Last week, the Center for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules are considering how they may facilitate their access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and timing and what acts may constitute violations of these rules.  To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule.  For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at

As you read the chart, you should keep the following in mind:

  • CMS’ compliance and enforcement authorities under the CMS Rule relate to the access and exchange of patient claims and encounter data by certain CMS Payers, as well as existing contracts and agreements with state agencies, while enforcement regarding required sharing of admissions, discharge, and transfer alerts for relevant CMS providers is tied to their compliance with newly finalized Medicare Conditions of Participation.

The ONC Rule has equally important consequences:

  • Beginning six months after the ONC Rule’s publication date, the scope of “electronic health information” (EHI) subject to the ONC Rule’s requirements is limited to the USCDI between 6-24 months after the rule’s publication, then expanded to the full scope of EHI beginning 2 years from the rule’s publication date. Enforcement of requirements for certified health IT developers for conditions and maintenance of certification under the ONC Health IT Certification Program will be done through an ONC-established process for direct review, notice, corrective action, and possible termination from certification with respect to granting new and continued certification to health IT products.
  • The Cures Act authorized the Office of Inspector General (OIG) to investigate claims of information blocking and to issue civil monetary penalties (CMPs) for violations by certified health IT developers and health information networks/health information exchanges. The OIG still needs to propose rules related to these CMPs for public notice and comment, and in fact, they appear to be under review at OMB, and would still be subject to public notice and comment.  The ONC Rule noted that actors will not be subject to CMP penalties until these CMP rules are final.
  • The Cures Act also authorized OIG to refer health care providers to an appropriate agency, including ONC or CMS, for “appropriate disincentives,” which were not further defined in the Cures Act. The Cures Act states that the Secretary must identify these disincentives through notice and comment rulemaking, which has not yet occurred.

In addition to these forthcoming enforcement authorities, we note that OIG continues to work with DOJ regarding prosecution of false attestations related to the Health IT Certification Program as violations of the False Claims Act (see, e.g., the Practice Fusion case).

Stay tuned for more analysis and insight on the CMS Rule and ONC Rule, as the industry comes to terms with their imminent impact on their patient health data exchange practices.