Data Strategy Briefing — March 9, 2020
The ONC's 21st Century Cures Act Final Rule unlocked API-based patient access and banned information blocking, requiring U.S. health data teams to accelerate interoperability roadmaps despite COVID-19 disruptions.
Executive briefing: The U.S. Office of the National Coordinator for Health IT (ONC) issued the Cures Act Final Rule, implementing Section 4002 of the 21st Century Cures Act. The rule promotes nationwide interoperability by requiring standardized APIs, enforcing information blocking prohibitions, and updating the ONC Health IT Certification Program. Healthcare providers, certified EHR developers, and health information networks must comply with staged deadlines beginning in 2020.
Key provisions
The rule adopts the HL7 FHIR Release 4 standard for APIs supporting the U.S. Core Data for Interoperability (USCDI) v1 data set. Certified EHR technology must support patient access APIs that allow individuals to retrieve and manage data via third-party apps without special effort. The rule defines eight information blocking exceptions (e.g., preventing harm, privacy, security, infeasibility, maintenance) and sets penalties for actors that unreasonably interfere with access, exchange, or use of electronic health information (EHI).
Developers must provide standardized export capabilities, support bulk FHIR exports (Flat FHIR), and avoid restrictive business practices such as excessive fees or anti-competitive app vetting. The rule also updates certification criteria for electronic prescribing, decision support, and clinical quality measurement.
Implementation timelines and enforcement
ONC phased compliance to account for COVID-19 disruptions, issuing enforcement discretion in April 2020 and later updates in 2021. Key milestones include information blocking compliance for providers and developers (initially November 2020, later April 2021), API requirements (May 2022), and upgraded certification to support USCDI data classes. The HHS Office of Inspector General (OIG) is responsible for civil monetary penalties for health IT developers and health information networks (up to $1 million per violation). CMS coordinates enforcement for providers through "conditions of participation" and the Promoting Interoperability Program.
Developers must submit real-world testing plans, attestation updates, and quarterly reporting to ONC. Compliance requires governance processes to track deadlines, manage testing, and document conformance.
Impact on healthcare providers
Providers must ensure certified EHR technology is upgraded to the 2015 Edition Cures Update. They must implement patient access APIs, educate patients about app privacy considerations, and update policies to avoid information blocking. Health systems should review release of information workflows, request processing times, and patient portal capabilities to ensure timely access to EHI.
Operational changes include revising consent management, adjusting data segmentation for sensitive information (e.g., behavioral health, substance use), and updating HIPAA compliance training. Providers participating in value-based care programmes must coordinate data exchange with payers, leveraging bulk APIs to support risk adjustment and quality reporting.
Developer and vendor obligations
Certified EHR developers must refactor APIs to meet FHIR R4 profiles, publish detailed API documentation, and provide test environments. They must implement transparent pricing for API access, including standardized fee schedules. Developers must also manage app registration, vetting policies, and security controls that respect user-directed access.
Real-world testing requirements necessitate test plans covering interoperability scenarios, including provider-to-provider exchange, patient access, and third-party app integration. Developers must maintain surveillance plans, respond to non-conformities, and coordinate with ONC-Authorized Certification Bodies (ONC-ACBs).
Security and privacy considerations
While the rule prohibits information blocking, it allows actors to deny access when necessary to protect privacy and security. Organisations must implement risk-based policies that document reasons for denying or delaying access. Security teams should evaluate third-party apps for OAuth 2.0 implementation, consent flows, and patient education, aligning with ONC’s Model Privacy Notice.
Providers should deploy monitoring and logging to detect misuse of APIs, implement rate limiting, and ensure PHI is encrypted in transit and at rest. Privacy officers must update notices of privacy practices and evaluate relationships with app developers under HIPAA Business Associate Agreements when applicable.
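As an added illustration of the monitoring and rate-limiting controls recommended above (example code, not part of the briefing or any ONC material), the script below scans constructed gateway log lines for a patient access API. It assumes a SMART on FHIR style deployment where each OAuth 2.0 access token is bound to one patient context, and a hypothetical log format of `timestamp client_id token_patient method path status`; it flags apps whose requests target a patient other than the token's patient (a scope violation worth reviewing even when the server returned 403) and apps exceeding a per-minute request threshold.

```python
import re
from collections import Counter, defaultdict

# Hypothetical gateway log format: <ts> <client_id> <token_patient> <method> <path> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Patient referenced by a FHIR request, either /Patient/<id> or a ?patient=<id> search parameter
PATIENT_RE = re.compile(r"(?:Patient/|patient=)([\w-]+)")

# Constructed sample log lines (not real traffic): app-beta probes other patients' records,
# app-gamma is a legitimate app that simply bursts above the per-minute limit.
SAMPLE_LOG = """\
2020-03-09T10:00:01Z app-alpha p-100 GET /fhir/Patient/p-100 200
2020-03-09T10:00:02Z app-alpha p-100 GET /fhir/Observation?patient=p-100 200
2020-03-09T10:00:03Z app-beta p-200 GET /fhir/Patient/p-201 403
2020-03-09T10:00:04Z app-beta p-200 GET /fhir/Patient/p-202 403
2020-03-09T10:00:05Z app-beta p-200 GET /fhir/Condition?patient=p-203 200
2020-03-09T10:00:06Z app-gamma p-300 GET /fhir/Patient/p-300 200
2020-03-09T10:00:07Z app-gamma p-300 GET /fhir/Observation?patient=p-300 200
2020-03-09T10:00:08Z app-gamma p-300 GET /fhir/Condition?patient=p-300 200
2020-03-09T10:00:09Z app-gamma p-300 GET /fhir/MedicationRequest?patient=p-300 200
2020-03-09T10:00:10Z app-gamma p-300 GET /fhir/AllergyIntolerance?patient=p-300 200
2020-03-09T10:00:11Z app-gamma p-300 GET /fhir/Immunization?patient=p-300 200
"""

def parse(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, token_patient, _method, path, status = m.groups()
    target = PATIENT_RE.search(path)
    return {"minute": ts[:16], "client": client, "token_patient": token_patient,
            "target_patient": target.group(1) if target else None, "status": int(status)}

def analyze(log_text, per_minute_limit=5):
    """Flag cross-patient access attempts and clients exceeding the per-minute limit."""
    cross = Counter()                      # client -> requests outside its token's patient context
    per_minute = defaultdict(Counter)      # client -> minute bucket -> request count
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        per_minute[rec["client"]][rec["minute"]] += 1
        if rec["target_patient"] and rec["target_patient"] != rec["token_patient"]:
            cross[rec["client"]] += 1      # count attempts regardless of status: denied probes matter too
    rate = {c: max(m.values()) for c, m in per_minute.items() if max(m.values()) > per_minute_limit}
    return {"cross_patient": dict(cross), "rate_exceeded": rate}
```

In practice the same logic belongs in the gateway or SIEM rule set, with the cross-patient count feeding an alert and the per-minute count feeding the rate limiter; the successful `200` on a foreign patient id in the sample is the case that should page someone, since it indicates the authorization server or resource server did not enforce the token's patient scope.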
Opportunities and challenges
The rule unlocks new patient engagement opportunities by enabling consumer-directed health apps, care coordination tools, and precision medicine services. Payers can use API access to streamline prior authorization and quality reporting, aligning with the CMS Interoperability and Patient Access Rule. However, organisations must manage risks related to app security, patient education, and integration complexity.
Health IT developers face resource constraints to meet certification updates while supporting pandemic response priorities. Collaboration with standards bodies (HL7 Da Vinci, CARIN Alliance) can streamline implementation through implementation guides and accelerators.
Action plan
- Immediate: Inventory EHI systems, assess API readiness, and review policies to identify potential information blocking behaviors. Assign compliance owners for each ONC milestone.
- 30–60 days: Engage EHR vendors to confirm upgrade timelines, conduct security risk assessments of API infrastructure, and update patient communications regarding app use and data sharing.
- 60–90 days: Execute testing plans for FHIR APIs, perform real-world testing, and document results. Update governance documentation, training, and audit processes to align with information blocking exceptions.
- Continuous: Monitor ONC and OIG guidance, track enforcement developments, and participate in standards community initiatives to stay current on evolving interoperability requirements.
Proactive implementation of the Cures Act Final Rule enhances interoperability, patient empowerment, and regulatory compliance across the healthcare ecosystem.
Payer and third-party implications
Health plans covered by CMS interoperability rules must align payer-to-payer data exchange with ONC API standards. Payers should coordinate with providers to ensure consistent data semantics, leverage FHIR-based prior authorization workflows, and integrate patient access APIs into member portals. Third-party app developers must implement robust privacy disclosures, adhere to CARIN Code of Conduct principles, and provide mechanisms for revocation of access.
Employers offering self-funded plans and accountable care organizations should evaluate how information blocking prohibitions affect data sharing with business associates, wellness programmes, and care management vendors. Contracts should clarify responsibilities for API security, data quality, and regulatory compliance.
Governance and monitoring
Organisations should establish steering committees to oversee Cures Act compliance, including representation from IT, compliance, privacy, clinical operations, and patient advocacy. Governance frameworks must document exception handling workflows, audit trails, and escalation paths for access disputes. Dashboards should track API uptime, patient access volumes, third-party app registrations, and incident response metrics.
Internal audit and compliance teams should conduct periodic reviews of information blocking risk, verifying that policies align with ONC guidance and that documentation supports exception claims. Training programmes for frontline staff must emphasise timely responses to patient requests and accurate communication about API capabilities.
Follow-up: The information-blocking requirements have been enforceable since April 2021, EHI export obligations began in October 2022, and ONC’s 2023 HTI-1 final rule and TEFCA designated exchange networks extend compliance work into 2024–2025.
Sources
- 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program — Federal Register; Federal Register publication outlining interoperability mandates, API requirements, and phased compliance deadlines.
- 21st Century Cures Act Final Rule — Office of the National Coordinator for Health IT; ONC fact sheet summarising API certification changes, information blocking exceptions, and compliance timelines.