News & Insights

Does the 21st Century Cures Act Final Rule Require Electronic Health Records on April 5, 2021? 10 Questions Answered.

March 31, 2021

Does the 21st Century Cures Act Final Rule Require Electronic Health Records on April 5, 2021? 10 Questions Answered.
SHARE :           

In a previous article, we mentioned that the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance due date for its implementation of the 21st Century Cures Act (ONC Final Rule) to April 5, 2021. 

Since then, we have received some questions regarding information blocking provisions related to paper records. Below, we answer these questions, highlight select FAQs answered by the ONC and provide risk mitigation strategies for practice staff.

Q1: I didn’t know about the ONC Final Rule, or I would like some resources about the ONC Final Rule. Where can I go for more information?

The ONC Final Rule applies to healthcare clinicians and certified health IT developers (actors) using electronic health information (EHI) and essentially prevents information blocking practices. While the rule does not require actors to allow access to every element within a patient’s electronic medical record (EMR), one goal of the rule is to make the access, exchange and use of EMR easier and cheaper (over time) for patients, healthcare providers and health IT developers.

To understand the rule, first start here.

Using resources from several reputable organizations (ACP, AHIMA, AMIA, APA, CHIME, CMS, MGMA, ONC and others), an Information Blocking Resource Center was created to assist clinicians in complying with the rule. 

Contact the LAMMICO Risk Management and Patient Safety Department if you have additional questions.

Q2: What information must be provided to the patient?

Your EMR system may already grant patients and other providers access to required data elements. Specifically, EHI that must be accessible include those that are represented in the United States Core Data for Interoperability (USCDI) definition of EHI.

These data classes (and specific data elements) can be found on page 4 of this document. Reviewing the list is important, since not every EMR system uses USCDI as a standard.

For instance, if your current EMR system does not already provide access to clinical notes (e.g., consultation, discharge summary, history and physical, procedure, pathology report and more) and a patient requests the clinical notes, you may have to comply, unless an exception applies in your situation. More guidance and enforcement examples should be forthcoming.

Note that on and after October 6, 2022, the information blocking regulations in 45 CFR part 171 will pertain to all EHI as defined in 45 CFR 171.102. More guidance on this should be forthcoming.

Q3: What is information blocking? Are there exceptions?

45 CFR § 171.103 provides the formal definition of information blocking, but in summary, information blocking is (a) a practice by health IT developers who know or should know that such practice is likely to interfere with the access, exchange or use of EHI or (b) a practice by healthcare providers who know that such practice is unreasonable and is likely to interfere with the access, exchange or use of EHI. Before October 6, 2022, EHI is limited to the EHI identified by the data elements represented in the USCDI standard.

There are eight exceptions that are divided into two categories. To best understand the exceptions, read the factsheet from ONC here, but below is a summary:

Exceptions that involve not fulfilling requests to access, exchange or use of EHI:
1. Preventing harm to a patient or another person
2. Protecting an individual’s privacy
3. Protecting the security of EHI
4. Infeasibility
5. Health IT performance (e.g., to operate properly, health IT must be maintained and sometimes taken offline)

Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:
6. Limiting the content of the response to a request or the way it is fulfilled
7. Fees (due to the electronic nature of the records and the exception to fees in 45 CFR §164.524(c)(4), this is unlikely to apply to healthcare providers)
8. Licensing interoperability elements for EHI to be accessed, exchanged or used

Q4: Should I change how I document patient visits?

While the ONC Final Rule may require that more information be accessible upon request to the patient, if your previous or current EMR system did not allow certain USCDI data elements, good documentation rules would still apply. Characteristics that maximize patients’ welfare while also reflecting healthcare professionals’ competent care can be described through the framework of “the five Cs”: Correct, Clear, Contemporaneous, Civil and Complete.

Contact the LAMMICO Risk Management and Patient Safety Department if you would like more information about documentation. Additionally, Medical Interactive Community has an educational activity called “Documentation: Strengthening the Story of Patient Care.” Using examples conveyed in vignettes and case scenarios, this course will help you self-assess and sharpen your documentation skills by presenting a better story of each patient’s care. Strengthening your records assists in the defense of good care in a lawsuit. Some topics covered in this course are:

  • How to formulate your own tactics for efficiently documenting, so that you can enter prompt and timely medical record notes
  • Ways to keep nonobjective comments about patients or other providers out of medical charts
  • The value of adding free-text notes to records to describe important care discussions with patients
  • The importance of developing a habit of rechecking record entries before signing off on them

LAMMICO insureds may access this education activity at no additional cost by logging in as a Member at

Q5: (ONC) Do the information blocking regulations require actors to proactively make EHI available through “patient portals,” API or other health IT?

No. There is no requirement under the information blocking regulations to proactively make available any EHI to patients or others who have not requested the EHI. ONC notes, however, that a delay in the release or availability of EHI in response to a request for legally permissible access, exchange or use of EHI may be an interference under the information blocking regulations (85 FR 25813, 25878). If the delay were to constitute an interference under the information blocking regulations, an actor’s practice or actions may still satisfy the conditions of an exception under the information blocking regulations (45 CFR 171.200-303).

Q6: (ONC) Are healthcare providers subject to the information blocking regulations even if they do not use any certified health IT?

Yes, any individual or entity that meets the definition of at least one category of actor—“healthcare provider,” “health IT developer of certified health IT,” or “health information network or health information exchange” — as defined in 45 CFR 171.102  is subject to the information blocking regulations in 45 CFR part 171. The information blocking regulations in 45 CFR part 171 apply to a healthcare provider, as defined in the Public Health Service Act and incorporated in 45 CFR 171.102, regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.

Q7: (ONC) Is an actor required to fulfill a request for access, exchange or use of EHI with all the EHI they have for a patient or should the amount of EHI be based on the details of the request? In addition, what if an actor only maintains some of the requested information electronically?

The fulfillment of a request for access, exchange or use of EHI, including what EHI is shared, should be based on the request. However, any activity by the actor that seeks to artificially restrict or otherwise influence the scope of EHI that may be requested may constitute interference and could be subject to the information blocking regulation in 45 CFR part 171.

In terms of fulfilling requests for EHI, it is important to remember that the requirement to fulfill requests for access, exchange, and use of EHI is in any case limited to what the actor may, under applicable law, permissibly disclose in response to a particular request. Under the information blocking regulations in 45 CFR part 171, the actor is only required to fulfill a request with the requested EHI that they have and that can be permissibly disclosed to the requestor under applicable law. However, for protected health information they have, but do not maintain electronically, all HIPAA requirements would still be applicable, including the right of access.

Q8: I only use paper records in my practice. Do I need to upgrade to an electronic health record system?

While the use of EMR may be required under some state laws, the ONC Final Rule does not require healthcare providers to use or upgrade electronic health records if it is not already implemented. Additionally, the ONC Final Rule does not replace HIPAA or state laws, so your practice should continue following HIPAA and state laws.

Q9: Is there a shortened timeline to fulfill patient records requests?

ONC does not prescribe a specific timeline for all requests. Note that HIPAA and state laws do have specific time periods for medical records requests. Contact the LAMMICO Risk Management and Patient Safety Department if you have additional questions about time periods for complying with medical records requests.

Q10: What if I don’t comply with the ONC Final Rule? How will it be enforced? 

It isn’t clear. As of March 31, 2021, no additional enforcement guidance has been issued.

Under the Cures Act, “any healthcare provider determined by OIG to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.”

For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General (OIG) is currently engaged in rulemaking to establish enforcement dates. For healthcare providers, HHS must engage in future rulemaking to establish appropriate disincentives as directed by the 21st Century Cures Act.

For healthcare providers that already attest to complying with information blocking provisions, reviewing the new rules is crucial to avoid inadvertent false certifications.

Risk Mitigation Strategies for Practice Staff

  1. Understand the Rule as it relates to your practice. Read the FAQ above for more information.
  2. Evaluate how your practice currently handles EHI (if any). 
    a. Understand what information your EMR system displays.
    b. Identify whether any restrictive local settings are preventing certain data elements from populating. 
    c. Contact your health IT vendor for more information.
    d. Reminder: The ONC Final Rule does not require that every possible data element be available at all times. The accessibility of the data is based on the request by the patient or their representative.
  3. Review and update your policies on records requests.
    a. Identify the USCDI data elements that patients may now request, and ensure that access to them is possible within a reasonable time.
    b. Review the exceptions that may apply to your practice. Each request from the patient is different, and so is the applicability of each exception.
    c. If a patient requests that certain data NOT be disclosed, ensure that your practice has policies in place to prevent disclosure.
  4. Contact your health IT vendor and ask them how they are complying with the ONC Final Rule. 
    a. Ask them to identity what data elements are now available or if they fully comply with the USCDI standards. Require specific examples.
    b. If the vendor informs you they will no longer seek certification with ONC (or that they are no longer certified), ask them for specifics about their system.
  5. Provide training to all staff members on the new Rule and any updated policies.

Annual Reports:

Receive Regular Updates: