Access Legal & IG Quarterly Update – Q3 2024

Adam Koonce, ACP, Manager, Legal Research

This quarter’s legal and information governance update covers legislation extending from the 21st Century Cures Act that impacts the maintenance, security, and availability of health care data and medical records, and the growing coverage of personal and consumer data legislation complementing HIPAA and other federal healthcare data protection requirements.

Throughout the update, we’ve included notations in italics, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients.

Continue reading to become informed of the latest regulatory and provisional information you need to do your job as efficiently and confidently as possible!


United States 21st Century Cures Act

When the Cures Act was passed in 2016, it had several goals related to improving patient access to records, improving a computer system’s or software’s ability to exchange information, and improving the usefulness of medical information for both patients and healthcare providers.

The Cures Act accomplishes this through some key requirements:

  • Ensuring patients have immediate access to certain categories of clinical notes in electronic health records (EHR):
    • Consultation notes
    • Discharge notes
    • Imaging narratives
    • Lab report narratives
    • Medical History and Physical notes
    • Pathology report narratives
    • Procedure notes
    • Progress notes
  • Encouraging software application development based on a principle of allowing patients both full and portable access to their health care information by requiring EHR data formats be more compatible across various software platforms to enable easier sharing of data. These are referred to as the interoperability requirements.
  • Prohibiting both healthcare providers and healthcare IT developers from using or creating software and computer systems capable of preventing, restricting, or delaying a patient’s access to their medical data. Of the nine exceptions, the most relevant include cases where privacy, security, and the prevention of harm are a consideration.

The requirements of the Cures Act began to take effect in April of 2021, but the Cures Act has become relevant again for two reasons: the passage of the OIG Final Rule on Health Data, Technology, and Interoperability (HTI-1) in June of 2023, taking effect in March of 2024, and the release of the HHS Final Rule on Disincentives for Health Care Providers That Have Committed Information Blocking in June 2024, taking effect in July of 2024.

Under the OIG rule, an entity that is a developer of certified health information technology, offers certified health IT, is a health information exchange (HIE), or is a health information network (HIN) could be liable for a $1 million penalty for each action or practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).

Under the HHS rule, a health care provider that OIG determines has committed information blocking under HTI-1 can have disincentives placed on them in addition to the $1 million penalty. [Codified in 45 C.F.R. § 171.1000]

Those disincentives include:

(1) stripping an eligible hospital or critical access hospital (CAH) of its meaningful electronic health record (EHR) user status

  • Potential loss of $43,720 over five years under Medicare, and $63,750 over six years under Medicaid

(2) stripping a Merit-based Incentive Payment System (MIPS) eligible clinician who is also a health care provider of its meaningful EHR user status

  • Potential loss of Medicare payment bonuses historically around 2%, but as recently as 2022 as high as 8.25% for payments in 2024

(3) removing or denying approval to participate in the Medicare Shared Savings Program for at least a year to accountable care organizations (ACOs) who are health care providers, ACO participants, and ACO providers/suppliers

  • Potential loss of the 50% average share of Medicare cost savings returned to providers and organizations that have shown continued efforts in reducing costs to Medicare.

While the disincentives seem more like penalties, there are companies that specialize in providing services and support to help modernize and simplify the task of organizing, storing, securing, and managing healthcare records.

Some of the services these companies offer include:

  • helping healthcare organizations archive their historical patient data from any legacy system, freeing up system space while meeting security and retention compliance requirements,
  • decommissioning legacy systems and enabling the retirement of other EHR, EMR and ERP systems while ensuring retention of patient data required by federal regulations such as HIPAA and state laws,
  • migrating legacy patient, financial and departmental data to a new system by transforming or converting data to formats more compatible with the Cures Act requirements.

The Cures Act and HIPAA do much of the heavy lifting for healthcare records management legislation, but state-level privacy legislation also plays a role, filling in gaps on how to address other kinds of data or health data that is not covered by HIPAA.

This is where states begin to play a growing role in privacy protections.

State Health Care Legislation

As I have noted before, the passage of privacy legislation is accelerating. The number of personal and consumer data protection laws in the United States is at 19, and seven of them were signed in 2024. While each privacy law is similar, the way each state defines and categorizes certain kinds of data can be very different.

Conveniently for records managers, and perhaps to avoid legislative conflicts, all 19 states have thus far consistently included language to exclude Health Insurance Portability and Accountability Act (HIPAA) related information in the exemption sections of the personal or consumer data laws.

Many states are legislating personal data privacy, while excluding HIPAA related information, by targeting information like consumer, personal or personally identifiable, sensitive, or biometric information and data.

With the quickening of personal and consumer data legislation, several states also passed standalone legislation or amendments to existing data privacy legislation to cover health data beyond that covered by HIPAA.

The Washington My Health My Data Act [WASH. REV. CODE ANN. §§ 19.373.005 — 19.373.900] effective March 31, 2024, introduces comprehensive protections for consumer health data not covered by HIPAA. It requires entities to obtain affirmative consent before collecting or sharing health data, implements robust security measures [§ 19.373.020 & .030], and provides consumers with rights to access [§ 19.373.040], delete [§ 19.373.040], and restrict the use of their health data [§ 19.373.070].

An authorization for the sale of patient data is required to be retained for 6 years.

[WASH. REV. CODE ANN. § 19.373.070]

Similar to Washington, Nevada has enacted the Nevada Consumer Health Data Privacy Law [NEV. REV. STAT. §§ 603A.495 — 603A.550], effective 3/21/2024, which mandates that entities obtain explicit consent before collecting or selling consumer health data [§ 603A.500], provides for the ability to delete data at the consumer’s request [§ 603A.505], and ensures consumers retain access to their data [§ 603A.510].

An authorization for the sale of patient data is required to be retained for 6 years.

[NEV. REV. STAT. § 603A.535]

Connecticut has enacted the Connecticut Data Privacy Act [CONN. GEN. STAT. §§ 42-515 — 42-530] effective 7/1/2023, mandating personal data controllers provide consumers with the ability to access, delete, and be provided with data in a portable manner at the consumer’s request [§ 42-518]. The Protection Act also provides for reasonable administrative, technical, and physical data security for consumer information [§ 42-520], and extends protections requiring consent from a data owner for possession, use, and sale of their consumer health data [§ 42-526].

Data controllers shall retain data protection assessments of the sale of personal data, and the processing of personal data, personal data for purpose of profiling, and sensitive data.

[CONN. GEN. STAT. §42-522]

Data controllers that conduct data protection assessments shall maintain documentation for the longer of 3 years beginning on the date on which processing operations cease, or as long as such controller offers an online service, product or feature.

[CONN. GEN. STAT. § 42-529b]

Each of these states, and the 16 other states with personal privacy legislation capturing healthcare data not covered by HIPAA, can issue fines or penalties through the state’s attorney general for failing to comply with the legislation. Each act exposes an organization to liabilities between $2,000 and $25,000 per incident or violation. A modern healthcare data management system is becoming increasingly necessary, and all but unavoidable, to limit compliance liability under all the data legislation that has been passed in the last few years and that will continue to be passed in the future.


To learn more about archiving patient data from legacy systems, decommissioning legacy systems, or migrating patient, financial and departmental data to a new system compatible with the Cures Act requirements, request a call from a Triyam expert.

Triyam, an Access company, provides an enterprise-wide solution for data management. Triyam’s solution allows customers to optimize legacy data access and ensure retention compliance. For more information on Triyam, visit https://www.triyam.com/contact-us.