21st Century Cures Act and EHR–Compliance in 2022

By Aaron Morein

The 21st Century Cures Act, referred to as the Cures Act, includes new guidelines regarding health information exchange. Non-compliance exposes practices to fines of up to $1 million per violation. The law was passed in 2016 and enacted in 2020, and its compliance deadline was extended due to COVID-19.

Let’s take a look at the Cures Act, how it’s relevant to your practice, and how to stay in compliance.

21st Century Cures Act Summary

“The most important bill of the year,” as the Senate health committee chairman referred to it, allocates over $6 billion to health agencies like the NIH, modifies aspects of drug research and development, and makes critical updates to health information policy. At a glance, the Cures Act:

  • Funds initiatives aimed at combating the opioid crisis: increasing access to treatment and overdose reversal drugs, improving prescription drug monitoring, and supporting dependency research.
  • Funds brain disease and cancer research.
  • Facilitates the development and approval process for genetically and variant protein targeted drugs for the treatment of rare diseases.
  • Waives the requirement for researchers to provide human-subjects’ informed consent in clinical testing when the drug or device “poses no more than minimal risk” and “includes appropriate safeguards to protect the rights, safety, and welfare of the human subject.”
  • Expedites the FDA Drug Approval Process. Previously, bringing new pharmaceuticals and devices to market or adding new indications for existing ones required clinical trial data. Companies often bemoan this process. For example, moving from phase I trials to the end of phase III takes around seven years. Costs typically approach $3 billion. Under certain conditions, they may now provide other, less rigorous evidence of safety and efficacy. This includes observational studies, insurance claims data, and even anecdotal data.

Let’s take a look at those provisions relevant to electronic health records (EHR), as well as how to remain in compliance with them.

21st Century Cures Act and EHR

A central focus of the Cures Act was enhancing interoperability, which it defines as:

“health information technology that enables the secure exchange of electronic health information with and…from other health information technology without special effort on the part of the user…[and] allows complete access of all electronically accessible health information for authorized use”.

In order to further ensure interoperability, the act takes special measures to prohibit information blocking, which it defines as:

“a practice by a healthcare provider, health IT developer, health information exchange, or health information network that…is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information”.

Interoperability enhances clinical decision making and reduces duplicate tests, treatments, and medical errors. The Federal Government has focused significant resources to promote the development and adoption of interoperable technology (i.e. EHR) since the turn of the millennium. It is an ongoing process, but it has made significant headway. Information blocking practices diminished the rewards of nation-wide interoperability standards. It is an end-game bug to be dealt with.

Practices found to engage in information blocking can be exposed to fines of up to $1 million per violation.

The text goes on to detail categories of reasonable and necessary activities that do not constitute information blocking. For example, preventing harm to a patient or another person, protecting an individual’s privacy, and protecting the security of EHR are potentially valid reasons to deny a request for access, exchange, or use. The Final Rule outlines a total of eight exceptions.


Zoobook Systems EHR helps practices stay in Compliance

The Office of the National Coordinator for Health Information Technology (ONC) has prioritized interoperability for nearly two decades now. A priority it remains, as new guidelines and updates will continue to roll out. Practices can struggle to keep up, finding the frequent updates to be confusing.

Compounding the problem, some medical and health record systems themselves have a difficult time adapting to new guidelines. For instance, a large proportion of practices use records formats that are designed not for exchange, but to record only what goes on in their office alone. A common example is the electronic medical record (EMR), which details a patient’s history in one practice or with one clinician.

Moreover, server-based and on-premise EHRs require local IT support to adapt to new guidelines at the expense of productivity.

Zoobook Systems designed EHR systems exclusively for mental health and addiction treatment services. It’s equipped for seamless health information exchange that ensures convenience and compliance. It’s cloud-based, too, meaning automatic software updates keep your practice agile to ever-changing regulations.

Cloud-based EHR & Server-based EHR – Differences in 2022

By Aaron Morein

Healthcare providers must decide between two systems for maintaining electronic health records (EHR) and electronic medical records (EMR)–a cloud-based or a server-based system. 

One deciding, and yet often abstruse, factor is security. In recent years, cloud-based EHR has increasingly replaced server-based EHR. By 2017, already two-thirds of health systems and hospitals had adopted cloud-based technology. This industry-wide shift to practice management software has left some wondering how the security of each system compares.

Cloud-based and server-based EHR–what’s the difference?

Cloud-based EHR is accessed through the web and is maintained by a third party known as a software as a service (SaaS) provider. Server-based EHR, also known as on-premise, is stored on a server internal to the practice. Cloud-based EHR is accessible on any device that has a secure connection, whereas server-based EHR is accessible solely from devices connected to the practice’s own server.

Implementing a server-based system requires hardware and software installation and necessitates a local IT department for regular management and upkeep. On the other hand, a cloud-based system requires neither installation nor IT personnel, since it is internet-based, provides live IT support, and automatically updates. Cloud-based systems therefore are less expensive, less time consuming, and require fewer personnel. 

The costs associated with server-based EHR come with two primary advantages: (1) non-reliance on internet connectivity, and (2) more control over infrastructure configurations–i.e. where and how data is stored.

How should internet reliability factor in?

Reliable access to EHR is an essential factor of clinical productivity. So, it makes absolute sense for a practice with highly unstable internet connections to avoid web-based EHR that rely on it. However, while cloud-based EHR cannot be accessed without the internet, it will not experience system crashes the way server-based systems do. There’s also less concern for physical security, like disaster and theft recovery and data backup. Both methods have their own potential for interruptions, so there is some gray area. The most remote practices with little to no internet connection will have to continue using a server-based system for the time being. From there, exactly how unreliable a practice’s internet needs to be to warrant a server-based system depends on factors specific to each practice, like local IT support accessibility and the resources they are willing to invest. For the majority of practices, however, cloud-based systems will provide access to EHR as reliably as, or more reliably than, server-based systems.

How do cloud-based systems keep EHR secure?

The HIPAA Omnibus Rule, enacted in 2013, requires cloud-based vendors that store, receive, maintain, or transmit protected health information from health plans, providers, or healthcare clearinghouses to enter into what’s called a “business associate agreement”. Through this agreement, the vendor becomes contractually liable for this data’s security. Since this update, cloud-based vendors have ramped up sophisticated security controls operated by experts. Let’s take a look at what they offer:

  • Physical security at cloud-service provider plants.
  • Firewalls that establish a barrier between internal and trusted networks and untrusted networks by monitoring incoming and outgoing traffic and filtering traffic based on a set of security rules. 
  • Intrusion detection systems that monitor activity within the network and analyze it for signs of violations of or threats to the security policy. Intrusion prevention systems use this information to preemptively block malicious remote file inclusions, block the offending IP address, and alert security personnel to the threat.   
  • Anti-virus software that prevents, scans, detects, and deletes viruses from the system.
  • Identity and access management that verifies that the right users have appropriate access to data.
  • Automatic updates that ensure security by continuously staying ahead of potential vulnerabilities through patch maintenance. This feature also makes complying with changing regulations easy.
  • Data encryption that ensures that, if a data breach were to occur, the data is indecipherable.

The same protective measures are in place regardless of the device one uses. For this reason, cloud-based systems are the only viable way to access EHR remotely without compromising security. This is in contrast to the server-based system, which is only securely accessible within the server–i.e., the practice itself. This affords practices with cloud-based systems the flexibility to accommodate remote and virtual healthcare, while maintaining HIPAA-compliance. Post-pandemic, this is a highly advantageous security feature.

Still, it is understandable why one may be reluctant to let a third-party determine where and how EHR are stored. Patients trust their healthcare providers to protect their personal information, and providers want to honor that trust. People have a tendency to assess risks to be lower if they are under their control. We know that this cannot be true, because it would be impossible for everyone to handle everything better than everyone else. Still, we are guided by this fallacy.

Hypothetically, a practice with a server-based system, absent budgetary concerns and hellbent on replicating the same degree of impenetrability, could implement and maintain most of these security measures to a similar degree. In reality, it is highly impractical and unlikely.

The Bottom Line

The bottom line is that a cloud-based system is the most secure method for maintaining EHR while also being cheaper and technologically easier. A server-based system could not be expected to reproduce the same level of security, given the prohibitive amount of resources it would require. Practices based in remote areas with highly unreliable internet may need to opt for a server-based EHR for the time being. Considering advantages in cost, time, and security, cloud-based EHR is the best choice for most practices.


Telehealth Consulting

Data-driven Insights into the Impact of Telehealth During the COVID-19 Pandemic

Since its emergence, COVID-19 has triggered a series of ongoing challenges for the healthcare system across the United States, exposing a number of core deficiencies. While the COVID-19 impact is undeniably devastating, times of crisis can also be opportunities to highlight existing problems and unlock innovation. Mandatory social distancing, rising demand for care, and increased cases and hospitalizations have all contributed to pushing telehealth into the limelight as the safest, most convenient and interactive system between patients and clinicians in today’s novel complex setting.


Telehealth & Telemedicine: Technology Meets Healthcare


To begin with, it’s important that we define what telehealth and telemedicine mean in the context of this article.

While telehealth can simply refer to the remote provision of clinical care, it is also a broad term that encompasses all components of remote healthcare services. Telemedicine, a subset of telehealth, is defined as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration” according to the Office of the National Coordinator for Health Information Technology. Types of telemedicine services include video conferencing, mobile apps, remote patient monitoring devices, and electronic health information exchanges between a patient and a provider via email or instant messaging.

What Are the Implications of Telehealth Adoption and Use for Health Systems and Independent Practices?


As part of the efforts to continue mitigating the risk of spreading COVID-19, save on the use of personal protective equipment (PPE), and care for patients in a safe and effective way, came the urgent need to encourage both patients and providers to utilize telehealth services. Below is a list of the most significant temporary regulatory changes and new reimbursement models associated with telehealth use during COVID-19.

Regulatory Changes for More Flexibility


The Centers for Medicare and Medicaid Services (CMS) and the federal government have modified many regulations on the use of telehealth. In this context, the CARES Act comes with a set of loosened restrictions to expand the use of telehealth. These include:

  • The availability of telemedicine is no longer restricted to patients residing in remote areas. Patients across the country can receive home telehealth services in any setting.
  • Previously, providers were required to be licensed in the state where their patient is located. This requirement is now temporarily waived, meaning that as long as a provider is licensed in their home state, they can provide telehealth services from home across state lines. State restrictions may apply.
  • Clinicians can provide remote patient monitoring (RPM) services to both new and established patients.
  • CMS has temporarily expanded the list of services allowed during the pandemic while also making the delivery of some services via audio-only an option. A full list of allowed telehealth and audio-only services is available on the CMS website.
  • The CMS emergency regulatory waivers have taken a non-enforcement position in temporarily loosening HIPAA privacy standards, which opens up the opportunity for a variety of non-telemedicine apps and technologies that support real-time audio-visual features. The Office for Civil Rights (OCR) in particular has stated that there will be no consequent enforcement action against providers opting for the use of apps such as Zoom, Skype, or FaceTime, which previously did not comply with HIPAA regulations and security rules. This excludes any public-facing communication services such as Facebook Live, TikTok, Twitch, etc.
  • The Drug Enforcement Administration (DEA) is now permitting clinicians to prescribe controlled substances based on telehealth visits during the pandemic. The Substance Abuse and Mental Health Services Administration similarly issued a set of guidelines around the provision of methadone and buprenorphine for the treatment of Opioid Use Disorder during the COVID-19 emergency.

Improved Reimbursements

Prior to COVID-19, reimbursement for telehealth and e-health services was only made available to patients in remote areas or in a limited set of circumstances, and even then, the compensation rate was nowhere near that of in-person visits. Following the national public health emergency, CMS has issued a waiver to temporarily expand coverage and reimbursement for telehealth services on a fee-for-service basis, meaning that providers will be reimbursed for both virtual and in-office visits at the same rates. Additionally, CMS has also announced increased payment rates for telephone visits, from $14–41 to $46–110 per visit, to match payment for office visits.

Is Telehealth Just a Pandemic Stopgap then?


Pre-pandemic, telehealth was primarily used to reach and provide care to patients in remote areas and rural regions to facilitate access to healthcare. The recent surge in telehealth, driven by the immediate need to avoid exposure to COVID-19, has expanded telehealth use throughout the U.S. While this may point to the idea that telehealth might just be a pandemic fad, statistics suggest otherwise. Telehealth is here to stay!

Mapping the trajectory of Telehealth since COVID-19:


The last week of March 2020 witnessed a significant increase in the number of telehealth visits compared to the same period in 2019. Since then, telehealth has been rapidly gaining popularity and acceptance from patients and practitioners alike.

Recent data shows that 57% of providers now view telemedicine more positively, and 64% revealed that they are more comfortable using telemedicine compared to pre-pandemic. These favorable attitudes have led a significant number of healthcare providers of different sizes to upscale their telehealth offerings or add new remote technologies to their services list to meet patient needs.

On their part, patients have similarly expressed high levels of satisfaction with telehealth services across a wide range of health care needs. A survey on patient perspective on virtual care revealed that 77% of patients surveyed were completely satisfied with the service they received through telemedicine and e-health services. In the same survey, 75% of respondents said that they expect telehealth as an option moving forward. Interestingly enough, 35% of patients would consider switching to a different provider for telehealth visits, according to The Harris Poll.

These numbers strongly suggest a growing patient demand for use of telehealth, underscoring the need for healthcare institutions and practices to upscale their telehealth offerings to meet patients’ needs and expectations.

Will the Telehealth Momentum Keep Going Beyond the COVID-19 Crisis?


Driven by growing demand for easy-to-access and round-the-clock services, the vision of healthcare in a post-COVID world is already beginning to take shape. The increased adoption of telehealth services during the pandemic has given patients and providers a peek into the horizon of possibilities that technology can offer them. More than ever, patients now recognize the role of telehealth in improving and managing their personal health, and it has now become an expectation that healthcare practices need to live up to. Given the favorable attitudes of both patients and providers, it is anticipated that telehealth will continue to be an instrumental component of healthcare. The next years will see hybrid models of care where telehealth works to complement in-person care, depending on growth in funding, adoption, policymaking, and payment regulations.


As an EHR systems provider, Zoobook Systems comes with a telehealth app to help medical practitioners meet their patients from the comfort of their homes.