 21st Century Cures Act (2016), aims to transform on a national level the interoperability of healthcare IT systems, which has been a persistent impediment to efficient and effective delivery of health care and usage of electronic medical records. To achieve this important goal, the Final Rule contains complex and comprehensive mandates that warrant close scrutiny to ensure that providers and other entities are in full compliance.

The three-part Final Rule, which supports seamless and secure access, exchange, and use of electronic health information, is designed to give patients and their providers secure access to patient health information and to increase innovation and competition generally in the health information technology sector. The Final Rule applies to a range of health care providers, including physicians, PAs, NPs, nurses, social workers, therapists, and chaplains; health information networks and/or exchanges; and developers of certified health IT, such as electronic medical record vendors (collectively, “Actors”).

The Interoperability Rule calls for the healthcare IT industry to create and/or adopt standardized application programming interfaces (“APIs”), to allow individuals undelayed access to their structured and unstructured health information via secure, user-friendly smartphone applications and practice management systems at no cost to the patient.

The Cures Act defines “information blocking” as an organizational practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information (EHI) when an entity knows, or should know that the practices is likely to do so. Under the new Information Blocking rule, individuals who are unable to access “without delay” their personal health information for clinic visits after April 5, 2021, and who are not provided with requested health information promptly by their providers and/or health systems, may report those providers to the US Department of Health and Human Services.

The Open Notes Rule sets forth eight types of notes that must be made immediately available to all patients, unless the information is compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding:

• Patient history and physical notes
• Consultation notes
• Procedure notes
• Progress notes
• Discharge summary notes
• Imaging narratives
• Lab report narratives
• Pathology report narratives

The Open Notes rule also requires mental health providers to provide information about medication prescriptions and monitoring, clinical test results, modalities and frequency of treatments, start and stop times of sessions, and any summary of diagnosis, functional status, treatment plan, symptoms, progress, and/or prognosis. However, the Open Notes rule does not apply to psychotherapy notes, if they are:

• Separated from the rest of the individual’s medical record
• Recorded, in any medium, by a mental health care provider who is documenting or analyzing the contents of a conversation that takes place during a private, group, joint, or family counseling session

There are eight exceptions to the Final Rule’s prohibition against information blocking, which fall under two categories. Category 1 exceptions involve non-fulfillment of requests to access, exchange, or use EHI, while Category 2 exceptions address procedures for fulfilling EHI requests.

Category 1 exceptions include the following, if certain conditional requirements are met:

• The Preventing Harm Exception allows Actors to engage in practices that are reasonably necessary to protect patients and other persons against appropriately documented risks of harm.
• The Privacy Exception allows Actors to deny a request in order to protect an individual’s privacy.
• The Security Exception allows Actors to deny a request in order to protect the security of the EHI itself, provided the denial is “directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner.”
• The Infeasibility Exception allows Actors to deny a request if its fulfillment would be impracticable and/or impossible as a result of, i.e., natural or man-made disasters, public health emergencies, technological limitations, or an inability to “unambiguously” segment requested EHI.
• The Health IT Performance Exception allows Actors to make EHI temporarily unavailable or to degrade the EHI’s performance for the benefit of the overall performance of the health IT, i.e., while performing routine maintenance, making system improvements, or to address some cause beyond the control of the healthcare organization.

Category 2 exceptions include the following, if certain conditional requirements are met:

• The Content and Manner is a time-limited exception that allows Actors to limit a response to a request based on their EHR vendor’s ability to access, use, or exchange EHI. The provider must meet both the content and manner conditions, meaning that (i) they must provide at least the data elements set forth under the US Core Data for Interoperability Standard (USCDIS) and (ii) they must respond to the request either in the manner requested or in an alternative manner. This exception applies for the next 24 months, to allow EHR vendors time to improve the capacity of their systems in order to fulfill requests in full compliance with the Final Rule thereafter.
• The Fees Exception, which will likely apply primarily to EHI vendors as opposed to physicians and other providers, allows Actors to recover certain costs reasonably incurred for the access, exchange, or use of EHI. This limited exception allows Actors to make a reasonable profit, however no fees may be collected for electronic access to EHI by individuals.
• The Licensing Exception, which aims to promote innovation in health IT, allows Actors to protect their intellectual property by licensing Interoperability Elements (i.e., hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services). Actors must initiate licensing negotiations within 10 days of the request and must negotiate a license within 30 days of the request. As with the Fee Exception, this exception will likely apply primarily to EHI vendors.

Under the Final Rule, health care Actors must develop compliant infrastructure and governance standards to eliminate prohibited information blocking. Steps to be taken by Actors include:

• Establishing a governance structure to review requirements
• Develop an action plan to implement that governance structure
• Develop, review, and/or revise access policies to ensure compliance with the Final Rule, including processes for evaluating and appropriately documenting potentially applicable exceptions
• Conduct policy training for staff, including training in any new internal reporting processes
• Develop implementation plans to identify and mitigate risks including current non-compliant information blocking practices
• Identify necessary changes with respect to contracting and licensing policies and practices
• Review and update formal policies regarding access, exchange, and use of EHI

Weiss Zarett assists healthcare providers and business owners to develop policies and procedures that are compliant with state and federal law. For more insights on how to protect your practice from inadvertent information blocking and to discuss our solutions for EHI regulatory compliance, contact us today.

Mathew J. Levy is a Partner of the firm and co-chairs the Firm’s corporate transaction and healthcare regulatory practice. Mr. Levy has extensive experience in, defending healthcare professionals in actions brought by State licensing authorities and the Federal agencies (OIG, Medicare, OMIG, Medicaid, DEA, OSHA, OCR OSHA, Hospital Review Boards, Office of Professional Medical Conduct and Office of Professional Discipline.) Mr. Levy has successfully defended numerous healthcare providers in actions involving the US Attorney’s Office investigations, Medicare Fraud Waste and Abuse investigations, Medicaid Fraud Control Unit investigations, OPMC, OPD, Medicare, Medicaid as well as commercial insurance audits including Prepayment Review, Post Payment Review, Medicare Hearings and Hospital Discipline Investigations.

Mr. Levy has successfully structured and negotiated joint venture agreements, private equity transactions, venture capital transactions, stock purchase agreements, asset sale agreements, shareholders agreements, partnership agreements, employment contracts, managed care agreements and commercial leases. Among the areas in which he focuses are coordinating mergers and acquisitions, compliance programs, ambulatory surgery centers, the establishment of diagnostic and treatment centers, HIPAA privacy regulations, fee-splitting issues, Stark law issues, fraud and abuse rules and regulations and Medicare/ Medicaid, Oxford, Americhoice, Fidelis, Healthfirst and other third-party payor settlements. Mathew Levy can be reached directly at [email protected] or 516-627-7000.

Weiss Zarett Brofman Sonnenklar & Levy, P.C. is a New York law firm providing a wide array of legal services to the members of the health care industry, including corporate and transactional matters, employment counseling and controversies, civil and administrative litigation, healthcare regulatory issues, bankruptcy and creditors’ rights, and commercial real estate transactions.

ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.