You. Me. Who owns the healthcare data? That’s a debate going on since the beginning of time.
However, with the arrival of the 21st Century Cures Act, we’ve finally got an answer to this question – the data belongs to the patient.
Since the implementation of the Cures Act, maintaining a steady flow of electronic data between healthcare organizations and other caregivers, and ensuring that everyone has access to the right data, has never been more important.
The Cures Act, first introduced in 2016, is focused on advancing innovative HIT product developments and ensuring patients have access to their data faster and more efficiently.
This article will cover:
- A Short History of the Cures Act
- What is Electronic Health Information (EHI)?
- What’s not Electronic Health Information (EHI)?
- What is Information Blocking?
- Who does the Cures Act concern?
- What type of healthcare data does the Cures Act cover?
- What are the exceptions to the Cures Act?
- Why MUST your healthcare organizations adhere to the Cures Act?
- What CAN your healthcare organization do about the Cures Act?
- How Triyam can help your healthcare organization navigate the Cures Act?
A Short History of the Cures Act
Anytime anyone talks about healthcare data – the conversation is not complete without mentioning the Health Information Portability and Accountability Act (HIPAA), which was created to have standards to protect a patient’s healthcare data from disclosure without their consent.
Now, the 21st Century Cures Act adds to that law of patient safety and privacy, by ensuring that patients can access their healthcare data easily without any industry malpractices such as ‘information blocking.’
The Information Blocking Rule of 2016 was created to eliminate industry-based blocking practices. The problem was based on Health IT developers who refused to provide patients access to their healthcare data, so that they could acquire revenue or gain new clients. The Cures Act, thus, was created to ensure that this doesn’t happen, and that patients have timely access to their health information within the electronic systems.
The Act mandates that healthcare organizations must make healthcare data available quickly and easily to patients requiring it. Though the Act, does have exceptions based on each case, there are no blanket exceptions available. Health organizations must, under no circumstance, obstruct the access, exchange, or use of electronic health information. The Final Rule also mentions a provision for modern smartphone access, so that patients can access their data anywhere, at any time.
The Cures Act concerns healthcare providers, health IT developers of certified health IT, and health information exchanges (HIEs)/health information networks (HINs) specifically.
What is Electronic Health Information (EHI)?
According to HealthIT.gov, Electronic Heath Information includes electronic protected health information (ePHI) to the extent that it would be included in a designated record set (DRS), regardless of whether the records would be used or maintained by or for a covered entity or business associate.
EHI would include individually identifiable health information that is maintained in electronic media or transmitted by electronic media containing:
- Medical and Billing records of a provider about individuals.
- Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan.
- Records used to make decisions about individuals, whether partial or complete.
What’s not Electronic Health Information (EHI)?
The following health information is not considered EHI:
- As defined in 45 CFR 164.501: Psychotherapy notes.
- Information collected for current or future use in a civil, criminal, or administrative action or proceeding.
- Family Educational Rights and Privacy Act: Individually identifiable health information in education records.
- 20 U.S.C. 1232g(a)(4)(B)(iv): Individually identifiable health information in records.
- A covered entity in its role as employer holding individually identifiable health information in employment records.
- Individually identifiable health information regarding a person who has been deceased for more than 50 years.
- As defined in 45 CFR 164.514: The de-identified protected health information.
What is Information Blocking?
Information blocking is a practice by an ‘actor’ that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or a Cures Act exception.
According to 45 CFR §171.103, Information blocking means that a practice:
- Except required by law or covered entity interferes with the access, exchange, or use of electronic health information.
- If conducted by a health IT developer of certified health IT, a health information network or health information exchange is aware of any interference with the access, exchange, or use of electronic health information.
- If conducted by a health care provider, such a provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.
- Uses technology in a manner that leads to fraud, waste, abuse, or impedes innovations and advancements for health information access, exchange, and use.
Healthcare organizations must acknowledge that just like HIPAA, the Cures Act does not tolerate preventing sharing of electronic health information (EHI,) unless for exceptions; and therefore, they must find ways to collaborate with all parties involved and share the health information with the requestor at the earliest. The Cures Act, after all, is becoming the norm for 21st-century healthcare information exchange.
Who does the Cures Act concern?
There are 3 main actors that the Cures Act concerns, as mentioned in the Final Rule.
They are Health Care Providers, Health IT Developers of Certified Health IT, and Health Information Networks (HIN)/ Health Information Exchanges (HIE).
- Healthcare Providers
- Health IT Developer of Certified Health IT
Health Information Developer of Certified Health IT means an individual or entity other than a healthcare provider that develops and uses health IT technology for itself.
- Health Information Network or Health Information Exchange
Health Information Network or Health Information Exchange refers to an individual or entity that controls or enables the use of technology or services for access, exchange, or use of electronic health information.
HIE or HIN even applies to:
- More than two unaffiliated individuals or entities that are enabled to exchange health information with each other.
- Individuals or entities subjected to sharing information related to treatment, payment, or health care operations purposes.
Does your organization fall under one of these categories?
If yes, then it’s high time you understand all the data classes that you need to be able to access and share as per the baseline provided by the United States Core Data for Interoperability (USCDI.)
What type of healthcare data does the Cures Act cover?
The United States Core Data for Interoperability (USCDI) is described as a standardized set of health data classes that establishes a baseline set of data that can be exchanged nationwide for an interoperable health information exchange. Healthcare organizations must be careful when dealing with the sharing of health information as it may include information that the organization might never even consider as a part of the designated record set.
Data Classes and Data Elements
Learn details about each of the data classes or elements here.
What are the exceptions to the Cures Act?
Now, that your healthcare organization knows what data is covered by the Cures Act, you might wonder if there are exceptions for sharing health information with the requestor and what cases would not be labeled as ‘information blocking’.
As of today, there are eight exceptions mentioned by the 21st Century Cures Act. These categories are as follows:
Learn details of each of the exceptions listed here.
Why MUST your healthcare organizations adhere to the Cures Act?
Your healthcare organization must be familiar with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the associated HIPAA Rules. The Act focuses on making healthcare information available for access, exchange and use. Cures Act focuses on a similar target. However, the data that HIPAA covers usually involves Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), while Cures goes a step further and covers Electronic Health Information (EHI) which includes all ePHI (previously covered in HIPAA) and additionally ‘all’ the health data in the Designated Record Set (DRS.) Also, the health information extends to paper portions of the DRS. So, it is important that your healthcare organization has access to all of their EHI in DRS as well.
One of the main reasons, healthcare facilities strictly followed the HIPAA law was to avoid penalties. After all, HIPAA Penalties ranged from Tier 1 (Minimum of $100 per violation) to Tier 4 (Minimum of $50,000 per violation), and serious Tier 4 violations could cost an organization up to $1.5 million.
Similarly, the failure of meeting the requirements of the Cures Act could cause healthcare providers to face huge penalties, and they would be dealt with appropriate disincentives based on the violation as set forth by the HHS Secretary. Health IT developers of certified health IT and HINs and HIEs will be subjected to civil monetary penalties (CMPs) up to $1 million per violation and may lose certification with the public listing of the certification ban and termination.
What CAN your healthcare organization do about the Cures Act?
To avoid the hefty penalties imposed by HIPAA and the Cures Act, healthcare organizations sometimes resort to creating a policy and documenting all information about their data, and making a note of any necessary Act exceptions that their organization falls into. But, here’s the catch – Your healthcare organization thinks it’s an exception, the statutory body might not think so – and the next thing you know is that your organization is paying huge fines over a violation that your organization thought was an exception.
Thus, to remain compliant, most healthcare organizations will usually avoid the risk and decide to store as much as data that they can by transitioning to a new EHR instead. As a solution to this, healthcare organizations tend to decide to migrate their data to the new EHR.
But data migration comes with its own set of challenges and healthcare organizations may not be able to completely migrate ‘all’ data due to the various complex data sets and incompatibility with the new system. However, the Cures Act, requires that ‘all’ data sets covered by United States Core Data for Interoperability (USCDI) must be available at any point in time. Therefore, it is recommended that healthcare organizations consolidate their data from multiple Electronic Health Records (EHR,) Electronic Resource Planning (ERP,) Electronic Medical Records (EMR), business and financial systems into an active archive, with the help of data archiving. After all, archiving legacy data helps acquire data from source systems that includes the DRS.
Data Archiving ensures that ‘all’ data sets mentioned in United States Core Data for Interoperability (USCDI) is extracted, cleansed, archived and consolidated into a single cloud-based archival solution, thus ensuring that an organization complies with the Cures Act completely. This is not possible with data migration, as ‘some’ of the data would be left behind in legacy systems with that process, due to various data format incompatibility issues, and would instead lead the organization to pay additional application, maintenance and support costs to maintain the legacy systems.
However, we do recommend that ‘some’ operational legacy data is migrated to the new system and the remaining legacy data (USCDI-mentioned data sets) is retained and accessed in the archive. Archiving also ensures that all data is cleaned and mapped with unique patient identifiers.
By using a cloud-based archive, the healthcare organization no longer needs to log into multiple legacy systems for a single Release of Information request. The archival solution has standard and custom APIs that would allow the healthcare organization to have interoperability with several other new systems, which is a consideration required by the Cures Act (interoperability using API and FHIR technology), and thereby helping the healthcare organization access data using Single Sign-On.
Additional features and benefits that come with the advanced technology of an archive can help healthcare organizations deliver robust patient access to health information in United States Core Data for Interoperability (USCDI) determined formats and on any device as needed. Additionally, the Business Intelligence feature of a cloud-based archive can help ‘drill’ into legacy data and gain valuable insights that could be used for business gains. Thus, by adapting to the Cures Act – through data archival, organizations could get business success in the long run.
How Triyam can help your healthcare organization navigate the Cures Act?
Triyam helps various healthcare organizations archive their historical patient data to its cloud-based archival solution, ‘Fovea EHR Archive.’ Our solution helps organizations, decommission their legacy systems, and save costs, while meeting statutory retention requirements. In Fovea, providers can easily search for a patient, view records, and download historical data including data sets as per the United States Core Data for Interoperability (USCDI). Triyam’s solution and services are compliant with the Cures Act.
Triyam can archive and host the data in two ways:
Cloud: Triyam hosts Fovea EHR Archive in Microsoft Azure, and organizations can access their data using it from any browser of any device, as well as several go-forward EHRs through API interfacing.
On-premise: The healthcare organization hosts Fovea EHR Archive locally within their Windows Server or virtual machine (VM) environment, which can also be integrated with the go forward EHRs.
At Triyam, we are ready to guide you and help your healthcare organization acquire and manage your legacy data in a way that will help you stay compliant with the Cures Act. Are you ready to learn more?
Contact us today!
Schedule an appointment for a free consultation.