Understanding the Information Blocking Rule: Compliance & Exceptions
The HHS Office of the National Coordinator for Health Information Technology (ONC)’s final rule on information blocking under the 21st Century Cures Act goes into effect on April 5, 2021. On and after that date, all medical practices, health information networks and exchanges, and EHR vendors will be subject to information blocking rules.
What is information blocking?
Information blocking is defined by the ONC as “a business, technical, and organizational practice that prevent or materially discourage the access, exchange or use of electronic health information (EHI) when an Actor knows, or should know, that these practices are likely to interfere with access, exchange, or use of EHI.”
This resource page provides an overview of what information blocking is, a description of information blocking exceptions, a policy review checklist, an on-demand webinar on the topic, an embedded slide deck from the presentation, and a list of deep-dive resources from the AMA and the Sequoia Project.
On-Demand Information Blocking Webinar
Click below to view our information blocking webinar on-demand, or toggle through the presentation slide deck on the right. To view the pdf in full screen, click here.
What is Electronic Health Information (EHI)?
EHI includes Electronic Protected Health Information (ePHI) that is in a designated record set.
Designated Record Set includes:
- Medical and Billing records of patient; and
- Other records used by a clinician to make decisions about patients.
EHI does NOT include:
- Psychotherapy notes;
- Deidentified data; or
- Information compiled in reasonable anticipation of legal proceedings.
Requisite Intent for Physicians & Other Clinicians
Requisite intent for physicians is when the physician knows that a practice is unreasonable and likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, even if no harm materializes.
A physician organization, for instance, may have a policy that restricts access to patient lab results for a certain amount of time. Even if patients are not aware there is a delay between when the results are available to the physician and when they are made available to the patient, a practice that is merely “likely” to interfere with the access, use, or exchange of EHI could be considered info blocking. Note that physicians are not held to the same “should know” standard as in the case with EHR vendors.
Physicians must know their actions would likely interfere, prevent, or materially discourage access, exchange, and use of EHI to be considered information blocking.
High-risk info blocking actions include interfering with:
- Patients who seek to access their own EHI;
- Clinicians who seek EHI for treatment or quality improvement;
- Payers who seek EHI to confirm a clinical value; or
- Patient safety and public health.
What are some examples of information blocking?
Internal policies more restrictive than regulations: “A health system’s internal policies or procedures require staff to obtain an individual’s written consent before sharing any of a patient’s EHI with unaffiliated providers for treatment purposes even though obtaining an individual’s consent is not required by state or federal law.”
Misunderstanding the law: “A health system incorrectly claims that the HIPAA Rules or other legal requirements preclude it from exchanging EHI with unaffiliated providers.”
Engineering difficult EHI flow: “A hospital directs its EHR developer to configure its technology so that users cannot easily send electronic patient referrals and associated EHI to unaffiliated providers, even when the user knows the Direct address and/or identity (i.e., National Provider Identifier) of the unaffiliated provider.”
Unnecessary delays: “A health care provider has the capability to provide same-day access to EHI in a form and format requested by a patient or a patient’s health care provider, but takes several days to respond.”
Requiring to adopt non-interoperable EHR: “A health system insists that local physicians adopt its EHR platform, which provides limited connectivity with competing hospitals and facilities. The health system threatens to revoke admitting privileges for physicians that do not comply.”
Discrimination against EHI vendors: “A health care provider imposes one set of fees and terms to establish interfaces or data sharing arrangements with several registries and exchanges, but offers another more costly or significantly onerous set of terms to establish substantially similar interfaces and arrangements with an HIE or HIN that is used primarily by health plans that purchase health care services from the provider at negotiated reduced rates.”
What practices are NOT considered information blocking?
It is not information blocking if a practice is..,
- Required by Law (e.g., statutes, regulations, court order, binding administrative decisions, settlements, tribal law, etc.)
- Done by the actor without the required level of intent
- Covered by the eight (8) exceptions included in the final rule
What are the eight exceptions?
Section 4004 of the Cures Act authorizes the Secretary of HHS to identify reasonable and necessary activities that do not constitute information blocking.
In the final rule, HHS defined eight categories of reasonable and necessary activities that do not constitute information blocking, provided certain conditions are met. The exceptions support seamless and secure access, exchange, and use of EHI and offer actors—clinicians, health IT developers, health information exchanges (HIEs) or networks (HINs)—certainty that practices that meet the conditions of an exception will not be considered information blocking.
A practice that does not meet the conditions of an exception would not automatically constitute information blocking. Such practices would not have guaranteed protection from civil monetary penalties or appropriate disincentives and would be evaluated on a case-by-case basis to determine whether information blocking has occurred.
The exceptions are divided into two classes:
- Exceptions that involve not fulfilling requests to access, exchange, or use EHI; and
- Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
Exceptions that involve not fulfilling requests to access, exchange, or use EHI
Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.
Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met.
Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI
Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
Seven Steps to Comply with the Information Blocking Rule
- Start an information blocking compliance workgroup. That is, identify an organizational leader and create a multi-disciplinary information blocking compliance team (e.g., legal, clinical, IT) to identify, assess, implement and advocate for organizational compliance.
- Review, update, and, if necessary, create organizational policies, procedures, and processes for compliance.
- Train workforce members on information blocking compliance, including assessment of workforce member knowledge following the training. Training should be ongoing and not be a one-time event. Health care providers should consider combining their information blocking training with their HIPAA compliance training.
- Implement a complaint process for identification and reporting of information blocking complaints (including anonymous reporting).
- Monitor, investigate, and enforce compliance through regular risk assessments and complaint investigations. Remediate any issues, including implementing corrective action plans and disciplining workforce members, as appropriate.
- Identify and assess any vendors that exchange, use, or access EHI and request confirmation of the vendor’s own compliance program and confirmation that the vendor does not engage in information blocking.
- Review and amend, as necessary, contracts and agreements that impose restrictions on the other party’s access, exchange, or use of EHI for compliance with the regulatory safe harbors.
A more in-depth implementation checklist is available through The Sequoia Project.
Enforcement & Penalties
The enforcement body that enforces the Information Blocking Rule is the Office of the Inspector General (OIG).
Penalties differ by actor:
- Civil Monitory Penalty (CMP) of up to $1 million per violation if an actor is a Health IT Developer of Certified Health Information Technology (CHIT) or Health Information Network (HIN)/Health Information Exchange (HIE)
- OIG will refer clinicians to an appropriate agency (e.g., CMS or OCR) to be subjected to appropriate disincentives.
About This Resource
This article, webinar, and slide deck were developed in collaboration with Reza Ghafoorian, MD, JD. He is the founder of G2Z Law Group, PLLC, and a healthcare attorney. With over 10 years of experience, he counsels clients on health law and health care regulations, including, fraud and abuse, such as antikickback statutes and Stark Law, privacy and security, such as HIPAA and HITECH statutes, reimbursements, CMS appeals, and telemedicine/telehealth. To contact Dr. Ghafoorian, email firstname.lastname@example.org or call (202) 656-8387.