21st Century Cures Act: Software and Compliance

Updated - 04 Jul 2024
Grigor Peykov Technical Copywriter XTATIC HEALTH

Passed in 2016, the 21st Century Cures Act (The Cures Act) (1) introduced changes intended to increase medical research funding and help the Food and Drug Administration (FDA) review drugs and medical devices. 

This article will dive into the intricacies of The Cures Act and establish why it is so important to the healthcare industry.

Impact of the act on software development

This act gives specific attention to the uses of software in healthcare, particularly in electronic health records (EHR), healthcare analytics, and healthcare apps.

Through this focus, the 21st Century Cures Act promotes innovations in clinical software, while ensuring effectiveness and safety in patient care.

How is the impact achieved?

Here are the main areas of influence:

  1. Interoperability: The Cures Act promotes the development of interoperable software, facilitating easier information sharing between different systems. Software developers are encouraged to develop their apps to allow for a standardized sharing of data. As a result, the care each patient receives can be coordinated much more easily.
  2. Less confusion: Some healthcare software falls within the oversight of the FDA. Examples of such software are apps that help professionals make clinical decisions. However, how far the agency's jurisdiction extends is unclear. The 21st Century Cures Act aims to restrict this encompassing oversight by excluding certain types of software from the jurisdiction of the FDA. Therefore, software developers now have a better understanding of what type of healthcare software will be regulated by the agency.
  3. Patient access: The legislation empowers patients with easier access to their information through software. The legislation encourages the development of portals and patient-facing apps that help patients access their medical records or test results. As a result, patient engagement and the degree of data transparency are increased in the process.
  4. Real-world evidence: The 21st Century Cures Act establishes a precedent in regulatory decision-making to facilitate the use of real-world evidence by software in clinical trials. Data from wearable medical devices, EHRs, and other software sources may be used to help approve new treatments or medical products. As a result, clinicians can develop new treatments faster.

All of these improvements come from the changes the Cures Act introduces into existing medical software policies in US legislation. Each of these impacts will be discussed separately and in depth.

How the Cures Act improves interoperability


Interoperability, more broadly, is the ability for different computer devices and pieces of software to communicate with each other. In the healthcare field, the main concern is the timely and secure integration of electronic healthcare data so it can improve outcomes of health and human services.

As the free market permits many companies to develop software and hardware independently, this will necessarily create many different versions of software. These differences have a significant effect on patient care.

The Cures Act addresses this problem by calling for the following measures:

  • Certification requirements: The new law introduced new certification standards that every vendor must meet. In the certification program, software must meet a minimum threshold of interoperability to be certified under the new legislation. It is for the vendors themselves to demonstrate that capability.
  • Application programming interface (API) functionalities: Part of the minimum requirement is the inclusion of API software into each application. An API is the “key” that allows different apps to communicate. In practice, this means that EHRs, healthcare software, and other health devices must have common interfaces that allow this data to be easily shared.
  • Promoting the Fast Healthcare Interoperability Resources (FHIR): The Cures Act promotes the establishment of one common standard for exchanging medical data – the FHIR. This standard permits the transmission of important patient data discreetly – data such as lab results, allergies, medications, etc. across different systems.
  • Oversight by the National Coordinator for Health IT (ONC): The 21st Century Cures Act grants the authority to the ONC to establish and oversee compliance with the legislation. Namely, the ONC is responsible for granting the aforementioned certificates. Further, the ONC health regulations also include looking into signals for violations of the Cures Act.
  • Maintaining security: While interoperability is one of the main goals of the new legislation, the Cures Act upholds the need for privacy and security. Part of the certification criteria is that software must maintain up-to-date and robust security measures during the transmission of information. Software developers must also keep in mind standards from other laws like the Health Insurance Portability and Accountability Act (HIPAA).
  • Provider directory services: To help with security, the Act mandates the development and upkeep of a directory service. That service gives health care providers up-to-date information about other healthcare providers, so that these healthcare professionals can communicate information to the right individuals or organizations.
  • Promoting healthcare exchange networks: The Act encourages the development of health information networks (HIEs) and regional health information organizations (RHIOs). They serve as the middleman between healthcare providers for sharing medical data. As a result, these organizations improve connectivity and secure data exchange.


Practical benefits of interoperability 

The measures described above create a cohesive network of healthcare services.

Just some of the improvements that this increased interoperability can bring are:

  • Improved patient care and safety: A greater level of interoperability means that healthcare professionals can easily access the complete patient history of an individual under their care. They can also search for relevant data in more places easily, contributing to a more informed decision.
  • Fewer administrative hurdles: Issues such as the duplication of treatment and issues with accessing insurance eligibility can be mitigated with software that has a great degree of interoperability. Time lost in administrative tasks can also be reduced as fewer issues will arise when having to work with different types of health software.
  • Reduced costs: By ensuring quicker administration and fewer duplications of treatment or issues, interoperability ensures a lower cost of services for both healthcare providers and patients, thus reducing the out-of-pocket expenses for individuals.

All of these benefits arise only from improved interoperability. However, the 21st Century Cures Act improves other areas of healthcare software.

Less confusion around software regulations


Under the Federal Food, Drug, and Cosmetic Act (FD&C Act) (2), software can be seen as a medical device.

Namely, if the software “is intended to be used for one or more medical purposes without being part of a hardware device” (181 section 201(h) FD&C Act), it is considered a medical device.

This classification is often viewed as unfavorable because it requires software developers to submit a premarket notification to the FDA, demonstrating the safety and effectiveness of the device. This leads to longer timeframes for product launches and incurs additional costs. 

Consequently, many software developers faced uncertainty about whether their software qualified as a medical device, which not only slowed down their development process but also added an extra layer of complexity.

Thankfully, the Cures Act introduced some limitations on the FDA’s jurisdiction. 

Namely, some types of software were excluded from the definition of a medical device:

  1. Software intended for administrative support of a health care facility (FDCA § 520(o)(1)(A));
  2. Software intended for maintaining or encouraging a healthy lifestyle and unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition (FDCA § 520(o)(1)(B));
  3. Software intended to serve as electronic patient records to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart (FDCA § 520(o)(1)(C));
  4. Software intended for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional concerning such data and results, general information about such findings, and general background information about such laboratory test or another device, unless this certain software function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings (FDCA § 520(o)(1)(D));
  5. Software for clinical support.

Developers creating software in these five areas thus have certainty about which regulations govern their software and can adjust accordingly. Yet, some caveats do apply even in these five areas.

For example, software in the fourth category still counts as a medical device when intended to store, transfer, display, or convert medical information.

Similarly, software in the fifth category would also be considered such a device, and would not be exempt from the device definition, if it is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system.

Exceptions in the Cures Act

Such caveats meant that software developers were still unsure about the legal status of their software.

To help clarify matters, an amendment to the 21st Century Cures Act introduced 8 types of software that are explicitly not considered medical devices:

  • Calculator or data processing modules for clinical use: Apps or software tools made to carry out different computations and data processing duties associated with clinical information and medical practice.
  • Continuous glucose monitor (CGM) secondary displays: Devices or programs that show real-time glucose readings and patterns from a CGM device to people with diabetes or others who care for them. With the help of these auxiliary displays, people can track blood glucose levels in addition to using a smartphone app or primary CGM receiver.
  • Automated indirect immunofluorescence microscope and software-assisted systems: Technology utilized in laboratory medicine and medical diagnostics, specifically in the identification and examination of infectious pathogens and autoimmune disorders. These technologies integrate advanced software algorithms with automated microscopy hardware to optimize the precision, speed, and effectiveness of immunofluorescence experiments.
  • Medical device data systems: Products, either software or hardware, used to transfer, store, show, and gather medical data from medical equipment. These systems, which offer a way to organize and use the data produced by numerous medical devices for therapeutic purposes, are a crucial part of contemporary healthcare.
  • Home uterine activity monitors: Medical technologies that allow pregnant people to be comfortable in their own homes while tracking and recording their uterine contractions. These devices are typically prescribed by medical practitioners to monitor contractions in particular circumstances. Their primary purpose during pregnancy is to assess uterine activity.
  • Medical image storage devices: Unique hardware or storage options made to handle, organize, and preserve medical images produced by different medical imaging modalities. In medical settings, where medical imaging is an essential component of patient diagnosis, treatment planning, and monitoring, these instruments are vital.
  • Medical image communications devices: Medical image communication systems, also called medical image communication devices, are specialized technologies used in healthcare settings to make it easier for healthcare professionals and institutions to view, share, and transmit medical images and related patient data. These devices are essential to contemporary healthcare because they facilitate effective communication and teamwork for patient care, diagnosis, and treatment planning.
  • Picture archiving and communications systems: Solutions for specialized health information technology that are used to collect, store, retrieve, distribute, and manage patient data and medical pictures.

These combined measures mean that software developers know better under which regulation to create their software.

Yet, the Cures Act did not leave out protection for patients either.

Protections against information blocking

A common practice before the 21st Century Cures Act was information blocking. This is a broad term for all types of actions that intentionally prevent or hinder the ability to share electronic health information between healthcare providers or individuals.

The worst forms of these practices included charging exorbitant fees for such information, refusing data access to other authorized individuals even after a request, etc. These practices directly impacted patients through worse care or lack of information that would help inform their decisions. While the exact form of withholding information varied, it generally benefited the distributor of the data.

The Cures Act introduced a solution to the problem by prohibiting a range of actions that constitute information blocking. Namely, the ONC prohibits any act that will likely interfere with the access, exchange, or use of protected electronic health information (EHI). 

This prohibition applies to 2 groups:

  • Health IT dealers, health information exchanges, health information networks, or developers who know their conduct is likely to interfere with access to EHIs.
  • Healthcare providers who know their practices are likely to interfere with EHIs.

Legitimate reasons to block information

This broad definition of information blocking would cover any potential situation of abuse. 

However, it would also cover situations that might be legitimate restrictions of information.

This is by design, as the law specifies only a short list of actions that count as justified restrictions on access to information.

These exceptions are:

  • Healthcare providers can restrict information for the prevention of harm. Secrecy for the sake of public interest and preventing harm to parties or society, in general, can justify restricting access or interfering with information. An example would be temporarily restricting information about an outbreak of a virus, in order to track and assess it, if the virus is not dangerous but the information might cause panic.
  • Ensuring secure privacy is also seen as a legitimate reason to limit data transmission. While information providers are under a general obligation to provide EHI, they are under no obligation to provide information if that will violate other federal or state laws. For example, HIPAA regulations may specify that certain information is restricted and a vendor may not be forced to share that information.
  • Ensuring the security of the software is also seen as an issue of paramount importance. This is simply a clause that permits a certain level of restrictions on information to ensure security. 
  • No healthcare provider can be punished when transmission is infeasible. This exception does recognize that sometimes sharing information is impossible or impractical. When there is a legitimate reason, the data holder is not required to comply with requests to share or exchange EHIs.
  • Another practical exception is for maintenance. IT developers may need time to maintain the software functions of their apps. When such maintenance is needed to maintain efficiency or even improve it, they take the software down temporarily. This exception protects such actions so as not to disincentivize the maintenance of healthcare software.
  • Other necessary measures are the content and manner exceptions. This is a broad exception that is intended to bring clarity as to what kinds of information must be shared in response to a request to access, exchange, or use EHIs. This exception specifies, for example, that the response to such a request may not be in the requested form or that some information not reasonably needed may be withheld.
  • Legislators also permit restricting information to ensure fees are being paid. This exception is intended to help support businesses by permitting fees related to the development or provision of technologies that enhance interoperability. Of course, practices such as opportunistic fees, rent-seeking, or others limiting access for purely monetary gain do not fall within this exception.

Lastly, another protection provided to the developers of software is the licensing exception. The Cures Act does recognize the importance of copyrights for developers. This exception does permit actors to protect their innovations by using copyright protections. 

This also includes the ability to charge royalties for the use of their software, provided they are within a reasonable range.

The benefits of protection against information blocking

These protections against information blocking have a profound impact on the patient’s quality of care. These benefits are achieved in several ways.

The most obvious is the increased transparency. Patients have the right to know how their information is being processed or shared. This will help inform their decisions as to which treatments to undergo or which healthcare provider to trust.

Another benefit, less commonly thought of, is second-opinion support. Patients who are unhappy with their current treatment or wish to receive the opinion of more than one specialist have greater access to their medical records. Therefore, they can easily share that information with other healthcare professionals.

Lastly, less information blocking means reduced costs. Practices that restrict information often hide it behind paywalls. This means that healthcare providers and patients need to pay to access that information, increasing costs.

All of these practices facilitate better services for the patient. However, the Cures Act does not only benefit healthcare providers or patients. This legislation also promotes innovation through real-world evidence.


Using real-world evidence (RWE)

Real-world evidence in healthcare refers to any data gathered from real-world patients’ experience, their medical history, and their treatment as opposed to information collected in clinical trials. 

RWE provides information on the effectiveness and value of medical technologies or treatments used in routine practice. Real-world evidence is data that complements the findings in randomized clinical trials.

Examples of RWE include data from EHR, wearable medical devices, pharmacy records, etc.

The 21st Century Cures Act introduced requirements for the FDA to evaluate the use of RWE for the new indication of a previously approved drug. RWE can also be used to satisfy post-approval study requirements.

The use of real-world data has several benefits over clinical trials:

  • Diversity of data: Unlike a clinical trial scenario, which has strict criteria for which data can and cannot be included, RWE can be used to gather information from a broad range of patients. This diversity provides a better understanding of how treatments will perform in practice, where there are patients with widely varying demographic characteristics.
  • Longitudinal data: Real-world evidence can be gathered from patient outcomes continuously. This allows for the long-term assessment of the effectiveness of treatments or practices, including the tracking of safety concerns. These types of results are impossible to capture with short-term clinical trials.
  • Safety surveillance: RWE can help monitor the safety of healthcare products and identify side effects that have not been detected during the clinical trials. Especially when it comes to post-market surveillance, the RWE is invaluable for ensuring no drugs or software have serious adverse health consequences for patients.
  • Clinical guidelines: RWE provides information on how software will handle a real-world situation. This better understanding of the medical effects in practice can help better inform the development of guidelines for treatment.
  • Precision medicine: Real-world evidence can also help develop software or treatments for individual groups of people. The more practical data received from RWE can help identify subgroups of people that might have gone unnoticed by clinical trials. Healthcare developers can then create software that helps with these people’s specific needs.

As a result of the 21st Century Cures Act, RWE will likely be utilized to a much greater degree. This will be one more tool for researchers to help better identify and solve problems among various groups of people.

The 21st Century Cures Act provides a wide array of new provisions that help patients access their personal information or help researchers with innovations.

However, the act also introduces new requirements like changes to the certification requirements of the software.

Therefore, a software developer must now be mindful of how the new regulations govern their software. This article only covers the surface of the new legislation and cannot cover every individual case. However, people who wish to remain compliant with US regulations will always benefit from a trusted partner.
