Patient Education and the 21st Century Cures Act

by Kelly McLendon, RHIA, CHPS
Managing Director, CompliancePro Solutions, LLC

The 21st Century Cures Act ONC Information Blocking rule and the CMS Interoperability and Patient Access rule are very complex to understand with regard to patient education about mobile health apps: the apps that request electronic health information (EHI) through APIs (Application Programming Interfaces) connecting to certified or non-certified EHR (Electronic Health Record) systems, or to other ancillary systems that contain patient records.

There is an obligation for providers of care, payers and other covered entities to provide some type of information about the mobile health apps their patients may wish to use, and this education must be consistent, focused on privacy and security, accurate, unbiased, objective and non-discriminatory. Past those guideposts, how much education to provide and exactly what to say or not say is complex and difficult to parse out of the rules. It may be that mobile health apps that are HIPAA compliant can be vetted more diligently, whereas non-HIPAA apps may only allow a simpler verification of their privacy and security capabilities against their published privacy policy or notice.

Payers under the CMS Interoperability and Patient Access rule are allowed to ask the mobile health app developer or company for an attestation about their privacy and security. If the company or the patient does not respond to the request for attestation, this can only be grounds for inclusion in the information provided to the patient, perhaps as a general recommendation not to use apps that have not completed an attestation; ultimately it is the patient’s choice whether to use any app to request and manage their EHI.

The only way a payer can refuse to provide the information is through the use of an information blocking exception, perhaps the privacy or the security exception, but there are conditions that must be met in order to invoke the exceptions, and they should be used with care. Whether the CMS rules also could or should apply to providers of care and other HIPAA covered entities is a question for legal counsel to weigh in on.

Covered entities should implement and continually prepare for the 21st Century Cures Act and the use of mobile health apps by their patients. Start by building the presentations to be delivered to patients as well as to your workforce, then begin to post educational material on your website and train your employees on how to address the topic.

The 21st Century Cures Act rules do have certain requirements, such as posting links to regulators and basically informing patients of their rights under the law. Covered entities must also decide when and how to evaluate mobile health apps for their patients. Do they verify, vet and/or ask for attestations?

All of these questions will take time to answer, so now is the time to begin work on these materials. It is of note that the API requirements take effect on May 1, 2022, and although there is a need for patient education prior to this date, once APIs begin to be used it is projected that patient questions and internet activity will increase substantially.

About the Author

Kelly McLendon, RHIA, CHPS
Kelly McLendon is a Managing Director of CompliancePro Solutions and a well-known consultant and industry expert in patient privacy and security, with specific subject matter expertise in the areas of privacy incident detection and automation. He is also an industry expert in legal health records, HIM operations, electronic document management and EHR project planning. Kelly is the author of Libman Education’s HIPAA Privacy & Security courses for Business Associates and for Providers of Health Services.

One thought on “Patient Education and the 21st Century Cures Act”

1. Debi Primeau - October 15, 2021 at 4:45 pm

Great article, Kelly. Preparing now to help our patients understand how apps’ privacy and security practices can impact them is so important.
