1. Does everybody in your organization understand the definition of information blocking?
Information blocking was officially banned by the Cures Act on April 5, 2021. The definition of information blocking includes “any practice (act or omission by an actor) that is not required by law or covered by an exception and that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).”
2. Can your organization share all electronic PHI that a patient may access under HIPAA in any compliant format a patient may request?
The definition of Electronic Health Information (EHI) was expanded on October 6, 2022, to include all information in a HIPAA Designated Record Set (DRS). This includes medical, billing, and imaging records, as well as any other records used to make decisions about the patient.
3. Does your organization have a secure, electronic process for records release that uses SMART on FHIR? (This is a required API designed to help health IT apps communicate with EHR systems.)
The deadline for activating SMART on FHIR capabilities was December 31, 2022. This important update improves interoperability across the health IT landscape and promotes the speedy development of secure, compliant tools for healthcare professionals.
4. Can your organization produce bulk EHI exports?
The deadline for implementing bulk EHI exports, or the release of the entire set of PHI for one or several patients, is December 31, 2023. This is the final deadline outlined by the Cures Act, and it will be especially crucial come audit season.
5. Has your team received training about the Cures Act requirements, their roles in preventing information blocking, and how to use the information blocking exceptions?
Everybody in your organization plays a part in continued Cures Act compliance, and the only way to help your team avoid noncompliance pitfalls is to ensure they’re trained to understand how this legislation impacts the release of information.
6. Does your organization consistently release records within the 30-day HIPAA turnaround deadline (or faster if state statutes apply)?
Between the HIPAA Right of Access Initiative and the Cures Act information blocking regulations, the government requires consistently fast ROI turnaround times. Any delays beyond the 30-day deadline require clear communication, documentation, and a compliant reason for the delay.
7. Is your team trained to understand what is and is not a secure, compliant method of releasing EHI?
The healthcare industry is one of the most common targets for cyberattacks, and the rate of attacks has spiked in 2023. PHI often contains everything a criminal needs to commit identity theft, so it’s crucial to take every security precaution necessary to protect sensitive patient data both at rest and in transit.
8. Does your organization have a documentation process to track request submissions, fulfillment, and use of exceptions?
In the case of an information blocking complaint investigation, one of the worst things your organization can say is, “I don’t know.” In order to prove that your team hasn’t engaged in information blocking activities, you may need to provide specific times, dates, and communications.
9. Does your organization have a process to document system downtime or uncontrollable events that limit access to PHI?
Factors beyond your organization’s control, like software maintenance, natural disasters, and other similar situations, can make it impossible to access or release EHI. In these situations, it’s important to document any issues to protect your organization from information blocking claims.
10. Has your organization reviewed current ROI policies and procedures to verify they’re all compliant with the Cures Act regulations?
As regulations evolve, so must the processes healthcare organizations follow to ensure compliance and avoid fines. Outdated policies and procedures (such as only releasing medical records via fax) can leave compliance gaps that may lead to penalties of up to $1 million per violation.
11. Has your organization reviewed and/or updated business associate agreements (BAAs) to reflect the Cures Act requirements?
The Cures Act essentially requires compliance from each individual and organization involved with health IT or the release of information. In order to protect your organization from noncompliant vendors, your team should ensure your BAA contracts reflect the Cures Act regulations.
12. Does your organization provide requestors with clear, simple instructions to access or request their medical records?
Overly complicated instructions or a complete lack of instructions may qualify as “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI)” per the information blocking definition.