Passed in 2016, the 21st Century Cures Act (The Cures Act) (1) introduced changes intended to increase medical and biometrical research funding and help the Food and Drug Administration (FDA) review drugs and medical devices.
This article will explore the details of the Cures Act and explain its significance to the healthcare industry.
Impact of the act on software development
The Cures Act gives specific attention to the uses of software in healthcare, specifically in electronic health records (EHR), healthcare analytics, and healthcare apps.
In essence, the 21st Century Cures Act promotes innovations in clinical software, while ensuring effectiveness and safety in patient care.
How is the impact achieved?
The Cures Act has made some key regulatory changes that help software development. Such regulatory changes include:
- Interoperability: The Cures Act promotes the development of interoperable software that facilitates easier information sharing between different systems. The Act encourages software developers to develop their apps for standardized data sharing. As a result, the care each patient receives can be coordinated much more easily.
- Less confusion: Some healthcare software falls within the oversight of the FDA. However, it is unclear exactly which type of software is governed by the FDA and which falls under other agencies. The 21st Century Cures Act aims to specifically exclude certain types of software from the jurisdiction of the FDA and provides more clarity. Therefore, software developers now better understand what type of healthcare software will be regulated by the agency.
- Patient access: The legislation gives patients easier access to their medical information through software. It promotes the development of portals and patient-facing apps that allow them to view medical records and test results. This enhances patient engagement and improves data transparency.
- Real-world evidence: The 21st Century Cures Act establishes a precedent in regulatory decision-making. The Act facilitates the use of real-world evidence by software in clinical trials. Data from wearable medical devices, EHRs, and other software sources can now help approve new treatments or medical products. As a result, clinicians can develop new treatments faster.
The Cures Act brings these improvements from some key existing medical software policies in the US legislation. Each of these policies will be discussed separately and in depth.
How the Cures Act improves interoperability
Interoperability is the ability of different computer devices and pieces of software to communicate with each other. In the healthcare field, the main concern is the timely and secure integration of electronic healthcare data. Yet, this goal is not always reached because many companies develop their software separately.
The free market allows companies to develop software and hardware independently, leading to multiple versions of software. These differences often cause errors when systems are not designed to work together, which can negatively impact patient care.
The Cures Act addresses this problem by calling for the following measures:
- Certification requirements: The Cures Act introduced new certification standards that every vendor must meet. In the certification program, software must meet a minimum threshold of interoperability to be certified under the new legislation.
- Application programming interface (API) functionalities: Part of the minimum requirement is the inclusion of API software into each application. An API is the “key” that allows different apps to communicate. In practice, this means that EHRs, healthcare software, and other health devices must have common interfaces that allow data to be easily shared.
- Promoting the Fast Healthcare Interoperability Resources (FHIR): The Cures Act promotes the establishment of one common standard for exchanging medical data – the FHIR. This standard enables the secure transmission of critical patient data, including lab results, allergies, and medications, across different systems.
- Oversight by the National Coordinator for Health IT (ONC): The 21st Century Cures Act authorizes the ONC to establish and enforce compliance with the legislation. The ONC grants certifications to businesses that meet interoperability standards. Additionally, its regulations empower the National Coordinator to investigate potential violations of the Cures Act.
- Maintaining security: While interoperability is a key goal of the Cures Act, the legislation also prioritizes privacy and security. To meet certification criteria, software must maintain strong, up-to-date security measures during data transmission. Developers must also comply with other regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
- Provider directory services: To help with security, the Act mandates the development and upkeep of a directory service. That service gives healthcare providers up-to-date information about other healthcare providers. This helps healthcare professionals communicate information to the right individuals or organizations.
- Promoting healthcare exchange networks: The Act encourages the development of health information networks (HIEs) and regional health information organizations (RHIOs). They serve as the middleman between healthcare providers for sharing medical data. As a result, these organizations improve connectivity and secure data exchange.
These features ensure that the software developed after the Cures Act has a high degree of interoperability.
Practical benefits of interoperability
These measures create a unified healthcare network. However, simply listing regulatory changes without highlighting their practical benefits serves little purpose.
Examples of the benefits of increased interoperability are outlined below.
Improved patient care and safety
A greater level of interoperability means that healthcare professionals can easily access the complete patient history of an individual under their care. They can also search for relevant data in more places easily, contributing to a more informed decision.
Fewer administrative hurdles
Software with strong interoperability can help reduce treatment duplication and streamline insurance eligibility checks. It also minimizes time lost on administrative tasks by reducing compatibility issues between different systems.
Reduced costs
Quicker administration and fewer duplications of treatment or issues ensure a lower cost of services for both healthcare providers and patients. Thus, the out-of-pocket expenses for individuals are reduced.
All of these benefits arise from improved interoperability alone. However, the 21st Century Cures Act also improves other areas of healthcare software.
Less confusion around software regulations
Under the Federal Food, Drug, and Cosmetic Act (FD&C Act) (2), software can be seen as a medical device.
Namely, if the software “is intended to be used for one or more medical purposes without being part of a hardware device” (181 section 201(h) FD&C Act), it is considered a medical device.
This classification is often viewed as unfavorable because it requires software developers to submit a premarket notification to the FDA, demonstrating the safety and effectiveness of the device. The result is longer timeframes for product launches and additional costs from these delays.
Consequently, many software developers faced uncertainty about whether their software qualified as a medical device, which not only slowed down their development process but added an extra layer of complexity.
Thankfully, the Cures Act introduced some limitations on the FDA’s jurisdiction.
Some types of software were excluded from the definition of a medical device:
- Software intended for administrative support of a health care facility (FDCA § 520(o)(1)(A));
- Software intended for maintaining or encouraging a healthy lifestyle and unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition (FDCA § 520(o)(1)(B));
- Software intended to serve as electronic patient records to the extent that such records are intended to transfer, store, convert formats, or display the equivalent of a paper medical chart (FDCA § 520(o)(1)(C));
- Software intended for transferring, storing, converting formats, or displaying clinical laboratory test or other device data and results, findings by a health care professional concerning such data and results, general information about such findings, and general background information about such laboratory test or another device, unless this certain software function is intended to interpret or analyze clinical laboratory test or other device data, results, and findings (FDCA § 520(o)(1)(D));
- Software for clinical support.
Developers creating software in these five areas thus have certainty about which federal regulations govern their software and can adjust accordingly. Yet, some caveats do apply even in these five areas.
For example, software in the fourth category still counts as a medical device when intended to store, transfer, display, or convert medical information.
Similarly, software under the final rule would also be considered such a device if it is intended to acquire, process, or analyze a medical image or a signal from an in vitro diagnostic device or a pattern or signal from a signal acquisition system; in that case, it would not be exempt from the device definition.
Exceptions in the Cures Act
Despite these clarifications, software developers remained uncertain about the legal status of their products. To address this, an amendment to the 21st Century Cures Act provided final guidance.
It outlined eight types of software explicitly not classified as medical devices:
- Calculator or data processing modules for clinical use: Apps or software tools made to carry out different computations and data processing duties associated with clinical information and medical practice.
- Continuous glucose monitor (CGM) secondary displays: Devices or programs that show real-time glucose readings and patterns from a CGM device to people with diabetes or others who care for them. With the help of these auxiliary displays, people can track blood glucose levels in addition to using a smartphone app or primary CGM receiver.
- Automated indirect immunofluorescence microscope and software-assisted systems: Technology utilized in laboratory medicine and medical diagnostics to identify and examine infectious pathogens and autoimmune disorders. These technologies integrate advanced software algorithms with automated microscopy hardware to optimize the precision, velocity, and effectiveness of immunofluorescence experiments.
- Medical device data systems: Products, either software or hardware, used to transfer, store, show, and gather medical data from medical equipment. These systems, which offer a way to organize and use the data produced by numerous medical devices for therapeutic purposes, are a crucial part of contemporary healthcare.
- Home uterine activity monitors: Medical technologies that allow pregnant people to be comfortable in their homes while tracking and recording their uterine contractions. Medical practitioners prescribe these devices to monitor contractions in particular circumstances. Their primary purpose during pregnancy is to assess uterine activity.
- Medical image storage devices: Unique hardware or storage options made to handle, organize, and preserve medical images produced by different medical imaging modalities. These instruments are vital in medical settings, where medical imaging is an essential component of patient diagnosis, treatment planning, and monitoring.
- Medical image communications devices: Also called medical image communication systems, these are specialized technologies used in healthcare settings by healthcare professionals and institutions to view, share, and transmit medical images and related patient data. These gadgets facilitate effective communication and teamwork for patient care, diagnosis, and treatment planning.
- Picture archiving and communications systems: Solutions for specialized health information technology that are used to collect, store, retrieve, distribute, and manage patient data and medical pictures.
The Cures Act makes it clear these devices explicitly do not fall under the FDA’s jurisdiction. This clarity means developers know under which regulation to create their work plan for producing software.
Yet, the Cures Act did not leave out protection for patients either.
Protections against information blocking
Information blocking was common practice before the 21st Century Cures Act was passed. This is a broad term for all types of actions that intentionally prevent or hinder the ability to share electronic health information between healthcare providers or individuals.
The most severe violations included charging excessive fees for access to information and refusing to share data with authorized individuals, even upon request. These practices directly impacted patients through worse care or lack of information that would help inform their decisions. While the exact form of withholding information varied, it generally benefited the distributor of the data.
The Cures Act addresses this issue by banning practices that constitute information blocking. Under the proposed rule, the ONC prohibits any action likely to interfere with the access, exchange, or use of protected electronic health information (EHI).
This prohibition applies to two groups. First, health IT vendors, health information exchanges, health information networks, and developers who knowingly engage in practices that interfere with EHI access. Second, healthcare providers who know their practices are likely to interfere with EHIs.
Legitimate reasons to block information
This broad definition of information blocking would cover any potential situation of abuse.
However, it can cover situations that might be legitimate restrictions of information. The Cures Act does not require data providers to share information if they have a legitimate interest in restricting it.
This is by design as the law recognizes that not all information should be shared. Nevertheless, only a short list of actions will justify restrictions to access to information.
These exceptions are:
- Healthcare providers can restrict information for the prevention of harm. Secrecy for the sake of public interest and preventing harm to parties or society in general can justify restricting access or interfering with information. An example would be temporarily restricting information about an outbreak of a virus, in order to track and assess it, if it is not dangerous but might cause panic.
- Ensuring secure privacy is also seen as a legitimate reason to limit data transmission. While information providers are under a general obligation to provide EHI, they are under no obligation to provide information if that will violate other federal or state laws. For example, HIPAA regulations may specify that certain information is restricted and a vendor may not be forced to share that information.
- Ensuring the security of the software is also seen as an issue of paramount importance. This is simply a clause that permits a certain level of restrictions on information to ensure security.
- No healthcare provider can be punished when transmission is infeasible. This exception does recognize that sometimes sharing information is impossible or impractical. When there is a legitimate reason, the data holder is not required to comply with requests to share or exchange EHIs.
- Another practical exception is for maintenance. IT developers may need time to maintain certain software functions of their apps. When such maintenance is needed to maintain efficiency or even improve it, they take the software down temporarily. This exception protects such actions to not disincentivize the maintenance of healthcare software.
- Other necessary measures are the content and manner exceptions. This is a broad exception specifying what kinds of information must be shared in response to a request to access, exchange, or use EHIs. This exception clarifies, for example, that some information may not be reasonably needed and thus may be withheld.
- Legislators also permit restricting information to ensure fees are being paid. This exception is intended to help support businesses by permitting fees related to the development or provision of technologies that enhance interoperability. Of course, practices such as opportunistic fees, rent-seeking, or others limiting access for purely monetary gain do not fall within this exception.
Lastly, another protection provided to the developers of software is the licensing exception. The Cures Act does recognize the importance of copyrights for developers. This exception does permit actors to protect their innovations by using copyright protections.
This also includes the ability to charge royalties for the use of their software, provided they are within a reasonable range.
The benefits of protection against information blocking
These protections against information blocking have a profound impact on the patient’s quality of care. These benefits are achieved in several ways.
The most obvious is the increased transparency. Patients have the right to know how their information is being processed or shared. This will help inform their decisions as to which treatments to undergo or which healthcare provider to trust.
Another less-known benefit is the second opinion support. Patients who are unhappy with their current treatment or wish to receive the opinion of more than one specialist have greater access to their medical records. Therefore, they can easily share that information with other healthcare professionals.
Lastly, less information blocking means reduced costs. Practices that restrict information often hide it behind paywalls. Consequently, providers and patients need to pay to access the information, increasing costs. Removing those paywalls means reducing the costs for providers and patients alike.
All of these practices facilitate better services for the patient. However, the Cures Act does not only benefit healthcare providers or patients. This legislation also promotes innovation through real-world evidence.
Using real-world evidence (RWE)
Real-world evidence in healthcare refers to any data gathered from real-world patients’ experience, their medical history, and their treatment as opposed to information collected in clinical trials.
RWE provides information on the effectiveness and value of medical technologies or treatments used in routine practice. Real-world evidence is data that complements the findings in randomized clinical trials.
Examples of RWE include data from EHR, wearable medical devices, pharmacy records, etc.
The 21st Century Cures Act introduced requirements for the FDA to evaluate the use of RWE for the new indication of a previously approved drug. RWE can also be used to satisfy post-approval study requirements.
The use of real-world data has several benefits over clinical trials:
- Diversity of data: Unlike a clinical trial scenario, which has strict criteria for which data can and cannot be included, RWE can be used to gather information from a broad range of patients. This diversity provides a better understanding of how treatments will perform in practice, where there are patients with widely varying demographic characteristics.
- Longitudinal data: Real-world evidence can be gathered from patient outcomes continuously. This allows for the long-term assessment of the effectiveness of treatments or practices, including the tracking of safety concerns. These types of results are impossible to capture with short-term clinical trials.
- Safety surveillance: RWE can help monitor the safety of healthcare products and determine side effects that have not been detected during the clinical trials. Especially when it comes to post-market surveillance, the RWE is invaluable for ensuring no drugs or software have serious adverse health consequences for patients.
- Clinical guidelines: RWE provides information on how software will handle a real-world situation. This better understanding of the medical effects in practice can help better inform the development of guidelines for treatment.
- Precision medicine: Real-world evidence can also help develop software or treatments for individual groups of people. The more practical data received from RWE can help identify subgroups of people that might have gone unnoticed by clinical trials. Healthcare developers can then create software that helps with these people’s specific needs.
As a result of the 21st Century Cures Act, RWE will likely be utilized to a much greater degree. This will be one more tool for researchers to help better identify and solve problems among various groups of people.
Conclusion
The 21st Century Cures Act provides a wide array of new provisions that help patients access their personal information or help researchers with innovations.
However, the act also introduces new requirements, such as changes to the certification requirements of the software.
Therefore, a software developer must now be mindful of how the new regulations govern their software. This article only covers the surface of the new legislation and cannot cover every individual case. However, people who wish to remain compliant with US regulations will always benefit from a trusted partner.