The ONC Cures Act Final Rule

December 28th, 2020

The Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule hardly rolls off the tongue, but it’s bringing important changes to the world of healthcare. Its provisions aim to improve interoperability and facilitate smoother data exchange.

ONC Cares Act Final Rule

Although these changes would be beneficial to certain aspects of the healthcare experience, there are also some potential drawbacks associated with the ONC Cures Act Final Rule. The most controversial aspect is that it allows patient health information to be shared with third-party app developers, outside of the bounds of HIPAA regulations. This access outside of HIPAA’s regulatory environment could lead to a rise in health-related data breaches.

The 21st Century Cures Act and How It Relates to the ONC Cures Act Final Rule

The 21st Century Cures Act was passed by Congress in 2016, containing a wide range of changes to health legislation. One small aspect of the 21st Century Cures Act was its drive toward improving the interoperability and access to health information. This led to the Department of Health and Human Services (HHS) introducing two related rules that aim to meet these goals.

One of these was the ONC Cures Act Final Rule, which brings changes to its health information certification program. These focus on improving the data exchange between healthcare patients, their providers, and payers. This will be facilitated by APIs that aim to enhance data access and interoperability.

The other rule was developed by another division of HHS, the Centers for Medicare and Medicaid Services (CMS). The CMS Interoperability and Patient Access Rule applies to Medicaid, Medicare Advantage, CHIP, and qualified health plan issuers on federally-facilitated exchanges. This rule uses the CMS’ authority to push for many of the same interoperability and access measures, but focuses on the above entities instead. We’ve covered the CMS Interoperability and Patient Access Rule in depth at the link above.

The final versions of these rules were published in May of 2020. The earliest requirements will begin applying in January 2021, while others will come into play over the following years.

What Is the ONC Cures Act Final Rule?

Alongside the CMS Interoperability and Patient Access Final Rule, the ONC Cures Act Final Rule aims to give patients greater control over their healthcare records. The HHS believes that it can deliver “…affordability and quality through transparency and competition…” by bringing smoother exchange of data between entities, and enhanced patient use of smartphone apps.

The rule is pushing the development of a range of third-party apps, which patients will be able to choose from to get on-demand access to some information in their medical records. These apps will be able to access data through inter-operable APIs, which will allow patients to check out details about their test results, medications and clinical notes. This smoother information flow aims to help patients compare possible treatments and costs from various providers, while also giving them greater understanding into their expected health outcomes.

Healthcare providers and payers will also be able to choose third-party apps that best suit their needs, with the idea that this will drive innovation in the industry. Once they have already set up their patient access systems, these apps may also drive down costs for healthcare providers and payers. If patients can access the necessary information through the apps, then it will reduce their need to contact staff members.

Another key component of the ONC Cures Act Final Rule is that it includes provisions to stop anti-competitive behavior. Organizations that block access to patient data will be publicly listed, allowing patients to make more informed decisions and choose providers who grant them better data access.

Security and HIPAA Compliance: What Does the ONC Cures Act Final Rule Change?

There are many potential benefits that could come with the ONC Cures Act Final Rule and the CMS Interoperability and Patient Access Final Rule. Despite the positives of increased access and competition, these rules also push healthcare data into uncharted territory.

Up until now, sensitive patient data has generally been guarded by the strong protections of HIPAA regulations. Under these new rule changes, HIPAA will not apply when third-party app developers access health data through the APIs. There are other privacy laws that place protections on this data, however these vary according to circumstance and state.

The major worry is that allowing access to health information under this patchwork of regulation will lead to a Wild West of data breaches and privacy violations. Healthcare data is incredibly sensitive and detailed, which makes it highly prized by hackers.

By putting this data into the hands of third-party app developers without the comprehensive protections of HIPAA legislation, we could see a significant rise of poor privacy and security practices, culminating in a greater number of attacks and sloppy handling of data. Not only could these breaches harm the affected patients, but they may also reduce trust in the institutions that are responsible.