In December 2016, President Obama signed the 21st Century Cures Act (“Cures Act”) into law, and the US Department of Health and Human Services published the final rule on May 1, 2020.
In December 2016, President Obama signed the 21st Century Cures Act (“Cures Act”) into law, and the US Department of Health and Human Services published the final rule on May 1, 2020. The act has several elements of interest to healthcare providers, including regulations designed to facilitate sharing of data for research purposes, thereby accelerating drug and device development, and those designed to improve interoperability so that patients have easier access to their health information.
However, the act has the potential to create difficulties for both patients and healthcare providers. Nurse practitioners, registered nurses, and other nursing professionals need to understand the act, its benefits and potential risks, and how to protect themselves against legal action.
What is the Cures Act?
One of the Cures Act’s goals is to speed development of new treatments through a variety of methods, including data sharing. The act also promotes patients’ ready access to information in their electronic health record. Although patients already have the right to access their information under the Health Insurance Portability and Accountability Act (HIPAA), the Cures Act focuses on quick, free access to electronic health information (EHI), including consultation notes, discharge and summary notes, history and physical, imaging narratives, lab report narratives, pathology report narratives, procedure notes, and progress notes. The act requires organizations to have a secure “application programming interface” so patients can access this information via apps on their personal devices.
Failure to provide patients with access can result in penalties related to “information blocking.” The act defines information blocking as practices “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information,” which includes delays in giving access.
The Office of the National Coordinator for Health Information Technology has issued eight exceptions that will not result in penalties for information blocking:
- preventing harm
- health information technology (IT) performance
- content and manner
The “preventing harm” exception is of particular interest to healthcare providers and states: “It will not be information blocking for an actor [healthcare provider] to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.” It’s beyond the scope of this article to review each exception and its associated conditions; more information can be found at www.healthit.gov/topic/information-blocking.
The deadline for compliance with most of the act’s parameters that directly impact healthcare providers was April 5, 2021; full compliance with all information-blocking provisions will be required on October 6, 2022.
What are the potential risks?
Although providing patients with access to information is a worthy goal, that access can create problems. For example, a patient with slight chest discomfort who is waiting in the ED to see a provider may access their lab results via their smartphone app and incorrectly assume they don’t have a problem because no test is marked “abnormal.” The patient may then leave without seeing the provider, but later return with serious heart damage. Or a patient accessing their health record could object to terms or labels used, such as seeing that a nurse listed “male-to-female transgender” as a “health issue” in their record. Issues such as these can affect the clinician-patient relationship between nurses and their patients, and even result in lawsuits.
Another challenge is balancing access with privacy protection. There has been confusion as to what is meant by EHI and how it relates to electronic “protected health information (PHI)” listed under HIPAA. The definition of EHI in the final rule is aligned with the information in HIPAA, so it’s important that nurses review what falls under PHI (see Protected health information).
How can nurses protect themselves?
Nurses, other healthcare providers, administrators, and IT personnel should understand the act’s requirements, particularly as they relate to information blocking, including the eight exceptions that will not result in penalties for information blocking, listed above. Before proceeding with acting under an exception, nurses should consult with a risk manager.
It’s also important to know nurses still need to adhere to state requirements for sharing EHI. If, for example, a state law prohibits sharing certain EHI, nurses should follow the law. And, of course, nurses need to adhere to HIPAA requirements, which include PHI in paper, electronic, and verbal formats.
More data may prompt patients to ask more questions. Therefore, it’s a good time for nurses to remember to document patient counseling fully in the health record so they are protected in case of legal action.
Meeting information needs
As awareness of the act increases, more patients are demanding access to their EHI. Nurses need to ensure that this access is available, while remembering that it’s up to them to help patients interpret that information correctly and to document education and counseling efforts completely in the health record to protect themselves from liability.
Protected health information
HIPAA specifies that PHI is “individually identifiable health information” that relates to the person’s past, present, or future physical or mental health or condition; the provision of healthcare to the person; or the past, present, or future payment for the provision of healthcare to the individual. It refers to information transmitted in any form (verbal, paper, electronic).
Here are items that could be used to identify a person, so they are included under PHI:
- Names (full or last name and initial)
- Geographical identifiers smaller than a state, except for the initial three digits of a zip code (but only under specific conditions)
- Dates (other than year) directly related to an individual
- Email addresses
- Phone, fax, medical records, account, certificate/license, and Social Security numbers
- Health insurance beneficiary numbers
- Device identifiers and serial numbers
- Vehicle identifiers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal, and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code except the unique code assigned by the investigator to code the data.
Nurses should keep PHI information confidential and only share with the patient’s authorization. Failing to adhere to privacy standards may result in significant penalties, as well as legal action
Sources: U.S. Department of Health and Human Services. Summary of the HIPAA Privacy Rule. OCR Privacy Brief. 2013. www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html; What is protected health information? HIPAA J. 2018. www.hipaajournal.com/what-is-protected-health-information.
By: Georgia Reiner, MS, Senior Risk Specialist, Nurses Service Organization (NSO)
Aebel ES, Newlon AJ. Increased patient access under the 21st Century Cures Act: what it means for providers. Trennan Law. 2020. www.trenam.com/trenam-news/increased-patient-access-under-the-21st-century-cures-act-what-it-means-for-providers.
Ambulatory Surgery Center Association. 2020 Cures Act final rule. 2020. www.ascassociation.org/asca/federalregulations/overview/cures-act
Federal Register. 2020;85(85). 45 CFR Parts 170 and 171.
Majumder MA, Guerrini CJ, Bollinger JM, Cook-Deegan, R, McGuire AL. Sharing data under the 21st Century Cures Act. Genet Med. 2017;19(12):1289-1294.
Posnack S. Pssst…information blocking practices, your days are numbered…pass it on. HealthIT Buzz. 2020. www.healthit.gov/buzz-blog/information-blocking/pssst-information-blocking-practices-your-days-are-numberedpass-it-on.
Primeau D, James J. Game planning the information blocking final rule. J AHIMA. 2020. https://journal.ahima.org/game-planning-the-information-blocking-final-rule.
Office of the National Coordinator for Health Information Technology. Cures Act final rule. Information blocking exceptions. www.healthit.gov/topic/information-blocking.
US Department of Health and Human Services. 21st Century Cures Act: interoperability, information blocking, and the ONC Health IT Certification Program. 2020. www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification.
US Department of Health and Human Services. Summary of the HIPAA privacy rule. OCR Privacy Brief. 2013. www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
What is protected health information? HIPAA J. 2018. www.hipaajournal.com/what-is-protected-health-information.
Disclaimer: The information offered within this article reflects general principles only and does not constitute legal advice by Nurses Service Organization (NSO) or establish appropriate or acceptable standards of professional conduct. Readers should consult with an attorney if they have specific concerns. Neither Affinity Insurance Services, Inc. nor NSO assumes any liability for how this information is applied in practice or for the accuracy of this information.
This risk management information was provided by Nurses Service Organization (NSO), the nation's largest provider of nurses’ professional liability insurance coverage for over 550,000 nurses since 1976. The individual professional liability insurance policy administered through NSO is underwritten by American Casualty Company of Reading, Pennsylvania, a CNA company. Reproduction without permission of the publisher is prohibited. For questions, send an e-mail to firstname.lastname@example.org or call 1-800-247-1500. www.nso.com.