Health Care Provider Obligations and Risk Considerations Under the 21st Century Cures Act

Patient portals once had limited information available to patients, however, providers are now using them to offer an array of information to patients including laboratory results, surgical reports, and physician notes to be compliant with the 21st Century Cures Act.

Website Article EMR

While healthcare providers may think it is inappropriate to provide access to sensitive information or “bad news” before talking with a patient, the Cures Act includes a provision prohibiting “information blocking.”

Information blocking is considered a practice that prevents, materially discourages, or otherwise interferes with access to patient information. Unfortunately, that legislation did not include any guidelines or directions for providers to comply with the legislation.

The Office of the National Coordinator for Health Information Technology, (ONC) because of the legislation, issued an extensive outline addressing the compliance mandates for information blocking. A complete copy of those guidelines can be found on the ONC website here.

Under the longstanding rules of HIPAA, providers are given 30 days to provide a patient with access to their medical records upon receipt of a written request. Under the information blocking regulations, providers will now need to provide free access “without delay” to an expansive range of electronic personal health information to remain compliant beginning on October 6, 2022.

So, what information must be shared?

According to the United States Core Data for Inoperability (USCDI), eight types of clinical notes must be shared that are in effect now if the technology is in place. After October 2022, the definition expands to include all note types. The current list includes:

  • Consultation Notes
  • Discharge Summary Notes
  • History and Physical
  • Imaging Narratives
  • Laboratory Report Narratives
  • Pathology Report Narratives
  • Procedure Notes
  • Progress Notes

According to the American Journal of Medicine, clinicians’ concerns over providing access to open notes centers around three main issues: clinicians’ ability to communicate critical results before patient access, compliance with information blocking vs. privacy laws, and the task of uploading prior medical records contained.

In situations where a patient may learn of test results on a portal before the clinician has an opportunity to review those results and communicate with the patient, there are limited exceptions. Under the Cures Act Rule, it states that information can be blocked or hidden from patient access on online portals if they believe the patient may harm another person or themselves due to reading the information or if they need to protect the security of another person’s electronic health information. Detailed information on exceptions is outlined by the ONC. The Rule itself only applies to records that exist in electronic form. Providers are not under obligation to upload paper files to portals.

On the positive side of the impact, based on a survey conducted by JAMA Network, seventy-four percent (74%) of clinicians surveyed regarding open notes felt it will lead to better patient care allowing for higher engagement and patient compliance. The ability to access private health information “without delay” will also address one of the highest reported complaints of patients according to NCBI; that patients feel they experience a significant delay in gaining access complete information from providers.

Need More Resources?

Providers must review their concerns and be included in discussions on process changes and potential risk exposures evolve in the healthcare community. At LHA Trust Funds, we want to help discuss the concerns of the new requirements and advise on areas that can lead to potential liability risks.

Contact Jamie Lamb, Director of Claims Operations, at or (225)368-3817 to schedule a Cures Act Presentation at your healthcare facility.


This article is for informational purposes only and is not official technical or legal advice. State laws around data release may not supersede the 21st Century Cures Act. The Cures Rule specifically states that information need not be released to patients if such release is prohibited by other laws. Healthcare providers should consult with their organization’s Health Information Management, compliance, legal, finance, and/or public relations experts and teams to find out how it applies to them.

About the Author


Jamie Lamb
Director of Claims Operations, LHA Trust Funds

Jamie Lamb began her career in claims in 1997. Her experience includes handling multi-line claims in the areas of general liability, medical malpractice, automobile liability, commercial and personal property, excess and umbrella policies, and professional liability. Her experience comes as a former Manager and Litigation Specialist for the American National family of companies. She has been highly involved in the education and training of both internal and external customers her entire career. Ms. Lamb attended both Evangel University in Springfield, Missouri, and Loyola University in New Orleans.

Content Related to this Article


Answering Your Questions About Informed Consent in Healthcare

Here’s LHA Trust Funds’ take on informed consent and answers to frequently asked questions from our members.

Learn More


EMTALA Requirements Aren’t Just for the Emergency Department

Here are some frequently asked questions about EMTALA requirements, the responsibilities of your healthcare facility, and...

Learn More


Our 2023 Safety Stars Are Committed to Workplace Violence Prevention

View our 2023 Safety Star Award recipients and explore their workplace violence prevention solutions.

Learn More