The CURES Act was signed into law on December 13, 2016. Statistics show, however, that many healthcare workers are still unaware of this legislation.


What is the CURES Act? In a nutshell, the CURES Act of 2016 seeks to increase choice and access for both patients and providers. It details Eight Mandatory Medical Record Categories of information that must be made available to patients, ranging from things like consultation or visit summaries to lab and imaging reports.

In addition, the Act seeks to ease regulatory burdens associated with the use of electronic health record systems and health information technology. It includes a focus on advancing interoperability and supporting Application Programming Interfaces (APIs), and details requirements to avoid engaging in “information blocking,” which refers to the prevention of, or interference with, access, exchange, or use of electronic health information. Since this is a rather generalized definition, the CURES Act provides eight categories of reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met, called the Information Blocking Exceptions. These are significant, as they offer a roadmap for healthcare companies to avoid liability while navigating an ever-evolving legislative landscape.


The law and its subsequent additional rules went into effect in January 2022, and healthcare entities have a grace period through October 2022 to have their new or augmented systems in place. Here are a few of the potential hazards your business may encounter along the way to compliance with the policies of the CURES Act:

  1. HIPAA Laws, Data Breach & Patient Confidentiality
  2. Back-Up System Failure
  3. Misinformation/Management Errors


With all this in mind, you can manage the obstacles that lie in the way of your success. Here’s what you can do to help your organization manage risk and successfully embrace the CURES Act:

  1. Adopt the Right Mindset: The CURES Act presents an opportunity to gain further insight into the health of patients and the individual environmental factors that shape it. This information is integral to the evolution and future innovation of healthcare and healthcare companies.
  2. Develop a Business Plan: A formal business plan will guide steady and consistent implementation of compliance efforts, especially when tailored to your organization’s specific goals and challenges.
  3. Conduct a Risk Assessment: Various privacy, security, and safety risks can emerge when sharing and accessing patient data from consumer applications. Risk assessment considerations include an organization’s insufficient security standards, as well as risk of harm to patients when third-party apps act inappropriately. From a compliance standpoint, organizations face risks as they aim to preserve data privacy without conflicting with information-blocking regulations. Consultations about risk management and patient safety help mitigate these day-to-day liabilities.
  4. Establish an API Governance Policy: Apply Governance Unilaterally: A well-crafted governance policy can enable efficient API integration without putting the organization at risk. Consistently applying the governance policy/vetting process to all third-party apps significantly limits the likelihood of unauthorized access to or use of private information through an app, and simultaneously serves to justify the instances where the organization must deny third-party access due to risk concerns.
  5. Educate. Educate: Moving forward, stakeholders, staff and patients need to be informed and continually reminded of the new policies, especially in terms of the “Eight Mandatory Medical Record Categories” and the Information Blocking Exceptions.


Risk is a reality, and our Napa River experts are here to help. Contact us so, together, we can move your business forward.


Dedicated and available team members are ready to help you.

Jose L. Guzman, Jr.

Vice President & Director, Risk Management

Rebecca Weber, JD

Vice President & Chief Claims Officer

Bonnie Katubig

Healthcare Claims Manager

Francine A. Thomas

Assistant Vice President & Risk Manager

Suzanne Shields