On May 1, 2020, the Office of the National Coordinator for
Health Information Technology (“ONC”) published its final
rule, commonly referred to as the “Information Blocking Rule,” implementing
certain provisions of the 21st Century Cures Act that are designed
to support the access, exchange, and use of electronic health
information (“EHI”) and prohibit information blocking.
The Information Blocking Rule became effective on April 5, 2021,
after a delay due to the COVID-19 pandemic. It applies to any
individual or entity that meets the definition of at least one
category of “actor”- a health care provider, health IT
developer of certified health IT, or health information network
(“HIN”) or health information exchange (“HIE”)
– and generally prohibits any practice that is not required by law
or permitted by an applicable exception (discussed below) that
“is likely to interfere with access, exchange or use of
[EHI]” when the applicable knowledge standard is met (the
terms “access,” “exchange” and “use”
are defined terms under the Information Blocking Rule). While the
Information Blocking Rule applies to various types of actors, this
summary offers a high-level overview of relevant considerations
specifically for health care providers.
A health care provider meets the knowledge standard under the
Information Blocking Rule when the provider “knows
that such practice is unreasonable and is likely
to interfere with access, exchange or use of [EHI].” (emphasis
added). In addition to a health care provider’s refusal to
provide patients with access to their EHI upon request, certain
unnecessary delays in providing patients access to their EHI could
potentially constitute information blocking if the requisite
knowledge standard is met. Examples include:
- A health care provider establishing an organizational policy
that imposes delays on the release of a patient’s laboratory
results for any period of time in order to allow an ordering
provider to review the results or in order to personally inform the
patient of the results before the patient is able to electronically
access the results;
- A delay in providing access, exchange, or use occurs after a
patient logs in to a patient portal to access EHI that a health
care provider has (including, for example, lab results) and such
EHI is not available-for any period of time-through the portal;
- A delay in providing a patient’s EHI via an application
programming interface to an application that the patient has
authorized to receive their EHI.
According to the ONC, this could potentially mean “a
patient would be able to access EHI, such as test results, in
parallel to the availability of the test results to the ordering
Fortunately, there are eight exceptions to the Information
Blocking Rule that are divided into two categories: exceptions
involving not fulfilling requests to access, exchange, or use EHI
and exceptions that involve procedures for fulfilling requests to
access, exchange, or use EHI. Practices that satisfy one or more of
the below exceptions will not constitute information blocking. A
practice that fails to meet all conditions of an applicable
exception will not necessarily constitute information blocking.
Such practices will be assessed on a case-by-case basis to
determine whether the practice violates the Information Blocking
Rule. The available exceptions are summarized below for
|Exceptions that involve not fulfilling
requests to access, exchange, or use EHI
|Preventing Harm Exception: It will
not be information blocking for the provider to engage in practices
that are reasonable and necessary to prevent harm to a patient or
another person, if certain conditions are met.
|The provider must reasonably believe that the practice will
substantially reduce a risk of harm;
The practice must be no broader than necessary;
The practice must satisfy at least one condition from each of
The practice must satisfy the condition concerning a patient
|Privacy Exception: It will not be
information blocking if the provider does not fulfill a request to
access, exchange, or use EHI in order to protect an
individual’s privacy, provided certain conditions are met.
|The provider’s privacy-protective practice must meet at
least one of the following sub-exceptions:
If the provider is required by law to satisfy a precondition
The provider may deny an individual’s request for access to
The provider may choose not to provide access, exchange, or use
|Security Exception: It will not be
information blocking for the provider to interfere with the access,
exchange, or use of EHI in order to protect the security of EHI,
provided certain conditions are met.
|The practice must be: directly related to safeguarding the
confidentiality, integrity, and availability of EHI; tailored to
specific security risks; and implemented in a consistent and
Additionally, the practice must either implement a qualifying
|Infeasibility Exception: It will not
be information blocking if the provider does not fulfill a request
to access, exchange, or use EHI due to the infeasibility of the
request, provided certain conditions are met.
|The practice must either be due to uncontrollable events (e.g.,
natural disaster, public health emergency, civil insurrection);
inability to segment the requested EHI; or infeasibility under the
circumstances based on certain factors.
The provider must provide a written response to the requestor
|Health IT Performance Exception: It
will not be information blocking for the provider to take
reasonable and necessary measures to make health IT temporarily
unavailable or to degrade the health IT’s performance for the
benefit of the overall performance of the health IT, provided
certain conditions are met.
|The practice must:
Be implemented for a period of time no longer than necessary to
Be implemented in a consistent and non-discriminatory manner;
Meet certain requirements if the unavailability or degradation
Certain other conditions apply for the provider’s actions
|Exceptions that involve procedures for
fulfilling requests to access, exchange, or use EHI
|Content and Manner Exception: It will
not be information blocking for an actor to limit the content of
its response to a request to access, exchange, or use EHI or the
manner in which it fulfills a request to access, exchange, or use
EHI, provided certain conditions are met.
|The provider must respond to a request to access, exchange, or
use EHI with EHI as defined in applicable regulations.
The provider may need to fulfill a request in an alternative
|Fees Exception: It will not be
information blocking for the provider to charge fees, including
fees that result in a reasonable profit margin, for accessing,
exchanging, or using EHI, provided certain conditions are met.
|The practice must meet the basis for fees condition (e.g., fees
must be based on objective and verifiable criteria that are
uniformly applied for all similarly situated classes of persons or
entities and requests).
The practice must not be specifically excluded (e.g., a fee
|Licensing Exception: It will not be
information blocking for the provider to license interoperability
elements for EHI to be accessed, exchanged, or used, provided
certain conditions are met.
|The practice must meet conditions regarding negotiating a
license (e.g., the provider must begin license negotiations with
the requestor within 10 business days from receipt of the request
and negotiate a license within 30 business days from receipt of the
request) and regarding licensing conditions (e.g., scope of rights,
reasonable royalty, non-discriminatory terms, collateral terms,
Health care providers seeking to implement the Information
Blocking Rule into their existing compliance programs should
- Reviewing and revising their existing HIPAA policies and
procedures, specifically those pertaining to individual access and
training personnel regarding the same.
- Assessing the health care provider’s use of EMR and patient
portal functionality (e.g., does the EMR include unnecessary delays
that should be corrected?).
- Reviewing and revising Business Associate Agreements to ensure
terms comply with the information blocking rules.
- Consulting with vendors to determine how the vendors plan to
comply with the Information Blocking Rule.
Violation of the Information Blocking Rule by health care
providers may result in “appropriate disincentives,”
(i.e., penalties), which have yet to be established and will be set
forth in a future rulemaking by the Office of Inspector General. We
recommend that health care providers ensure their practices
regarding responding to requests for EHI are appropriate
considering the Information Blocking Rule and implement standards
that guard against information blocking into their ongoing
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.