Chiropractors will have a once in a lifetime opportunity that brings them into a greater role in a patient’s healthcare lifecycle. Technology will connect patient records from all licensed providers and organizations and will analyze, organize, and be distributed across the entire healthcare platform. It is the first step into connecting patients to your service, skillset and providing an all-encompassing value-based care for your patients.

– Brad Cost, CEO, Infinedi and other healthcare data analytic companies

As we have been outlining for chiropractic physicians over the last few months, the 21st Century CURES Act is federal law that is designed to promote “innovation in the health care technology ecosystem to deliver better information, more conveniently, to patients and clinicians. It also promotes transparency, using modern computers, smartphones, and software to provide opportunities for the American public to regain visibility in the services, quality, and costs of health care.” 

In the last article, we discussed interoperability and its role for the patient, provider, and your practice. The other major component of the Cures Act prohibits information blocking, which are practices that prevent interoperability from taking place.

What is Information Blocking?

Information blocking is a practice that a healthcare provider knows is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).[1] Although HIPAA has controlled for the last two decades how providers handle records, the Cures Act shifts providers’ record sharing practices. HIPAA outlines situations when a provider may share health information, but the Cures Act requires the provider to share health information (with certain exceptions, including privacy, of course).

In short, the regulations shift our mindset from, “Do not disclose records unless these provisions are met,” to, “Share these records unless these exceptions exist.” Do not worry – the records are still protected for HIPAA privacy purposes.

What is Electronic Health Information (EHI)?

Interestingly, the rules for the Cures Act are extremely broad when describing what types of EHI are covered under the Cures Act.  The Cures Act rules incorporate HIPAA definitions about what is covered, as follows: “electronic protected health information (ePHI) to the extent that the ePHI is included in a designated record set as these terms are defined for HIPAA.”[2] HIPAA defines a designated record set to include medical records, billing records, and information used, in whole or in part, by or for the covered entity to make decisions about individuals.” As you can see, this law will impact nearly every facet of information maintained by doctors and other health care providers about their patients.

Understanding that it may take some time for providers and IT developers to create systems to handle this broad definition, the Office of the National Coordinator of Health Information Technology (ONC) is initially requiring inclusion of only some elements of a patient’s medical record (referred to as “United States Core Data for Interoperability” or “USCDI V1 dataset”). This list is closer to the required elements many of you may remember from the EHR incentive program (i.e. height, weight, smoking status, notes, etc.).  You can see the full listing here.[3] This version of required core data will be in effect for the first 18 months after April 5, 2021.

However, beginning on October 6, 2022, EHI will include the entire suite of electronic health information that includes medical records, billing records, and more. This will require that providers find a way to transmit even their practice/patient management software data, along with EHR.

Who Does the Information Blocking Prohibition Affect?

Interestingly, the Cures Act impacts more than just healthcare providers. Health information technology developers (EHR vendors included) that have certified software, health information exchanges, and health information networks are also included in the Cures Act. It is critical to note that, even though the Act does not require systems to obtain certification, nor does it require providers to use only certified systems, , it DOES require healthcare providers to comply with the information blocking regulations “regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.”[4]

More specifically, the Cures Act, by federal statute reference to physician, specifically includes chiropractic physicians.[5] Thus, we gain all of the benefits of the Cures Act but also have the professional responsibility to comply with its regulations.

The CURES Act refers only to electronic health information, and practices that have any patient data in an electronic format must have a method to share that data. This means that practices that utilize ONLY paper charts, appointment books, and billing would not be subject to the Cures Act regulations. However, practices that use paper charts are still covered under HIPAA, so all of the patient right of access rules still apply in those cases, even in rare cases where the Cures Act does not.  Those patients have a right to request and obtain a broad array of records, whether maintained on paper or as electronic health records, without the imposition of unreasonable barriers by the provider.

When Do the Information Blocking Prohibitions Begin?

Beginning on April 5, 2021[6], the Cures Act specifically prohibits “actors” (specifically including chiropractic physicians) that have electronic health information (“electronic protected health information”) from information blocking through several requirements.

To see a full timeline for additional upcoming deadlines, see this chart.

What are the Exceptions to Information Blocking?

As mentioned above, the Cures Act is designed to require the sharing of information–unless an exception is met. Of course, the exceptions are the most important compliance consideration when providers work to adhere to the provisions of the Cures Act. The exceptions are designed more as a provider “safe-harbor” that will help them identify when they will not be considered to be information blocking. This article will cover only the baseline information for the exceptions; our next article will provide the practical steps for exercising an exception while providing the information requested.

According to the ONC, requested health information MUST be provided unless one of these exceptions is met:[7]

Exceptions that involve not fulfilling requests to access, exchange, or use EHI:

  • Preventing harm exception,
  • Privacy exception,
  • Security exception,
  • Infeasibility exception, and
  • Health IT performance exception)

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:

  • Content and manner exception,
  • Fees exception, and
  • Licensing exception.

These exceptions are put into two very distinct categories: 1) exceptions for when it is acceptable NOT to share the records; and 2) exceptions based on procedures for fulfilling the requests. That means that those exceptions in the second grouping apply only to the procedures used for providing the information but still require that the information be provided. The CCA will cover these in more detail in our next article.

How Does the Information Have to be Shared?

This information must be provided in the way it is requested, unless an exception applies and is met. The list of EHI elements that must be provided when requested will increase beginning October 6, 2022, as many elements will be added at that time. 6

The Cures Act defines standards for the transmission of the information, including a specific structured dataset that defines the fields and transmission methods. This includes application programming interfaces (APIs) designed to communicate the information across many platforms, applications, and mobile applications (see Patient Request section below).

In order to help providers comply with this requirement, electronic health information systems, including EHR systems that are certified, are required to meet the data requirements. Providers should follow-up with their EHR providers to find out if they intend to meet the new certification requirements.

How Will Patients Make Requests for EHI?

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones. A core part of the rule is patients’ control of their electronic health information which will drive a growing patient-facing healthcare IT economy, and allow apps to provide patient-specific price and product transparency.” – Don Rucker, M.D., National Coordinator for Health Information Technology

We expect to see health information requests come from many different directions. When releasing the final rule, the ONC clearly indicated that the purpose was to allow patients to access their medical records from multiple providers and multiple systems in one place. In fact, they state, “patients will be able to securely and easily obtain and use their electronic health information from their provider’s medical record for free, using the smartphone app of their choice.”[8]

Over the next few years, most of the requests will come from patients or other requestors on patients’ behalf, typically from health app developers. There are a significant number of medical record apps available in the Apple Store and in Google Play, and according to research, the number of mobile health apps available in the Apple Store nearly doubled over the last 6 years.[9] Apple has even recently released its own patient-centric health app for records, appointments, etc.[10]

How Much Time Do We Have to Comply with a Request?

The Cures Act does not change the timeframe currently required under HIPAA. However, according the rules, providers “must fulfill the request without unnecessary delay.”[11] HHS further weighs in on the timeliness of responding to a request under HIPAA and states, “The 30 calendar days is an outer limit and covered entities are encouraged to respond as soon as possible.”

This means that providers cannot simply “slow play” the requests, and HHS believes that patients “may reasonably expect a covered entity to be able to respond in a much faster timeframe when the covered entity is using health information technology in its day-to-day operations.” Since the Cures Act is specific to providers housing EHI, it is safe to say that the Office of Inspector General (OIG) will expect quick turnarounds on these patient requests.

Additionally, if you were not aware, HHS has released new HIPAA rules that aim to reduce record request compliance time from 30 days to 15 days. Although this change is not final, we do expect it to be final toward the end of 2021.

What are the Consequences of NOT Complying with the Cures Act?

The current enforcement provisions in the Cures Act may be akin to a “slap on the hand” for most providers, because the OIG will only refer information blockers “to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law.”[12] Disincentive reporting, as described will therefore impact doctors covered under MIPS more than other doctors.

However, although we believe this would only be used in very rare cases, some legal experts believe that practitioners in serious violation could be reported to Medicare for possible exclusion. This, of course, would be a devastating blow to those practices.

In addition to enforcement consequences for providers, developers of certified health information technology along with health information exchanges and networks are subject to civil monetary penalties of up to $1,000,000 per violation.

Another key consideration will be a newly established standard of care. Chiropractic physicians should not simply ignore the requirements simply because the penalties are not significant. Instead, the profession should consider that most of the other healthcare professions will be adhering to the new requirements, thus establishing a new expectation from patients and a standard of care for all providers.

What is Next?

The CCA will be publishing another article that will walk through the particulars of each of the exceptions and how they will apply in your office. This will give more practical guidance to our doctors in how to implement the Cures Act in their practices.

Doctors should reach out to their EHR vendors to request their plans for complying with the Cures Act. It is important to note that, although EHI vendors are NOT required to become certified, providers that have EHI are required to comply with Cures. That means that a doctor’s EHR vendor may decide to forgo certification, and the doctor will have to find a way to provide requested information on his/her own.