Data Strategy Briefing — March 9, 2020
The U.S. ONC's 9 March 2020 Cures Act Final Rule mandates APIs without special effort, prohibits information blocking, and sets timelines for certified EHR updates, transforming how providers and developers manage interoperability obligations.
Executive briefing: The U.S. Office of the National Coordinator for Health IT (ONC) issued the Cures Act Final Rule on 9 March 2020, implementing Section 4002 of the 21st Century Cures Act. The rule promotes nationwide interoperability by requiring standardized APIs, enforcing information blocking prohibitions, and updating the ONC Health IT Certification Program. Healthcare providers, certified EHR developers, and health information networks must comply with staged deadlines beginning in 2020.
Key provisions
Interoperability requirements
The rule adopts the HL7 FHIR Release 4 standard for APIs supporting the U.S. Core Data for Interoperability (USCDI) v1 data set, replacing proprietary interfaces with a uniform baseline that covers demographics, problems, medications, lab results, vital signs, and clinical notes. Certified EHR technology must supply both single-patient and population-level endpoints, enabling payer-to-payer exchange and quality measurement through Bulk FHIR (Flat FHIR) exports. The rule also updates certification criteria for electronic prescribing, decision support, and clinical quality measurement to align with modern interoperability patterns and vocabulary standards.
Patient access API expectations
Certified EHR technology must support patient access APIs that allow individuals to retrieve and manage data via third-party apps without special effort. Actors must publish complete API documentation, limit fees to reasonable cost recovery, and avoid anti-competitive practices in app registration or vetting. The eight information blocking exceptions (e.g., preventing harm, privacy, security, infeasibility, maintenance) define when withholding data is permissible and require thorough documentation of decision rationale.
Export and data portability
Developers must provide standardized export capabilities, including persistent user-export options for a single patient's full electronic health information and bulk exports that support payer, research, and public health use cases. Export functions must run without the vendor’s ongoing involvement, preserving provenance and auditability to satisfy both ONC certification and organizational records retention needs.
Implementation timelines and enforcement
Compliance timelines
ONC phased in the compliance deadlines to account for COVID-19 disruptions, announcing enforcement discretion in April 2020 and further timeline updates in 2021. Key milestones include information blocking compliance for providers and developers (initially November 2020, later April 2021), API requirements (May 2022), and upgraded certification to support USCDI data classes. EHI export obligations began October 2022, and ongoing certification updates extend through the Health Data, Technology, and Interoperability (HTI-1) rule effective 2024.
Enforcement and penalties
The HHS Office of Inspector General (OIG) is responsible for civil monetary penalties for health IT developers and health information networks, with statutory limits up to $1 million per violation for information blocking. CMS coordinates enforcement for providers through "conditions of participation" and the Promoting Interoperability Program, while ONC monitors developer compliance via real-world testing submissions, attestation updates, and quarterly reporting.
Meeting these developer obligations (real-world testing plans, attestation updates, and quarterly reporting to ONC) requires governance processes to track deadlines, manage testing, and document conformance, including evidence of security risk analyses and mitigation steps for API endpoints.
Impact on healthcare providers
Providers must ensure certified EHR technology is upgraded to the 2015 Edition Cures Update. They must implement patient access APIs, educate patients about app privacy considerations, and update policies to avoid information blocking. Health systems should review release-of-information workflows, request processing times, and patient portal capabilities to ensure timely access to EHI.
Operational changes include revising consent management, adjusting data segmentation for sensitive information (e.g., behavioral health, substance use), and updating HIPAA compliance training. Providers participating in value-based care programmes must coordinate data exchange with payers, leveraging bulk APIs to support risk adjustment and quality reporting.
Developer and vendor obligations
Certified EHR developers must refactor APIs to meet FHIR R4 profiles, publish detailed API documentation, and provide test environments. They must implement transparent pricing for API access, including standardized fee schedules. Developers must also manage app registration, vetting policies, and security controls that respect user-directed access.
Real-world testing requirements necessitate test plans covering interoperability scenarios, including provider-to-provider exchange, patient access, and third-party app integration. Developers must maintain surveillance plans, respond to non-conformities, and coordinate with ONC-Authorized Certification Bodies (ONC-ACBs).
Security and privacy considerations
While the rule prohibits information blocking, it allows actors to deny access when necessary to protect privacy and security. Organisations must implement risk-based policies that document reasons for denying or delaying access. Security teams should evaluate third-party apps for OAuth 2.0 implementation, consent flows, and patient education, aligning with ONC’s Model Privacy Notice.
Providers should deploy monitoring and logging to detect misuse of APIs, implement rate limiting, and ensure PHI is encrypted in transit and at rest. Privacy officers must update notices of privacy practices and evaluate relationships with app developers under HIPAA Business Associate Agreements when applicable.
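As an added illustration (not from the rule, ONC, or any vendor product), the Python below sketches two of the checks this section calls for, run over a constructed patient access API log: flagging requests that reach outside the patient context bound to a SMART on FHIR access token, and a per-client sliding-window rate check. The log field names, client ids, patient ids and thresholds are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real traffic). Each line records the OAuth 2.0
# client_id, the patient context bound to the access token, and the FHIR path.
SAMPLE_LOG = """\
{"ts": "2021-04-05T10:00:00Z", "client_id": "app-a", "token_patient": "p-100", "path": "/Patient/p-100"}
{"ts": "2021-04-05T10:00:30Z", "client_id": "app-a", "token_patient": "p-100", "path": "/Observation?patient=p-100"}
{"ts": "2021-04-05T10:01:00Z", "client_id": "app-b", "token_patient": "p-200", "path": "/Patient/p-200"}
{"ts": "2021-04-05T10:01:01Z", "client_id": "app-b", "token_patient": "p-200", "path": "/Patient/p-201"}
{"ts": "2021-04-05T10:01:02Z", "client_id": "app-b", "token_patient": "p-200", "path": "/Observation?patient=p-202"}
"""
# Patient id a request addresses: /Patient/{id} or a ?patient={id} search parameter.
PATIENT_IN_PATH = re.compile(r"(?:^/Patient/|[?&]patient=)([A-Za-z0-9.-]+)")

def parse_log(text):
    """Parse JSON lines; timestamps become timezone-aware datetimes."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        entries.append(e)
    return entries

def cross_patient_reads(entries):
    """Requests addressing a patient other than the token's own context: a patient-facing
    app token is scoped to one patient, so any other id in the path is a scope violation."""
    hits = []
    for e in entries:
        m = PATIENT_IN_PATH.search(e["path"])
        if m and m.group(1) != e["token_patient"]:
            hits.append((e["client_id"], e["token_patient"], m.group(1)))
    return hits

def rate_violations(entries, limit, window_s):
    """Clients exceeding `limit` requests in any `window_s`-second sliding window."""
    per_client = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["ts"]):
        per_client[e["client_id"]].append(e["ts"])
    flagged = set()
    for client, stamps in per_client.items():
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > limit:
                flagged.add(client)
    return sorted(flagged)
```

In production the same two checks would run at the API gateway on each request (deny and alert) rather than as a batch over logs, with the token's patient context taken from the validated access token rather than a log field.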
Opportunities and challenges
The rule unlocks new patient engagement opportunities by enabling consumer-directed health apps, care coordination tools, and precision medicine services. Payers can use API access to streamline prior authorization and quality reporting, aligning with the CMS Interoperability and Patient Access Rule. However, organisations must manage risks related to app security, patient education, and integration complexity.
Health IT developers face resource constraints to meet certification updates while supporting pandemic response priorities. Collaboration with standards bodies (HL7 Da Vinci, CARIN Alliance) can streamline implementation through implementation guides and accelerators.
Action plan
- Immediate: Inventory EHI systems, assess API readiness, and review policies to identify potential information blocking behaviors. Assign compliance owners for each ONC milestone.
- 30–60 days: Engage EHR vendors to confirm upgrade timelines, conduct security risk assessments of API infrastructure, and update patient communications regarding app use and data sharing.
- 60–90 days: Execute testing plans for FHIR APIs, perform real-world testing, and document results. Update governance documentation, training, and audit processes to align with information blocking exceptions.
- Continuous: Monitor ONC and OIG guidance, track enforcement developments, and participate in standards community initiatives to stay current on evolving interoperability requirements.
Proactive implementation of the Cures Act Final Rule enhances interoperability, patient empowerment, and regulatory compliance across the healthcare ecosystem.
Payer and third-party implications
Health plans covered by CMS interoperability rules must align payer-to-payer data exchange with ONC API standards. Payers should coordinate with providers to ensure consistent data semantics, leverage FHIR-based prior authorization workflows, and integrate patient access APIs into member portals. Third-party app developers must implement robust privacy disclosures, adhere to CARIN Code of Conduct principles, and provide mechanisms for revocation of access.
Employers offering self-funded plans and accountable care organizations should evaluate how information blocking prohibitions affect data sharing with business associates, wellness programmes, and care management vendors. Contracts should clarify responsibilities for API security, data quality, and regulatory compliance.
Governance and monitoring
Organisations should establish steering committees to oversee Cures Act compliance, including representation from IT, compliance, privacy, clinical operations, and patient advocacy. Governance frameworks must document exception handling workflows, audit trails, and escalation paths for access disputes. Dashboards should track API uptime, patient access volumes, third-party app registrations, and incident response metrics.
Internal audit and compliance teams should conduct periodic reviews of information blocking risk, verifying that policies align with ONC guidance and that documentation supports exception claims. Training programmes for frontline staff must emphasise timely responses to patient requests and accurate communication about API capabilities.
Follow-up: The information-blocking requirements have been enforceable since April 2021, EHI export obligations began in October 2022, and ONC’s 2023 HTI-1 final rule and TEFCA designated exchange networks extend compliance work into 2024–2025.
Sources
- 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program — Federal Register; Federal Register publication outlining interoperability mandates, API requirements, and phased compliance deadlines.
- 21st Century Cures Act Final Rule — Office of the National Coordinator for Health IT; ONC fact sheet summarising API certification changes, information blocking exceptions, and compliance timelines.
- Office of Inspector General Civil Money Penalty Rules Regarding Information Blocking — Federal Register; final rule detailing enforcement authority and penalty structure for information blocking violations.
- Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule — ONC; rulemaking page outlining the 2023–2024 certification updates, algorithm transparency, and expanded information sharing requirements.