Attorney Articles | The 21st Century Cures Act Final Rules

Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

The 21st Century Cures Act Final Rules

In this article Ann Tran-Lien, JD., provides a general overview of the two Final Rules issued by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) as the next phase of the 21st Century Cares Act.

Ann Tran-Lien, JD
Managing Director Legal Affairs
The Therapist
January/February 2021

You may have heard rumblings of a federal law that calls for greater access to clinical records. There has also been buzz over a federal law that pertains to electronic health records (EHR). In May 2020, two new federal rules were released, but they do not require LMFTs to automatically make all of their clinical notes “open” to their patients, and they do not require all LMFTs to keep EHR. In fact, the rules will not affect most LMFTs, and they won’t change much about how most LMFTs keep records or respond to patients’ requests for records.

What Are the Rules?
In May 2020, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) issued separate but related Final Rules as the next phase of the 21st Century Cures Act. The Final Rules are intended to improve electronic health information (EHI) interoperability1 and make it easier for patients to access their health records.

Keep in mind that patients already have the right to access, exchange, and release their treatment records, whether in electronic or paper form, under both HIPAA2 and California law.3 For further reading on a patient’s right to access/release treatment records, see the articles “A Patient’s Right to Access Mental Health Records Under HIPAA” and “Patient Records Under California Law: The Basics,” both available on the CAMFT website. The Final Rules are intended to enhance patients’ rights of access by promoting innovation in the healthcare technology industry so that information is delivered more conveniently to both patients and healthcare providers. This article will provide a general overview of both Rules as they relate to healthcare providers.

The ONC Final Rule
Basically, the ONC Final Rule updates certification requirements for health information technology (health IT) developers and provides new guidelines to ensure that healthcare organizations and providers using certified health IT4 can communicate effectively and seamlessly (most LMFTs do not use certified health IT in their practice). The Rule also finalizes new standards to prevent “information blocking” practices (discussed below). This is the part of the Rule that affects most healthcare providers (LMFTs are not specifically included but may work for healthcare organizations that are affected). It is important to note that the Rule, including the information-blocking provisions, only applies to electronic health records/information. The next step of changes to be implemented are for applicable healthcare organizations to share clinical data through application programming interfaces (APIs), which are software intermediaries that allow two applications to talk to each other (e.g., a provider’s EHR communicating/coordinating with a third-party smartphone app).

Who Must Comply With the ONC Final Rule?
The Rule applies to three different categories of “actors”:

  1. Healthcare providers who maintain HER specifically mentioned in the Rule
  2. Health information networks or health information exchanges
  3. Health IT developers of certified health information technology

This article will focus on the part of the Final Rule most relevant to healthcare providers: the information-blocking provisions.

As broadly defined in the Rule, “healthcare providers” includes a long list of provider types and healthcare organizations. If the healthcare provider meets the definition, they would have to comply with the information blocking provisions regardless of whether any of the health IT or EHR vendors they use are certified under the ONC Health IT Certification Program.5

For detailed information on actors, visit sites/default/files/cures/2020-03/InformationBlockingActors.pdf.

Are LMFTs “Actors” Under the Rule?
The list of healthcare providers defined in the Rule as actors does not specifically include licensed marriage and family therapists.6 However, LMFTs working in certain healthcare settings that maintain EHR will most likely be impacted by the Rule’s information-blocking provisions. Some examples:

  • Private practices owned by a licensed psychologist or licensed clinical social worker, or psychologist/clinical social worker corporations that maintain EHR (licensed psychologists and LCSWs are among the groups of practitioners included in the Rule)
  • Community mental health centers7
  • Hospitals, including psychiatric and rehabilitative hospitalsF
  • Federally qualified health centers (FQHCs)

To see if your organization meets the definition of healthcare provider, review the ONC Fact Sheet: cures/sites/default/files/cures/2020-08/Health_ Care_Provider_Definitions_v3.pdf.

What Does This Mean for Healthcare Providers Who Are Actors Under the Rule?
Healthcare providers/organizations that are actors must refrain from engaging in “information blocking” and share patient EHI with third-party payers, other healthcare providers, and smartphone apps (when implemented) as permitted by the patient or by law.8 Unless an exception applies (see below), EHI must be made available to the patient “without delay.”9

What Is “Information Blocking”?
For healthcare providers, information blocking is a practice that is likely to interfere with the accessibility, exchange, or use of EHI. “Interfere with” means to prevent, materially discourage, or otherwise inhibit.10 Some examples of information blocking:

  • A healthcare provider unnecessarily slows or delays a patient’s or other healthcare provider’s access to or exchange of EHI. No exception can be shown.
  • A healthcare provider refuses to release EHI to another treatment provider for the purpose of treatment or diagnosis because the patient has not provided written authorization. No exception can be shown. (An important note: per HIPAA and California laws, where the law permits disclosure/release of EHI, the ONC Rule requires the disclosure/ release. In this example, healthcare providers are permitted to share treatment information with each other for the purpose of diagnosis or treatment of the patient without a written authorization from the patient. While HIPAA would have allowed the provider to make the decision as to whether to disclose, the ONC now requires the provider to release the information to the other provider upon request, unless one of the exceptions discussed below applies.)

Although the Final Rule does not apply directly to LMFT practices, there are LMFTs who work in settings that may fall under the definition of actors. CAMFT recommends that LMFTs working in applicable organizations/ practices that keep EHR discuss with their employers whether/how the Rule affects their clinical records, recordkeeping obligations, and privacy practices.

What Is Considered “Electronic Health Information”?
The ONC finalized the definition of EHI to align it with the definition of “electronic protected health information” in a designated record set as defined per HIPAA, regardless of whether the records are used or maintained by a HIPAA-covered entity. If an actor does not maintain EHI, the Rule does not apply. From April 5, 2021, to October 6, 2022, the types of clinical information that are subject to the information-blocking provisions in the Rule are limited to the EHI identified in the U.S. Core Data for Interoperability (USCDI).  They include the following:11

  • Consultation notes  
  • Discharge summary notes
  • History and physical notes
  • Imaging narrative
  • Laboratory report narrative
  • Pathology report narrative
  • Procedure notes
  • Progress notes

For therapists who work for actors this means:

  • Counseling session start and stop times
  • Modalities and frequencies of treatment furnished
  • Results of any clinical/psychological tests
  • Any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date The following are not included as EHI: 
  • Psychotherapy notes as defined by HIPAA, meaning process notes documented by a mental health professional. 
  • This includes process notes where a therapist is analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and where they are separated from the rest of the individual’s medical record. 
  • Information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding. 

What Are the Exceptions?
The U.S. Department of Health and Human Services (HHS) created eight (8) exceptions for when actors can refuse to allow access to a patient’s EHI or the exchange or use of it.

Each exception has specific conditions the actors must satisfy to avoid triggering information-blocking concerns. If the actor can show that they satisfied at least one exception, then their refusal to offer access to a patient’s EHI, or the exchange or use of it, would not be treated as information blocking.

The main points of each exception are highlighted below. For a detailed list of the exceptions and conditions, visit InformationBlockingExceptions.pdf.

1) Preventing Harm Exception: An actor is allowed to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. A key condition is that the actor must hold a reasonable belief that the practice will substantially reduce a risk of harm. The harm must be reasonably likely to endanger the life or the physical safety of the patient or another person (consistent with HIPAA).

For example: A provider denies the patient’s personal representative access to the patient’s EHI based on the provider’s determination in the exercise of professional judgment that granting that access poses a risk of substantial harm to the patient.

2) Privacy Exception: It is not information blocking when an actor denies a request to access, exchange, or use EHI in order to protect an individual’s privacy as required by state or federal law, provided certain conditions are met. A key condition is that the actor is required by law to fulfill a precondition, such as a patient’s authorization. For example: A provider does not disclose the patient’s EHI because they have not obtained patient authorization. It is important to note that under the ONC Final Rule, if the law permits disclosure a provider who refuses to disclose EHI may be engaged in information blocking.

3) Security Exception: An actor may safeguard and protect the confidentiality and security of EHI provided certain conditions are met. A key condition is that the practice is implemented in a consistent and nondiscriminatory manner.

For example: A provider requires verification of a person’s identity before granting access to EHI.

4) Infeasibility Exception: An actor does not fulfill a request for EHI because of its infeasibility, provided certain conditions are met. There may be practical challenges that limit a provider’s ability to comply with the request. It may be that they do not have or are unable to obtain the technological capabilities or legal rights necessary to enable access to or the exchange of EHI.

Examples: A provider is using an EHR vendor that has not yet provided instant-access technological capability for patients—most EHR vendors that psychologists and LCSWs in private practice use are not certified with ONC and therefore may not have this capability. A provider cannot provide access to EHI because of a public health emergency or an Internet service interruption. A provider is unable to separate the requested EHI from EHI that cannot be made available because of the preventing-harm exception.

5) Health IT Performance Exception: An actor can take reasonable and necessary measures to make health IT temporarily unavailable for the benefit of the overall performance of the health IT, provided certain conditions are met. (This is more relevant to health IT developers.)

6) Content and Manner Exception: An actor can limit the content of its response to a request to access, exchange, or use EHI, or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met. For example: If a provider is asked to provide EHI that their EHR is not capable of supplying, or if the request requires the use of a specific technology that the provider does not have, the provider is then able to provide EHI in an alternative manner agreed upon by the provider and the requesting party/patient.

7) Fees Exception: It is not information blocking for an actor to charge fees, including those that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

8) Licensing Exception: An actor may condition access to and use of its interoperability elements for accessing EHI on acceptance of a license agreement, if its licensing program is applied in a nondiscriminatory manner and meets certain additional conditions. (This is more relevant to health IT developers.)

What Happens When Actors Don’t Comply?
Currently, the Rule does not include specific enforcement identified for healthcare providers. They will be referred to the appropriate agency and subject to “appropriate disincentives” as set forth by HHS. Health IT developers and health information networks may be subject to a civil monetary penalty not to exceed $1,000,000 per violation.

Many actors have been taking steps to comply with the Rule’s information-blocking standards, including seeking advice/counsel on the requirements and exceptions in the Final Rule; checking with their EHR vendors; reviewing and revising policies on how patients can access their EHI under both HIPAA (if applicable) and ONC; and implementing consistent, nondiscriminatory organizational policies for denials/documentation.

Visit the ONC’s website for an overview of the Rule, its complete text, and fact sheets:

The CMS Final Rule
The CMS Rule addresses many of the same interoperability and patient access issues as the ONC Rule, but it applies to different sets of entities/providers:

  • Medicare Advantage (MA)
  • Medicaid (in California, Medi-Cal) fee-forservice programs and Medi-Cal managed care plans (MCPs)
  • CHIP FFS and managed care entities
  • Qualified health plan (QHP) issuers on federally facilitated exchanges

The CMS Rule encourages interoperability, innovation, and patient empowerment by requiring the following (mostly on the part of payers/plans):

  • Patient access to health data via APIs. All applicable payers (as noted above) are required to implement and maintain a secure, standards-based API that allows patients to easily access their claims information, including costs and clinical information, through third-party apps of their choice.
  • Payer-to-payer data exchange. All applicable payers (plans) will have to exchange certain patient clinical data at patients’ request. This will allow patients to take their information with them as they move from payer to payer over time.
  • Access to provider directories via APIs. Applicable payers, including Medi-Cal FFS and Medi-Cal managed care plans, are required to make provider directory information publicly available via an API.
  • “Conditions of participation,” notices. Hospitals are required to send electronic event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or practitioner.
  • Public reporting of providers that may be information blocking. CMS will publicly report applicable clinicians and hospitals that are suspected of information blocking. CMS has made a fact sheet of its Final Rule available at fact-sheets/interoperability-and-patient-access fact-sheet.,

Because of the COVID-19 pandemic, the ONC issued a statement pushing the implementation date for its information blocking standards back to April 5, 2021 (with later compliance dates for other aspects of the Rule), and CMS pushed its implementation date back to June 1, 2021.

LMFTs who work for certain healthcare organizations will most likely see practices change in terms of how patient treatment information is being accessed, exchanged, and used. For now, the Rules will not change how most LMFTs in other settings maintain their records and respond to records requests. CAMFT will continue to monitor the Rules and provide members with updates.


At a Glance

LMFTs working in a mental health center/clinic Does your organization meet the definition of community mental health center as defined in 42 USC § 300x–2(b)(1)? Do you maintain EHR? If yes to both, the ONC Rule’s information-blocking provisions apply to you. See If yes, inquire with your employer about any changes to policies and procedures on recordkeeping and responding to patients’ requests for electronic health information.
LMFTs working in other healthcare organizations such as Kaiser Medical Group and in hospitals that maintain EHR Check with your employer to see if they are an actor under the Rule. See
Consider discussing with your employer the implementation of consistent
and nondiscriminatory policies that take into account case-bycase requests for mental health information and whether any exception applies.
Psychologists and LCSWs who maintain EHR You are listed as an actor in the regulation and must comply with the ONC Rule’s information-blocking provisions even if you don’t use health IT that is certified by the ONC.  



Ann Tran-Lien, JD, is a staff attorney and the Managing Director of Legal Affairs at CAMFT. Ann is available to answer member calls regarding legal, ethical, and licensure issues.


1 Section 4003 of the 21st Century Cures Act. The term “interoperability,” with respect to health information technology, means such health information technology that “(A) enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user; (B) allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (C) does not constitute information blocking as defined in section 3022(a).”

2 45 CFR § 164.524

3 California Health & Safety Code §§ 123100-123149.5

4 For more information about certified health IT see https://www.

5 See

6 The Secretary of HHS has discretionary authority to expand the definition to any other category of providers determined appropriate.

7 As defined in 42 USC § 300x–2(b)(1)).

8 ONC/HHS acknowledged that switching EHR systems is costly and burdensome for healthcare providers and organizations. Thus, HHS will require health IT developers to make available the electronic export of all EHI they produce and electronically manage in a computable format. The EHI export certification criteria require that all EHI produced and electronically managed by a developer’s health IT be readily available for export to an individual patient upon their request for treatment data, and to all patients when a healthcare provider or organization seeks to change health IT systems.

9 ONC/HHS indicates that “unnecessary delays or response times” that affect the timeliness of EHI may be considered information blocking, depending on the facts and circumstances.

10 45 CFR 171.102

11 Before October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with the requested EHI that can be identified by the data elements represented in USCDI. On and after October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in 45 CFR 171.102 (HIPAA).

This article is not intended to serve as legal advice and is offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in this article.