The 21st Century Cures Act Final Rule – A New Phase of Patient Centered Health IT


Before a plaintiffs’ medical malpractice lawyer embarks on their mission for a client, they will embrace the relevant medical records. But securing the medical records we need to evaluate a case can be challenging. An industry of third-party vendors hired by health care providers to produce medical records and efforts to profit from attorney requests can drain resources and inflate costs. Obstacles to securing complete medical charts in a timely and cost-efficient manner stall or even preclude investigations into new cases, especially when the statute of limitations is near expiration.

Fortunately, federal regulations will soon emerge to stimulate innovation in health information technology (health IT) and break down barriers between our clients and their complete electronic health records.  On March 9, 2020, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) issued a final rule that will amend the Code of Federal Regulations in ways that greatly enhance an individual’s ability to access their electronic health records through modern tools, like apps and the internet.

Titled the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, the final rule will become effective sixty days after the date it is published in the Federal Register.[1] Notably, patients will soon be able to quickly and easily secure a complete copy of their electronic health record via an electronic hyperlink.

The new regulations will also advance a goal every party seeks to achieve – increased patient safety.  The final rule introduces new requirements for certification of health IT designed to enhance the communication and use of electronic health information (EHI) in ways that will both improve clinical care for patients and aid research to advance the quality of health care.

Overview of the Final Rule: Putting EMR at clients’ fingertips and enhancing patient safety

The final rule will enforce and implement several provisions of the 21st Century Cures Act (Cures Act) to “advance interoperability and support the access, exchange, and use of electronic health information.”[2] Specifically, the final rule will enforce and implement the following provisions of the Cures Act:

  • Conditions and Maintenance of Certification requirements for health IT developers;
  • The voluntary certification of health IT for use by pediatric health providers;
  • Reasonable and necessary activities that do not constitute information blocking; and,
  • Modification of the 2015 Edition Health IT certification criteria and ONC Health IT Certification Program.

This article will focus on a fifth provision of the final rule: giving individual patients access to their electronic health information (EHI) in a convenient and electronically accessible form.  This article also includes a discussion of new data and communication requirements for certified Health IT, designed in part to improve patient safety.

Background to the 21st Century Cures Act

The final rule represents the latest in the evolution of regulations establishing a national infrastructure for health IT.  The HIPAA Act of 1996 and the HIPAA Privacy and Security rules which followed began a new era of federal standards for the certification, exchange, privacy, and security of electronic health records.

Then, on February 17, 2009, Congress passed the HITECH Act.  The HITECH Act amended the Public Health Service Act (PHSA) by adding Title XXX, titled Health Information and Technology.  The HITECH Act was designed to promote health IT and electronic health information exchange, and in turn improve the quality, safety, and efficiency of healthcare in America.

The Secretary of HHS has issued multiple lawmaking rules since the HITECH Act was enacted. The final rules updated and strengthened standards and specifications to promote an interoperable health IT infrastructure and establish programs for the certification of health IT.[3]

On October 16, 2015, the Secretary of HHS published a final rule titled “2015 Edition Health Information (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications”. The 2015 Edition rule set forth the criteria for health care professionals and hospitals to achieve “meaningful use” of certified electronic health record technology. By meeting the “meaningful use” criteria for certification of EHR technology, health care professionals and hospitals could receive incentive payments under the Medicare and Medicaid EHR Incentive Programs. Now known as the Promoting Interoperability Programs, the incentive programs were designed to promote quality, safety, and efficiency in the delivery of health care.[4]

The evolution of standards for the interoperability and certification of health IT continued with the passage of the 21st Century Cures Act on December 13, 2016.  The Cures Act modified certain portions of the HITECH Act and is designed to do exactly what the name implies – discover, develop, and deliver 21st century cures to patients.

On March 4, 2019 ONC published a proposed rule to implement certain provisions of the Cures Act. After considering comments to the proposed rule, ONC released the final rule on March 9, 2020.

The final rule is unique in its emphasis on the patient’s right to access, use and exchange their health care information. To the point, on their webpage ONC describes the final rule as putting “patients in charge of their health records” and recognizes “access to information is key” to giving patients “more power in their health care.”[5]

Patient access to their electronic health information via hyperlink: More ease and no cost

Under the final rule, certified health IT must grant patients access to their electronic medical records via an easy to use, electronic hyperlink.  Patients must be able to access their EHI in a manner unfettered by unusable file formats or other technological barriers.[6]

The standards for patient access to EHI via hyperlink are detailed under the section of the final rule titled “Electronic Health Information (EHI) Export Criterion” (“EHI Export”).  As a condition of certification, health IT products must meet the following standards for patient access to their EHI:

  • Full Content – The hyperlink must provide access to all electronic protected health information (ePHI) as defined in 45 CFR 160.103, i.e. individually identifiable health information transmitted by or maintained in electronic media. The ePHI must be accessible via a hyperlink to the extent the information is included in a “designated record set”. The term “designated record set” is defined at 45 CFR 164.501 and includes what is commonly recognized as an individual’s “medical records” and “billing records” as maintained by health care providers.[7]

As simplified in the final rule, patients are entitled to the same “ePHI that a patient would have the right to request a copy of pursuant to the HIPAA Privacy Rule”. This is the same content the industry has become accustomed to producing upon patient request over the past 20 years. [8]

  • Developers of health IT must ensure their product is capable of exporting all of the EHI the product is capable of storing at the time the product is certified.
  • Ease for the “users of health IT” and the patients – Users of the health IT (e.g. health care professional or their office staff, or a software program or service that interacts directly with the health IT) must be able to create an export file(s) of a single patient’s EHI at any time the user chooses and without assistance from the developer of the health IT to operate. Log-in or similar requirements are not expressly forbidden under the rule; however, a patient must be able to access their EHI via the hyperlink “without any preconditions or additional steps”.
  • The export files must be electronic, in a computable format, and the export file(s) format, including structure and syntax, must be included with the exported file.
  • The developer must keep the hyperlinks up-to-date. [9]
  • Nearly Real-Time – The user must be able to create an export file in a timely manner. The term “timely” means nearly real-time, though reasonable and prudent under the circumstances.[10]
  • Radiographic imaging – The hyperlinks must provide access to images, imaging information (i.e. reports) or imaging elements that can be stored in a health IT module at the time of certification. However, it is unlikely this certification standard will make images readily available to patients via hyperlink.  The final rule recognizes many health IT products may only include links to imaging or imaging data stored in a separate imaging system, such as Picture Archiving and Communication Systems (PACS).  In such cases, only the links must be capable of export to the patient.[11]

The final rule’s new data export requirements will be codified at 45 CFR §170.315(d)(10).  Health IT developers will remain eligible for certification of a health IT product that satisfies much more limited 2015 criteria for data export for up to 36 months following the date the final rule is published in the Federal Register.

Patient access to metadata – the final rule vs. ASTM E2147-18

The final rule specifically excludes metadata, including audit logs, from the scope of data subject to patient access.[12] Nevertheless, the weight of an international ASTM standard could give attorneys in search of evidence to form the basis of a medical malpractice lawsuit the traction they need to gain access to the valuable metadata contained in audit logs.

Medical malpractice attorneys typically request audit reports, or audit trails, during the discovery phase of medical malpractice litigation.  Audit reports are generated from metadata contained in audit logs and can reveal clinically relevant information that doesn’t appear in the medical records.  The metadata which lies below the surface of the recorded chart shows which doctors and nurses knew about key signs, symptoms or test results, what information they knew, and when.  Audit logs also assure those who might wish to hide the truth about the care in question cannot access, alter, or destroy patient records without detection.

Discussion among attorneys often turns to whether health care providers should produce audit logs even before a medical malpractice action is filed. In some cases, the ability to identify acts or omissions of medical negligence can depend on audit log data. For example, audit logs can help prove radiology images were viewed by a particular doctor at a particular time though the reported results were never communicated to the patient.  Or, audit logs can prove entries in the medical records were altered hours to days after the events in question.  This valuable information can feasibly provide the only evidence of negligence to support a lawsuit.

The final rule incorporates into federal regulations certain provisions of the international standard ASTM E2147-18, specifically those sections of the standard that define the key elements of data that health IT must maintain within an audit log. Interestingly, however, ASTM E2147-18 also contains a provision, though not incorporated into federal regulations, requiring that health care providers provide direct access to audit logs not only to attorneys who advocate for patients, but to the patients themselves.[13]

In spite of the standards set forth in ASTM E2147-18, the final rule states that a specific list of inclusions or exclusions concerning metadata or audit logs is unnecessary. Instead, the final rule reinforces that the scope of data that should be available for export via hyperlink is essentially limited to the EHI a patient has a right to request and receive from their health care providers under the HIPAA Privacy Rule.[14] More specifically, the data available for patient access is only that which meets the definition of electronic protected health information (EHI) at 45 CFR 160.103 and only to the extent the EHI is contained in a designated record set as that term is defined at 45 CFR 164.501.

Time will tell how the discrepancy between the final rule and ASTM E2147-18 will play out for injured patients and their attorneys. Most likely, the courts will make the call on whether patients and their advocates can secure audit logs and use metadata as the basis for filing a lawsuit averring medical negligence.

Information Blocking

Every medical malpractice attorney has battled health care providers who reject HIPAA compliant requests for medical records on unreasonable grounds. Likewise, hospitals and doctors’ offices send medical charts that are clearly incomplete.  Critical medical records are often conspicuously missing.  We may never know entirely what if any information medical providers are withholding from our clients and our firm.

The final rule intends to stop health care providers from withholding a patient’s full and complete electronic health record through patient-focused provisions designed to prevent information blocking.  Information blocking is any practice a health care provider knows is unreasonable and likely to “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” [15]

The final rule’s information blocking provisions are implicated whenever a practice interferes with access, exchange or use of EHI for any one of a multitude of purposes.  This includes the practice of health care providers interfering with patient access, exchange, or use of their EHI.  Along these lines the final rule highlights the need for healthcare providers to grant patients access to medical records without charge:

“We specifically emphasize that practices that involve an actor charging an individual a fee to access, exchange, or use their EHI would be inherently suspect, as discussed in more detail in the Fees Exception (section VIII.D.2.b), as there are few, if any, legitimate reasons for an actor to charge an individual for access to their EHI.”[16]

Within its “Fees Exception” provision the final rule identifies circumstances when a health care provider, health IT developer, or similar actor is permitted to recover costs reasonably incurred for the access, exchange, or use of EHI without violating the information blocking provisions of the rule. [17] Still, the final rule makes clear the fee exception does not apply to health care providers subject to the HIPAA Privacy Rules.  Accordingly, a health care provider who charges a patient more than the reasonable, cost-based fees for access to the electronic health record would violate the final rule’s information blocking provisions.  The “reasonable, cost-based fees” a health care provider can charge for patient access to their electronic health record remain those fees set forth at 45 CFR 164.524(c)(4), specifically, the cost of:

  • Labor for copying the protected health information (PHI) requested by the individual, whether in paper or electronic form;
  • Supplies for creating the paper copy of the records or electronic media (e.g. CD or USB drive) in the event the individual requests the electronic record on portable media;
  • Postage, when applicable; and,
  • Preparation of an explanation or summary of the PHI, if agreed to by the individual.

Consistent with current law, health care providers cannot charge search and retrieval fees, or costs not listed above, even if a state law authorizes such costs.[18]

The final rule recognizes the process of securing medical records is increasingly based on internet apps and e-mail. As such, the Fee Exception to Information Blocking provides no exception to the rule forbidding healthcare providers from charging any fee for “electronic access of an individual’s EHI by the individual, their personal representative, or another person or entity designated by the individual”.[19] The term “electronic access” includes any internet-based method of delivery of EHI, including patient portals, patient-chosen apps, e-mail, personal health apps, and application programming interface (API) software used to connect with health IT programs.[20]

Certified health IT that captures more patient data and helps our children grow

The final rule also establishes the first version of the “United States Core Data for Interoperability” (USCDI) standard.  The USCDI replaces a previous standard known as the Common Clinical Data Set and is designed to establish a mandatory set of health care data classes and data elements that will promote the interoperability of health IT on a national scale.

For example, the final rule will add current address, previous address, phone number, phone number type and email address to the list of data elements within the USCDI and require Health IT developers to include these data elements in their Health IT systems in order to achieve certification.

But the new certification requirements go well beyond basic contact information.  In an effort to “better support the safety and quality of care delivered to children”, the final rule incorporates new pediatric vital signs into the USCDI.[21] All certified health IT, regardless of the specialty or health care setting, will be required to collect the following pediatric vital signs and growth data:

  • head occipital-frontal circumference percentile (Birth to 36 Months);
  • weight-for-length percentile (Birth to 36 Months);
  • body mass index (BMI) percentile (2-20 Years of Age); and,
  • the reference range/scale or growth curve, as appropriate

With health IT required to “capture, calculate and transmit key pediatric growth data”, the final rule will establish a new framework for electronic health records recognized as “essential not only to the care of pediatric patients, but to maintain communication between providers, patients, and parents/guardians.”[22]

A step-away from drop-down and checklist medical records

The USCDI will also include a new data class entitled “Clinical Notes”.  Physicians and attorneys alike recognize communication errors are prone to occur when medical records are created almost entirely from drop-down menus or similar check-the-box type record formats. Narrative-style notes which flow from the mind of the clinician, also known as “free text” clinical notes, are often only a small portion of a patient’s electronic health record.  Even these limited narrative entries are occasionally copied and pasted from previous examinations by the same clinician, or even different clinicians.

Medical records created with drop-down menus or checklists also present difficulties in extracting narrative data for research and analysis that can improve patient care. The issues of extracting and exchanging narrative health information are especially significant considering as much as 80% of meaningful health information is in the form of unstructured data, much of which includes health care information recorded in free-text.[23]

The drafters of the final rule introduced a new “Clinical Notes” data class to address concerns that free-text clinical information is often missing when health information is exchanged.[24]  First, the final rule creates eight subtypes of clinical notes as the minimum bar for the Clinical Notes data class for both inpatient and outpatient settings.  The subtypes are Discharge Summary Note, History and Physical, Progress Note, Consultation Note, Imaging Narrative, Laboratory Note Narrative, Pathology Report Narrative, and Procedure Note.

Second, and in response to the concerns of clinicians as stated above, the new data class and its subtypes must be designed to enable health care providers to more fully capture and exchange clinical information through the use of free-text notes.[25]

Health care providers must have the ability to grant patients access to the EHI contained within the USCDI V.1 standard by 24 months following the publication of the final rule in the Federal Register.[26] A detailed summary of each data class and data element required under the new USCDI Version 1 standard is available via this link to the website.

Increasing patient safety by preserving communications among health IT actors

The final rule also introduces a “Communications Condition of Certification” requirement for certified health IT.  The new requirement responds to practices by health IT developers that prohibit and restrict communication in the health IT industry and, in turn, threaten patient safety. In the words of the final rule:

“Industry practices of certified health IT developers…can severely limit the ability and willingness of health IT customers, users, researchers, and other stakeholders to openly discuss and share their experiences and other relevant information about health IT performance, including about the ability of health IT to exchange health information electronically. These practices result in a lack of transparency that can contribute to and exacerbate patient safety risks, system security vulnerabilities, and health IT performance issues.”[27]

Screenshots of health IT in action represent an important aspect of communications concerning health IT.  The final rule cites to several studies which emphasize the critical role of health IT screenshots in identifying the dangerous and improper use of health IT and opportunities to improve patient safety.

In an effort to open communication and enhance patient safety, the final rule forbids health IT vendors who seek to certify their products from prohibiting or restricting communications in six protected subject areas, including “the usability of the health information technology” and “relevant information regarding users’ experiences when using the health information technology”.[28] In regard to screenshots specifically, the Final Rule concludes:

“We emphasize that the communication of screenshots is essential to protect public health and safety and that our final policies take a measured approach to responding to and addressing real and substantial threat to public health and safety. The communication of screenshots enables providers, researchers, and others to identify safety concerns, share their experiences with the health IT, learn from the problems, and then repair dangers that could otherwise cause serious harm to patients. Our position is informed both by years of experience regulating health IT and overwhelming research and academia, which is discussed below.”[29]

In comments to the proposed rule, developers and others expressed concern about preserving intellectual property and other potential harms associated with unlimited release of screenshots or video.  To address these concerns, the final rule permits health IT developers to limit the release of screenshot or video content to that quantity relevant to and necessary to communicate the particular health IT issue relevant to one of the six subject areas, e.g. a specific patient safety issue. [30]


This article offers only a glimpse into the changes implemented by the final rule for the Cures Act. The final rule’s implications are widespread, and go far beyond the realm of medical malpractice attorneys, impacting health IT developers and health care professionals.  Hopefully, we will see changes in the months and years to come that will help technology and health care unite more effortlessly, while empowering patients and health care providers to do the same for the benefit of us all.

[1] 45 CFR Parts 170 and 171 RIN 0955-AA01 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, p. 1 of 1244.

[2] Id. at p. 7 of 1244.

[3] Currently, the Health Information Technology Advisory Committee (HITAC) is responsible for creating standards, implementation specifications, and certification criteria designed to implement a national and local health IT infrastructure, all with the goal to advance the electronic access, exchange, and use of health information.   HITAC makes recommendations to the National Coordinator for Health Information Technology, and with the National Coordinator’s endorsement, the Secretary of HHS reviews proposed standards, implementation specifications and certification criteria for adoption and publication in the Federal Register.



[6] 45 CFR Parts 170 and 171, RIN 0955-AA01, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, p. 198 of 1244.

[7] Id. at p. 202 of 1244.

[8] Id. at pp. 119, 210 of 1244.

[9] Id. at pp. 217-218 of 1244.

[10] Id. at p. 200-201 of 1244.

[11] Id. at p. 214-215 of 1244.

[12] Id. at p. 217 of 1244.

[13] ASTM E2147-18, Section 1.2, approved May 1, 2018.

[14] Id. at pp. 216-217 of 1244.

[15] 42 U.S. Code § 300jj–52

[16] Id. at pp. 653-654 of 1244.

[17] Id. at pp. 929-930 of 1244.

[18] Id. at p. 953 of 1244.

[19] 40 CFR § 171.302 (b)(2).

[20] Id. at pp. 957-958 of 1244.

[21] Id. at p. 121 of 1244.

[22] Id. at pp. 122-124 of 1244.

[23] Bernadette Wilson, The Challenges of Unstructured Healthcare Data, Carevoyance Blog, May 3, 2019.

[24] 45 CFR Parts 170 and 171 RIN 0955-AA01, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, p. 124 of 1244.

[25] Id. at pp. 125-126 of 1244.

[26] Id. at p. 916 of 1244.

[27] Id. at p. 311 of 1244.

[28] Id. at p. 313 of 1244.

[29] p. 357-358.

[30] Id. at pp. 365-366 of 1244.
