February 7, 2023

Volume XIII, Number 38


February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis

ONC Delays Timeframes for Information Blocking and Changes To Health IT Certification Program

Last week, the Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) announced an Interim Final Rule with Comment Period (“IFC”) delaying compliance dates and timeframes for information blocking and the health IT certification program. This delay will come as a welcome change for “Actors” (i.e., health care providers and developers of certified Health IT) struggling to implement changes amid the COVID pandemic.


ONC issued the Cures Act Final Rule (the “Final Rule”) in March 2020 to implement the 21st Century Cures Act’s information blocking provision and establish additional health information technology (“health IT”) certification requirements. A month later, in response to concerns raised regarding the COVID-19 pandemic by health IT developers, ONC delayed effective dates for three months longer than initially proposed. The IFC expands upon these revised timeframes to give providers additional flexibility to prioritize their pandemic responses.

Key Takeaways from IFC

Key takeaways from the IFC include:

  • Information Blocking: In the Final Rule, the compliance date for 45 CFR part 171, which contains the information blocking provisions of the final rule, was November 2, 2020. The IFC moves the applicability date for the information blocking provisions to April 5, 2021.

  • Condition of Certification Requirement: The Final Rule required health IT developers of certified health IT to comply with the Information Blocking Condition of Certification requirement in § 170.401, and the Assurances Condition of Certification requirement related to information blocking in § 170.402(a)(1), beginning on November 2, 2020. Now, health IT developers must comply with the Condition of Certification requirements in § 170.401 and § 170.402(a)(1) beginning on April 5, 2021.

  • API Requirement: In § 170.404(b)(4), the Final Rule required that a Certified API Developer with Health IT Module(s) certified to the certification criteria in § 170.315(g)(7), (8), or (9) (ONC Certification Program API criteria) must comply with § 170.404(a) (API Condition of Certification requirements) by no later than November 2, 2020. The IFC similarly moves this compliance date to until April 5, 2021.

  • Suspension of Notice Requirement: In § 170.403(b), a health IT developer must not impose or enforce any contractual requirement that contravenes the requirements of the Communications Condition of Certification. Additionally, if a health IT developer has contracts that contravene the requirements of the Communications Condition of Certification, the developer must notify all affected customers, other persons, or entities that the prohibition or restriction within the contract(s) will not be enforced by the health IT developer. The IFC suspended the annual notice requirements of § 170.403(b)(1) for the 2020 year.

  • Updated Compliance Dates for 2015 Edition Cures Update Certification Criteria: The IFC extends to December 31, 2022 the 2015 Edition health IT certification criteria updates. The one exception for this is the requirement that a health IT developer must provide all of its customers of certified health IT with health IT certified to the “EHI export” certification criterion in § 170.315(b)(10), which now has an extended compliance date of December 31, 2023.

The IFC will have wide-ranging implications for health care providers and health IT developers, which will benefit from the additional flexibility. Entities operating in this area should capitalize on the additional time provided for under the IFC by reviewing their business practices and utilized technologies for compliance with the information blocking requirements. Contact the authors of this post if you have any questions.

© Copyright 2023 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 309

About this Author

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs,...

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...