Things to Know about Information Blocking

Overview of the regulation, key dates, what is expected of physicians, and additional resources.

What is Information Blocking, and to which actors does it apply?

The Assistant Secretary for Technology Policy and Office of the National Coordinator for Health IT (ASTP/ONC) information blocking regulations apply to three categories of actors: health IT developers of certified health IT; health information exchanges and health information networks; and health care “providers,” which includes hospitals, skilled nursing facilities, health care clinics, group practices, long term care facilities, federally qualified health centers, rural health clinics, and laboratories. See ONC’s resource on information blocking actors for more information about actors.

As it pertains to health care physicians, “information blocking” is defined as the intentional withholding of patient health information – either from “provider” to “provider” or “provider” to patient. “Information Blocking,” as used throughout this FAQ, references the information blocking provisions of the 21st Century Cures Act. The aim of these regulations is to provide patients more control of their health data and enhance patient care by improving the physician’s ability to collect and utilize information for the benefit of their patients and practice. This expanded access will also result in improvements in the patient-physician relationship, including enhanced trust, transparency, communication, and shared decision-making.

If a practice still uses paper records, are they subject to the Information Blocking regulations?

No, information blocking pertains only to the access, exchange, and use of electronic health information (EHI). This should be contrasted to HIPAA, which covers paper, electronic, and verbal data as protected health information (PHI). Individuals still have the right to access their paper records under existing HIPAA rules. Where an individual requests a paper copy of PHI maintained by the practice, it is still expected that the practice will be able to provide the individual the paper copy requested.

When responding to requests for EHI, what are the exceptions that a physician may claim?

The information blocking regulations serve to improve the access to and sharing of a patient’s health record. However, ASTP/ONC has established nine exceptions for situations in which reasonable and necessary activities would not constitute information blocking. The first category of exceptions involves unfulfilled requests to access, exchange, or use EHI: Preventing Harm Exception; Privacy Exception; Security Exception; Infeasibility Exception; and Health IT Performance Exception. The second category involves the procedures followed in fulfilling requests to access, exchange, or use EHI: Manner Exception; Fees Exception; and Licensing Exception. The third category involves practices related to actors’ participation in the Trusted Exchange Framework and Common Agreement (TEFCA): TEFCA Manner Exception.

Actors have the burden of proving that their practices restricting the free flow of health information fit within one of the nine exceptions. Exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ASTP/ONC and the Office of the Inspector General (OIG). More details on each exception can be found on the ASTP/ONC FAQ page.

What data and note types are covered under information blocking and must be shared?

EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (with exceptions including psychotherapy notes or legal proceedings), regardless of whether records are used or maintained by or for a HIPAA covered entity. The type of information that must be shared may differ if, for example, the patient is an adolescent. Please reference ASTP/ONC’s “Understanding Electronic Health Information (EHI)” for more details.

Are there penalties if a physician intentionally withholds information? What about in the case of a mistake?

Yes. The Office of Inspector General (OIG) is charged with investigating allegations of information blocking and determining whether a violation has occurred. On July 1, 2024, HHS released a final rule establishing disincentives for practitioners using authorities for programs administered by CMS (effective as of July 31, 2024) and outlined the process by which OIG investigates a claim of information blocking. For more information, please see ASTP/ONC’s overview and common questions. In the case of an innocent mistake, OIG has confirmed that it will not bring enforcement actions against actors who lack the requisite intent for information blocking.

How does information blocking tie into CMS’ Interoperability and Patient Access rule? What effect does information blocking have on CMS’ Promoting Interoperability program?

The CMS Interoperability and Patient Access regulations promote patient access and exchange of their clinical data and claims data across CMS-contracted payers. Additionally, CMS requires access to physician directory information and requires physician organizations, including hospitals, to send admission, discharge, and transfer notifications to the patient’s care team.

A physician participating in CMS’ Promoting Interoperability (PI) program is required to attest they are in good faith implementing and using their EHRs to exchange data. If a health system is found to have falsely attested, it could potentially owe back the incentive funds and could be liable for penalties under the False Claims Act. ASTP/ONC will also publish on a public website information about actors who have been determined by OIG to have committed information blocking.

FAQs

Information Blocking Exceptions

Describes the exceptions to claim and document if deciding not to share information.

What exceptions may a physician claim when responding to requests to exchange EHI? How are these exceptions applied in practice?

The aim of the information blocking regulations is to improve the access to and sharing of a patient’s health record. Information blocking exceptions should be a reserve rather than a default. Physicians should view each data exchange request or encounter as a “share unless” situation, rather than a “permitted sharing” situation. The “unless” should be captured by the exceptions detailed below, with an understanding that the applicability of each exception is dependent upon several other conditions being met. It is also important to note that exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ASTP/ONC and the Office of the Inspector General (OIG). Actors, including physicians, have the burden of proving that practices restricting the free flow of electronic health information fit within one of the nine exceptions to information blocking. Additional information can be found on the ASTP/ONC exceptions resource.

Category 1: exceptions that involve not fulfilling requests to access, exchange, or use (AEU) EHI.

  • Preventing Harm Exception – practices that are reasonable and necessary to prevent harm to a patient or another person.
  • Security Exception – interfering with AEU to protect the security of EHI.
  • Health IT Performance Exception – taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT.
  • Privacy Exception – not fulfilling a request to AEU to protect an individual’s privacy.
  • Infeasibility Exception – not fulfilling a request due to the infeasibility of the request.

Category 2: exceptions that involve procedures for fulfilling AEU requests.

  • Manner Exception – limiting the content of a response or the manner in which the request is fulfilled.
  • Fees Exception – charging fees, including fees that result in a reasonable profit margin, for AEU of EHI, provided those fees are based on the physician’s costs, are applied in a non-discriminatory manner, and comply with Conditions of Certification in § 170.402(a)(4) (Assurances – certification to “EHI Export” criterion) or § 170.404 (API).
  • Licensing Exception – licensing interoperability elements for EHI to be AEU, provided licensing conditions are met.

Category 3: exceptions that involve practices related to actors’ participation in the Trusted Exchange Framework and Common Agreement (TEFCA).

  • TEFCA Manner Exception – fulfilling AEU of EHI only via TEFCA.

Are there any examples of actions or activities that could constitute information blocking? What are some of the warning signs I should look for in my practice?

Yes. Like the exceptions, practices that constitute information blocking may take different forms. Actors should refrain from practices that restrict authorized AEU under applicable state or federal law, such as failing to transition between certified health IT versions, as well as implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of AEU. Practices that, for example, fail to export complete information sets or impede innovations and advancements in health information AEU, including care delivery enabled by health IT, may be found to be information blocking.

EHR and Health IT System Updates

Describes EHR functionality needed and questions to ask your vendor. 

What should physicians look for in EHR systems to support information exchange?

It is important that physicians ensure their technology aligns with the 21st Century Cures Act mandates. Physicians will also want to confirm their systems are compliant and should review specific functionalities related to information exchange. Below are a few features a physician may want to look for in an EHR system.

  • Compatibility with HL7 Fast Healthcare Interoperability Resources (FHIR®) Release 5.
  • Optimized patient portal features that allow easy sharing and downloading of records.
  • Ability for patients to share or link their information to third parties, such as smartphone applications and other mobile health applications.
  • Ability to document when EHI is not provided when requested, along with the documentation necessary to support the appropriate exception.

Patient Access to Information

Describes how to address questions and concerns around patients’ increased access to health information.

If a patient would like to be provided their EHI via an API to an app that the patient has authorized to receive their PHI, must a physician provide this type of access?

Yes, it would likely be considered interference when any delay occurs in providing a patient’s EHI via an API. APIs can enable systems to send or retrieve data that can update a patient’s record, as well as send information from one system to another. You and your staff should be prepared to provide information on how patients can go about accessing their information through an app of their choosing. If your EHR currently lacks the capabilities to provide access to these types of connections, you should discuss with your vendor when your EHR is anticipated to support API integration. For a resource on APIs and patient access to information, please visit here.

What if my patient receives their results before I can offer a clinical explanation? How does a physician best provide anticipatory guidance on exchanged health information?

It may occur that a patient receives laboratory results, for example, ahead of the opportunity for a physician to review and discuss them with the patient. To mitigate concerns, a physician should provide anticipatory guidance to patients regarding their unique medical situation and what any exchange or report may mean for them. Physician practices may also find it helpful to designate specific people to channel patient inquiries and concerns to the appropriate person(s). Perhaps the best approach, however, is to discuss everything in the note with the patient to minimize surprise, shock, and confusion.

What if a patient disagrees with what’s in their note; do they have the right to request changes to their medical record? What should be some of the relevant considerations?

Yes, patients do have a right to amend information in their medical record. Current federal privacy laws mandate all patient amendment requests to the medical record be completed no later than sixty (60) days after the request is received; however, there may also be applicable state and local guidelines affecting the timeframe. You should also note that your organization may require you to track these requests via processes specific to your practice. It is important to review and confirm organizational understanding of the process for fulfilling these amendment requests.

Definitions

Electronic Health Information (EHI)

EHI is defined as electronic protected health information (ePHI) to the extent that it would be included in a designated record set (with exceptions including psychotherapy notes or legal proceedings), regardless of whether records are used or maintained by or for a HIPAA covered entity.

EHI incorporates the terms “electronic protected health information” (ePHI) and “designated record set” (DRS), as they are defined by HIPAA. The definition of EHI specifically excludes psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, regardless of whether the group of records is used or maintained by or for a covered entity. Like ePHI, the data that constitutes EHI is not tied to a specific system in which the EHI is maintained. Health information that is de-identified consistent with the requirements of the HIPAA Privacy Rule (at 45 CFR 164.514(b)) is not included in the definition of EHI for the purposes of information blocking. Thus, any individually identifiable health information that is transmitted by or maintained in electronic media is EHI to the extent that the information would be included in the designated record set.

Protected Health Information (PHI)

Health information that identifies or reasonably could be used to identify an individual (individually identifiable health information) with certain exclusions such as Family Educational Rights and Privacy Act (FERPA) education or treatment records and employment records of a covered entity. Such health information not only identifies the individual, such as demographic information, but also relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or payment for care. The information may be maintained or transmitted in any form or media (e.g., electronic, paper, or oral).

Electronic Protected Health Information (ePHI)

Any PHI that is maintained or transmitted in electronic form.

Designated Record Set (DRS)

Medical records and billing records about individuals; enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; and/or other records that are used, in whole or in part, to make decisions about individuals.

Record

Any item, collection, or grouping of information that includes PHI.


DISCLAIMER - The information contained on this page should not be seen as official technical or legal advice. State laws around data release may affect applicability of the ONC and CMS rules. Consult with your organization’s Health Information Management, compliance, legal, finance, and public affairs teams to find out how it applies to you.