A woman and a man look at HIPAA information on a tablet together.

21st Century Cures Act and HIPAA

With increased patient access to health records, increased requests for changes might ensue.

Cures Act Overview

The new federal rule requires health care professionals to make available and share with their patients, at their request, eight types of notes and records:

  • History and physical notes
  • Consultation notes
  • Procedure notes
  • Progress notes
  • Discharge summary notes
  • Imaging narratives
  • Laboratory report narratives
  • Pathology report narratives

The rules require that this information be made available in electronic form. For many practices, the easiest way to do this is to use their new or existing EHR system. But for some practices that still use hand-written notes, scanning those notes into a secure PDF and keeping them in a digital file may be sufficient.

The Blocking Rule

Under the Cures Act, information blocking is prohibited. There are two types of information blocking. Information blocking can affect the patient, but also other health care professionals.

  • In the case of the patient, blocking might refer to a provider not allowing the patient access to their records, or not honoring a patient’s request to forward their information to another provider.
  • In the case of health care professionals, they may be denied access to information from another provider, or they might be prohibited from linking their EHRs.

Sometimes information can be denied, if the request falls into one of eight exception types provided by the Cures Act. You can find detailed information in the Cures Act Final Rules: Information Blocking Exceptions [PDF], but as an overview, they are:

  1. Preventing Harm
  2. Privacy
  3. Security
  4. Infeasibility
  5. Health IT performance
  6. Content & manner
  7. Fees
  8. Licensing

Establish a process for evaluating information requests and ensure staff members are knowledgeable about the exceptions involved.

The Patient’s HIPAA Rights

Consider this scenario: A patient calls your practice, upset with what she read in her medical records. She wants information regarding a diagnosis removed from her records. This request is not about demographic information, where changes are not an issue, but with a diagnosis resulting from a medical procedure. Should you do what they ask?

HIPAA gives the patients (and in certain circumstances, their representatives) the right to access and amend their protected health information (PHI). It is important you are familiar with this right and how it should (or should not) be accomplished prior to receiving a call like the one in the example.

With the 21st Century Cures Act (Cures Act) and the provision for open notes, effective April 2021, it is more important than ever to be compliant with requests from patients reviewing their records. The Cures Act requires healthcare providers to improve ease of access by patients to their health information.

As a result, patients may be reviewing the information in their records more frequently and more closely. Information which must be provided to patients (or their representative) includes consultation notes, procedure, discharge summaries, etc. Reviewing these notes may increase the chances of requests for amendments.

It is important for healthcare providers to comply with both HIPAA and the Cures Act. For a simple overview of both of these program visit: HealthIT Promote Patient Access

According to AHIMA (American Health Information Management Association):

Access to PHI must be granted within 30 days of the request. One 30-day extension is available. 

The patient must be advised of any extension and that extension must be documented. Any time a patient is denied access, the 30/30 day rule/extension applies. There are exceptions as to when a patient might have access such as:

  • The information is in psychotherapy notes
  • The PHI was obtained from someone other than the healthcare professional under a promise of confidentiality and access would reveal the source
  • The PHI makes reference to another person who is not a healthcare provider and access is likely to cause harm to that other person

The patient has a right to request an amendment to their records.

  • The request should be in writing, dated and signed
  • The request should provide a reason to validate the amendment
  • The request should identify the change to be made
  • The request should identify the relationship to the patient if the request is not being made by the patient (and proof provided if other than custodial parent)
  • The request is subject to a 60-day turn around with a 30-day extension
    • The patient must be advised of the extension, the reason for the delay and date action will be completed

The response to the request may be a partial or full agreement to the amendment.

Which one depends on the situation and should follow these steps:

  • The response to the request should be on a form filed with the patient’s medical records
  • The response should be completed on or before the effective date
  • The healthcare professional should provide a copy of the amended record to those individuals identified by the patient within a reasonable timeframe

The healthcare professional can deny the request for various reasons.

These may include, but are not limited to:

  • If the healthcare professional determines the PHI is accurate  and complete
  • If the information was not created by the healthcare professional being asked to make the amendment unless the originator of the information is no longer available to act on the request
  • If the information is not part of the patient’s medical or billing record

If the request to amend is denied:

  • The patient should be advised they have a right to submit a statement disagreeing with the denial.  As always, when communicating with a patient, stay away from medical jargon and use language they can understand.

State regulations may be relevant to access and amending medical records so it is always important to talk with your practice attorney.

This website uses first party and third party cookies to improve your experience and anonymously track site visits. By visiting this website, you opt-in to the use of cookies. OK