The 21st Century Cures Act: What it is and Implications for Digital Health Data

November 30, 2022
3 minute read

The way we store, manage, and share health data is changing.

It’s not just changing because technology is advancing. It’s changing because it has to—by law. 

The 21st Century Cures Act became US law in 2016, but some of the rules that it created were only finalized in 2020. That means that many provisions of the Act—and especially those about sharing health data—have come into force only recently. 

So what are those rules? And how will they affect sharing health data?

Here’s your quick guide on the 21st Century Cures Act, with a specific focus on how it impacts data sharing in the health field. 

What is the 21st Century Cures Act?

Legislators passed the Cures Act with the intention to “​​accelerate the discovery, development, and delivery of 21st-century cures, and for other purposes.”

It’s a big law and touches many aspects of healthcare in the U.S., including increasing funding for the National Institute of Health (NIH), regulating how health researchers disclose information about their subjects and changing how the FDA regulates research to approve new drugs among many other impacts. In addition, it sets a vision for improving the quality and accessibility of information so that Americans can make informed healthcare decisions while also minimizing reporting burdens on affected healthcare providers and payers. 

The specific requirements for electronic health data are detailed in the following two rules:

  1. The Office of the National Coordinator for Health Information Technology (ONC)’s Cures Act Final Rule. (We’ll call this the “ONC Cures Act Final Rule”). This rule advances interoperability and supports electronic health information sharing between providers. It applies specifically to healthcare providers.  
  2. The Centers for Medicare & Medicaid Services (CMSs) Interoperability & Patient Access Rule (CMS 9115-F). (We’ll call this the “CMS Interoperability & Patient Access Rule”). This rule also has provisions that support interoperability, but it also empowers patients to access their own data. This rule applies to both payers and providers. 

What do the rules say?

Both rules are detailed and comprehensive, but here’s a brief description of the provisions that are directly related to digital health data. 

The ONC Cures Act Final Rule

This rule is aimed at increasing patient access to their health records and making it easier for health records to be shared between providers and systems. Here are some of the standards that the ONC Final Rule establishes for healthcare providers. 

  • Data standards for interoperability. The rule helps support different organizations’ software working together by creating a standard framework for how health data is stored and exchanged. It creates the United States Core Data for Interoperability (USCDI) standard for data and specifies that all clinical data must be exchanged using HL7 FHIR RV 4 APIs. 
  • Access to health information. The rule specifies that patients should be able to access their own health information in the way they want it, including in digital form. The rule requires that providers offer digital health information over the web, including via smartphone applications.
  • Information blocking. Information blocking happens when an actor interferes with the access, exchange, or use of electronic health information (see complete definition here). The rule prohibits information blocking (with some exceptions). 

The CMS Interoperability & Patient Access Rule

The CMS Interoperability & Patient Access Rule is meant to make it easier for patients to access their own data. It specifically relates to patients in MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, CHIP managed care entities, and QHP issuers on the FFEs. The rule applies to both healthcare providers and payers in those networks. 

The rule has several main themes:

  • Patient access. The rule establishes that the organizations covered by the rule must implement APIs to allow their patients access to their own health information. Some of the information that must be available include adjudicated claims, clinical data, and lab results. The APIs have to follow the standards set in the ONC final rule. 
  • Data sharing. The rule helps support sharing of medical data between organizations by, for example, requiring that payers share health information with other payers at a patient’s request.

21st Century Cures Act timeline

The Cures Act and its rules will require many organizations to upgrade their technical infrastructure, so legislators didn’t make all the rules effective immediately. Instead, they gave a series of deadlines to have the right processes and policies in place. Here’s a brief overview of that timeline:

  • December 13, 2016: The 21st Century Cures Act was signed into law. 
  • June 30, 2020: The ONC and CMS final rules go into effect.
  • April 5, 2021: Information-blocking rules go into effect.
  • December 15, 2021: Developers of certified health technology must submit testing plans for technology infrastructure.
  • April 1, 2022: Attestations to Conditions of Certification (CoC) Begin.
  • October 6, 2022: All electronic health information must be made available and shareable.
  • December 31, 2022: All APIs must be active with HL7 FHIR standards.
  • March 15, 2023: Certified health technology companies must submit the results from their real-world tests.
  • December 31, 2023: All electronic health records must be able to be exported—either to a patient or by bulk exports to another provider or insurer. 

What are APIs and what do I need to be compliant with them?

Application programming interfaces (APIs) are basically a connection between two pieces of software. In the context of health data, APIs help one organization transfer health data to another organization or to an application on a patient’s smartphone. 

They’re the critical piece of technological infrastructure that payers and providers will need to stay compliant with the 21st Century Cures Act. 

But don’t worry—APIs can be less daunting than they sound. The Marble API takes care of all your data connections for you. We make sure that we’re following all the latest regulations so you can feel confident that you’re compliant. 

With Marble, you can meet your legal obligations without getting lost in your data connections. 

Unlock health data with the Marble API. Get started →

We unlock health data.

Use our powerful and versatile API to build the future of health data.

Get Started