The Pulse | Monday, April 26, 2021

The Cures Act: What Nursing Professionals Need to Know

By Georgia Reiner, MS, Senior Risk Specialist, Nurses Service Organization (NSO)

In December 2016, President Obama signed the 21st Century Cures Act (“Cures Act”) into law. On May 1, 2020, the U.S. Department of Health and Human Services published the final rule. The act has several elements of interest to health care providers, including regulations designed to facilitate sharing of data for research purposes — thereby accelerating drug and device development — and those designed to improve interoperability so patients have easier access to their health information.

However, the act has the potential to create difficulties for both patients and healthcare providers. Nurse practitioners, registered nurses and other nursing professionals need to understand the act, its benefits and potential risks and how to protect themselves against legal action.

What is the Cures Act?

One of the goals of the Cures Act is to promote patients’ readily available access to information in their electronic health record. Although patients already have the right to access their information under the Health Insurance Portability and Accountability Act (HIPAA), the Cures Act focuses on quick, free access to electronic health information (EHI). This includes consultation notes, discharge and summary notes, history and physical notes, imaging narratives, lab report narratives, pathology report narratives, procedure notes and progress notes. The act requires organizations to have a secure application programming interface so patients can access this information via apps on their personal devices.

Failure to provide patients with access can result in penalties related to information blocking. The act defines information blocking as practices “likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information,” which includes delays in giving access.

The Office of the National Coordinator for Health Information Technology has issued eight exceptions that will not result in penalties for information blocking:

1. Preventing harm
2. Privacy
3. Security
4. Infeasibility
5. Health information technology (IT) performance
6. Content and manner
7. Fees
8. Licensing

The “preventing harm” exception is of particular interest to healthcare providers and states: “It will not be information blocking for an actor [healthcare provider] to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.” It is beyond the scope of this article to review each exception and its associated conditions¹.

The deadline for compliance with most of the act’s parameters that directly impact healthcare providers was April 5, 2021; full compliance with all information-blocking provisions will be required on October 6, 2022.

What Are the Potential Risks?

Although providing patients with access to information is a worthy goal, that access can create problems. For example, a patient with slight chest discomfort who is waiting in the ED to see a provider may access their lab results via their smartphone app and incorrectly assume they don’t have a problem because no test is marked “abnormal.” The patient may then leave without seeing the provider, but later return with serious heart damage.

Another challenge is balancing access with privacy protection. There has been confusion as to what is meant by EHI and how it relates to electronic “protected health information (PHI)” listed under HIPAA. The definition of EHI in the final rule is aligned with the information in HIPAA, so it’s important that nurses are aware of what falls under PHI².

How Can Nurses Protect Themselves?

Nurses, other healthcare providers, administrators and IT personnel should understand the act’s requirements — particularly as they relate to information blocking, including the eight exceptions that will not result in penalties for information blocking (listed above). Before proceeding with acting under an exception, nurses should consult with a risk manager.

It’s also important to know that nurses still need to adhere to state requirements for sharing EHI. If, for example, a state law prohibits sharing certain EHI, nurses should follow the law. And, of course, nurses need to adhere to HIPAA requirements, which include PHI in paper, electronic and verbal formats.

More data may prompt patients to ask more questions. Therefore, it’s a good time for nurses to remember to document patient counseling fully in the health record so they are protected in case of legal action.

Meeting Information Needs

As awareness of the act increases, more patients are demanding access to their EHI. Nurses need to ensure that this access is available, while remembering that it’s up to them to help patients interpret that information correctly and to document education and counseling efforts completely in the health record to protect themselves from liability.

---

Resources

1. www.healthit.gov/topic/information-blocking
2. www.hhs.gov/hipaa/for-professionals/privacy

Additional Resources

• Aebel ES, Newlon AJ. Increased patient access under the 21st Century Cures Act: what it means for providers. Trennan Law. 2020. www.trenam.com/trenam-news/increased-patient-access-under-the-21st-century-cures-act-what-it-means-for-providers.
• Ambulatory Surgery Center Association. 2020 Cures Act final rule. 2020. www.ascassociation.org/asca/federalregulations/overview/cures-act.
• Federal Register. 2020;85(85). 45 CFR Parts 170 and 171.
• Majumder MA, Guerrini CJ, Bollinger JM, Cook-Deegan, R, McGuire AL. Sharing data under the 21st Century Cures Act. Genet Med. 2017;19(12):1289-1294.
• Posnack S. Pssst…information blocking practices, your days are numbered…pass it on.  HealthIT Buzz. 2020. www.healthit.gov/buzz-blog/information-blocking/pssst-information-blocking-practices-your-days-are-numberedpass-it-on.
• Primeau D, James J. Game planning the information blocking final rule. J AHIMA. 2020.  https://journal.ahima.org/game-planning-the-information-blocking-final-rule.
• Office of the National Coordinator for Health Information Technology. Cures Act final rule. Information blocking exceptions. www.healthit.gov/topic/information-blocking.
• U.S. Department of Health and Human Services. 21st Century Cures Act: interoperability, information blocking, and the ONC Health IT Certification Program. 2020. www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification.
• U.S. Department of Health and Human Services. Summary of the HIPAA privacy rule. OCR Privacy Brief. 2013. www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
• What is protected health information? HIPAA J. 2018. www.hipaajournal.com/what-is-protected-health-information.

Disclaimer: The information offered within this article reflects general principles only and does not constitute legal advice by Nurses Service Organization (NSO) or establish appropriate or acceptable standards of professional conduct. Readers should consult with an attorney if they have specific concerns. Neither Affinity Insurance Services, Inc. nor NSO assumes any liability for how this information is applied in practice or for the accuracy of this information.

This risk management information was provided by Nurses Service Organization (NSO), the nation's largest provider of nurses’ professional liability insurance coverage for over 550,000 nurses since 1976. The individual professional liability insurance policy administered through NSO is underwritten by American Casualty Company of Reading, Pennsylvania, a CNA company. Reproduction without permission of the publisher is prohibited. For questions, send an e-mail to service@nso.com or call 1-800-247-1500. www.nso.com

Georgia Reiner, MS, is a senior risk specialist at the Nurses Service Organization (NSO).