Technology is increasingly at the heart of healthcare, and navigating all this new technology, including providing the right electronic access to protected health information (PHI), to the right people, can be headache-inducing. The cure? The recently passed 21st Century Cures Act (see what we did there?) which provides new requirements and guidance around the exchange, access, and use of electronic protected health information (ePHI).
The Cures Act’s requirements are set to go into effect on November 2, 2020 – read on for what your practice needs to know before then.
What is the Cures Act, anyway?
A complement to existing HIPAA laws, the Cures Act is designed to further outline how practices and healthcare app providers should be navigating the balance between providing patients access to their ePHI while maintaining their data privacy and security.
In short, it provides patients clear access to their data – in the ways they choose to receive it – while outlining clear requirements for providers and app developers to promote patient access and prevent information blocking all with the right technical safeguards to protect health information.
So what’s changed?
The Cures Act does make some specific changes that may affect your healthcare operations, including:
- Preventing information blocking (the deliberate blocking of access, exchange or use of health data). Information blocking can prevent or delay proper treatment of patients, reduce patient access to their ePHI, and (though HIPAA is often incorrectly used to justify information blocking) violate HIPAA requirements.
- Not 100% what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking.
- The act also creates standardized application programming interfaces (APIs) which will allow patients to access their structured ePHI using a wider variety of smartphone applications.
- In addition, it includes a provision requiring patients be able to access their electronic health information (EHI) – a term signifying the same data as what constitutes ePHI – structured or unstructured, at no cost.
What do I need to do about it?
The final rule establishes additional policies that supplement existing HIPAA programs. To best comply with these new requirements, your practice should:
- Ensure that you have a complete HIPAA compliance program in place. This is still the foundation for protecting patient data, and underscores what the Cures Act entails – including patient access policies, technical safeguards, and more. Already an Abyde customer? High-five! You’re good to go here!
- Reevaluate or remove any existing barriers to information sharing with appropriate covered entities or with patients.
- Review technology systems to ensure the ability to link to or interact with any approved API connection to transfer patient data. If you need to review this with your IT provider, now is the time to get in touch!
The biggest takeaway from all this? HIPAA. Doesn’t. Change. All the same safeguards and policies you have in place still apply under the Cures Act – they are just supplemented by new ways to better use patient data and prevent information blocking. These new standards of innovation mean that patients can soon access their medical records on hand (literally) through their app of choice, and will continue to pave the way for HIPAA to interact with advancing technology.
You can read more on the Cures Act by visiting the ONC Cures Act website, or reading through the full Cures Act final rule text (if you do, we would be seriously impressed – but before you read all 320 pages, know that the Abyde team is here to help translate all this legal-ese into something that actually makes, well, sense.)