The ONC Cures Act Final Rule - Technical requirements summary

| Author , tagged in fhir, 21st Century Cures Act
Cloudticity, L.L.C.

The 21st Century Cures Act rolls out significant changes that will transform how the healthcare industry exchanges data at a fundamental level. The act will take advantage of new standards and technologies to empower the patient while modernizing clinical and administrative initiatives amongst payers, providers, public health agencies, vendors, and healthcare information exchanges and networks. 

Because the act was so general in it's scope upon initial publication, the Office of the National Coordinator (ONC) took steps to clarify rules surrounding interoperability and patient information blocking. This resulted in the development of the Final Rule which went into greater detail around the technical implementations needed for companies to remain compliant to the new rule. 

As a result, it will be important for covered entities and business associates to evolve their current IT infrastructure or risk having to play an expensive game of catchup once the deadlines for the requirements have arrived – or worse, face heavy fines or even lose customers. 

Key Final Rule Implementations

Because many of the requirements in the Final Rule are complex in terms of how they should be implemented according to each organization, companies should not look at Final Rule compliance as something they just have to implement only once but rather as an evolving effort that keeps up to date with policy changes as more technology is adapted in the marketplace. 

While there is no “checkbox” list of requirements to fulfill the 21st Century Cures Act, there are technical considerations that should be implemented by an organization’s health IT program. 

In this blog, we will summarize the major considerations of the Final Rule in regards to interoperability and information blocking and the impact they may have on your infrastructure. Along the way, we’ll include some excerpts from the Final Rule itself and some interpretations that can give you more clarity on how to solve the problem moving forward.

Cloud-backed API Integration for Patient Access

One of the major requirements for compliance with the 21st Century Cures Act in regards to interoperability is the API condition of certification. 

The API Condition of Certification requirement in Section 4002 of the Cures Act requires health IT developers to publish APIs that allow “health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards, as provided for under applicable law.” The requirement also states that a developer must, through an API, “provide access to all data elements of a patient's electronic health record to the extent permissible under applicable privacy laws.”   (85 FR 25739)

This condition from the Final Rule can help organizations determine how data is to be consolidated within the organization. For far too long, healthcare data has been spread out from many different sources and siloed out in many different environments. By consolidating the data, organizations can begin to normalize data formats for use across the entire IT infrastructure. 

SMART on FHIR API access across all systems will lead to better data standardization and interoperability. It will then become easier for patients to access their data while organizations remain compliant to the Final Rule. 

Standardized Data for Interoperability 

The push for interoperability as defined by the Final Rule is driving data standardization across the healthcare industry. Current standards are both technical and content-driven in scope and include:

Technical Data

      • HL7 FHIR: FHIR resources that define the content and structure of core health data through standardized applications. 
      • SMART IG/OAuth 2.0: Secure application architecture authorization for developers to access FHIR resources by requesting access tokens from OAuth2.0 authorization servers. 
      • OpenID Connect: Authentication built on top of OAuth2.0 for end-user communication. 

Content-Driven Data

      • United States Core Data for Interoperability (USCDI): Standardized set of health data classes and data elements for interoperable health information exchange across the healthcare IT ecosystem. 

We have adopted the HL7 FHIR US Core Implementation Guide STU 3.1.0 (US Core IG) implementation specification in § 170.215(a)(2). We note that we adopted the latest version of the US Core IG at the time of the final rule publication. The US Core IG defines the minimum conformance requirements for accessing patient data using FHIR Release 4 (adopted in § 170.215(a)(1)), including profiled resources, operations, and search parameters for the Data Elements required in the USCDI implementation specification (adopted in § 170.213).(85 FR 25740)

By having the ability to standardize EHR data, organizations will be able to assess what data is actually useful for the patient and then pull this data into a central repository for further transformation and analysis.

Information Blocking Stipulations

One of the more challenging aspects of The Final Rule is finding the right balance between patient access and information blocking. 

In addition, we clarified that under our proposed definition, EHI includes, but is not limited to, electronic protected health information (ePHI) as defined in 45 CFR 160.103. We noted that EHI may also be provided, directly from an individual, or from technology that the individual has elected to use, to an actor covered by the information blocking provisions. (85 FR 25803)

Because patients make the final decision on what applications obtain access to their healthcare, having a clear communications workflow present during attestation can help prevent information blocking while adhering to HIPAA’s Privacy Rule

Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:

(i) Psychotherapy notes; and

(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

(45 CFR § 164.524)

The Final Rule Adoption Challenges

If your organization is not yet ready to comply with The Final Rule, you’d better move quickly because the deadline is July 1st, 2021. However, there are a few things to keep in mind when considering a solution:

      • Complexity and timeline – at the moment, most health IT legacy systems rely on large server farms as well as teams of developers for data integration into a more interoperable format like FHIR or HL7v2.0. Because of this, there is a high cost associated with maintaining, building, and scaling these systems. While you can hire teams of developers to learn and implement an in-house solution from scratch, the sheer complexity as a result of the multiple implementation guides at different levels of maturity for each resource specification makes this a very time intensive project. 
      • Cost of traditional, third-party solutions – when instituting your own servers is not feasible, small and medium sized organizations must turn to database management vendors to store and access their data. While this is one solution, the proprietary nature of the data stored in these vendor solutions requires users to employ a mixture of add-ons and licensing fees that can quickly cause expenses to snowball. Additionally, organizations must remain customers or lose access to their own data. 
      • Legacy system issues – many legacy systems use varying types of incompatible technology that don’t scale well. Many of them lack user-friendly interfaces, making administrative tasks more complex than they need to be. Ingesting vast amounts of data into them is impractical for an organization that simply seeks to comply with Final Rule requirements in the most simple and efficient way.

Mapping Out Your Plan To Comply With The Final Rule

Given the difficulties and expenses associated with integration engines, a cloud-based solution is the only viable path forward to meet the deadline. Unlike traditional solutions, a cloud-based solution is:

      • Fast: you can deploy in moments without the need to procure, rack, and stack hardware.
      • Cost-efficient: you can align operating costs with demand, only paying for what you use.
      • Consolidated: you can add storage to your data store at any time without adding separate environments.
      • Flexible: you can access your data with open-source tools and avoid paying expensive licensing fees to maintain access.

To learn how Cloudticity Healthcare DataHub, our cloud-native integration and analytics solution, can help you quickly comply with the Final Rule, read the full white paper. Or schedule a free consultation to learn how you can meet the ONC Final Rule requirements in days instead of months.


TAGGED: fhir 21st Century Cures Act

Subscribe Today

Get notified with product release updates and industry news.