21st Century Cures Act - Patient Access Rights

21st Century Cures Act  |  Patient Access |  HIPAA  |  Interoperability  |  Right of Access

What does this word salad mean to senior care providers? 

We've compiled the best resources to help you make sense of the upcoming requirements affecting your facilities.

Why is This Happening Now?

A quick summary of the legal and compliance drivers of the new Patient Access requirements.

21st Century Cures Act from 2016

The 21st Century Cures Act (“Cures Act”) is a bipartisan-backed law passed in December 2016 and implemented through rulemaking in 2020. 

A key aspect of the Cures Act is the intention to give patients safe and secure access to health data so they can better manage their care and make more informed healthcare decisions.

In March 2020, the U.S. Department of Health and Human Services (HHS) finalized two rules to implement the interoperability and patient access provisions of the 21st Century Cures Act:

  • Issued by the HHS Office of the National Coordinator for Health Information Technology (ONC)
  • Issued by the Centers for Medicare & Medicaid Services (CMS)

To these ends, rules issued under the Cures Act are designed to prevent “information blocking.” Providers are not allowed to engage in information blocking, which is defined as anything formally restricting the access or use of electronic health information (“EHI”) through contracts or policies. The rules also prohibit unnecessarily slowing or delaying access to EHI, limiting the timeliness of access to EHI, or charging for EHI.

Health care providers need to be ready to share certain electronic health records with patients by the April 5, 2021 deadline and avoid claims of “information blocking” in violation of the rule.

The ONC Rule

The ONC Final Rule in summary does the following:

  • Identifies and finalizes the reasonable and necessary activities that do not constitute information blocking, while establishing new rules to prevent “information blocking” practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, health information exchanges, and health information networks.
  • Updates certification requirements for health IT developers.
  • Establishes new provisions to ensure that providers using certified health IT have the ability to communicate about health IT usability, user experience, interoperability, and security, including (with limitations) screenshots and video.
  • Requires electronic health records to provide the clinical data necessary, including core data classes and elements, to promote new business models of care.
  • Creates a common data model called the U.S. Core Data for Interoperability (USCDI). The USCDI is a standardized set of health data classes and data elements that are essential for nationwide, interoperable health information exchange.
  • Within the USCDI, the rule also explicitly provides for “open notes,” meaning that patients will have full and unfettered access to their physician notes, with just a couple of explicit exceptions.
  • Establishes secure, standards-based application programming interface (API) requirements to support a patient’s access and control of their electronic health information. APIs are the foundation of smartphone applications (apps).
  • Ensures that patients will be able to securely and easily obtain and use their electronic health information from their provider’s medical record for free, using the smartphone app of their choice.


The CMS Interoperability and Patient Access Rule

The CMS Interoperability and Patient Access final rule is focused on driving interoperability and patient access to health information using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs). The plans are required to:

  • implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API to allow patients to easily access their claims and encounter information, including costs
  • make provider directory information publicly available via a standards-based API, so that third-party application developers can access the information and create services that help patients find providers for care and treatment, as well as help clinicians find other providers for care coordination, in the most user-friendly and intuitive ways possible
  • Beginning January 1, 2021, Medicare Advantage, Medicaid, CHIP, and, for plan years beginning on or after January 1, 2021, plans on the federal Exchanges will be required to share claims and other health information with patients in a safe, secure, understandable, user-friendly electronic format through the Patient Access API. The intent is to provide more complete data to patients so they can be informed decision makers
  • The Patient Access API allows patients to access their data through any third-party application they choose to connect to the API, which could be used to integrate a health plan’s information into a patient’s electronic health record (EHR). By requiring their relevant health information, including their claims, to be shared with them, patients can take this information with them as they move from plan to plan, and provider to provider, throughout the healthcare system
  • Establishes a new Condition of Participation (CoP) for all Medicare and Medicaid participating hospitals, requiring them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred
  • Requires states to send enrollee data daily beginning April 1, 2022 for beneficiaries enrolled in both Medicare and Medicaid, improving the coordination of care for this population
  • CMS will publicly report eligible clinicians, hospitals, and critical access hospitals (CAHs) that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements

Timelines and Key Dates

On October 29, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued an Interim Final Rule which extended the deadlines for compliance with the ONC Final Rule.

In particular, the Information Blocking Applicability Date was changed from November 2, 2020 to April 5, 2021.

For details on key milestones, see the Journal of AHIMA summary or the ONC Applicability Dates table.

Further rulemaking on compliance penalties is expected.

How Is the Cures Act Different from HIPAA?

The Cures Act is a supplement to and not a replacement of HIPAA compliance.

Patients have always had a right to access their patient records under HIPAA. The Cures Act expands this right to include quick and free access to electronic health information (“EHI”). The Cures Act's purpose is to make EHI available to patients without cost or delay.

Providers should work with EHR vendors, privacy officers and legal counsel to ensure they are providing patients with free and easy electronic access to their health records and are not engaging in any information blocking.

More Resources


21st Century Cures Act

Became law Dec 13, 2016.   Full text


ONC Cures Act Rule

The Office of the National Coordinator for Health Information Technology (ONC).
Final Rule


CMS Rule 9115-F

Interoperability and Patient Access final rule Fact Sheet