What Is 21st Century Cures Act?
The 21st Century Cures Act is a 2016 federal law that, among many other provisions, established information blocking prohibitions and patient access requirements for electronic health information, enforced under the ONC Cures Act Final Rule.
- Practices should configure EHRs to release results to the patient portal at the same time they release to the ordering provider unless one of the exceptions applies.
- Document the basis for any delayed release.
21st Century Cures Act
Also known as: Cures Act; Cures Act of 2016
The 21st Century Cures Act is a 2016 federal law that, among many other provisions, established information blocking prohibitions and patient access requirements for electronic health information, enforced under the ONC Cures Act Final Rule.
Definition
Signed into law in December 2016, Cures Act covers FDA drug development, NIH research, and mental health, but its most significant impact on medical billing and practice operations is the Information Blocking Rule (45 CFR Part 171, effective April 5, 2021) prohibiting health care providers, health IT developers, and HIEs/HINs from interfering with the access, exchange, or use of electronic health information (EHI). It also mandated patient access to EHI via standards-based APIs (USCDI v1, expanded to v3+). Penalties apply to health IT developers and HIEs/HINs (up to $1M per violation) under HHS OIG; provider 'appropriate disincentives' include Medicare program penalties.
Example
A practice that refuses to release imaging reports to a patient's app via the FHIR API, or delays releasing test results to the portal until the provider 'reviews' them, may violate the Information Blocking Rule unless an exception applies (e.g., preventing harm, protecting privacy, infeasibility, or content/manner preferences).
Common Misconceptions
The Information Blocking Rule does not override HIPAA — it is layered on top. HIPAA permits patient access; Cures Act requires it without unreasonable delay. The eight regulatory exceptions (Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Content & Manner, Fees, and Licensing) define the only legal reasons to limit access.
Practical Application
Practices should configure EHRs to release results to the patient portal at the same time they release to the ordering provider unless one of the exceptions applies. Document the basis for any delayed release.
Related Terms
Information Blocking Rule
The Information Blocking Rule, codified at 45 CFR Part 171 under the 21st Century Cures Act, prohibits health care providers, health IT developers, and health information networks from engaging in practices likely to interfere with access, exchange, or use of electronic health information (EHI), subject to eight regulatory exceptions.
Read definition arrow_forwardFHIR
FHIR (Fast Healthcare Interoperability Resources) is an HL7 standard for exchanging healthcare information using modern web technologies (RESTful APIs, JSON/XML, OAuth 2.0), used for clinical data exchange, patient access APIs, and increasingly for prior-authorization and quality reporting.
Read definition arrow_forwardEHR (Electronic Health Record)
An Electronic Health Record is a digital, longitudinal record of a patient's health information maintained by a healthcare organization, designed to be shared across providers and care settings, and to support clinical decisions, billing, and quality reporting.
Read definition arrow_forwardHIPAA
HIPAA is the 1996 federal law that establishes national standards for protecting the privacy and security of individually identifiable health information held by covered entities and their business associates.
Read definition arrow_forwardWhere This Applies on MedPrecision
Need help with billing?
If this term is showing up in your denials, EOBs, or A/R aging, we can help. Get a free billing audit and we will trace the issue to its root cause.