Skip to main content
Kareo and PatientPop are now Tebra. Becoming Tebra will take time and we appreciate your patience as we transition to the new brand experience.Learn More
Tebra Help Center

21st Century Cures Act FAQs

Updated: 08/10/2023|Views: 2093

Answers to the most common 21st Century Cures Act questions.

Question Answer
What is the 21st Century Cures Act and what does it require? The 21st Century Cures Act (Cures Act) was enacted for a variety of reasons across the care continuum. The Cures Act fosters innovation in health care technology to deliver better information while promoting visibility into the services, quality, and costs of health care.

The two rules that are important to Tebra’s customers are (1) Implementing Interoperability and (2) Information Blocking. The specific provisions include:
  • Prohibit health IT developers from participating in any action that constitutes information blocking;
  • Bar health IT developers from prohibiting or restricting communications about EHI related to certain subjects; and
  • Require API developers and their technology to promote an open and competitive marketplace.
Where can I find more information about compliance with the Cures Act? Many physician associations (e.g., AMA and MGMA) publicly provide additional information on compliance with the Cures Act.
What is information blocking? Information blocking is defined as:

A practice by a healthcare provider, health IT developer of certified health information technology, or health information network (HIN)/health information exchange (HIE) that is likely to interfere with access, exchange, or use of electronic health information (EHI), except as required by law or specified by the Secretary of Health and Human Services (HHA) as a reasonable and necessary activity.

The rule should have been named “Information Sharing” because the goal is for patients to have access to their information. For exclusions to sharing, review the exception FAQ.
What information constitutes electronic health information (EHI)? The Cures Act requires EHI to be shared electronically with patients. The definition of EHI comes from, but is slightly broader than, the HIPAA concept of a “designated record set,” which includes all medical and billing records about a patient. However, initially, the information blocking requirements of the Cures Act only related to EHI as defined by the United States Core Data for Interoperability (USCDI). Currently, the USCDI definition of EHI includes only specific medical information, not billing records. In addition to the elements in the current Common Clinical Data Set (CCDS) which serves as the foundation of the Summary of Care and Referrals used by physicians to transmit patient data, USCDI has recently announced that EHI also includes the following clinical note categories: (1) history and physicals, (2) progress notes, (3) procedure notes, (4) consult notes, (5) imaging reports, (6) laboratory reports, (7) pathology reports, and (8) discharge summaries (typically found in hospital settings).

Tebra has updated its application to capture all the data elements required by USCDI v1 and certified to the 2015 Cures Update in December 2022.



USCDI v2 and USCDI v3 have been finalized and Tebra will be required to implement these updates, and certify, in 2025.

USCDI v2 adds three data classes and 22 data elements in support of advancing health equity.


USCDI v3 adds two additional data classes and 20 data elements. 


As a provider, do I have to make all EHI available to my patients? While there is no requirement for providers to make EHI available to patients who have not requested it, a delay in the release or availability of EHI in response to a request for legally permissible access to or exchange or use of EHI may be considered an interference. In addition, providers need to be aware of the HIPAA obligations to provide patients with access to their records.
Is Tebra software complaint with the requirements of the Cures Act? As part of our 2015 ONC certification, Tebra allows the sharing of health information through our patient portal. If a patient has access to Tebra’s patient portal, he or she has access to the EHI defined by the USCDI, with the exception of the USCDI clinical note category. For other categories of EHI, Tebra can provide access through other means. Tebra  utilizes other technologies to provide patient access to EHI, including a secure ShareFile service through which exports of EHI may be shared.

As requirements under the Cures Act continue to evolve, Tebra will develop additional processes to facilitate EHI access, exchange, and use.
Where can I submit a request for EHI? Please submit a request for EHI using the Cures Act Request Form.
Can third parties request access to patients’ EHI? The Cures Act will allow third parties, such as technology vendors or payers seeking patient information, to request EHI on behalf of patients. Future access for such parties will likely occur through an electronic interface. However, providers must still meet the requirements of state laws regarding access to medical records and HIPAA’s patient right of access obligations.
Are there any exceptions to providing a patient or their representative access to EHI? Yes, the Information Blocking Regulations provide for eight (8) exceptions when a physician would not have to provide access to EHI. Those exceptions are:
  • Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
  • Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
  • Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
  • Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
  • Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
  • Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
  • Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
  • Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
How do I know if an exception applies? Physicians may want to have written policies that help them know how to appropriately respond to requests for EHI. To the extent the physician is relying on the EHR to implement the access requests, the physician should work with Tebra to set up electronic rules that can be followed. For example, flagging/indicating which type of EHI should not be shared with patients (e.g., psychotherapy notes).
What happens if I don’t comply with the Information Blocking Regulations? The Cures Act provides for significant penalties for healthcare providers, vendors and HIE/HIN parties that fail to comply with the prohibition on information blocking. The OIG has the authority to enforce these regulations, however, the OIG’s enforcement regulations are not yet final.
Do I have to verify my compliance with the Information Blocking Regulations? Maybe. If you are participating in the Merit-based Incentive Payment System, you will be required to attest that you:
  • Did not knowingly or willfully limit or restrict the compatibility or interoperability of certified EHR technology;
  • Implemented technologies, standards, and policies reasonably calculated to ensure that the EHR technology conforms with applicable health IT requirements and specifications; and
  • Responded in good faith to requests for EHI.
  • Was this article helpful?