
What Is The 21st Century Cures Act?

The Department of Health and Human Services (HHS) extended the original implementation date for the complex federal regulation aimed at ending information blocking practices that may impede the secure exchange and use of electronic health information by patients, doctors and healthcare organizations. The original effective date was November 1, 2020; the regulation instead went into effect on April 5, 2021.1 On and after this date, it applies to all “actors” (which includes health information networks and exchanges), EHR vendors, and providers.1 This is an important new set of regulations that many practitioners may not be fully acquainted with.

The Cures Act DOES require healthcare providers to comply with the information blocking regulations regardless of whether the software they use is Office of the National Coordinator for Health Information Technology (ONC) certified.1 The Cures Act also does NOT replace the HIPAA regulations we already follow. The implementation of the Cures Act aims to put patients in control of their health records, and pushes for greater interoperability and transparency of electronic health records. It is also meant to give patients electronic access through Electronic Health Interchanges so that they can use their smartphone with an app of their choice, to drive innovation and competition among EHR vendors and, finally, to support patients' need for faster access to their health information with the goal of more efficient and effective care.1

The types of information that one must provide patients as mandated by the 21st Century Cures Act include the following:1

• Notes, consultations, history, discharge summaries;

• Physical exam findings;

• Imaging results and reports;

• Laboratory and pathology results and reports; and

• Procedure notes, operative notes, progress notes.

What Are Examples Of Practices That Could Be Considered Information Blocking?

Section 4004 of the Cures Act specifies certain practices that could constitute information blocking:1

• Practices that restrict authorized access, exchange, or use of information for treatment and other permitted purposes under applicable law, including transitions between certified health information technologies (health IT) or providers;

• Implementing health IT in nonstandard ways likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI (this item seems more directed toward the vendors in how they share technology and improve interoperability);

• Implementing health IT in ways likely to restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems (this item again appears to be to improve patient use of an app of their choice to access their records, regardless of the EMR software that providers are using); or

• Actions that lead to fraud, waste, or abuse, or that impede innovations and advancements in health information access, exchange and use, including care delivery enabled by health IT. This item looks to reduce repeated tests and procedures, and to avoid impeding innovations within care delivery.

What Are Some Exceptions To These Regulations?

The eight exceptions to information blocking work like safe harbors: a practice that satisfies an exception's conditions is shielded from liability and is not considered information blocking. The exceptions are limited to certain activities that the ONC determined are important to the successful functioning of the U.S. healthcare system.

Exceptions fall into two categories: those that involve not fulfilling requests to access, exchange or use EHI (reasonable and necessary activities where the actor does not provide the data, or items one through five); and those that involve procedures for fulfilling requests to access, exchange or use EHI (the actor provides data under certain restrictions, or items six through eight).1 A practice is not considered information blocking in the following scenarios.1

1. Preventing Harm: Engaging in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

2. Privacy: When a request is not fulfilled for access, exchange, or use of EHI in order to protect an individual’s privacy, provided certain conditions are met.

3. Security: When the action is to protect the security of EHI, provided certain conditions are met.

4. Infeasibility: When the request is infeasible, provided certain conditions are met.

5. Unavailability: When health IT is temporarily unavailable, provided certain conditions are met. An example would be when the software is being upgraded or repaired.

6. Limitation Of Content: When one limits the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

7. Fees: When one charges fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met. You may want to consult your state regulations on the reasonable fees that can be charged.

8. Licensing: When one licenses interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.

As noted, each exception has a provision that “certain conditions” are required in order to claim the exception.1 I encourage each one of us to speak with a compliance expert or health care attorney to develop policies and procedures regarding this new regulatory requirement.

EHR vendors can receive up to $1 million in civil monetary penalties per violation. Penalties and other "disincentives" for physicians and all other healthcare providers are not yet known. However, physicians participating in the Promoting Interoperability (PI) Program may see an impact to their Centers for Medicare and Medicaid Services (CMS) Merit-based Incentive Payment System (MIPS) incentives if they are found to be information blockers. I would not be surprised in future updates if civil penalties become assigned to violating providers as the program develops.

Dr. Aung is Chief of the Podiatry Section of the Tenet Health System/St. Joseph’s Hospital in Tucson, Ariz. She is a member of the APMA Coding Committee, the APMA MACRA/MIPS Task Force and is on the Exam Committee of the American Board of Wound Management. Dr. Aung is also on the Editorial Review Board for Wound Management and Prevention. Her website is


1. ONC Cures Act Final Rule 85 Fed. Reg. 25642, 42 U.S.C. 300jj-52; 45 CFR Part 171. Available at: Revised August 4, 2020. Accessed April 6, 2021.

2. Information Blocking FAQs. Available at: . Accessed April 6, 2021.

3. HHS Extends Compliance Dates for Information Blocking and Health IT Certification Requirements in 21st Century Cures Act Final Rule. Available at: Accessed April 6, 2021.
