||H.R. 34, the 21st Century Cures Act
|Privacy Protections for Human Research Subjects
||Sec. 2012, Sec. 2013
- Directs the Secretary of HHS to issue certificates of confidentiality to researchers that receive federal funding. Allows the Secretary of HHS to also offer certificates to privately funded researchers.
- Prohibits researchers to whom certificates are issued from disclosing the names of participants or any other identifiable data gathered during research except: (a) when required by federal, state, or local law, (b) it is necessary to treat the individual in question, (c) the individual gives consent, or (d) when the disclosure of information is for the purpose of other research in compliance with privacy laws.
- Prohibits researchers who are issued certificates from being compelled to disclose identifiable, sensitive information about participants that was gathered during research.
- Grants immunity from the legal process to all identifiable, sensitive information gathered during research. Such information can only be used in legal proceedings with the consent of the research participant. All of these protections are afforded in perpetuity.
- Allows the Secretary of HHS to exempt individual biomedical research data from being disclosed if the data is identifiable or could be used for identification. In such instances, the Secretary is required to submit a written basis for each disclosure exemption and make it available to the public upon request to the Chief Freedom of Information Act Officer at HHS.
|Data Sharing for Research Purposes
- Requires the Secretary of HHS to issue guidance clarifying that researchers may remotely access protected health information provided certain security and privacy safeguards are maintained by the covered entity and the researcher and the protected health information is not copied or otherwise retained by the researcher.
- Requires the Secretary of HHS to issue guidance clarifying circumstances under which the authorization for the use or disclosure of protected health information for future research purposes contains a sufficient description of the purpose of the use or disclosure. The guidance must include: (a) whether the authorization sufficiently describes the purpose of the use or disclosure such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for future research; (b) whether the authorization will expire on a particular date or after the occurrence of a particular event; or whether the authorization will remain valid unless and until it is revoked by the individual, and (c) instructions to the individual on how to revoke the authorization.
- Requires the Secretary of HHS to issue guidance clarifying the circumstances under which it is appropriate to provide an individual with an annual notice or reminder of his or her right to revoke the authorization. The guidance must include appropriate mechanisms by which an individual may revoke the authorization for future research purposes.
- Establishes a working group to study and report on the uses and disclosures of protected health information for research purposes under the Health Insurance Portability and Accountability Act (HIPAA).
|Reducing Documentation Burden for Providers
- Requires the Secretary of HHS to establish a goal and develop a strategy to reduce regulatory or administrative burdens related to the use of electronic health records (EHRs).
- Allows a physician, to the extent consistent with state law, to delegate electronic medical record documentation requirements specified by the Centers for Medicare and Medicaid Services (CMS) to a person performing a scribe function who is not a physician provided the physician has signed and verified the documentation.
- Requires the Office of the National Coordinator for Health IT (ONC) to encourage voluntary certification of health information technology (HIT) for use in medical specialties and sites of service where no such technology is available or where more technological advancement or integration is needed.
|EHR Reporting System
- Requires a HIT developer to attest, as a condition and maintenance of certification that it: (a) did not engage in information blocking, (b) provided assurances that it will not engage in information blocking or take any action that may inhibit the exchange, access and use of electronic health information unless for a legitimate purpose specified by the Secretary of HHS, and (c) did not prohibit or restrict communication regarding the usability, interoperability or security of HIT. The developer must also demonstrate that it does not prohibit or restrict information regarding: (a) users’ experiences when using HIT, (b) its business practices related to exchanging electronic health information, and (c) the manner in which a user has used the technology. The developer must also attest that it published application program interfaces (APIs) and allows health information from such APIs to be accessible, exchanged and used without special effort through the use of APIs or successor technologies or standards, including providing access to all data elements of a patient’s EHR to the extent permissible under applicable privacy laws. The developer must also attest that it has successfully tested the technology for interoperability in the setting in which it will be marketed.
- Provides a hardship exemption for eligible professionals (EPs) and eligible hospitals (EHs) under the Meaningful Use EHR Incentive Program and the Merit-based Incentive Payment System (MIPS) if the Secretary determines the EP is unable to participate properly because their certified EHR technology has been decertified. The hardship exemption will be offered to EPs on a yearly basis and subject to annual renewal. The hardship exemption will also be offered to EHs on an annual basis.
- Requires the Secretary of HHS to convene stakeholders to develop a reporting system that collects information that would help providers select appropriate EHR products. The reporting criteria would include the evaluation of certain functionalities of EHR systems including: security, usability and user-centered design, interoperability, conformance to certification testing, and other factors necessary to measure the performance of EHR technology.
- Defines interoperability as HIT technology that: (a) enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user, (b) allows for the complete access, exchange, and use of all electronically accessible health information for authorized use under applicable state and federal laws and (c) does not constitute information blocking.
- Requires the U.S. Government Accountability Office (GAO) to submit a report to Congress that reviews the policies and activities of ONC and other stakeholders to ensure that appropriate patient matching is occurring to protect patient privacy and security. Also requires the GAO to survey ongoing efforts and the relative effectiveness in the private sector in correctly matching a patient to their information.
- The GAO must evaluate current methods used in certified EHRs for patient matching and focus on such factors as the privacy and security of patient information, improving patient matching rates and reducing duplicate records. The GAO must also determine whether ONC could improve patient matching: (a) by defining additional data elements to assist in matching, (b) by agreeing on a required minimum set of elements needed to be collected and exchanged, or (c) by requiring EHRs to have the ability to make certain fields required and use specific standards as well as other options recommended by stakeholders.
|Digital Provider Directory
- Beginning in 2019, requires the Secretary of HHS to establish a digital provider directory that includes contact information for health professionals and health facilities. The Secretary may use an existing provider directory to make such digital contact information available. An index will ensure that contact information is available at the individual provider level and at the health facility or practice level.
|HIT Advisory Committee
- Replaces the ONC HIT Policy and Standards Committees with a new HIT Advisory Committee. The committee’s purpose is to recommend standards, implementation specifications and certification criteria relating to the implementation of health IT infrastructure that advances the electronic access, exchange and use of health information. The committee will recommend an order of priority for the development, harmonization, and recognition of standards, specifications and certification criteria including recommended standards, architectures, and software schemes for access to electronic individually identifiable health information across disparate systems including user vetting, authentication, privilege management and access control.
- The committee will make recommendations on at least each of the following areas: (a) achieving a HIT infrastructure, nationally and locally, that allows for the electronic access, exchange and use of health information, including through technology that provides accurate patient information for the correct patient, (b) the promotion and protection of privacy and security of HIT, including technologies that allow for an accounting of disclosures and protections against disclosures of individually identifiable health information made by a covered entity for purposes of treatment, payment and healthcare operations including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing the reluctance of patients to seek care and (c) the facilitation of secure access by an individual of their protected health information including a family member, caregiver or guardian acting on behalf of a patient.
- The committee will also, in the development, harmonization or recognition of standards and implementation specifications, provide for the testing of such standards and specifications by NIST.
- Requires ONC to establish and update as appropriate, objectives and benchmarks for advancing and measuring the advancement of the above target areas.
- The committee, in consultation with ONC, must submit an annual report to the Secretary of HHS and Congress on the progress made in achieving a HIT infrastructure that allows for the electronic access, exchange and use of health information.
|Trusted Exchange Network
- Requires ONC, in collaboration with NIST and related agencies, to convene partnerships to build and support a voluntary trusted exchange framework for trust policies and practices and for the creation of a voluntary common agreement for exchange among health information networks nationally (i.e., a “network of networks”).
- Requires ONC, in collaboration with NIST, to provide technical assistance on how to implement the trusted exchange framework and common agreement. ONC and NIST will also provide pilot testing of the trusted exchange framework and the common agreement.
- Requires ONC to publish on its website and in the Federal Register, the trusted exchange framework and the common agreement in a manner that protects proprietary and security information, including trade secrets and other protected intellectual property. Also requires ONC to publish on its website a list of health information networks that have adopted the common agreement and are capable of trusted exchange pursuant to the common agreement.
- Federal agencies contracting or entering into agreements with health information exchange networks may require such networks to adopt the trusted exchange framework and the common agreement as a condition of the contract and/or agreement.
- The trusted exchange framework and common agreement will take into account existing trusted exchange frameworks and agreements used by health information networks to avoid disrupting existing exchanges and to avoid duplication.
|Health IT Standards
- Requires the Secretary of HHS in adopting and implementing standards to give deference to standards published by standards development organizations (SDOs) and voluntary consensus-based standards bodies.
- ONC must periodically convene the HIT Advisory Committee to identify priority uses of health information technology focusing on priorities arising from the implementation of incentive programs including the Meaningful Use EHR Incentive Program, the Quality Payment Program, the Hospital VBP Program and any other value-based payment programs, or that are related to the quality of patient care, public health, clinical research, the privacy and security of electronic health information, innovation in the HIT field, patient safety, usability of HIT, individuals’ access to electronic health information and other priorities determined appropriate by the Secretary. The committee will also convene to identify existing standards and implementation specifications that support the use and exchange of electronic health information and publish a report summarizing its findings and analysis with subsequent recommendations.
- Analysis by the committee must include an evaluation of the need for a core set of common data elements and associated value sets to enhance the ability of certified HIT to capture, use and exchange structured electronic health information.
- Beginning in 2021 and every 3 years thereafter, ONC will convene stakeholders to review the existing set of adopted standards and implementation specifications and make recommendations with respect to whether they should be maintained or phased out.
- The committee in collaboration with NIST will annually (with public input), review and publish priorities for the use of health information technology, standards, and implementation specifications.
- Nothing in this section will prevent the use or adoption of novel standards that improve upon existing HIT infrastructure and facilitate the secure exchange of health information.
Sec. 4002, Sec. 4004
- Requires, as a condition and maintenance of certification, that a HIT developer not engage in information blocking.
- Defines information blocking as: (a) a practice likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information and, (b) if conducted by a HIT developer, exchange, or network and the entity knows or should know that the practice is likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information, or (c) if conducted by a provider and the provider knows that the practice is unreasonable and likely to interfere with, prevent or materially discourage the access, exchange or use of electronic health information.
- Defines practices that may constitute information blocking including: (a) practices that restrict authorized access, exchange or use of information under applicable state or federal laws for treatment and other permitted purposes including transitions between certified HIT, (b) implementing health information technology in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging or using electronic health information, and (c) implementing health information technology in ways that are likely to restrict the access, exchange or use of electronic health information with respect to exporting complete information sets or in transitioning between HIT systems, or that lead to fraud, waste or abuse or impede innovations and advancements in health information access, exchange and use including care delivery enabled by health information technology.
- Requires the Secretary to identify reasonable and necessary activities that do not constitute information blocking.
- Does not penalize providers for the failure of developers to ensure that the technology does not engage in information blocking.
- Allows the Inspector General (IG) of HHS to investigate claims of: (a) developers offering certified HIT and submitting to HHS a false attestation that it did not engage in information blocking, (b) developers engaging in information blocking, (c) providers engaging in information blocking or (d) health information exchanges or networks engaging in information blocking.
- Developers, networks, and exchanges determined by the IG to have engaged in information blocking will be subject to a civil monetary penalty not to exceed $1 million per violation. Such determination will take into account such factors as the nature and extent of the information blocking, the harm resulting from such action including the number of patients affected, and the number of days the information blocking persisted.
- Providers determined by the IG to have engaged in information blocking will be referred to the appropriate agency to be subject to disincentives under applicable Federal law.
- Allows the IG to refer instances of information blocking to HHS’ Office for Civil Rights (OCR) if the IG determines that a consultation of the Privacy and Security rules under HIPAA would resolve an information blocking claim.
- Requires ONC and OCR to issue guidance on common legal, governance and security barriers that prevent the trusted exchange of electronic health information.
- Allows ONC and OCR to refer to the IG instances or patterns of refusal to exchange health information with an individual or entity using certified EHR technology which is technically capable of trusted exchange and under conditions when exchange is legally permissible.
- Requires ONC to implement a process for the public to report claims of developers or HIT products not being interoperable or resulting in information blocking and actions that result in information blocking.
- Requires EHRs to be technically capable of transmitting to, receiving and accepting data from registries as a condition of certification in accordance with standards recognized by ONC. This includes clinician-led data registries that are certified to be capable of receiving, accepting and transmitting data to certified EHR technology.
- Defines a “clinician-led clinical data registry” as a clinical data repository that is: (a) established and operated by a clinician-led or controlled, tax-exempt, professional society or other similar clinician-led or controlled organization, or such organization’s controlled affiliate that is devoted to the care of a population defined by a particular disease, condition, exposure or therapy, (b) designed to collect detailed, standardized data on an ongoing basis for medical procedures, services or therapies for particular diseases, conditions, or exposures, (c) provides feedback to participants who submit reports to the repository, (d) meets standards for data quality including systematically collecting clinical and other healthcare data, using standardized data elements and having procedures in place to verify completeness and validity of those data and being subject to regular data checks or audits to verify completeness and validity, and (e) provides ongoing participant training and support.
||Sec. 4006, Sec. 4008
- Requires the Secretary of HHS to encourage partnerships between health information exchange organizations, networks and providers, health plans and other entities to offer patients access to their electronic health information in a single, longitudinal format that is easy to understand, secure and may be updated automatically.
- Requires the Secretary of HHS and OCR to: (a) educate providers on ways to leverage health information exchanges to provide patients with access to their electronic health information, (b) clarify misunderstandings by providers about using health information exchanges and (c) educate providers about health information exchanges that employ the capabilities described above.
- Requires OCR to issue guidance to health information exchanges to ensure that the electronic health information provided to patients is private and secure, accurate, verifiable and where a patient authorization is required by law, easily exchanged pursuant to the authorization.
- Nothing in this section preempts state laws applicable to patient consent for the access of information through a health information exchange that provide protections to patients greater than the protections provided under federal law.
- Requires ONC and OCR to promote patient access to health information in a manner that ensures that the information is available in a form convenient for the patient in a reasonable manner without burdening the provider involved.
- Requires the Secretary of HHS to promote policies that ensure a patient’s electronic health information is accessible to the patient and the patient’s designees in a manner that facilitates communication with the patient’s providers and other individuals, including researchers while consistent with the patient’s consent.
- Requires OCR and ONC to assist individuals and providers in understanding a patient’s right of access under HIPAA including providing best practices for requesting personal health information in a computable format, including using patient portals or third-party applications.
- Allows ONC to require that HIT certification criteria support: (a) patient access to their electronic health information, including a single, longitudinal format that is easy to understand, secure and able to be updated automatically, (b) a patient’s ability to electronically communicate patient-reported information (such as family history and medical history) and (c) patient access to their personal electronic health information for research.
- Allows the HIT Advisory Committee to develop and prioritize standards, implementation specifications and certification criteria to support patient access to electronic health information, patient usability, and technologies that offer patients access to their electronic health information in a single, longitudinal format that is easy to understand, secure and may be updated automatically.
- Requires the GAO to submit a report to Congress on the barriers to patient access and the difficulties providers face in providing access to patients. As part of the study, the GAO must consider: (a) instances where covered entities charge individuals, including patients, third parties, and providers for record requests including records that are requested in an electronic format, (b) examples of the amount and types of fees charged to individuals for record requests, including instances where the record is requested to be transmitted to a third party, (c) the extent to which covered entities are unable to provide access to individuals in a form and format requested by the individuals, (d) instances where third parties may request protected health information through patients’ individual right of access, including instances where such requests may be used to circumvent appropriate fees that may be charged to third parties, (e) opportunities that permit covered entities to charge appropriate fees to third parties for patient records while providing patients with access to their protected health information at low or no cost, (f) the ability of providers to distinguish between requests originating from an individual that require limitation to a cost-based fee and requests originating from third parties that may not be limited to cost-based fees and (g) other circumstances that may inhibit the ability of providers to provide patients with access to their records.
|Confidentiality of Mental Health Records
- Requires the Secretary of HHS, upon finalizing the rule for 42 CFR Part 2 (relating to the confidentiality of mental or substance use disorder treatment records), to convene stakeholders to determine the effect of the regulations on patient care, health outcomes and patient privacy.
|Permitted Uses and Disclosures of Protected Health Information of Patients Seeking or Undergoing Mental or Substance Use Disorder Treatment
||Sec. 11003, Sec. 11004
- Requires OCR to ensure that providers, professionals, patients, their families and others involved in mental or substance use disorder treatment have adequate, accessible and easily comprehensible resources concerning the appropriate uses and disclosures of protected health information under HIPAA.
- Requires OCR to issue guidance clarifying the circumstances under which a provider or covered entity may use or disclose protected health information under HIPAA. The guidance must address circumstances where (a) consent is required by the patient, (b) the patient is provided an opportunity to object, (c) the patient is incapacitated or receiving emergency treatment and lacks the opportunity to object, and (d) it is in the best interest of the patient and the patient is either not present or incapacitated. The guidance must also clarify permitted uses or disclosures of protected health information when: (a) communicating with a family member, caregiver or other individual to the extent they are involved in the care of the patient, (b) the family member, caregiver or others who are involved in the patient’s care or care plan including facilitating treatment and medication adherence, (c) listening to the patient or receiving information about the patient from the family or caregiver, (d) communicating with family members, caregivers, law enforcement or others when the patient presents a serious and imminent harm to himself, herself or others and (e) communicating to law enforcement and family about the admission of the patient to receive care at or the release of the patient from a facility for an emergency psychiatric hold or involuntary treatment.
- Requires the Secretary of HHS to identify or recognize private or public entities to develop model training and educational programs to educate providers, regulatory compliance staff and others regarding the permitted use and disclosure of protected health information of patients seeking or undergoing mental or substance use disorder treatment under HIPAA.
|Development of Medicare HCPCS version of MS-DRG codes for similar hospital services
- Requires the Secretary of HHS by 2018 to develop HCPCS versions for MS-DRGs similar to the ICD-10 PCS so that outpatient hospital codes for 10 surgical procedures will be similar to claims coded under inpatient hospital codes.
|Eligible Professionals in Ambulatory Surgical Centers for the Meaningful Use EHR Incentive Program and MIPS
- Excludes physicians who furnish substantially all of their Medicare services at ambulatory surgical centers (ASCs) from penalties under the Meaningful Use EHR Incentive Program and the subsequent program under MIPS. The exclusion ends three years after the Secretary of HHS, in consultation with stakeholders, determines that EHRs are available in the ASC setting.