Assess Your Cures Act
Compliance in 5 Minutes or Less

Information blocking was officially banned by the Cures Act on April 5, 2021. The definition of information blocking includes “any practice (act or omission by an actor,) that is not required by law or covered by an exception and that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).

The definition of Electronic Health Information (EHI) was expanded on October 6, 2022, to include all information in a HIPAA Designated Record Set (DRS). This includes medical, billing, and imaging records, as well as any other records used to make decisions about the patient.

The deadline for activating SMART on FHIR capabilities was December 31, 2022. This important update improves interoperability across the health IT landscape and promotes the speedy development of secure, compliant tools for healthcare professionals.

The deadline for implementing bulk EHI exports, or the release of the entire set of PHI for one or several patients, is December 31, 2023. This is the final deadline outlined by the Cures Act, and it will be especially crucial come audit season.

Everybody in your organization plays a part in continued Cures Act compliance, and the only way to help your team avoid noncompliance pitfalls is to ensure they’re trained to understand how this legislation impacts the release of information.

Between the HIPAA Right of Access Initiative and the Cures Act information blocking regulations, the government requires consistently fast ROI turnaround times. Any delays beyond the 30-day deadline require clear communication, documentation, and a compliant reason for the delay.

The healthcare industry is one of the most common targets for cyberattacks, and the rate of attacks has spiked in 2023. PHI often contains everything a criminal needs to commit identity theft, so it’s crucial to take every security precaution necessary to protect sensitive patient data both at rest and in transit.

In the case of an information blocking complaint investigation, one of the worst things your organization can say is, “I don’t know.” In order to prove that your team hasn’t engaged in information blocking activities, you may need to provide specific times, dates, and communications.

Factors beyond your organization’s control, like software maintenance, natural disasters, and other similar situations, can make it impossible to access or release EHI. In these situations, it’s important to document any issues to protect your organization from information blocking claims.

As regulations evolve, so must the processes healthcare organizations follow to ensure compliance and avoid fines. Outdated policies and procedures (such as only releasing medical records via fax) can leave compliance gaps that may lead to penalties of up to $1 million per violation.

The Cures Act essentially requires compliance from each individual and organization involved with health IT or the release of information. In order to protect your organization from noncompliant vendors, your team should ensure your BAA contracts reflect the Cures Act regulations.

Overly complicated instructions or a complete lack of instructions may qualify as “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI)” per the information blocking definition.