Demystifying the 21st Century Cures Act: Healthcare Provider Obligations and Risks


Patient portals once offered limited access to medical information. Today, under the 21st Century Cures Act, healthcare providers are required to make a broad range of electronic health information available to patients immediately and without delay. While this increased transparency supports patient engagement, it also introduces new operational, compliance and liability risks for healthcare organizations.

Providers are now navigating a delicate balance between timely disclosure, clinical judgment, patient safety and regulatory compliance. Releasing test results and clinical notes before a provider can review or discuss them may lead to confusion, increased patient anxiety and heightened exposure to complaints or claims.

Understanding how the Cures Act reshapes patient access, information blocking rules and associated risks is essential for healthcare leaders who want to remain compliant while protecting their organizations.

What is information blocking?

Information blocking is referred to in a subsection of the Cures Act as a practice that prevents, materially discourages, or otherwise interferes with the patient’s right to access their electronic healthcare information.

Because of the legislation, the Office of the National Coordinator for Health Information Technology (ONC) issued an extensive outline addressing the compliance mandates for information blocking. A complete copy of those guidelines can be found on the ONC website.

Under the longstanding rules of HIPAA, providers are given 30 days to provide a patient with access to their medical records upon receipt of a written request. Under the information blocking regulations, providers need to provide free access “without delay” to an expansive range of electronic personal health information to be compliant with the regulation.

Enforcement is expected to begin at the end of 2023, and those compliance checks will expose healthcare providers to potential disincentives.

HIPAA vs. the Information Blocking Rule

One of the most common sources of confusion for healthcare providers is the difference between HIPAA’s medical record access rules and the information blocking requirements under the 21st Century Cures Act.

Under HIPAA, providers generally have up to 30 days to respond to a patient’s request for access to medical records. This framework was designed around formal requests and manual record delivery.

The information blocking rule, however, significantly changes that standard. It requires healthcare providers to make a broad set of electronic health information (EHI) available to patients immediately and without delay when the information exists in electronic form and the technology is in place.

Key distinctions include:

  • HIPAA focuses on responding to patient requests for records.
  • The Cures Act focuses on proactive, real-time access through patient portals.
  • HIPAA allows reasonable delays; the information blocking rule does not, unless a specific exception applies.
  • Compliance with HIPAA alone does not ensure compliance with the Cures Act.

Providers who rely solely on HIPAA-based policies may unintentionally expose their organizations to regulatory scrutiny and enforcement actions related to information blocking.

Understanding Healthcare Information Blocking Exceptions

While the information blocking rule emphasizes immediate patient access, the regulations recognize that unrestricted disclosure is not appropriate in every circumstance. The Office of the National Coordinator for Health Information Technology (ONC) outlines specific exceptions that allow providers to restrict access to electronic health information without violating the rule.

Some of the most relevant information blocking exceptions for healthcare include:

  • Preventing Harm Exception: Allows providers to restrict access if releasing the information is reasonably likely to cause harm to the patient or another person.
  • Privacy Exception: Applies when disclosure would violate privacy laws or patient preferences.
  • Security Exception: Permits restrictions necessary to safeguard electronic health information.
  • Infeasibility Exception: Recognizes situations where access is not technically or operationally feasible.
  • Health IT Performance Exception: Applies when access issues are related to system maintenance or performance limitations.

These exceptions are narrowly defined and must be applied consistently. Most importantly, providers must clearly document the reason for restricting access and demonstrate that the action meets the criteria of the applicable exception.

Improper use or blanket application of exceptions can create additional compliance and liability risk. Healthcare organizations should ensure staff are trained to recognize when an exception applies and understand the documentation required to support that decision. Detailed information on all exceptions is outlined by the ONC.


What patient information must be shared?

According to the United States Core Data for Interoperability (USCDI), all clinical notes must be shared if the technology is currently in place. That list includes:

  • Consultation Notes
  • Discharge Summary Notes
  • History and Physical
  • Imaging Narratives
  • Laboratory Report Narratives
  • Pathology Report Narratives
  • Procedure Notes
  • Progress Notes

Common Information Blocking Pitfalls for Providers

Even well-intentioned healthcare organizations can inadvertently engage in information blocking. As enforcement increases, providers must understand where breakdowns commonly occur in the patient information release process.

Some of the most frequent information blocking risks include:

  • Delaying the release of test results or clinical notes so a provider can review them first. While clinically understandable, automatic delays may violate the “without delay” requirement of the information blocking rule.
  • Manual workflows or approval queues that slow the posting of electronic health information (EHI) to patient portals.
  • Inconsistent portal practices across departments or service lines, leading to uneven access for patients.
  • Overly broad privacy restrictions that limit patient access without qualifying for a recognized exception under the rule.
  • Failure to document the rationale when access is restricted due to safety, privacy, or security concerns.
  • Assuming HIPAA timelines still apply, rather than aligning policies with the 21st Century Cures Act requirements.

Addressing these pitfalls requires more than technology. Providers must align policies, staff training and documentation practices to ensure patient access obligations are met while minimizing healthcare compliance risk.

What are the top three risks of providing open notes access?

According to the American Journal of Medicine, clinicians’ concerns over providing access to open notes center around three main issues:

  • The ability to communicate critical results before patient access
  • Compliance with information blocking vs. privacy laws
  • The task of uploading prior medical records contained

There are limited exceptions in situations where a patient may learn of critical test results through an online portal before the clinician has an opportunity to review those results and communicate with the patient.

Under the Cures Act Rule, one exception allows providers to restrict portal access to a specific entry if they believe the patient may harm another person or themselves due to reading the information, or if they need to protect the security of another person’s electronic health information (EHI). The Final Rule itself applies only to records that exist in electronic form. Providers are not under obligation to upload paper files to portals.

On the positive side, based on a survey conducted by JAMA Network, seventy-four percent (74%) of clinicians surveyed regarding open notes felt it would lead to better patient care, allowing for higher patient engagement and compliance. The ability to access private health information “without delay” through electronic health records will also address one of the highest reported complaints of patients according to NCBI: that patients feel they experience a significant delay in gaining access to complete information from providers.

Need More Resources?

Providers must review their concerns and be included in discussions on process changes and potential risk exposures evolving in the healthcare community. At LHA Trust Funds, we help healthcare providers navigate compliance obligations while minimizing liability exposure related to patient portal access, information blocking and data disclosure risks.

We want to address concerns the new requirements bring up and advise on areas that can lead to potential liability risks as healthcare providers navigate patient portal access.

Contact Director of Claims Operations Jamie Lamb at (225) 368-3817 or JamieLamb@LHATrustFunds.com to schedule a Cures Act presentation at your healthcare facility.


Disclaimer

This article is for informational purposes only and is not official technical or legal advice. The 21st Century Cures Act and information blocking rule do not supersede any state law pertaining to privacy or data release. Healthcare providers should consult with their organization’s Health Information Management, compliance, legal, finance, and/or public relations experts and teams to find out how it applies to them.



Jamie Lamb, AIC, INS, SCLA
Director of Claims Operations

Jamie Lamb began her career in claims in 1997 and has obtained various insurance designations during her career. Her experience includes but is not limited to the management of complex claims in general liability, medical malpractice, excess coverage, and professional liability.

As the Director of Claims Operations, Ms. Lamb works closely with our members and our internal departments to assist with strategic goals and initiatives. She attended Evangel University in Springfield, Missouri, and Loyola University in New Orleans.
