21st Century Cures Act

HHS Announces Crackdown on “Information Blocking” Violations

WyattLLP Electronic Health Records, Health Information Technology , , , , , , ,

By: Kathie McDonald-McClure

The 21st Century Cures Act of 2016 (Cures Act) was passed by Congress and signed into law by President Obama on December 13, 2016. The Cures Act seeks to ensure access, exchange, and use of electronic health information. The Act mandated the U.S. Department of Health and Human Services (HHS) to establish rules prohibiting “information blocking” by developers of certified electronic health information technology (CEHRT), healthcare providers, health information networks (HINs), and health information exchanges (HIEs).

HHS, during the first Trump Administration, proposed and finalized initial information blocking rules for CEHRT developers and healthcare providers. The rules were initially set to take effect in November 2020 but were delayed due to the COVID-19 pandemic. The Biden Administration HHS announced that there would be no further delays and those initial information blocking rules became effective on April 21, 2021. These rules are applicable to developers of CEHRT and healthcare providers as well as HINs and HIEs. See 45 C.F.R. Part 171—Information Blocking and see our April 6, 2021 article discussing these complex rules, “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?

The next mandate under the Cures Act was to establish civil monetary penalties (CMPs) for CEHRT developers and “appropriate disincentives” for healthcare providers who violate the information blocking rules. The Biden Administration HHS Office of Inspector General (OIG) proposed and finalized the CMPs of not more than one million dollars per violation for CEHRT developers who commit information blocking. Those rules became effective September 1, 2023. See 42 C.F.R. Part 1003 Subpart N.

The Biden Administration HHS also proposed and finalized the disincentives for certain healthcare providers who run afoul of the information blocking rule. These disincentives became effective on July 31, 2024. See 45 C.F.R. 171.1000.

On September 3, 2025, HHS, under the direction of Secretary Robert F. Kennedy, Jr., announced a crackdown on information blocking violations. The announcement states that the Cures Act was “published” during the first Trump Administration despite being signed into law by President Obama. The announcement goes on to say that “[i]nformation blocking was not a priority under the Biden Administration” despite the implementation of penalties and disincentives for violations.

Nevertheless, it is important to note the intent of HHS under Secretary Kennedy to prioritize enforcement of the information blocking rules. The announcement summarizes the penalties and disincentives for information blocking violations. The disincentives for hospitals, critical access hospitals, and clinicians are not as straightforward as the CMPs for CEHRT developers because they are tied to Medicare payment formulas. Although not detailed in the HHS announcement, we discuss the disincentives in more depth in our July 3, 2024 article, “HHS Adds New Teeth to Information Blocking Law for Health Care Providers.”

Looking for assistance in navigating compliance and avoiding the pitfalls associated with the information blocking rules?  We work with our clients regarding their policies and procedures related to compliance with information blocking, HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

INFORMATION BLOCKING RULE EFFECTIVE APRIL 5, 2021: ARE PROVIDERS READY?

WyattLLP Cures Act and Program Interoperability, Health Information Technology , , , ,

By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared towards ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 20, 2020.  However, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) extended the compliance effective dates for the Final Rule several times over the last year—and most providers were hopeful that it would be extended once again—but there are no more delays.  Information Blocking compliance is now effective, as of April 5, 2021.  Health care providers should take immediate steps to ensure compliance.

Continue reading

HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

Kathie McDonald-McClure Data Privacy & Security, HIPAA, HITECH Law , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

Continue reading

CMS Issues COVID-19 Related Extension of the Deadline for Hospitals to Implement Electronic Patient Event Notifications

Kathie McDonald-McClure Cures Act and Program Interoperability, Health Information Technology , , , , ,

by Margaret Young Levi and Kathie McDonald-McClure

Post-Note: On April 30, 2021, the requirements for hospitals with certain EHR capabilities to send admission, discharge and transfer notifications to other providers went into effect. See CMS webpage, “Policies and Technology for Interoperability and Burden Reduction“.

Last year, we wrote about the CMS Proposed Rule on Hospital EHR “Electronic Patient Event Notifications” in which CMS proposed new Medicare Conditions of Participation (CoPs) for hospitals that will require the hospital to send electronic event notifications to primary care or post-acute care providers identified by the patient when a patient has been admitted, discharged, or transferred (ADT Notifications).  ADT Notifications are an outgrowth of the 21st Century CURES Act passed by a bi-partisan majority of Congress and signed into law on December 13, 2016 (CURES Act). The CURES Act contains aggressive goals to promote the interoperability of electronic health records and patient access to their health information.

The objective of ADT Notifications is to improve care coordination and patient outcomes. These ADT Notifications are to be integrated into either the hospital’s interoperable certified electronic health record technology (CEHRT) or other electronic administrative system such as a registration system. An ADT Notification will be required when the patient is:

  • registered in the Emergency Department (ED) or as an observational stay;
  • admitted to the hospital (regardless if the patient was admitted from the ED, from an observation stay, or as a direct admission from home, from their practitioner’s office, or as a transfer from some other facility);
  • transferred from the ED or inpatient care; or
  • discharged from the ED, observational stay or inpatient services unit.
Continue reading