21st Century Cures Act and HIPAA: What’s the Difference and How to Stay Compliant



Kevin Henry

HIPAA

April 05, 2026


Overview of the 21st Century Cures Act

Purpose and scope

The 21st Century Cures Act accelerates medical innovation and modernizes digital health by eliminating unnecessary barriers to data sharing. A central feature is the Information Blocking Rule, which prohibits practices likely to interfere with access, exchange, or use of Electronic Health Information (EHI).

Who must comply

The law applies to “actors”: healthcare providers, health IT developers of certified health IT, and health information networks/exchanges. Unlike HIPAA’s focus on Covered Entities and their Business Associates, the Cures Act targets behaviors that impede interoperability across the health data ecosystem.

What counts as EHI

Electronic Health Information broadly aligns with electronic protected health information that resides in a designated record set. Think clinical notes, lab results, imaging reports, and administrative data needed to make care or payment decisions—information patients expect to access electronically.

Key Provisions of HIPAA

Who HIPAA covers

HIPAA applies to Covered Entities—health plans, healthcare clearinghouses, and most providers—and to their Business Associates that handle protected health information on their behalf. Its core aim is Patient Data Privacy and security, alongside Health Information Portability.

The core HIPAA rules

  • Privacy Rule: Governs permissible uses and disclosures of PHI, establishes individual rights (access, amendments, accounting), and the minimum necessary standard.
  • Security Rule: Requires administrative, physical, and technical safeguards to protect electronic PHI, including risk analysis, access controls, and audit logging.
  • Breach Notification Rule: Mandates timely notification to individuals, HHS, and sometimes media after unauthorized disclosures of unsecured PHI.
  • Enforcement: Outlines investigations, civil monetary penalties, and corrective action plans for noncompliance.

How HIPAA intersects with portability

While HIPAA’s “portability” originally referred to helping individuals maintain insurance coverage, you also advance health information portability by enabling secure, standards-based exchange of PHI between systems, plans, and apps, without compromising privacy or security.

Information Blocking and Patient Access

From “may share” to “should not block”

HIPAA primarily tells you when you may share PHI. The Cures Act adds a complementary obligation: do not interfere with lawful access, exchange, or use of EHI. Policies or fees that create friction, or technologies that throttle exchange, can be treated as information blocking.

Examples of blocking vs. good practice

  • Potential blocking: unnecessary delays in releasing test results; requiring patients to pick up records in person; refusing to enable API access for a patient-selected app; charging unreasonable fees.
  • Good practice: releasing results promptly with clear notifications; honoring app-mediated requests; publishing transparent turnaround times and fee schedules; documenting any applicable exception.

Patient access in the API era

The Information Blocking Rule expects you to support timely, electronic access through portals and standardized APIs, empowering patients to use their chosen tools. Coordinate HIPAA identity verification and authorization with efficient, well-documented request workflows.


Interoperability Requirements

Standards and certification

Interoperability Standards—such as HL7 FHIR-based APIs, vocabularies, and data classes—are the backbone of compliant exchange. Certified health IT must expose standardized endpoints so patients, providers, and authorized apps can retrieve and use data consistently.

Data scope and exchange modalities

Start with widely adopted data sets (for example, core clinical demographics, problems, medications, allergies, labs, vitals, and clinical notes) and expand toward the full scope of EHI in the designated record set. Support both point-to-point exchange and network-mediated sharing where appropriate.

Security and trust

Strong authentication, OAuth 2.0 authorization, and granular scopes protect access while avoiding undue burden. Maintain auditable logs of disclosures and API calls to demonstrate that privacy and security controls do not become de facto barriers to exchange.
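As an added illustration (example code written for this article, not code from the article itself or from Accountable), the following Python module shows how granular OAuth 2.0 scopes and audit logging fit together in a FHIR-style API: every call is checked against the token’s scopes, patient-context tokens are confined to their own patient compartment, malformed scopes cause a fail-closed denial, and every decision, granted or denied, is written to an audit log with a timestamp and rationale. It assumes scopes follow the SMART App Launch v1 convention “context/Resource.access” (for example “patient/Observation.read”), that the token has already been validated upstream (signature, expiry, audience), and that patient-context tokens carry a “patient” claim; those assumptions are not stated in the article.

```python
"""Scope-based authorization with an audit trail for a FHIR-style API.

Added example, not code from the article. Assumptions (not from the page):
  * Scopes use the SMART App Launch v1 form "<context>/<Resource>.<access>",
    where context is "patient", "user" or "system" and access is "read",
    "write" or "*".  SMART v2 scopes such as ".rs" are not handled here.
  * The access token was validated upstream; this code only reads its claims.
  * Patient-context tokens carry a "patient" claim naming their compartment.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List
import json


@dataclass(frozen=True)
class Scope:
    context: str   # "patient", "user" or "system"
    resource: str  # FHIR resource type, or "*" for any type
    access: str    # "read", "write" or "*"


def parse_scope(text: str) -> Scope:
    """Parse one scope string such as "patient/Observation.read"."""
    context, slash, rest = text.partition("/")
    resource, dot, access = rest.partition(".")
    if not slash or not dot or not resource:
        raise ValueError(f"malformed scope: {text!r}")
    if context not in ("patient", "user", "system"):
        raise ValueError(f"unknown scope context: {text!r}")
    if access not in ("read", "write", "*"):
        raise ValueError(f"unknown access level: {text!r}")
    return Scope(context, resource, access)


def scope_permits(scope: Scope, resource_type: str, action: str) -> bool:
    """True when the scope covers this resource type and action (wildcards allowed)."""
    return scope.resource in ("*", resource_type) and scope.access in ("*", action)


@dataclass
class Decision:
    allowed: bool
    reason: str  # kept as the documented rationale for the audit record


class AuditLog:
    """Append-only record of every API call and the rationale for its outcome."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, claims: dict, resource_type: str, patient_id: str,
               action: str, decision: Decision) -> None:
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "client_id": claims.get("client_id", "unknown"),
            "subject": claims.get("sub", "unknown"),
            "resource_type": resource_type,
            "patient_id": patient_id,
            "action": action,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to a SIEM."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def _decide(claims: dict, resource_type: str, patient_id: str, action: str) -> Decision:
    try:
        scopes = [parse_scope(s) for s in claims.get("scope", "").split()]
    except ValueError as exc:
        return Decision(False, f"rejected token: {exc}")  # fail closed on bad scopes
    matching = [s for s in scopes if scope_permits(s, resource_type, action)]
    if not matching:
        return Decision(False, f"no scope grants {action} on {resource_type}")
    for scope in matching:
        if scope.context in ("user", "system"):
            return Decision(True, f"granted by {scope.context} scope")
        # patient-context scopes only reach the token holder's own compartment
        if claims.get("patient") == patient_id:
            return Decision(True, "granted by patient scope for own compartment")
    return Decision(False, "patient compartment mismatch")


def authorize(claims: dict, resource_type: str, patient_id: str,
              action: str, log: AuditLog) -> Decision:
    """Check the call against the token's scopes and audit the outcome either way."""
    decision = _decide(claims, resource_type, patient_id, action)
    log.record(claims, resource_type, patient_id, action, decision)
    return decision


if __name__ == "__main__":
    # Constructed sample token claims for a patient-selected app (hypothetical values).
    claims = {"sub": "patient-app", "client_id": "app-123", "patient": "p-1",
              "scope": "patient/Observation.read patient/Patient.read"}
    log = AuditLog()
    authorize(claims, "Observation", "p-1", "read", log)   # allowed
    authorize(claims, "Observation", "p-2", "read", log)   # denied: other patient
    authorize(claims, "Observation", "p-1", "write", log)  # denied: read-only scope
    print(log.to_jsonl())
```

The denial reasons are deliberately specific so the audit entries double as the request logs, timestamps, and decision rationales a compliance team later needs to show that security controls were applied consistently rather than used as a blanket barrier to exchange.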

Compliance Strategies for Healthcare Organizations

Build a unified governance model

  • Designate a cross-functional lead (privacy, security, IT, compliance, clinical operations) to harmonize HIPAA and Cures Act obligations.
  • Adopt policies that explicitly address the Information Blocking Rule, EHI scope, turnaround targets, and escalation pathways.

Inventory data and map the designated record set

  • Create a system-level catalog of where EHI lives (EHR, portals, imaging, labs, revenue cycle, research repositories).
  • Document which elements are available via APIs, which require alternative “content and manner,” and any constraints.

Operationalize patient access

  • Publish clear instructions for patients and third-party apps, including identity verification, request channels, and expected timelines.
  • Automate fulfillment where possible; measure and report cycle times and denial reasons to leadership.

Align vendors and contracts

  • Incorporate information blocking obligations into BAAs and vendor agreements; require conformance to Interoperability Standards.
  • Evaluate license terms, APIs, and export capabilities for compliance with “fees” and “licensing” exceptions.

Train, monitor, and document

  • Train staff on HIPAA basics, EHI definitions, and when exceptions apply.
  • Maintain evidence: request logs, timestamps, decision rationales, and risk assessments to show consistent, non-discriminatory practices.

Exceptions to Information Blocking

Exceptions recognize that privacy, safety, and feasibility matter. Use them only when criteria are met, apply them consistently, and document your rationale.

  • Preventing harm: You may restrict access to reduce a reasonable risk of substantial harm to a patient or another person.
  • Privacy: You may decline to share when doing so would violate patient privacy preferences or applicable law (for example, missing authorization).
  • Security: You may implement and enforce security measures that are tailored, non-discriminatory, and necessary to protect EHI.
  • Infeasibility: You may deny a request if it is impossible or impractical to fulfill despite reasonable efforts (for example, system downtime or uncontrollable events).
  • Health IT performance: You may take reasonable, temporary steps to maintain or improve the performance of health IT (for example, during maintenance windows).
  • Content and manner: If you cannot provide the exact content or manner requested, you must offer an acceptable alternative without undue delay.
  • Fees: You may charge reasonable, cost-based fees that are not anti-competitive or exclusionary.
  • Licensing: You may license interoperability elements on reasonable and non-discriminatory terms.

Certificates of Confidentiality in Research

What they are and why they matter

Certificates of Confidentiality protect the privacy of research participants by limiting compelled disclosure of identifiable, sensitive information. Under the Cures Act, many federally funded studies automatically receive Certificates of Confidentiality.

How Certificates of Confidentiality work

  • They prohibit disclosure of identifiable, sensitive data in legal or administrative proceedings, with narrow exceptions.
  • Permissible disclosures typically include participant consent, necessary medical treatment, compliance with federal research requirements, and certain public health reporting.
  • They complement HIPAA by adding protections against compelled disclosure that go beyond routine privacy safeguards.

Operational tips for research teams

  • Inform participants in consent forms about protections and limits under Certificates of Confidentiality.
  • Segment and label research data sets; restrict access to only those with a need to know.
  • Establish a subpoena response playbook and involve legal counsel promptly.
  • Align data sharing plans with HIPAA, IRB requirements, and the Information Blocking Rule when EHI intersects with research records.

Conclusion

HIPAA safeguards Patient Data Privacy, while the Cures Act compels interoperability and discourages blocking. By mapping EHI, adopting standards-based APIs, using exceptions judiciously, and strengthening research protections, you can meet both regimes and deliver better, more connected care.

FAQs

What is the main difference between the 21st Century Cures Act and HIPAA?

HIPAA defines how Covered Entities and Business Associates must protect and use PHI, emphasizing privacy and security. The Cures Act focuses on eliminating practices that hinder access, exchange, or use of EHI, pushing the ecosystem toward open, standards-based interoperability.

How does the Cures Act address patient access to health records?

It requires that patients receive timely, electronic access to their EHI, including through standardized APIs that support patient-selected apps. Organizations must avoid unreasonable delays, restrictive policies, or unnecessary fees that would impede access.

What are the penalties for information blocking?

Health IT developers of certified health IT and health information networks/exchanges may face substantial civil monetary penalties—up to $1,000,000 per violation. Healthcare providers face federal disincentives and corrective actions, such as impacts within Medicare incentive programs, along with potential investigations and public reporting.

How do Certificates of Confidentiality enhance data protection under the Cures Act?

They shield identifiable, sensitive research data from compelled disclosure in legal or administrative proceedings, with limited exceptions. This added layer of protection complements HIPAA and encourages participant trust while enabling ethically responsible research and data sharing.
