January 30, 2023

Volume XIII, Number 30


January 27, 2023

Subscribe to Latest Legal News and Analysis

21st Century Cures Act Information Blocking Rule: Innovative and In Effect

In May of 2020, the Office of the National Coordinator for Health Information Technology (ONC) released the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (the Information Blocking Final Rule). The Information Blocking Final Rule implemented far-reaching health IT provisions enacted in the 21st Century Cures Act, with the goals of achieving widespread interoperability among health IT systems and improving a patient’s ability to access their medical information.

The Information Blocking Final Rule applies to three categories of “actors:”

  • Health Care Providers

  • Health Information Network or Health Information Exchange

  • Health IT Developer of Certified HealthIT

All Actors were subject to the Information Blocking Final Rule’s provisions beginning on April 5, 2021.

Information Blocking

The Information Blocking Final Rule prohibits Actors from undertaking any practice likely to interfere with, prevent, or materially discourage access to, exchange of, or use of Electronic Health Information (“EHI”).

Currently, EHI constitutes the data elements represented in the first version of the United States Core Data for Interoperability (“USCDIv1”) such as health data classes (e.g., patient demographics, clinical notes, and vital signs) and data elements (e.g., patient name, laboratory reports, and heart rate); essentially EHI constitutes information contained in a certified electronic health record (EHR). The definition of EHI will expand on October 6, 2022 to include all electronic PHI included in a patient’s designated record set, excluding psychotherapy notes; and information compiled in anticipation of litigation or administrative action.

As set forth in 45 C.F.R. Part 171, what constitutes a prohibited practice further varies based on Actor-type.

  • For health care providers, information blocking is a practice the provider knows is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

  • For HIN/HIE or Health IT Developers, information blocking is a practice that such developer, network or exchange knows, or should know, is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

Examples of information blocking include:

  • A health system requires staff to obtain patient written consent before sharing patient’s EHI with unaffiliated providers.

  • A hospital customizes its EHR to include barriers to sending referrals and EHI to unaffiliated providers.

  • An EHR Vendor prevents (e.g., through high fees) third-party clinical decision support application from writing EHI into the EHR.

  • Health IT Vendor discourages customer from getting data integration capabilities from a third party, claiming that it will have that same functionality soon while such functionalities are in early stages of development.

Information Blocking Exceptions

The Information Blocking Final Rule defines eight information blocking exceptions divided into two categories:

1. Exceptions that involve not fulfilling requests to access, exchange, or use EHI, and

2. Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.

These exceptions are summarized below. Note: Any Actor preparing to invoke an exception must meet all sub-exceptions enumerated in the regulations.

Information Blocking Exceptions:

When not fulfilling requests for EHI (42 C.F.R. §§ 171.200 -171.205)

  • Preventing Harm Exception:

    • Practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

  • Privacy Exception

    • Practices implemented to protect the privacy of EHI, based in privacy laws tailored to specific privacy risks (e.g., HIPAA).

  • Security Exception

    • Practices implemented to protect the security of EHI, as long as the measures are specifically tailored to the security risk and implemented in a consistent and non-discriminatory manner.

  • Infeasibility Exception

    • Denying requests for EHI if fulfilling the request is objectively and verifiably infeasible.

  • Health IT Performance

    • Making technology temporarily unavailable for maintenance or updates.

When fulfilling requests for EHI (42 C.F.R. §§ 171.300-171.303)

  • Content and Manner Exception

    • Limiting the content of its responses to requests for access, exchange, or use of EHI or the manner in which it fulfills such a request.

  • Fees Exception

    • Charging for costs it reasonably incurs when fulfilling requests for access, exchange, or use of EHI.

  • Licensing Exception

    • When fulfilling requests, an organization may claim intellectual property rights, but it must respond to requests to license interoperability elements.


Once the information blocking provisions go into effect, HIN/HIE and Health IT Developers face up to a $1 million penalty per violation of the information blocking prohibition. The requirements will be enforced by the HHS Office of the Inspector General, which has yet to promulgate enforcement rules.  Furthermore, Health IT Developers face a Certification Ban for Certified EHR Technology. Healthcare Providers are subject to yet-to-be-defined “appropriate disincentives” for information blocking violations. These “appropriate disincentives” have not yet been published but will be determined in future rulemaking.

Key Takeaways

Now that the compliance deadline has passed, Actors should take inventory of their current procedures for receiving, making, and responding to requests to access, exchange, or use of EHI. Healthcare providers, specifically, should consider adopting “reasonable” policies, procedures, and practices, as the information blocking definition for healthcare providers requires providers to know that such a practice is “unreasonable.” Furthermore, all Actors should take inventory of current practices for denying or fulfilling requests and determine which do (or do not) fit within an enumerated exception to information blocking.

© Polsinelli PC, Polsinelli LLP in CaliforniaNational Law Review, Volume XI, Number 222

About this Author

 Iliana L. Peters Data Privacy Shareholder Polsinelli Law Firm

Iliana L. Peters believes good data privacy and security is fundamental to ensuring patients’ trust in the health care system, and to helping health care clients succeed in an ever-changing landscape of threats to data security. She is recognized by the health care industry as a preeminent thinker and speaker on data privacy and security, particularly with regard to HIPAA, the HITECH Act, the 21st Century Cures Act, the Genetic Information Nondiscrimination Act (GINA), the Privacy Act, and emerging cyber threats to health data.

For over a decade...

Adrienne A. Testa Healthcare Attorney Polsinelli Law Firm

Adrienne Testa is dedicated to providing effective, efficient and innovative legal solutions to health care clients. She leverages her deep understanding of health care issues to represent hospitals, physician groups and other health care professionals and organizations in a variety of health care matters. Adrienne works closely with seasoned Polsinelli attorneys to deliver clients strategic solutions tailored to their specific needs.

Adrienne graduated cum laude from Loyola University Chicago School of Law, where she received the Beazley Institute for Health Law and Policy...