Patient Health Information Blocking – 21st Century Cures Act

On December 13, 2016, the 21st Century Cures Act was adopted into law.  It includes a wide range of improvements to the health care system.  In May of 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) issued final regulations implementing certain provisions of the Cures Act (the “Cures Act Final Rule”), which includes several requirements, one of which is a prohibition on “information blocking”.  The information blocking regulations went into effect on April 5, 2021.

Question: What is “Information Blocking”?

Answer: Information blocking is a practice by an actor such as a patient EHR or a provider that is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI).  Once a request is made, patients should be granted access to their EHI without any unreasonable delay.

Question: Are there any exceptions to the information blocking provisions?

Answer: Yes. There are eight exceptions to the information blocking provision.  The exceptions are divided into two classes:

TriumpHealth Resource: The Office of the National Coordinator for Health Information Technology (ONC). (2021). [Information blocking exceptions].

Exceptions that involve NOT fulfilling requests to access, exchange or use EHI:

1. Preventing Harm Exception:
Example: An EHI request may be denied if the organization feels that denying the request will prevent harm from coming to a patient or their family member.  An actor may choose to segment sensitive records pertaining to behavioral health or substance abuse.  If an EHI request is denied or segmented, there must be appropriate documentation to justify the denial.

2. Privacy Exception:
Example: Organizations will not be required to disclose EHI in a way that is a privacy violation of an applicable State or Federal privacy law that is already in existence. An example of a privacy law that is already in existence is the HIPAA Privacy Rule: 45 CFR 164.524 (a)(1) and (2).

3. Security Exception:
Example: This exception is designed to cover all legitimate security practices by actors. To implement this exception, the actor must demonstrate that the denial of access to EHI is “directly related to safeguarding the confidentiality, integrity and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner”. Organizations should consider updating their organizational privacy and security policies to ensure compliance with the information blocking provisions.

4. Infeasibility Exception:
Example: It will not be considered information blocking if a request for EHI cannot be fulfilled due to natural or human-made disasters, public health emergencies, public safety incidents, war, terrorist attacks, civil insurrection, or the inability to “unambiguously” segment the requested PHI.

5. Health IT Performance Exception:
Example: It will not be considered information blocking if a request for access to EHI is denied temporarily because the Health IT is offline for routine maintenance and improvements. The Health IT should not be offline for longer than necessary to perform the enhancements.

Exceptions that involve procedures for FULFILLING requests to access, exchange or use EHI:

6. Content and Manner Exception:
Content Exception Example: In some instances, it is acceptable for an actor to limit the content of their response to a request to access EHI. This exception provides clarity and flexibility to organizations concerning the scope of a request for PHI. For up to 24 months after the publication of the Cures Act Final Rule, data requests that include EHI should, at a minimum, include the EHI data elements represented in the United States Core Data for Interoperability (USCDI standard). This exception promotes innovation and healthy competition, allowing actors to establish and maintain market-negotiated terms for access, use, and exchange of EHI.

Manner Exception Example: In some instances, an actor may need to fulfill a request for EHI in an alternative manner. This exception applies if the actor is technically unable to fulfill the request in any manner requested or if agreeable terms cannot be reached with the requestor to fulfill the request.

7. Fees Exception:
Example: It will not be information blocking for an actor to charge fees that are related to the development of technologies and delivery of services that will improve interoperability. This includes fees that consist of a reasonable profit margin, for accessing, exchanging, or using EHI.

8. Licensing Exception:
Example: It will not be considered information blocking for actors to license interoperability elements for EHI to be accessed, exchanged, or used. This exception allows for actors to protect the value of their innovations and charge reasonable royalties.

Question: Do information blocking provisions require actors to have certified health IT or upgrade their current certified health IT?

Answer: No. Information blocking regulations do not require actors to have or use certified health IT.  As of April 5, 2021, actors are not required to immediately upgrade their current certified health IT.

Question: Are healthcare providers subject to the information blocking regulations even if they do not use any certified health IT?

Answer: Yes. The information blocking regulations apply to healthcare providers regardless of whether any of the health IT that the provider uses is certified under the ONC Health IT Certification Program. When it comes to EHI, the law does not distinguish between certified and non-certified health IT systems.

Question: Are actors required to proactively make all electronic health information (EHI) available through patient portals?

Answer: No. The information blocking regulations do not require actors to proactively make EHI available to patients that have not requested it. However, once a patient does request access, their EHI must be made available without delay.

Question: Are actors such as healthcare providers expected to release test results to the patient portal or application programming interface (API) as soon as the results become available to the ordering clinician?

Answer: Actors are not required to proactively make electronic health information available. However, once a request for access is made, actors must respond to the request in a TIMELY manner. A delay or unnecessary impediment could implicate information blocking provisions.

Question: Are nursing, pharmacy, or other professions’ clinical notes included in the definition of “electronic health information”?

Answer: Yes. Electronic health information does not specifically include or exclude notes or other clinical observations based on the type or specialty of the professional who authors them.

Question: What are the penalties for information blocking by an actor?

Answer: As of April 5, 2021, health IT developers and HINs/HIEs will be subject to penalties of up to $1M per violation. Health care providers are treated differently under the law. They may face “appropriate disincentives” that are yet to be set forth by the HHS Secretary.