Are You Ready for the 21st Century Cures Act Enforcement?
The Century Cures Act was signed into law four years ago on December 13, 2016. Although this regulation (law) has been in the making for nearly four years, the general effective date was June 30, 2020. The compliance requirements for Information Blocking, Assurances, and APIs start April 5, 2021.
The law focuses on interoperability, with the patient being the key element. The goal was to put patients in control of their healthcare and that includes easy access to their medical records. By getting other parties involved, referred to as ‘actors,’ the final goal of a universal health record could be attained. According to the Office of the National Coordinator for Health Information Technology (ONC), the rule also considers the following:
- Transparency into the cost and outcomes of care
- Competitive options in getting medical care
- Modern smartphone apps, to provide convenient access to patients’ records
- An app economy that provides patients, physicians, hospitals, payers, and employers with innovation and choice
Is this a HIPAA Rule?
Although everything seems to get blamed on HIPAA, the Information Blocking Rule is not part of the HIPAA Privacy Rule. They do, however, share the same rule-making entity, Health and Human Services (HHS). As a result, you will see some similar language and requirements.
What does this mean for providers?
Simply put, a clinic must avoid Information Blocking by implementing an electronic process for patient access to their medical record. If you have a HIPAA program in place, you are probably familiar with the Right of Access Initiative that the Office of Civil Rights has enforced since 2019. The Cures Act has taken this a step further by focusing on applications that allow for immediate access to portions of the medical record and complete access to the entire medical record within a short period of time.
Is it true that providers could face million-dollar penalties from the Office of Inspector General (OIG)?
We are not sure where this information is coming from, but it is alarming providers. If you take time to read the rule you will see that the intent is to direct, instruct, guide, and assist providers in understanding how they can engage Health Information Exchange applications and other parties to provide patient access. In fact, in Section 4004 under the title (b) INSPECTOR GENERAL AUTHORITY, with regards to Penalties, it states, “Any individual in subparagraph A or C of paragraph 1…shall be subject to a civil monetary penalty determined by the Secretary, which may not exceed $1,000,000 per violation.”
So, who will the OIG penalize? In subparagraph A, health information technology developer is listed and in subparagraph C, health information exchange or network is listed. Health care providers fall under subparagraph B, which states if they are found violating the rule, they will be “referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal Law..” It appears that if a clinic is found in violation, the Secretary will defer to the Office of Civil Rights to investigate and apply the HIPAA Privacy Rule and Right of Access terms. The million-dollar fine does not appear to apply to providers. The ONC Cures Act rule is complex and extensive but when it comes to Information blocking the focus is on healthcare IT software developers and electronic health exchange entities.
What steps should a provider take?
Remember, the Information Blocking rule is a close cousin to a HIPAA rule, already in place. We recommend clinics immediately review their current record request process. If you do not have a Medical Record Policy and lack written procedures, it is time to make this a priority. Next, check out the Cures Act resources and examine your current setup with your Electronic Health Record vendor. The focus should be on patient access based on the terms of the rule. Even if you do not use electronic health records, do not dismiss this rule. The intent of the rule still applies to those providers who maintain paper records. The Cures Act Rule Section 4004 and 4006 directs health care providers (actors) to review the Right of Access resources located on the HHS site.
If you are a library member, please locate the lesson titled HIPAA & Patient Records in the KMC University Library. There, you will find a tutorial that breaks down the HHS rules and the recent Information Blocking rule. We also provide some helpful downloadable reference documents for your consideration.
Jill Foote currently contracts with KMC University as a Subject Matter Expert. She had over 13 years of chiropractic clinic experience in billing and practice management prior to working for the American Chiropractic Association. In her past position as Senior Manager of Coding and Practice Management she served as staff liaison to the ACA’s Coding Manual Workgroup, ICD-10 Taskforce and the Coding Committee where she was instrumental in coordinating the association’s coding initiatives and educational campaigns. As she worked with doctors on a national level, she saw a growing need for training in HIPAA compliance, especially as it relates to the IT world. She holds a certification as a HealthCare IT Specialist and is currently the owner/operator of Easy Tech Compliance.