Information Sharing Under The 21st Century Cures Act

Information Sharing Under The 21st Century Cures Act

By Barbara Carr, RHIA

On March 16, 2022 Verisma hosted a webinar on Information Sharing and the 21st Century Cures Act presented by Elisabeth Myers, MBA, Deputy Director, Office of Policy, HHS Office of the National Coordinator (ONC). The ONC oversees regulations concerning information sharing and interoperability of electronic health information (EHI). Information sharing is at the heart of the 21st Century Cures Act’s information blocking rules.

The Information Blocking regulation went into effect on April 5, 2021. While we should all be fully compliant with the regulations by now, the fact is that in 2022, the regulation will expand the definition of EHI beyond the current United States Core Data for Interoperability Version 1 (July 2020 Errata) (USCDI v1) data set. As defined by the Information Blocking rule, the EHI definition is as follows:

  • “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.

The expansion is “only” PHI that is in an electronic format. It does not include paper documentation even though that documentation may be scanned into the electronic record (PDFs). EHI is the discreet data that is used to make medical decisions. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set”. Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media”. If the ePHI is included in any of the following records and not in the exclusions such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well. For example, such things like psychotherapy notes, information complied in anticipation of, or for use in, a civil, criminal or administrative action or proceeding, employment records health information, and de-identified protected health information.

Organizations should be looking at what they now include in their designated record set policy and revise if necessary, to ensure the that their policy includes the full scope of EHI in preparation for the October 6, 2022 expansion of the EHI definition beyond the current USCDI v.1 definition.

More details and explanation of the Information Blocking Regulation was shared with the attendees. Points that have caused some questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors”. Actors are:

  • Health Care Providers
  • Health It Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule, which have caused a lot of questions from “actors”, in particular the “Infeasibility Exception” where it is not considered information blocking if it is infeasible for an actor to respond to a request. One example would be if it would be impossible for an actor to segment out psychotherapy notes from the EHI. Another would be the cost to comply would be prohibitive. Other examples were given as well as resource information available on ONC’s Cures Act Final Rule website, where attendees can find more information.

What should you do if you are experiencing information blocking? As directed by the Cures Act, the National Coordinator has implemented a standardized process for the public to submit reports on claims of information blocking. The report can be submitted through the Information Blocking Portal at:

The second part of the presentation was focused on the Trusted Exchange Framework and Common Agreement (TEFCA). TEFCA as stated in the 21st Century Cures Act – Section 4003(b). While we do exchange EHI now, not all EHI exchanges enable exchange from another exchange. TEFCA was established to provide a technical floor for nationwide interoperability and to simplify connectivity for organizations to securely exchange information to improve care while enabling individuals to gather their health care information.

While TEFCA alone could be a webinar in and of itself, we did learn how it will be organized and were given detailed information to help us understand how TEFCA will operate. The Recognized Coordinating Entity (RCE) is the entity selected by ONC that will enter into agreements with Health Information Networks (HINs) that qualify and elect to become Qualified HINs. The RCE will act as a governing body that will operationalize TEFCA requirements on. The QHINs in turn will connect directly to each other to facilitate nationwide interoperability. Each of the QHINs will connect participants and sub participants to each other. Permitted exchange purposes are: Treatment, Payment, Health Care Operations, Public Health, Government Benefits Determination, and Individual Access Services.

The webinar provided a wealth of information and examined both interoperability and TEFCA clearly for participants to understand what to expect going forward with information sharing in 2022.

Information Blocking Regulations: ONC 2022 Update

Information Blocking Regulations: ONC 2022 Update

Date: March 16, 3:30 pm – 4:30 pm EDT


Elisabeth Myers, MBA
Deputy Director, Office of Policy, HHS Office of the National Coordinator for Health Information Technology

The Information Blocking regulation went into effect on April 5, 2021. While we should all be fully compliant with the regulations, the fact is that in 2022, the scope of information sharing will expand from the current United States Core Data for Interoperability Version 1 (July 2020 Errata) (USCDI v1) data set to all Electronic Health Information (EHI) in the designated record set. In addition, the Trusted Exchange Framework and Common Agreement (TEFCA) Version 1 was released on January 18, 2022. The overall goal of TEFCA is to establish a model for securely sharing clinical information.

What does TEFCA mean and how will this impact the exchange and sharing of EHI going forward? How will this help facilitate the exchange of EHI among healthcare information networks? In addition, what does “all EHI” mean in terms of the regulation and what does this mean for healthcare organizations and payers charged with information sharing?

Hear from the Office of the National Coordinator for Health Information Technology regarding what to expect in 2022 and the status of ONC’s Information Blocking Regulations as they pertain to access, exchange, and use of electronic health information.

Learning Objectives:

  • Understand Information Sharing in 2022 and Subsequent Years
  • Learn about TEFCA and its implications for healthcare networks sharing of EHI.
  • Learn how covered entities should adopt and adapt for compliance in the coming year and identify specific impacts for release of information.

Pre-Approved for 1 AHIMA CEU Credit.



HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored Webinar HIPAA Right of Access and Information Blocking.[i]  We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights for customizing a presentation to compare and contrast Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the Webinar archive as it is a very useful reference. 

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory framework handles Right of Access reflects different contexts and purposes. The Information Blocking Rule concerns electronic health information which Myers and Noonan described as a “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions.  Patients, of course, have a right to access and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment and healthcare operations and specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and assumes that electronic PHI (ePHI) be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer friendly access. We should focus on eliminating barriers,  reducing turnaround times, and shifting to e-release whenever possible. 

The Rules differ in their breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem. EHR vendors, private exchanges, or other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns to HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads no later than 30 days. We should be doing all we can to reduce turnaround times by putting in place systems and workflows to avoid any “unnecessary delay.”   We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action announced earlier this month. Enforcement for Information Blocking Rule will be administered by HHS’s Office of the Inspector General and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no fee basis and this is driving adoption of use of Apps such as Verisma’s Request App ™ (VRA), a practice very much in line with the intent of both Rules. 

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC Webinar was a highlight of the week along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.   

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that when a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law. 

[i] Please e-mail Davy Simanivanh at to receive a recording of the webinar.

Enterprise Access and Disclosure Management: Your Opportunity to Lead

Enterprise Access and Disclosure Management: Your Opportunity to Lead

This first Health Information Access Week has brought together a range of perspectives on serving consumers, mitigating risks and deploying technology. We’ve been privileged to learn from experts who bring a lifetime of experience and insight to the changing challenges of  access and disclosure.  I am closing out this week with some reflections about leadership and management of access and disclosure operations. It is my belief that there is an urgent need for HIM leaders to address the health information access and disclosure disparities within their organizations. This is a key stepping stone to being able to modernize our approaches.  We have the expertise to do this and the time is now.

As a HIM leader, I made it one of my goals to achieve centralized health information access regardless of where the patient may have been treated within the healthcare organization. I view this as having three benefits: improved patient satisfaction, risk reduction and cost savings. It was clear to me several years ago, that HIM professionals needed to broaden our thinking beyond the hospital’s four walls and reach out to our physician practice administration, outpatient satellite and other facilities that make up our health system. Ultimately, the entire organization can benefit from centralizing the release of healthcare information.   

In leading the charge at Einstein Health in Philadelphia, I first called a meeting of our Hospital Administration staff, Physician Practice administrators, Risk Management and Compliance.

I described a recent scenario where an elderly patient had to go to three separate locations to acquire the healthcare information they needed for an upcoming appointment with a specialist. I then posed questions regarding why we persisted in this approach. All the patient’s information was stored in our Clinical Information System (CIS) regardless of location of treatment. Everyone agreed this was not ideal and agreed to work with me on a solution. 

The physician practices, at the time, were all doing their own individual release of information with various copy vendors, or their own in-house staff. There was no tracking, and very little quality control. At that time, all the HIM Departments were being handled by one vendor and covered by the same policies. Therefore, it was decided that we would tackle the practices first.

We started with bringing our release of healthcare information vendor to the table and put them to the task of working with us on a solution for the physician practice locations first. Since there are over 200 locations, this was a large change project. A project plan was developed, and a team of key stakeholders was assigned carry out the project. After 6 months of planning and strategizing, the first group of practices went live, followed by the next group, until all practices were handled by one group of release of information staff. Our vendor staffed the central location. 

Once we standardized and centralized the physician practices, we were able to move quickly with outpatient locations. In all, it took about 18 months to accomplish. In the end it was merged into one centralized release of healthcare information site. Now a patient can make one request for their information, which is then processed all at the same time, and delivered to the patient via whatever media and route they have specified. We were able to monitor quality and track all released information. We reduced costs and duplication of effort. Patients were less frustrated and more satisfied with our service. 

Risk and Compliance are less concerned with surprises and have one place to go to check on any issues. We are far less likely to receive a complaint and if we do, we have protocols to  resolve any before they become investigations. Importantly, having a standard way of handling access and disclosure across the enterprise, positions the organization to broaden the scope of release of information. For example, it possible to handle access requests from financial services, case management, utilization review and other health system function that rely on access to information.  When going through our release of information we are assured of the same quality control and tracking.

This experience not only helped me grow as a HIM leader but helped to expand my role in the organization beyond the HIM borders.  I was given more opportunities to work across the organization to streamline other processes. All this really helped fulfill my own goals to grow within my organization. 

In the end, I believe it is up to us as HIM leaders to have the vision, and then use our leadership to organize and lead others towards that vision.

Barbara Carr, RHIA a Verisma Advisor formerly served as Assistant Vice President Health Information Management at Albert Einstein Health Network in Philadelphia and as Corporate Director of Health Information Management at ChristianaCare, Wilmington, DE.


Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

In 2020, The Office of the National Coordinator’s (ONC) and the Centers for Medicare and Medicaid Services’ (CMS) released Regulations for Interoperability and Patient Access as required by the 21st Cures Act. Regulations increase access to medical information through application programing interfaces (API) to empower patients in their health care decisions. The API allows information to be shared and exposed within a consumer’s application-based solution of choice (e.g., wellness app). The information is portable, provides ability to share clinical information with care team, caregiver or other party and better understand healthcare costs and financial obligations. 

The focus has been on the Information Blocking Regulations issued by ONC, but the companion CMS Interoperability and Patient Access Rules also have important implications. ONC information blocking allows consumers health information access from a provider setting. However, health insurers have most of their enrollee’s financial and clinical information across care settings (i.e., provider, hospital, pharmacy, laboratory, or other setting that submits claims to health insurer) to provide a more complete picture of the consumer’s healthcare experience. 

The CMS rules require CMS-regulated plans to provide a patient access API, provider directory API and payer-to payer API by January 1, 2021. However, enforcement has been delayed to July 1, 2021. 

Patient Access API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) and Qualified Health Plan (QHP) on the federal exchanges are required to provide the Patient Access API. This API includes adjudicated claims (including Pharmacy), enrollee cost-sharing, encounter information, provider remittances, select clinical data, including lab results, formularies or preferred drug lists. 

The health insurer provides updates within 24 hours of receiving an encounter or processing a claim containing the cost and services provided to a patient. This financial information will assist consumers in tracking submitted claims, expected and current financial responsibility, in and out-of-network deductible amounts and other financial information for themselves and their dependents.  

The clinical information includes clinical notes that are written to track patient progress, inform other medical staff and explain treatment options. Typically, these notes are written using medical terminology and abbreviations that may not be familiar or understandable. The evolution of documentation narratives toward the inclusion of easy-to-understand layman’s terms and description of the patient and clinician team interaction and decision making will increase the value of the medical information to the consumer. This information needs to be boiled down into brief, understandable and actionable problem lists for the patient that add value, not burden.

Commercial payers may consider voluntarily providing this API to empower their enrolled consumers and assist providers participating in their alternative payment models. Value-based care, including capitation payment shift more of the medical risk to the provider including costs that occur outside of the facility or system. Therefore, providers need costs and clinical information across provider settings for attributed patients. 

Provider Directory API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) fee for service and managed care entities are required to provide the Provider Directory API. This API requires the provider names, addresses, phone numbers and specialties. An effective provider API will inform consumers what providers are in the health insurer’s network and if the provider is in the consumer’s specific health plan. 

Payer to Payer API

Medicare Advantage, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities and Qualified Health Plans (QHP) on the federal exchanges are required to provide the Payer to Payer API. This API requires an individual’s past health insurer to transmit their claims and encounter information, and subset of clinical information to their new health insurer. This sharing of history allows a longitudinal medical record to be compiled no matter how many times a consumer changes their health insurance. 

Commercial payers may consider voluntarily providing this API to maintain longitudinal records and ensure new enrollees are in the appropriate wellness programs and receive any gaps in current care.    

ONC and CMS’s information sharing requirements allow vendors and payers to enable a one stop shop that is secure, easy to access, actionable and meet a priority consumer need. This may include promotion of wellness through integration with wearables, reduce redundant paperwork at provider settings, make payments, appeal claim payment, store and share medical records for a chronic patient or their caregiver, provide dashboard with tracking/monitoring of hospital at home activities, maintain current drug list, order medical supplies, access care through telemedicine and more from the comfort of home. 

Expanded access to health information, including insurance-related information, has the potential to be inform and transform. Getting accurate and useful information to securely flow to consumers, across provider organizations, between providers and payers and payer to payer will be the work of healthcare over the next decade. This will be a heavy lift for consumers,  covered entities, vendors and business associates. For decades I have worked on the standards and policies to enable us to realize this vision.  Still, I have no illusion that this will be accomplished without significant challenges and protecting privacy and security will be among the most vexing. It’s an all hands on deck time to learn to use information for the benefit of consumer health and health services. 

Tammy Banks, MBA is a Healthcare Consultant with ImpactQue and previously served as Vice President Interoperability Program Development for Optum and as Director Practice Management Center and Payment Advocacy for the American Medical Association.  Outstanding Leadership and Distinguished Service Awards from WEDI.


It’s Block and Tackle:  Are Consumers and Providers Ready for the Heavy Lifting?

It’s Block and Tackle: Are Consumers and Providers Ready for the Heavy Lifting?

It seems not too long ago I was living a completely normal “mom life.” Normal routines, happy family, and happy life. Eight years ago, seems like yesterday. Our world changed with one routine doctor’s visit and with one diagnostic test. I can remember that day very clearly. I can remember every detail. My 11-year-old adopted daughter was diagnosed of Cystic Fibrosis. How could this diagnosis be found so many years after birth? Believe it or not, it is not that uncommon. Since that day, we live a very different kind of normal.  Our lives and routines have changed dramatically. My now 19-year-old daughter is acutely aware of her diagnosis and plays a very active role in her care and the maintenance and review of her electronic health information. She often tells everyone “Personal health information is saving Grace.” She generates and shares quite a bit of data collected by medical equipment, wearables, and other devices. My daughter’s chronic diagnosis requires her to be seen by multiple providers in-state and often across state lines. She is intimately involved in the collection, review, and sharing of her personal and electronic health information.

Our quest for interoperability is ongoing and while many believe interoperability exists, that is not always true or at least not true in every circumstance. It is often a challenge to receive access to every element of electronic health information required for care. APIs exist but are often underutilized placing the burden on the consumer. We have access to electronic health information, but it is often not comprehensive or interoperable. Electronic health information should not be leveraged to hold consumers hostage to a particular provider, service, or location. Recommended lean data sharing solutions are not appropriate for every consumer. In addition, provider utilization of legacy systems can interfere or prevent exchange of electronic health information. These systems may have checked the boxes for meaningful use but lack the capability to provide meaningful exchange of information. The challenges faced by providers and consumers are perplexing. Many times, we continue to rely on paper records to be transferred from provider to provider. Believe it or not, we still maintain scanned and indexed copies of health records to support care and in many cases the provider will request that we share. Technology is invisibly integrated into our daily lives. I am amazed that in 2021 I can electronically unlock the doors of my home and car, track items in my refrigerator, bank, shop, and be seen by a physician digitally but still struggle with electronic access to complete health information.

Information Blocking Final Rule removed intentional obstacles to patient access to electronic health information. The long-awaited rule handed patients greater control over information sharing and use of electronic health data. But will it really live up to consumer expectations? In conversations with providers, I have often been told that “our vendor will accommodate our data sharing needs.”  What does that mean? Will your vendor meet the consumer’s need for electronic health information? Will meeting the providers need, improve the quality of care for patients? I believe it can, but the journey will not be an easy lift. The burden cannot be placed solely on the vendor. It is a heavy lift that will require an ongoing commitment to an interoperable system that supports health information exchange and embraces education. Providers and consumers alike will play an important role in leading change.

For the 21st Century Cures Act to reach its potential as a catalyst for better healthcare and outcomes, advocating for and adoption of a systemic free-flow of electronic health information with a consumer-centric focus will be required. It should be a partnership between provider and consumer. Health Information Management (HIM) professionals can play a key role in accessing organization readiness and ongoing compliance. The HIM professional’s vast knowledge of HIPAA, electronic data access and exchange, as well as privacy and security standards position HIM professionals to be leaders in developing organization policies and educational programs that will benefit providers and consumers. Deliberate attention must be given to the eight exceptions outlined in the Cures Act related to information blocking. Aiding providers and consumers in understanding these exceptions are essential in achieving a successful partnership. Knowledge is key to access innovation and in mitigating future challenges.

Angela Kennedy, EdD, MBA, RHIA is CEO, Commission on Accreditation for Health Informatics and Information Management Education and former Professor and Chair, Health Informatics and Information Management Program, Louisiana Tech University.  She is a Past President of AHIMA and in recent years has become a Consumer Advocate.