21st Century Cures Act – Information Blocking & Rule Summary


The 21st Century Cures Act, first introduced in 2016, is broadly focused on advancing innovative medical products while removing barriers for development and bringing the advancements to patients more quickly. The focus of this blog will be on the rules around information blocking, interoperability and data access and how providers can continue to adapt and deliver medical information wherever and whenever it is needed with respect to the Cures Act and overall best practices for health data management.

21st Century Cures Act

Three main tenets of the Cures Act – Patient Access, Protection and Choice:

  1. Ease of access to their records – The Cures Act supports a patient’s control of their health care and their medical record through smartphones and modern software apps.
  2. Protecting patient privacy and security – The rule supports secure patient access to their electronic medical record data. Patients will be able to use applications they authorize to receive data from their medical records. OAuth2 is used to authorize applications – the same highly secure protocol used on travel and banking apps.
  3. Promoting the ability to shop for care and manage costs – The final rule expands patient and payer choice by increasing data availability that supports insights about care quality and costs. This is similar to how apps have increased transparency in other industries such as online shopping, travel and banking, delivering information to patients and payers to assist in decision making.

Ease of Access and Information Blocking

The Information Blocking Rule was first introduced as part of the 21st Century Cures Act in 2016 to eliminate industry-wide information blocking practices. The problem centered around a patient’s inability to access their entire health record history, caused by developers of health IT deliberately preventing access to PHI in an effort to maximize short-term revenue or to compete for new clients.

The implementation of the finalized rules around information blocking provides a comprehensive response to concerns about this anti-competitive behavior while supporting the overall goal of increased transparency for patients as well as access, exchange and usability of electronic health information.

There are many key dates related to the Information Blocking Rules, including Oct. 6, 2022, which is the date that the definition of electronic health information changes from the specific elements listed in the USCDI to ALL electronic health information (ePHI) in the designated record set (DRS).

How to determine if information is EHI: 

EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the group of records are used or maintained by or for a covered entity. The expanded definition of EHI (as defined in 45 CFR 171.102) includes a broad set of records. To determine whether the information is EHI, consider if the information:

  1. Is individually identifiable health information that is maintained in electronic media or transmitted by electronic media
  2. And would be included in one of the following groups of records:
    a. medical records and billing records of a provider about individuals;
    b. enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan;
    c. records used in whole or in part, to make decisions about individuals
  3. And is not excluded from the EHI definition

If the answer to the three questions above is “yes,” then it is EHI.

What is not EHI?

  • Psychotherapy notes as defined in 45 CFR 164.501
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
  • Individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
  • Individually identifiable health information in records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
  • Individually identifiable health information in employment records held by a covered entity in its role as employer
  • Individually identifiable health information regarding a person who has been deceased for more than 50 years
  • De-identified protected health information as defined under 45 CFR 164.514

There also are eight exceptions to the information blocking ban that have been established to allow clinicians and hospitals common sense operational flexibility. These exceptions are grounded in protecting patient privacy, security, and handling situations where moving data isn’t a technically viable solution. These exceptions are divided into two categories:

  1. Exceptions that involve not fulfilling requests to access, exchange or use EHI, and
  2. Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

To review the most current updates related to interoperability, information blocking and the ONC Health IT Certification Program, visit the ONC’s Cures Act Final Rule website.

Switching EHRs shouldn’t mean a disruption in a provider’s access to their data.

EHR vendors are required to enable a usable export of all patient records when a healthcare provider is switching health IT systems, as opposed to only providing the summary of care records, which was the prior requirement. Not only will this allow providers to switch EHRs more easily and completely, but it will also ensure that a complete patient narrative is being transferred for better patient care. As the ONC states, “Providers should be able to choose the IT tools that allow them to provide the best care for patients, without excessive costs or technical barriers.”

Determining how healthcare IT delivers on these finalized rules is somewhere on every healthcare organization’s to-do list. Moving it toward the top could make good business sense. Industry experts suggest healthcare organizations look at meeting the finalized rules sooner rather than later and as an opportunity for business success, citing that adopting the rules as soon as possible represents a huge business opportunity.

Those physician practices and health systems that can step up, navigate the obstacles, and deliver robust patient access to health information through apps and next-generation digital tools, may find themselves at a competitive advantage.

Speaking of competitive advantages, let’s talk about the long game.

One big step forward in the health data management race is to consolidate records from legacy EHR, ERP and HR systems into an active archive. This approach avoids the user having to log in to multiple legacy systems to fulfill a single Release of Information request. Advanced authentication services such as Single Sign-On allow a seamless connection from the current EHR (e.g., Single Sign-On from Epic), in context, to the patient’s historical medical record.

As healthcare providers continue to adapt and evolve with how they need health and business data to flow through technology systems and now more fluidly to patients on new apps, it will be even more important to have a solid lifecycle data management plan that consolidates disparate data sets. With some multi-hospital organizations managing 30 to 40 read-only legacy EHRs with varying states of usability, it is even more important to streamline and have a lean and forward-thinking data management strategy for the long haul.

As your team continues to adapt to rules, follow retention guidelines and safely guide the data within your care wherever it needs to go, it’s a good time to make sure your inventory of applications is consolidated, secured, accessible and usable.

An active archive such as HealthData Archiver® is a long-term medical data storage strategy that reduces or eliminates legacy system management costs, provides role-based security and is a vendor-neutral long-term home for legacy records. Secure, compliant, long-term PHI storage in an electronic health data archive solution helps manage the legacy application portfolio which saves on maintenance contracts, mitigates technical risk, and reduces labor burden. With an active archive, outdated legacy applications can be decommissioned and ROI is often seen in 18-24 months.

What to do if a vendor organization is keeping you from your health data:

As clinicians and hospitals continue to consider their options in choosing the EHR that best fits the organization, gaining access to protected health information (PHI) from the outgoing EHR vendor may remain a challenge.

Even before the newest information blocking law was handed down, EHR vendors were required by law to return PHI to the covered entity in a reasonable and usable format upon termination of a contract. If your healthcare organization has, or continues to have, PHI held hostage by an EHR vendor, there are currently measures that can be taken to gain rightful access to data.

The final rule also includes provisions for the HHS Office of Inspector General (OIG) to investigate allegations of information blocking and to coordinate the involvement of other government agencies. It also provides anonymous reporting options and a certificate of compliance that organizations can sign to show they meet the guidelines.

Beyond filing a complaint with the U.S. Department of Health and Human Services, you can also start with these steps to help with the process:

  1. Familiarize yourself with the HIPAA Covered Entity portion of the gov website for additional information on how the vendor may be in violation of the HIPAA Privacy Rule.
  2. Formally communicate to the vendor that they are legally required to provide access to your ePHI in a reasonable and usable format.

If you’ve already considered the above and still feel like you need additional guidance and tools to help facilitate dialogue to gain access to your PHI, we’re ready to talk about the best approach that will lead to your PHI residing where we’ve always believed it should be – with you and your organization.


Note: This blog is updated from a previous version published on March 2, 2021.

Nov 30 2022
