
How the Newly Enacted ONC and CMS Healthcare Rules Affect You

Two new rules enacted in 2020 affect healthcare providers, insurers, and other healthcare industry constituents by preventing information blocking, enabling patient access using smartphones, promoting interoperability, and other provisions. This introduction outlines what you need to know about the new requirements to begin working toward compliance.

Healthcare Regulatory Landscape

Since the enactment of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, hospitals, medical centers and other healthcare providers have learned to understand the regulations, apply them to their organizations, maintain and prove their compliance, and remain up-to-date with changes and additions to the law.

The primary objective of HIPAA was to enable healthcare records to accompany patients as they changed health insurance plans and doctors throughout the course of their lives. This objective led, logically, to the creation of digital or electronic health records, which have made that portability much easier and more seamless over time.

Even today, however, the healthcare industry struggles with the twists and turns of HIPAA, its Privacy and Security Rules, and new rules enacted to clarify or reinforce existing rules. It’s complicated, sometimes redundant, and very difficult to navigate, especially for smaller healthcare practices.

Patients’ Rights to Access Records

Among many other provisions aimed at protecting individuals’ healthcare records, the HIPAA Privacy Rule also gave patients the right to inspect, review and receive a copy of their medical records and billing records held by health insurers and healthcare providers. 

Patients have a right to access both paper and electronic medical records, with the two notable exceptions of psychotherapy notes and any information collected for use in a civil or criminal proceeding. The rule enables modest fees to be charged for reproducing paper records. Generally, electronic records have been provided at no charge.

Despite having a legal right to do so, some patients have experienced problems in accessing their records.

Providers Have 30 Days to Deliver

The HIPAA Privacy Rule allows healthcare providers and insurers up to 30 days to supply patients with the requested records.

Since compliance with the Privacy Rule became effective in 2004, some patients have experienced difficulty in accessing their medical records. Some providers have denied access or extended the length of their response far beyond the 30-day window. This form of non-compliance is known as information blocking.

According to the Office for Civil Rights (OCR), an agency of the U.S. Department of Health and Human Services (HHS), patients’ problems in obtaining access to their own records are the third most common consumer complaint received by the OCR.

Information Blocking Investigated and Fined

Consider just two examples of hundreds of information blocking incidents. In 2015, the Connecticut State Attorney General investigated information sharing practices at Epic Systems after the company was accused of using electronic health records (EHRs) to control patient referrals and send patients back to their networks. As a result, in a state law that took effect on October 1, 2015, Connecticut became the first state to make information blocking illegal.

In 2019, HHS levied its first fine for information blocking when a patient complained that her Florida hospital took nine months to fulfill her request for her child’s prenatal records. Bayfront Health St. Petersburg was required to pay a fine of $85,000 to the Office for Civil Rights and submit to monitoring by the OCR for one year. In 2020, OCR settled numerous other investigations on the right of access, to support individuals’ right to timely access to their health records, and levied fines of tens of thousands of dollars on each healthcare entity involved.

Information blocking incidents and information sharing problems have not gone unnoticed by Health and Human Services. This is why, in February of 2019, two agencies of HHS proposed two new rules aimed at ensuring smoother interoperability among insurers, healthcare providers, and electronic health records systems, and eliminating information blocking to ensure patient access. The rules were enacted in 2020 and the first is already in effect.

The Two New Rules and What They Intend

Issued by the Office of the National Coordinator for Health Information Technology (ONC), the program rule on Interoperability, Information Blocking, and ONC Health IT Certification implements the 21st Century Cures Act passed in 2016. Known officially as the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, it is referred to in this post as the ONC Rule.

The other rule, issued by the Centers for Medicare & Medicaid Services (CMS), is titled CMS Interoperability and Patient Access. We’ll refer to this as the CMS Rule.

Together, the new rules reinforce current requirements for interoperability and patient access and take them a step further by requiring public and private healthcare entities to share health information with patients and other parties electronically, or digitally, while keeping that data private and secure, as required by the HIPAA Privacy and Security Rules. 

The new rules require the healthcare industry to adopt standardized application programming interfaces (APIs), which are fundamental to smartphone applications, to help individuals easily access their electronic health information using their smartphones.

How Smartphones Have Changed the Game

As of September of 2019, there were more than 260 million smartphone users in the U.S. At the same time, Millennials became the largest generation in America. More so than Baby Boomers, Millennials are tethered to their smartphones and mobile applications, as generations following them are expected to be.

The widespread use of smartphones and other highly portable digital devices, by patients as well as by doctors and nurses, has given rise to trends in telehealth, virtual appointments, and remote care services. During the COVID pandemic, healthcare providers have had to rapidly expand these services in order to continue to provide medical care.

In this digital realm where the smartphone is king, it is vital that healthcare providers adopt the use of APIs that can support electronic health information sharing securely and privately. While APIs have spurred innovation in many industries, the healthcare industry has lagged behind, according to an article in the HIPAA Journal.

The new HHS rules mandate the development of APIs in healthcare to advance the objectives of interoperability and patient access, stating that the use of APIs will:

  • Enable healthcare providers to easily share a patient’s electronic health records with other healthcare organizations that use different EHR systems.
  • Enable patients to instruct that their healthcare data, including medical records, be sent to a third-party health app if they desire.
  • Enable patient data contained in electronic health records to be provided to patients at no additional cost when it is accessed electronically. (Records may continue to be provided in paper form, if so requested, and a modest fee may still be charged.)


Implementation and Compliance Dates to Know

Most members of the healthcare industry need to be aware of the implementation dates for the new rules, as the timeframe is fairly short. This includes hospitals, medical centers, healthcare practices and other healthcare providers, health information exchanges, health information networks, EHR systems, health insurers, and developers of certified health information technology. The impact is industry-wide.

The ONC Rule took effect on June 30, 2020.

  • Compliance with information blocking provisions and several conditions of certification, including APIs, is required by November 2, 2020.
  • By May 1, 2022, compliance is required with other provisions of the rule, including a number of allowable exceptions, as well as implementation of electronic health information (EHI).
  • By May 1, 2023, export capability for EHI must be implemented.

The CMS Rule takes effect on January 1, 2021.

  • Beginning on this date, Medicare Advantage, Medicaid, CHIP, and plans on the federal Exchanges will be required to share claims data and other health information with patients through a Patient Access API.
  • Enforcement of rule requirements starts on July 1, 2021.
  • Beginning in November 2021, CMS may publish the names of clinicians and facilities believed to be engaged in information blocking, including participants in the Promoting Interoperability category of the Merit-based Incentive Payment System (MIPS).
  • As of April 1, 2022, states are required to send enrollee data daily, for beneficiaries enrolled in both Medicare and Medicaid, to improve coordination of care for this population.

ONC Act Timeline

The ONC Rule: What Else You Should Know

Following are some other important elements of the ONC Rule as outlined by the HHS press release announcing the final rules. It is not an inclusive list.

  • Healthcare providers must avoid any EHI accessibility restrictions that constitute information blocking, which could range from limiting patient access to their data, to interoperability problems that make it difficult for providers to share information with each other as needed.
  • Certain reasonable and necessary activities have been identified as exceptions to the Rule. Watch for a future post about these.
  • The Rule also prohibits information blocking practices, including anti-competitive behaviors, by health information networks and developers of certified health information technology (IT).
  • The new Rule requires that providers who use certified health IT are able to communicate about health IT usability, user experience, interoperability, and security using screenshots and video, which are considered critical forms of communication for such issues.

The CMS Rule: What Else You Should Know

Following are some other important elements of the CMS Rule noted in the HHS press release, although not an inclusive list.

  • Health plans in Medicare Advantage, Medicaid, CHIP, and in the federal Exchanges must share claims data electronically with patients.
  • The Patient Access API will enable claims and other health information to be shared with patients in a safe, secure, understandable, user-friendly electronic format.
  • The Patient Access API could potentially be used to integrate a health plan’s information to a patient’s electronic health record.
  • A new Condition of Participation (CoP) for all Medicare and Medicaid participating hospitals requires them to send electronic notifications to another healthcare facility or community provider when a patient is admitted, discharged, or transferred.

The new rules from the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) were enacted primarily to further promote interoperability among healthcare providers, insurers, and other stakeholders; prevent information blocking; and enable patient access to electronic health information by smartphone. There are other provisions as well, and exceptions to the rules, of course.

The new rules are known as the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program and the CMS Interoperability and Patient Access rule, respectively. The ONC Rule took effect on June 30, 2020, and the CMS Rule will become effective on January 1, 2021. Timeframes for initial compliance are short.

If you are affected by either rule, but aren’t sure what actions to take, the 24By7Security team can help you better understand, effectively navigate, and successfully implement the required actions. Our analysts and auditors are highly experienced in healthcare regulations and can help you achieve compliance. With the clock already ticking, the time to act is now.

Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
