
In December 2016, the 21st Century Cures Act was signed into law, making national headlines for creating new programs and advancing regulatory reforms to speed the development and approval of new drugs and medical devices. Other provisions in the bipartisan law sought to address the opioid crisis, support precision medicine, and increase access to behavioral health services.

Still, the most important part of the Cures Act for the health IT industry and most healthcare providers focused on advancing health data interoperability through a combination of new and/or revised programs, mandates, and rules. Given the importance of these provisions and since it has now been over five years since the law was enacted, let’s check in on the status of the key health IT provisions of the 21st Century Cures Act.

Finally, a final rule 

The Cures Act tasked the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) with writing the new health IT regulations. ONC took its first shot at doing so by issuing a proposed rule in 2019. Then, following an extended public comment period, in March 2020 ONC released a 1,244-page final rule aptly titled, “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.” The ONC regulation established compliance or implementation deadlines for most of the rule’s major provisions at six, 24, and 36 months from the rule’s initial effective date (June 30, 2020). However, ONC later delayed most of those deadlines in response to the COVID-19 pandemic.

As it stands now, some of the health IT rules called for by the Cures Act are in effect, others are in effect but are not being enforced, and others still have yet to be written. Thus, it is fair to say that the Cures Act is definitely still a work in progress.

Next, let’s consider the status of three critical parts of the law: (1) EHR certification updates, (2) information blocking, and (3) the trusted exchange interoperability framework.

EHR certification updates

Many of you may remember (even if you hope to forget!) that the Meaningful Use (MU) EHR Incentive Program came in three stages. For each stage, EHR vendors were required to demonstrate that their products met a list of certification criteria (product functions) to obtain federal certification status. In turn, physicians were required to “upgrade” their EHR software to the next level of certified edition and then meet the reporting objectives required for each stage.

Meaningful use ended several years ago, but many of its compliance obligations (including the use of certified EHR technology aka CEHRT) were rolled into the Medicare Access and CHIP Reauthorization Act (MACRA) law’s Quality Payment Program (QPP). As such, individual clinicians and groups subject to the QPP—Merit Based Incentive Payment System (MIPS) or Advanced Alternative Payment Models (APMs)—are still required to use CEHRT.

Enter the Cures Act, which included a long list of new EHR certification criteria (product functions) and program requirements (specific business practices and actions) that EHR companies must meet to maintain federal certification. EHR products that pass the government-sponsored test that demonstrates they meet the new requirements earn the designation of being certified for the 2015 Edition Cures Update***. 

Under the ONC final rule, this 2015 Edition Cures Update will be the only CEHRT accepted in the QPP and other federal programs as of January 1, 2023. This means that providers participating in the QPP or other programs that require CEHRT will have to upgrade to the 2015 Edition Cures Update of an EHR before the end of this year. (Please note: Some federal programs such as MIPS only require 90 days of CEHRT per calendar year, so the upgrade deadline will be as late as October 2, 2023 in many cases.)

Another way to think of this Cures Act EHR update: meaningful use stage four. That’s because even though the MU program ended years ago, this will be the fourth time since 2011 that some physicians will have to upgrade their EHRs to a new edition of CEHRT to keep pace with federal regulations.

Information blocking

As defined under section 4004 of the law, information blocking is generally a practice by a certified EHR company, health information network, health information exchange, or health care provider that, except as required by law or specified by HHS as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI). ONC’s 2020 final rule defined each of these terms in detail and identified eight categories of reasonable and necessary activities that generally do not constitute information blocking.

In the final rule and through subsequent sub-regulatory guidance documents, ONC also described several scenarios that likely would trigger information blocking. Perhaps the most controversial of those requires healthcare providers to immediately release lab or test results to patients through patient portals without allowing time for consultation or provider communication of the results.

As for implementation, the ONC final rule originally set the applicability date for the information blocking regulations as November 2, 2020, but that was later moved to April 5, 2021. The rules did go into effect on that date, but until October 6, 2022, they are limited in scope by only pertaining to electronic health information (EHI) as identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard. Furthermore, even though the rules went into effect in April 2021, they are not being enforced. This is because the HHS Office of the Inspector General (OIG) has yet to issue a final rule to establish enforcement dates and policies pertaining to the civil monetary penalties that health IT developers, networks, and exchanges will be subject to, and HHS has yet to establish “appropriate disincentives” for healthcare providers.

Until these enforcement and disincentive rules are finalized, the information blocking rules will technically remain in effect, but for practical purposes will also remain unenforced.

Trusted Exchange Framework and Common Agreement (TEFCA)

In an effort to nudge national health information networks like Carequality and CommonWell to connect with one another, Section 4003(b) of the Cures Act required ONC to publish a Trusted Exchange Framework and Common Agreement (TEFCA) for voluntary industry participation. As intended under the law, the Trusted Exchange Framework would describe a common set of non-binding, foundational policies and practices that could help facilitate exchange among networks, while the Common Agreement would establish the infrastructure model and governing approach for users in different networks to share clinical information under a set of mutually agreed-to rules.

To this end, ONC released draft TEFCA documents for public comment in both 2018 and 2019. In 2019, ONC also issued a Notice of Funding Opportunity and subsequently awarded a government contract to The Sequoia Project to serve as the Recognized Coordinating Entity (RCE) that would develop, update, implement, and maintain the Common Agreement. Then, following an extensive review of public comments, in January 2022 ONC published the first final version of TEFCA.

With this release, The Sequoia Project also took steps to begin implementing TEFCA, saying that entities would “soon” be able to apply for Qualified Health Information Network (QHIN) designation under the agreement. Following the submission and approval of QHIN applications, The Sequoia Project said it expects QHINs to be able to sign the Common Agreement and be onboarded for operational data exchange in late 2022. Thus, TEFCA is in the early stages of implementation and seems poised to “soon” be in the operational phase also.


It’s hard to believe it has been over five years since the 21st Century Cures Act became law. But, as we just learned, the key health IT provisions in the law are still a work in progress that have not yet been fully implemented. For those of us tracking the rules and interested to see if the law delivers on its promise of advancing interoperability and data exchange… here’s to the next five years.

For more information on the 21st Century Cures Act, listen to our podcast.

***In March 2022, NextGen Healthcare announced that its NextGen® Enterprise EHR achieved the Office of the National Coordinator for Health Information Technology (ONC-Health IT) 2015 Edition Cures Update Health IT certification via Drummond Group LLC, an Authorized Certification Body (ACB). This made NextGen Healthcare the first EHR developer to certify a complete EHR solution to the 2015 Edition Cures Update criteria. To learn more about NextGen Healthcare Enterprise EHR’s 2015 Edition Cures Update certification, please see here.

Chris Emper

Government Affairs Advisor, NextGen Healthcare

Chris Emper, JD, MBA, is government affairs advisor at NextGen Healthcare and president of Emper Healthcare Advisors—a health IT industry advisory and consulting services firm in Washington, D.C. that specializes in helping healthcare providers and technology companies successfully navigate and comply with complex regulations and value-based reimbursement models. Prior to forming Emper Healthcare Advisors in 2016, Chris was vice president of Government Affairs at NextGen Healthcare (NASDAQ: NXGN) and Chair of the Electronic Health Record Association (EHRA) Public Policy committee.

An expert in The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), The Patient Protection and Affordable Care Act (ACA), and The 21st Century Cures Act, Chris is a frequent speaker at industry conferences and has written or appeared in articles in publications such as Politico, Health Data Management, Accountable Care News, and Medical Economics. From 2016-2019, Chris served as Chair of the HIMSS Government Relations Roundtable, a leading coalition of health IT government affairs professionals.

Prior to joining NextGen Healthcare in 2013, Chris served as a Domestic Policy Advisor for former Massachusetts Governor Mitt Romney’s 2012 Presidential Campaign, where he advised the campaign on policy issues including healthcare, technology, and innovation. He holds a law degree and an MBA from Villanova University and a BA from Boston College.