Two final rules related to 21st Century Cures Act released during pandemic

Do not overlook these new additions.

Effective 60 days after publication in the Federal Register, covered entities and business associates alike need to understand these final rules, including the new HL7 FHIR API Capability Standards.

As part of the 21st Century Cures Act (the “Act”), the Centers for Medicare and Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information (“ONC”) were required to develop policies to advance interoperability through data sharing and identifying activities, which are not considered to block information. Fundamentally, the CMS Final Rule and ONC Final Rule (“Final Rules”) aspire to foster competition, while simultaneously expanding a patient’s access to and control over his/her health information. In keeping with HIPAA’s Privacy Rule and Security Rule, “[e]nsuring the privacy and security of patient information is a top priority for CMS.”

Trending: Establishing empathy via telemedicine

These Final Rules are dense. And, as of the time of this article, the Final Rules have not been published in the Federal Register. There are a few items of note, which covered entities, business associates and patients alike need to appreciate. The starting points for appreciating the Final Rules include the following:

  • Secure application programming interfaces (“APIs”) – specify how software components should interact.

  • Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 – beginning on January 1, 2021, Medicare Advantage, Medicaid, CHIP and plans on the federal Exchanges will be required to support this standard that allows a patient to access claims and various information related to his/her medical encounter (i.e., cost or clinical information), via a third-party app of his/her choice.

  • API could be used to integrate a health plan’s information into a patient’s EHR.

Read More: Coding for Telemedicine Visits

Additionally, the Final Rules require the establishment of a Provider Directory API amongst CMS-regulated payers. This particular API strives to provide third-party app developers with ability to connect patients with a wide selection of provider options, as well as assisting providers find other providers for care coordination.

One caveat that both providers and third-party app developers should be aware of – HHS guidance, which is consistent with Ciox Health, LLC v. Azar, No. 18-cv-0040 (D.D.C. (Jan. 23, 2020). As HHS indicates on its website:

Q: Does a HIPAA covered entity that fulfills an individual's request to transmit electronic protected health information (ePHI) to an application or other software (collectively "app")1 bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app's use or disclosure of the health information it received?

A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual's direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual's app – chosen by an individual to receive the individual's requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.

If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

In sum, there is a lot to digest. Covered entities and business associates need to consider more than just the Final Rules. Patients should also be educated and given choices that are approved instead of opening the floodgates to ransomware attacks and malware being installed through “any third-party app” that a patient chooses. 

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website,