
Statutes Governing Health Data

The following statutes govern federal activity related to health information technology and data. Descriptions of each statute are general snapshots and are not intended to be fully inclusive explanations of each statute’s relevant provisions.


HIPAA – Health Insurance Portability and Accountability Act. Requires the HHS Secretary to publish standards related to the privacy and security of medical information used and disclosed by health plans, providers and clearinghouses.


HITECH - Health Information Technology Economic and Clinical Health. Authorized CMS to spend $38 billion on EHR Incentive Programs to promote the adoption and meaningful use of HIT, statutorily authorized the ONC, and established the Health IT Certification Program.


  • 2010: Meaningful Use Stage 1

  • 2012: Meaningful Use Stage 2

  • 2018: Inpatient Prospective Payment System (IPPS) and Long-Term Care Hospital (LTCH) Prospective Payment System includes policies that rebrand the meaningful use programs as the promoting interoperability (PI) program


FDASIA - Food and Drug Administration Safety and Innovation Act. Directs the FDA, with the FCC and ONC, to draft a report that proposes a regulatory framework for health IT, including medical mobile applications.


MACRA - The Medicare Access and CHIP Reauthorization Act of 2015. Requires HHS to outline a national objective of widespread exchange of health information through interoperable certified EHR technology by December 2018 (if not, HHS must submit a report highlighting barriers to this goal and outlining federal plans to achieve the objective by December 2019).


21st Century Cures Act. The Cures Act defines interoperability, setting an expectation that all patient information stored electronically can be exchanged, and mandates specific federal agencies (FDA, AHRQ and ONC) to act to implement this goal. The Act states, “In order for health information technology to be considered interoperable, such technology must satisfy the following criteria: secure transfer, complete access to health information, no information blocking.”


It also:

  • Creates a stakeholder reporting system to review EHR usability, interoperability and security

  • Combines ONC's Health IT Policy and Standards Advisory Committees into one “HITAC”

  • Gives HHS OIG authority to investigate and penalize information blocking

  • Requires HHS to educate providers about data sharing

Want to know more?


Contact Julie Barnes at

Text or call 703-304-1756

It has been more than 2 years since the 21st Century Cures Act was passed.