We recently conducted a webinar focused on helping covered entities untangle recent changes within the  21st Century Cures Act. Here are some highlights and insights from our key speakers.


The Cures Act was created to combat information blocking and permit patients' unobstructed and secure access to their healthcare records. Information blocking has been an ongoing issue as health entities needlessly withhold or complicate access to electronic health information (EHI) and thus create a major hurdle for nationwide interoperability.

The Cures Act Changes at a Glance:

  • Commands healthcare information systems to permit easy and secure access to EHI “without special effort”
  • Broadens definition of EHI to include electronic protected health information (ePHI) defined under HIPAA
  • Mandates Health Level 7 Fast Healthcare Interoperability Resources (HL7 FHIR) API standards to permit individuals easy and unrestricted access to their EHI
  • Requires payers to support structured HL7 API exchanges
  • Instructs vendors to provide patients with mobile access to EHI through computer and smartphone applications

What Must Organizations Know About EHI October 6th Deadline?

Previously, electronic health information (EHI) was confined to records falling under the U.S. Core Data for Interoperability (USCDI) Version 1, limiting patients’ access to portions of their health records. As of October 6, 2022, EHI’s definition will be expanded to include all of the designated record set (DRS) as detailed in HIPAA. Under HIPAA, the DRS is a group of records maintained by or for a covered entity (CE). Under HIPAA Privacy Rules, patients bear the right to unrestricted access, upon request, to their EHI.


“The smaller facilities are really struggling to be able to meet some of this interoperability requirements as they just don’t have the resources or expertise.” – Debi Primeau


HIPAA Designated Record Sets Include:

  • Medical records
  • Billing records
  • Payment and claims records
  • Health plan enrollment records
  • Case management records
  • Other records used, in whole or in part, by or for a covered entity to make decision about an individual

After October 6, any patient data included in DRS will be subject to the information blocking regulations. However, enforcements by the HHS Office of Inspector General (OIG) will not include penalties and disincentives until rulemaking is finalized.

Exceptions are permitted, but they carry strict guidelines. Jonathan Friesen, chief privacy officer at Geisinger Health System, suggested that CEs should “err on the side of providing access,” unless there is “reasonable belief that releasing that record will cause significant physical harm or death to the patient or another individual.”

Codifying Your DRS

Covered entities must clearly define their DRS for the October 6 deadline to preserve Cures Act complianceand be sure not to confuse legal medical records with DRS. Though you may find some overlap, each contain unique data used for different purposes. Kelly McLendon, RHIS, CHPS, an HIM practitioner and thought leader for over 43 years, warned hospitals and larger organizations “that part of your designated record set may not reside within your EHR and that data, if they're electronic in format, are also subject to the regulation.”

ehr-genericCommunicate with Your EHR Vendor

Many covered entities are grappling with lack of interoperability that is needed to ready them for the Cures Act’s requirements. Communication with your EHR vendor is key to preserve compliance. This is particularly true for smaller organizations. Founder and president of Primeau Consulting Group, Debie Primeau, said, readiness may be a challenge for “organizations that may or may not be a part of a large Epic- or OCHIN-supported EHR vendor. The smaller facilities are really struggling to be able to meet some of this interoperability requirements as they just don’t have the resources or expertise.”

Practical Steps Towards Compliance for October 6

  1. Read the rule
  2. Gather multi-department group to identify individuals within the organization whom the rule will affect
  3. Conduct an assessment of all your systems
  4. Define your DRS
  5. Review policies and procedures for necessary updates
  6. Evaluate information blocking possibilities and revise accordingly
  7. Ensure you are sufficiently collaborating the multi-department group to extract all details
  8. Develop communication and education plans, both internally, and externally with patients

Beyond Compliance

Compliance readiness for the October deadline should be on all covered entities critical priority list. Compliance is an essential underpinning for patient care, patient satisfaction and trust. And yet there is another consideration that isn’t often discussed: the potential to create business value that comes from the exchange of data. Genzeon’s GM of Healthcare, Harsh Singh, said, “This act is here for a reason, which is to enable that value creation to happen as more clinical data is shared and more data is accessible and available. There are better decisions to be made across care management, there are better decisions to be made at patient level for their own care. This interchange of data in a standardized format is important. More focus on compliance is one piece of it, but actually enabling the value creation, that comes with exchange of data. Let's not seek out the concept of minimum viable compliance, but really, truly go get the business value that's out there.”

Learn more and dive deeper into demystifying the Cures Act and how covered entities can prepare for the deadline:


cures-act-webinar-tmb-1Watch the full webinar