New Information Blocking Rules

Effective October 6, 2022—Limitations on the scope of electronic health information have been lifted, and the information blocking regulations have gone into full effect.

Key Takeaways:

Beginning October 6, 2022 surgeons must share electronic patient records and other information as defined under regulations set forth as part of the 21st Century Cures Act
Healthcare providers, hospitals, electronic health record (EHR) vendors, health information exchanges (HIE) and health information networks (HIN) are all subject to Office of the National Coordinator for Health Information Technology’s (ONC’s) regulations and, therefore, must comply
Physicians who interfere with the access, exchange, or use of EHI could be considered information blockers and subject to disincentives set forth by the government; other non-compliant actors may be subject to civil monetary penalties.
The ONC designated 8 exceptions to the information blocking If a surgeon meets the requirements for an exception, they may not be subject to information blocking enforcement and penalties
It is important for surgeons to familiarize themselves with the information blocking requirements and exceptions and ensure their practice is, and remains, in compliance

History and Background

The 21st Century Cures Act (the Cures Act) was signed into law in 2016 to accelerate medical research and innovation. A key element of the legislation aims to improve the flow and exchange of electronic health information by advancing interoperability, prohibiting information blocking, and enhancing the usability, accessibility, and privacy and security of health information technology.

Defining Data

In March 2020, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) finalized regulations to define data access and interoperability requirements set forth in the Cures Act. While both rules support increased exchange, seamless and secure access, and use of EHI through a variety of mechanisms, the ONC regulation includes provisions that address information blocking

Regulations Now in Effect

The information blocking regulations went into effect in April 2021. The regulations initially applied to a limited set of data known as the U.S. Core Data for Interoperability v. 1 (USCDI), but beginning October 6, 2022, expanded significantly to include all EHI. Actors subject to the regulations who engage in an information blocking practice could be subject to penalties or other disincentives. As of December 2022, the U.S. Department of Health and Human Services has not yet finalized any enforcement mechanisms related to information blocking. Nevertheless, it is important to make sure your practice has implemented a process to evaluate and comply with information blocking requirements.

What Is Information Blocking?

The Cures Act defines information blocking as, “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information,” except as required by law or covered by an exception defined by the Secretary of HHS.

A physician can only be considered to be engaging in information blocking if they are aware that their actions are unreasonable and will likely interfere with the exchange of the data.

Common examples of information blocking may include the following, depending on the facts and circumstances:

Disabling or restricting the use of a capability that enables users to share EHI with users of other
Placing excessive fees on consumers for creating unique EHR interfaces or connecting with other HIT systems or
Configuring or implementing technology in ways that limit the types of data that can be exported or used from the technology, such as using non-standard implementation methods.

*Physicians can also experience information blocking from their own institutions or when trying to access patient records from other providers.

Keep in mind, physicians are not required to proactively make data available to patients who have not requested it. But, once a patient requests their EHI, a delay in the release or availability of EHI, may be considered an interference under the information blocking regulation. Also keep in mind that the information blocking regulations are not tied to the use of specific technologies, including the use of federally certified health IT (sometimes referred to as Certified EHR Technology or CEHRT), nor do they require the provision of data in a specific standard or manner.

How Is Electronic Health Information (EHI) Defined?

ONC defined EHI in its Final Rule as the electronic protected health information (ePHI) in a designated record set (as defined in the Health Insurance Portability and Accountability Act (HIPAA) regulations) regardless of whether the records are used or maintained by or for a covered entity.

The designated set typically includes:

Patient medical and billing records;
Other records used by physicians to make care decisions about patients

Who Must Comply with the Information Blocking Requirements?

As specified by the Cures Act, the information blocking restrictions apply to the following “Actors”:

Providers (for example, hospitals and physicians)
Health IT developers
Health information exchanges/networks (HIE/HINs)

Are There Exceptions to the Information Blocking Regulations?

The ONC designated 8 exceptions to the information blocking provisions. These exceptions apply to certain practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but would be reasonable and necessary if certain conditions are met. If an actor meets these conditions, which are essentially internal documentation requirements, these practices will not be subject to information blocking enforcement and penalties.

Information Blocking Exceptions

Preventing Harm Exception

It is not information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to patients or another person, provided certain conditions are met.

Objective: This exception recognizes that the public interest in protecting patients and other persons against unreasonable risks of harm can justify practices that are likely to interfere with access, exchange, or use of EHI.

Privacy Exception

It is not information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided certain conditions are met.

Objective: This exception recognizes that if an actor is permitted to provide access, exchange, or use of EHI under a privacy law, then the actor should provide that access, exchange, or use. However, an actor should not be required to use or disclose EHI in a way that is prohibited under state or federal privacy laws.

Security Exception

It is not information blocking for an actor to interfere with access, exchange, or use of EHI in order to protect the security of EHI.

Objective: This exception is intended to cover all legitimate security practices by actors, but does not prescribe a maximum level of security or dictate a one-size-fits-all approach.

Infeasibility Exception

It is not information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request.

Objective: This exception recognizes that legitimate practical challenges may limit an actor’s ability to comply with requests for access, exchange, or use of EHI. An actor may not have—and may be unable to obtain—the requisite technological capabilities, legal rights, or other means necessary to enable access, exchange, or use.

Health IT Performance Exception

It will not be information blocking for an actor to take reasonable and necessary measures to make HIT temporarily unable or to degrade the HIT’s performance for the benefit of the overall performance of the HIT.

Objective: This exception recognizes that for health IT to perform properly and efficiently, it must be maintained, and in some instances improved, which may require that health IT be taken offline temporarily. Actors should not be deterred from taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of health IT.

Content and Manner Exception

It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange or use EHI.

Objective: This exception provides clarity and flexibility to actors concerning the required content (i.e., scope of EHI) of an actor’s response to a request to access, exchange, or use EHI and the manner in which the actor may fulfill the request. This exception supports innovation and competition by allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI.

Fees Exception

It will not be information blocking for an actor to charge fees, including fees that result in reasonable profit margin, for access, exchanging, or using EHI.

Objective: This exception enables actors to charge fees related to the development of technologies and provision of services that enhance interoperability, while not protecting rent seeking, opportunistic fees, and exclusionary practices that interfere with access, exchange, or use of EHI.

Licensing Exception

It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used.

Objective: This exception allows actors to protect the value of their innovations and charge reasonable royalties in order to earn returns on the investments they have made to develop, maintain, and update those innovations.

Additional details and conditions for each exception can be found in the ONC Information Blocking Exceptions Fact Sheet.

Upon Request, What Information Are Clinicians Required to Make Available?

ONC has clarified that non-final clinical information, such as draft clinical notes and laboratory results pending confirmation, may not be appropriate to disclose or exchange until they are finalized. However, should those data be used to make health care decisions about a patient, the data would fall within the “designated record set” and the definition of EHI. If the data point falls within the definition of EHI, any practice that would interfere with legally permissible access, exchange, or use of EHI could be considered information blocking.

Note that psychotherapy notes are excluded from the definition of EHI for purposes of the information blocking regulations.

What Format Is Required to Fulfill an EHI Request?

An actor may fulfill a request for EHI, first in the manner requested and, if not, in an alternate manner agreed upon with the requestor. If an alternate manner is agreed upon, to ensure compliance the actor should follow the guidance under the Manner Condition of the “Content and Manner exception.”

The Content and Manner exception establishes the content and manner in which an actor must fulfill a request to access, exchange, or use EHI, as well as the situations where the fulfillment of an EHI request in an alternative manner (other than what is requested) will not be considered information blocking.

Do Physicians Have to Share All EHI They Have in Order to Fulfill an EHI Request, or Only the EHI That Is Requested?

Fulfillment of an EHI request should be based on the request itself. Keep in mind that any practice that may restrict or influence the scope of EHI that is requested may constitute interference and could be subject to the information blocking regulation.

How Much Time Does a Physician Have to Fulfill an EHI Request?

Under the information blocking regulations, actors are not required to proactively make any EHI available to patient or others who have not requested it. However, once a request to access, exchange, or use EHI is made, actors must respond to the request in a timely manner. For example, this could be fulfilled by making tests available to patients through a patient portal. In some circumstances this could mean a patient would have access to EHI at the same time as the ordering clinician.

Delays in the fulfillment of an EHI request could implicate the information blocking provisions. In these cases, interference determinations would require a fact-based, case-by-case assessment. However, if a delay is necessary, it is unlikely to be considered an interference under the information blocking definition. Examples of a necessary delay include ensuring that the release of the EHI complies with state law, or if EHI must be manually retrieved and moved from one system to another. In contrast, a practice such as a health care provider instituting an organizational policy that imposes delays on the release of a lab result for any number of days to allow for physician review of the results would likely be considered information blocking.

When Do the New Information Blocking Requirements Go into Effect?

The information blocking regulations took effect on April 5, 2021. As mentioned, from April 5, 2021 through October 5, 2022, EHI for purposes of the information blocking definition, was limited to a subset of EHI identified by the data elements represented in the USCDI v.1 standard. However, as of October 6, 2022, actors must make all requested EHI available, not just the subset represented by the USCDI.

While the information blocking regulations are now in effect, penalties and other disincentives for those who engage in information blocking have not yet been finalized.

What Are the Penalties for Non-Compliance?

The Cures Act authorizes penalties for information blocking depending on the actor type:

Health IT developers of certified health IT and HINs/HIEs will be subject to civil monetary penalties (CMPs) for engaging in information Although OIG has proposed to impose a maximum penalty of up to $1 million per violation, it has not yet finalized these penalties in regulation as of December 2022.
- Also note that health IT developers of certified health IT are subject to an “information blocking” Condition of Certification under the ONC Health IT In other words, they may lose their federal certification status if they engage in information blocking.
Healthcare providers who engage in information blocking may be subject to “appropriate disincentives,” as set forth by the HHS As of December 2022, the Secretary has not yet proposed regulations to define or implement these disincentives.

While the information blocking compliance date for all actors is April 5, 2022, enforcement will not begin until the civil monetary penalties and disincentives are finalized through rulemaking.

ONC has made clear that each case of information blocking will be determined on its own unique facts. The OIG is responsible for investigating claims of information blocking, and to the extent OIG determines a provider has been involved in information blocking, it will refer that provider to the appropriate federal agency for disincentives. ONC has stated that typically OIG will not pursue penalties for actors who make innocent mistakes or for accidental conduct.

If I Encounter Information Blocking, How Do I Submit a Complaint?

If you believe you’ve experienced information blocking, ONC encourages you to report it through its Information Blocking Portal. Note that the Cures Act provides for specific confidentiality protections under the law.

For more information on what happens to a claim once it is submitted to the portal, click here.

Additional Resources

ONC Final Rule

ONC Information Blocking Resources, which includes fact sheets, FAQs, blogs and presentations