Health IT Legislation

21st Century Cures Act

There are many provisions of the 21st Century Cures Act (Cures Act) that will improve the flow and exchange of electronic health information. ONC is responsible for implementing those parts of Title IV, delivery, related to advancing interoperability, prohibiting information blocking, and enhancing the usability, accessibility, and privacy and security of health IT. ONC works to ensure that all individuals, their families and their health care providers have appropriate access to electronic health information to help improve the overall health of the nation’s population.

In addition to supporting medical research, advancing interoperability, clarifying HIPAA privacy rules, and supporting substance abuse and mental health services, the Cures Act defines interoperability as the ability exchange and use electronic health information without special effort on the part of the user and as not constituting information blocking. 

ONC focuses on the following provisions as we implement the Cures Act:

  • Section 4001: Health IT Usability
  • Section 4002(a): Conditions of Certification
  • Section 4003(b): Trusted Exchange Framework and Common Agreement
  • Section 4003(e): Health Information Technology Advisory Committee
  • Section 4004: Identifying reasonable and necessary activities that do not constitute information blocking

ONC is also supporting and collaborating with our federal partners, such as the Centers for Medicare & Medicaid Services, the HHS Office of Civil Rights, the HHS Inspector General, the Agency for Healthcare Research and Quality, and the National Institute for Standards and Technology.


The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) ended the Sustainable Growth Rate formula and established the Quality Payment program (QPP). The QPP rewards high-value, high-quality Medicare clinicians with payment increases, while reducing payments to clinicians who do not meet performance standards. The Quality Eligible clinicians have two tracks to choose from in the Quality Payment Program based on their practice size, specialty, location, or patient population:

  • Advanced Alternative Payment Models (APMs) or
  • The Merit-based Incentive Payment System (MIPS)

Under MACRA, the Medicare EHR Incentive Program, commonly referred to as meaningful use, was transitioned to become one of the four components of MIPS, which consolidated multiple, quality programs into a single program to improve care. Clinicians participating in MIPS earn a performance-based payment adjustment while clinicians participating in an Advanced APM may earn an incentive payment for participating in an innovative payment model.


The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 [PDF - 266 KB] provides HHS with the authority to establish programs to improve health care quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange. Learn more about select portions of the HITECH Act that relate to ONC’s work.


Section 618 of the Food and Drug Administration Safety and Innovation Act (FDASIA) of 2012 directed the Secretary of Health and Human Services, acting through the Commissioner of the U.S. Food and Drug Administration (FDA), and in consultation with ONC and the Chairman of the Federal Communications Commission, to develop a report that contains a proposed strategy and recommendations on an appropriate, risk-based regulatory framework for health IT, including medical mobile applications, that promotes innovation, protects patient safety, and avoids regulatory duplication. The Health IT Policy Committee formed a FDASIA workgroup and issued recommendations to ONC, FDA, and FCC as of the September 4th, 2013 HIT Policy Committee meeting.

View the full collection of FDASIA Section 618 related activities.

Read the draft FDASIA Health IT Report Proposed Risk Based Regulatory Framework report [PDF - 438 KB] for public comment. Additional activities related to the draft report, including public meetings and instructions on how to submit public comments will be made available on an ongoing basis.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs, requires the establishment of national standards for electronic health care transactions, and requires establishment of national identifiers for providers, health insurance plans, and employers.

The HHS Office for Civil Rights administers the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule describes what information is protected and how protected information can be used and disclosed. The HIPAA Security Rule describes who is covered by the HIPAA privacy protections and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

The Centers for Medicare & Medicaid Services administer and enforce the HIPAA Administrative Simplification Rules, including the Transactions and Code Set Standards, Employer Identifier Standard, and National Provider Identifier Standard. The HIPAA Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.

Affordable Care Act

The Affordable Care Act of 2010 establishes comprehensive health care insurance reforms that aim to increase access to health care, improve quality and lower health care costs, and provide new consumer protections.