The 21st Century Cures Act: Are You Ready?
The 21st Century Cures Act, signed into law in 2016, is designed to give patients greater access to and more control over their healthcare information. Added provisions in 2020 focus on increased interoperability and “information blocking.” The Act requires that organizations adopt interoperability requirements and prevent “information blocking,” which according to the American Medical Association (2021) is described as “business, technical and organizational practices that prevent or materially discourage the access, exchange or use of electronic health information (EHI) when an actor knows or should know the practices are likely to interfere with, prevent or materially discourage access, exchange or use of EHI.”
These regulations apply not only to healthcare organizations but also to IT vendors. An IT vendor, for example, can’t use proprietary technology to encrypt data and prevent a hospital or organization from sharing that data.
As regulations go into effect, organizations face new challenges in preparing for and meeting requirements. Understanding what to expect and preventing potential hurdles can help your organization become compliant and improve patient care.
The challenges of preparing
The 21st Century Cures Act includes many new regulations, and preparing for them is no small task. There are new, and more aggressive, timelines for fulfilling patient records requests, and organizations must move fast to get ready. Challenges that organizations are facing include:
Faster turnaround times. The Cures Act created new rules around how fast organizations must deliver on patient information requests. There are rules around what you can, and what you can’t, charge to fulfill patient information requests. If you don’t have a patient portal in place, meeting these deadlines could become increasingly difficult.
Slow adoption of Fast Healthcare Interoperability Resources (FHIR). FHIR defines how healthcare data is exchanged between different computer systems, regardless of how that data is stored within the systems. Many organizations haven’t adopted FHIR; there are nuances around adoption, and extensive testing is often required. Additionally, many organizations are delayed because their IT vendors haven’t adopted the necessary technology. That’s why it’s important to partner with vendors that are leveraging FHIR technology to meet Cures Act requirements.
The need for unique patient identifiers. Increased merger and acquisition activity along with changing regulations underscore the need for unique patient identifiers. These identifiers ensure the right person is accessing the right record—a critical element to staying compliant with HIPAA and the Cures Act. What’s more, if a healthcare organization sends a patient record through an interoperability component, a unique identifier must be in place to transfer that data.
Tips for preparing
Healthcare organizations should be actively working on preparations for the Cures Act. They should start by assessing existing capabilities and identifying potential gaps as well as strategies for addressing those areas. Steps to consider include:
Evaluate your existing archive. The ability to retrieve data at the point of care and make corrections as needed is important to patient care. An active archive provides staff with a complete view of the patient record and prevents the need to scroll through multiple records to find the right person. This capability is critical when considering HIPAA compliance and meeting new Cures Act requirements.
Evaluate strategy and implementation planning. The sooner you work on a plan to meet new requirements, the better. The plan needs to define all necessary processes, steps, technologies, and staff members who need to be evolved to comply with the changes. It’s also important to consider the benefits of adopting unique identifiers to help you meet interoperability requirements and safely allowing the patient’s the ability to access their own records.
Get outside help. Attend a boot camp or training program that helps with conducting an internal assessment of where your organization is today, and what action needs to be taken for your organization to get compliant. Organizations also need clearly written policies and procedures, especially in the area of exceptions. If you don’t release or delay a release of a patient record, for example, you need a written policy in place that explains why or the action could be considered information blocking.
Evaluating where you are with meeting the Cures Act requirements, and identifying any potential gaps, is important for ensuring that you’re on the right path to compliance. Careful implementation of the tools and technologies that support compliance will play an important role in improving patient care and will ensure that only authorized parties access data and that they do so in a way that is compliant with changing regulations.