The Cures Act and EHR: What Are the Best Practices

Healthcare professionals and patients in the United States are on the cusp of unprecedented regulatory changes that will impact automation, privacy, security, and how we manage access to patient data. The information blocking and interoperability rules of the 21st Century Cures Act are closely related to HIPAA and will begin to transform the whole industry in October 2022. 

The Cures Act is bipartisan legislation designed to help accelerate medical product development and bring new innovations and advances faster and more efficiently to patients who need them. It includes funding for research, the FDA, and efforts to address the opioid crisis. Notably, the Cures Act created new rules to encourage interoperability, prevent information blocking, and ensure patients can access their electronic health information.

The Cures Act will significantly impact how we manage electronic health information (EHI) and who can access and share patient information. This access and exchange will become more common among:

HIPAA entities:

  • providers  
  • payers

Non-HIPAA entities: 

  • personal health apps
  • mobile smartphone-based health apps 
  • related digital apps
  • any third parties that involve patients, providers, and payers

These rules cover more than just patients’ access to their information. The Cures Act addresses all use cases in which parties exchange health information: those parties will be able to refer to the rules to govern their requests for most uses of patient information, even if they are not directly participating in the process. Denying appropriate access, use, or sharing of EHI may result in a violation of the new information-blocking rules. Today, these rules act as a deterrent but will soon lead to direct penalties.

The interoperability and information blocking rules require the largest investment for providers and practices. Correct data sharing processes are essential for compliance because providers and practices cannot create unreasonable barriers to accessing, sharing, and using EHI. All electronic health record (EHR) interoperability features must be enabled and up-to-date.

Sharing data with your patients and other practices can help you improve outcomes and quality of care. Providing patients with easy access to their EHI can increase satisfaction and involve patients in their care. Seamlessly sharing data with other providers can also improve diagnosis, treatment planning, and outcomes. Complying with the new information blocking rules may require some up-front investment, but the result should be better, more coordinated care.

AIDA is ready to help you leverage the benefits of Certified Electronic Health Record Technology (CEHRT) and comply with the Cures Act the easy way. AIDA enables better patient health outcomes with innovative care transition technology. See what our team can do for your organization by scheduling your demo here.

  • Supports electronic transitions of care, closes referral loops, and gives hospitals straightforward and secure access to their patients’ records for outside organizations.
  • Makes getting patients’ personal health information less time-consuming and tedious for all involved parties while maintaining confidentiality.
  • Enables the use of Application Programming Interfaces (APIs) to help hospitals access and exchange health information in CEHRT more easily.
  • Enables electronic access to health information through advanced and secure technologies, including APIs, which provide patients with greater flexibility and choice in accessing and sharing their health information.

Over time, the Cures Act’s data sharing and interoperability provisions should help improve patient care. These rules, including information blocking rules, are designed to ensure patients can access their data from within apps of their choice. This enables patients to use their EHI in new and innovative ways that ensure that patients who move, switch insurance plans, or switch providers have complete portable medical records to support future diagnosis and treatment decisions.


In theory, patients will have more control over their information, and expanded access, use, and sharing mean that patients and other parties will soon have a highly controlled environment to share health information through a simple, automated online EHI. For example, with prior permission, a patient’s personal health app on a smartphone will be able to collect patient EHI and provide access to others. This convenience represents a giant leap in the accessibility, sharing, and usefulness of patient health information.

The Cures Act defines new requirements for product features, functionality, and program business practices that must be met to maintain EHR certification. EHR providers must complete development, certification, and upgrades within two years of the final rule taking effect. The new standard requires using APIs that conform to the HL7 FHIR Release 4 (R4) specification. EHR providers must adhere to the following business practices to maintain EHR certification:


  1. Encourage the flow of patient information by not violating the information blocking rules
  2. Permit the electronic exchange, access, and use of health information
  3. Don’t stop customer communication with gag rules
  4. Follow API business practices
  5. Conduct annual real-world product testing
  6. Perform product attestation biannually


With these rules, the market should shift towards improving the accessibility of patient information and facilitating patient care. Healthcare providers should not rely on a single EHR provider for critical access to the patient information they need. These rules allow physicians to choose their preferred EHR provider rather than the one their hospital or community works with. While it may seem daunting at first, this will go a long way in helping patients and doctors see the benefits of electronic health records.

Most importantly for practices and providers, the Cures Act introduces new interoperability and data sharing requirements. These new rules are designed to encourage data sharing and ensure patients can access their data.


The most comprehensive of these is the Information Blocking Rule, which took effect on April 5, 2021. Under this rule, EHR providers, health information exchanges, and providers are prohibited from interfering with or preventing access, sharing, or use of EHI, with exceptions for security and privacy. However, the information blocking rules are designed to improve access to EHI, especially for patients. In most cases, practices must respond to requests to share data on time. Violations of information blocking rules are subject to fines of up to $1 million for each instance.


The information blocking rules are rolled out in stages. From April 5, 2021, to October 6, 2022, the new rules apply only to data contained in the United States Core Data for Interoperability (USCDI). After the initial introductory phase, these rules apply to all HIPAA-covered data, including claims and billing.


The Cures Act also includes provisions to encourage the use of APIs. Information blocking rules and others ensure that patients can access their data through the applications of their choice. By requiring EHR providers, health information exchanges, and providers to open their systems to APIs, the Cures Act will encourage innovation in quality comparison tools, health management applications, and cost calculators.

For compliance professionals, there will be a delicate balance between HIPAA, which protects patient information, and the Cures Act rules, which aim to open access to that information. At this point, perhaps the most crucial aspect of the new regulations is the automation of patient access and records management.


Until recently, access to, copying of, and sharing of patient information were permitted only for treatment, payment, and operational purposes; for patient access; by a business associate providing services to covered entities; or for specific purposes following an authorized disclosure, with few exceptions. The bar is notably high for proof of who is requesting information and for ensuring no breaches have occurred. Requests for access to patient information have been handled manually due to poor interoperability, the existence of mixed paper/electronic records, and the lack of automated exchange of information.


These manual processes are ripe for an automation upgrade to increase speed and efficiency, but that requires a federal law. EHRs will improve automation, as will systems containing other designated patient information. Other vendors will offer compliance automation to manage new processes and reduce this risk.


In addition to improved interoperability with API and EHI exports, automation from the new rules covers information blocking incidents and complaint investigations, digital/mobile health applications, and requests related to interoperability and patient access.

HIPAA is often blamed for barriers to patient information disclosure, primarily a byproduct of misunderstanding its complex rules. The result is that the free sharing of patient information is restricted to authorized or otherwise permitted parties, making the free data sharing vision challenging to achieve.


While reducing some of the burdensome aspects of HIPAA is a goal, the Cures Act is not designed to minimize the importance of HIPAA. The idea behind the rules is to create processes that automate the bulk of patient data access, replication, and exchange requests with little or no human intervention. Automating the collection, dissemination, and storage of patient information without HIPAA protections significantly increases the risk of breaches.