hipaa-interoperability
HIPAA Interoperability — Cures Act, ONC, and CMS Requirements
Overview
The 21st Century Cures Act (Public Law 114-255, 2016) fundamentally changed the interoperability landscape by prohibiting information blocking and mandating standardized API-based patient access. The ONC Health IT Certification Program (45 CFR Part 170) and the CMS Interoperability and Patient Access Final Rule (CMS-9115-F, 85 FR 25510, May 1, 2020) together require health IT developers, healthcare providers, health information exchanges (HIEs), and health information networks (HINs) to support seamless data exchange while maintaining HIPAA privacy and security protections. The Trusted Exchange Framework and Common Agreement (TEFCA), launched operationally in December 2023, establishes a nationwide framework for health information exchange with defined exchange purposes and privacy requirements.
Regulatory Framework
21st Century Cures Act — Information Blocking
- Section 4004: Defines information blocking as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI)
- Actors covered: Health IT developers of certified health IT, HIEs, HINs, and healthcare providers
- EHI definition: As of October 6, 2022, EHI is the electronic protected health information (ePHI) in a designated record set as defined under HIPAA (45 CFR §171.102), plus any other electronic health information identified by the Secretary