On December 13, 2016, the 21st Century Cures Act (the “Cures Act”) was signed into law and made changes to the Public Health Service Act related to health information technology. The Office of the National Coordinator for Health Information Technology (“ONC”), at the U.S. Department of Health and Human Services (“HHS”), is the principal federal entity charged with coordination of efforts to implement advanced health information technology and the electronic exchange of health information. On May 1, 2020, ONC issued the Cures Act final rule, which implements provisions of the Cures Act designed to advance interoperability, support the exchange, access, and use of electronic health information (“EHI”) and address information blocking.
The effective date to comply with the Cures Act information blocking rules was originally November 2, 2020 but was extended to April 5, 2021. Regulatory agencies have announced enforcement discretion for additional periods of time, allowing institutions time to determine if Cures Act compliance is required and, if so, how to implement compliant policies, procedures, and technologies.
Higher education institutions that provide health care services to students and community members may be required to comply with the Cures Act and its information blocking rules. This article provides an overview of the Cures Act and raises questions your institution may want to discuss among counsel and health care staff. In summary, however, the plain language of the Cures Act makes clear that so long as electronic health records gathered by colleges and universities are education or treatment records, as defined by the Family Educational Rights and Privacy Act (“FERPA”), those records are not subject to the Cures Act.
Who is Covered Under the Cures Act?
The Cures Act prohibits health information technology developers, health information networks, health information exchanges, and health care providers from interfering with the access, exchange, or use of EHI, which is known as “information blocking.” The Cures Act defines health care providers broadly to include:
“Skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center … renal dialysis facility, blood center, ambulatory surgical center … emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician…, a practitioner …, a rural health clinic, … a therapist, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by [HHS].”
42 U.S.C. § 300jj(3) (emphasis added).
Drilling down further, a “practitioner” under the Cures Act includes any of the following:
- A physician assistant, nurse practitioner, or clinical nurse specialist;
- A certified registered nurse anesthetist;
- A certified nurse-midwife;
- A clinical social worker;
- A clinical psychologist; or
- A registered dietitian or nutrition professional.
42 U.S.C. § 300jj(3); 42 U.S.C. § 1395u(b)(18)(C).
The definition of a health care provider under the Cures Act is very broad and captures individual providers. To the extent a college or university provides health care services at one of the facilities or by one of the practitioners listed above, the institution may need to comply with the Cures Act, depending on what type of data the institution collects.
What Data is Covered Under the Cures Act?
The Cures Act prohibits the actors above from engaging in information blocking of EHI. EHI is defined to mean electronic protected health information (“ePHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). 45 CFR § 171.102.
The definition of ePHI specifically excludes education records and treatment records, as those terms are defined by FERPA. 45 CFR § 160.103. Education records are:
“those records, files, documents, and other materials which—
- contain information directly related to a student; and
- are maintained by an educational agency or institution or by a person acting for such agency or institution.”
20 U.S.C. § 1232g(a)(4)(A).
Treatment records are defined as:
“records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.”
20 U.S.C. § 1232g(a)(4)(B)(iv).
This means that records maintained by educational institutions that meet the requirements of either “treatment records” or “education records” under FERPA are not considered ePHI under HIPAA and therefore are not considered EHI under the Cures Act. As the Cures Act definition of EHI is specific to electronic data, paper records are not implicated.
The interplay between HIPAA and FERPA is complicated and has been the subject of guidance from the U.S. Department of Education and HHS. As noted, to the extent an educational institution maintains records that are not considered ePHI under HIPAA, those records are not EHI under the Cures Act. However, if records are not treatment records or education records, such records may be subject to the Cures Act. Higher education institutions may have records that are ePHI under HIPAA but are not education records or treatment records under FERPA if, for example, the institution has records of students who are patients at a hospital affiliated with a university or if the institution is a HIPAA-covered entity and provides health care to non-students. Such records are subject to the Cures Act. The records maintained and the services provided by the institution must be analyzed to make this determination.
What Actions Are Prohibited?
Under the Cures Act, health information technology developers, health information networks, health information exchanges, and health care providers are prohibited from engaging in information blocking. Examples of potential information blocking are: i) not responding timely to EHI requests; ii) charging unreasonably for access to records; iii) disabling EHR functions that facilitate access; iv) unnecessary delay (e.g., not posting available records to the patient portal); and v) entering into contracts that would impede access in ways not required by HIPAA or state law, interfering with the access, exchange, or use of EHI.
ONC has announced it will exercise its discretion in enforcing requirements under the Cures Act that have compliance dates and timeframes for three months. This flexibility gives organizations additional time to analyze if the Cures Act applies to their institution or business. Higher education institutions may want to take this opportunity to review the records they maintain to determine if the institution must comply with the Cures Act’s information blocking rules. If the Cures Act is implicated, we recommend that the institution implement policies and procedures to comply with the Cures Act, provide training to employees on how to respond to records requests, and explore the compliance technologies of its electronic health record provider.
- See, https://www.healthit.gov/curesrule/resources/enforcement-discretion-archived.