The 21st Century CURES Act: What Physicians Need to Know


By: Ray Posa, MBA, Co-Chair of the firm’s HIPAA Compliance Division

The 21st Century CURES Act was passed into law in December of 2016. Many physicians may not have heard of this Act unless they are involved in research. The bulk of this Act has to do with the National Institutes of Health Research and Data Access. It discusses Collaborative Research, Supporting Young Emerging Scientists, Advancing Precision Medicine, Patient Focused Drug Development and on and on for over 300 pages.

The 21st Century CURES Act is designed to provide seamless and secure access, exchange, and use of electronic health information. The rule is designed to give patients and their healthcare providers secure access to health information.

So, the logical question is, what impact does this Act have on my practice? Buried in this Act are provisions on Data Blocking and how these Data Blocking rules apply to your practice. What exactly is Data Blocking? Here is the explanation from the Office of the National Coordinator for Health Information Technology (ONC):

In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).

Section 4004 of the CURES Act specifies certain practices that could constitute information blocking:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT);

  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI.

  • Implementing health IT in ways that are likely to— 
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems; or
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

A lot of the requirements under Data Blocking are focused on EHR companies and the way their products work. When HIPAA was first launched in 2003, the main focus was on patient privacy, and we had the Privacy Rule. As HIPAA has evolved, the government was making a big push to get the medical industry to go paperless. This was to help reduce the huge workload created by paper charts and paper claims. In 2005, we got the Security Rule. The Security Rule specified requirements to help safeguard patient information in a digital environment. These two rules were thorough in their thought and did help enhance patient privacy and data protection.

These HIPAA rules helped establish the technology groundwork. The government was not satisfied with the rate at which healthcare was adopting EHR software. In order to help increase adoption rates of EHR software, the government started a stimulus program called Meaningful Use. This program offered monetary payments to help offset the cost of implementing EHR software in the practice. This program worked, and adoption rates soared above 80%. At this point it looked like “mission accomplished”. Then the devil in the details appeared – the various EHR companies could not communicate with each other; in fact, most EHRs were proprietary. The government, in its zeal to get everything electronic, overlooked seamless sharing. Now we were in an environment that was not much better than paper charts in terms of sharing patient information efficiently.

Over the next couple of years, the government began imposing data sharing requirements on EHR developers through the use of the certification program. The government conditioned stimulus payment to practices by requiring them to only use certified software. This, in effect, put out of business any company that did not have certified software. While the certification program did bring interoperability closer to fruition, there were still gaps. This is where the CURES Act comes in.

The CURES Act aims to increase innovation and competition by fostering an ecosystem of new applications to provide patients with more choices in their healthcare. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access electronic health information using smartphone applications.

The CURES Act includes a provision requiring that patients can promptly electronically access all of their electronic health information (EHI), structured and/or unstructured, at no cost.

The CURES Act supports provider access and exchange of EHI.  The rule implements the information blocking provisions of the CURES Act thus using the data blocking requirements as a means of forcing full interoperability.

The CURES Act also sets out requirements for data sharing as well as exemptions to data sharing, which I will discuss in detail. For now, a practice that does not meet the conditions of an exception would not automatically constitute information blocking. Such practices just would not have guaranteed protection from civil monetary penalties or appropriate disincentives and would be evaluated on a case-by-case basis to determine whether information blocking has occurred.

The exceptions to information blocking are divided into two classes:

  • Exceptions that involve not fulfilling requests to access, exchange, or use EHI; and

  • Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

Exceptions that involve not fulfilling requests to access, exchange, or use EHI:

  • Preventing Harm Exception: It will not be information blocking for a practice to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

  • Privacy Exception: It will not be information blocking if a practice does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

  • Security Exception: It will not be information blocking for a practice to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.

  • Infeasibility Exception: It will not be information blocking if a practice does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

  • Health IT Performance Exception: It will not be information blocking for a practice to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:

  • Content and Manner Exception: It will not be information blocking for a practice to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

  • Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

  • Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

How does a practice comply with the Data Blocking requirements? First, look at your patient portal. This will be your single best method of complying with the CURES Act. I have seen many practices allowing only minimal information in the portal. You should work with your EHR company and make sure your portal is properly configured to allow patients access to ALL of their EHI; again, this will include both structured and unstructured data. By using the portal, the patient can access their information without charge and without expense to the practice.

Second, speak to your EHR vendor and make sure that all lab results, X-rays, MRIs, and CAT scans that you ordered can be imported directly into the EHR and the patient portal.

The CURES Act mandates that patient information be made available to the patient electronically as soon as possible. It is now a right of the patient to request their information and have it available electronically as soon as possible. ONC has set up a reporting website so that complaints for non-compliance can be filed: .

One of the things that the CURES Act does not do is mandate the use of a certified EHR software program. A practice is still free to use paper charts; however, when the patient makes the request for their information, the burden now falls on the practice to take the paper charts and convert them into an electronic format and deliver them to the patient without delay, or the practice would be subject to fines. This is the Catch-22 that the government has set up – they won’t force you to use a certified EHR, but they will penalize you for not being able to deliver information to the patient as mandated by the Act.

The deadline to comply with the Act was March 9, 2020, but it was then extended to April 5, 2021. Do not panic. ONC has said they will not be imposing penalties right away; they will be providing guidance rather than sanctions. The Rule, while it is Final, still has more committee work ahead, and the formal final adoption will be in 2022.

One of the conflicts of the rule is with the HIPAA requirement and your licensing board’s requirement to provide the patient with their information in a reasonable amount of time, 30 days. The Privacy Rule states that the information must be provided upon request. The Office for Civil Rights (OCR) is in the process of modifying the HIPAA Privacy Rule to be in line with ONC’s Data Blocking requirements. OCR is now in an open comment period, so if you would like to comment on the proposed new rule changes, you have till May 6, 2021 to submit comments.

If you have any questions regarding the CURES Act and how it will impact your practice, please feel free to reach out to us, and we will be more than happy to answer your questions. Also, now would be a good time to review your HIPAA policies and procedures, because they will now be subject to more scrutiny. Here at The Nan Gallagher Law Group, we stand at the ready to assist if you are in need of our services. For more information, feel free to contact the firm at (973) 998-8494 or
