Skip to content

21st Century Cures Act: Information Blocking Now In Effect

April 8, 2021

Pursuant to 45 C.F.R. § 171.103, “information blocking” is defined as a practice conducted by a provider that is not required by law but “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” Currently, the definition of “electronic health information” or “EHI” is limited to the elements listed in the United States Core Data for Interoperability Standard (the “USCDI”). The full list of USCDI elements is available here. After October 6, 2022, the definition of EHI expands to apply to all protected health information that is transmitted or maintained electronically, which will include all records maintained by or for the provider, and will only exclude psychotherapy notes and certain records compiled for use in a civil or criminal action.

As of April 5, 2021, covered actors, including healthcare providers and practices, are subject to new privacy regulations located at 45 C.F.R. Part 171 prohibiting “information blocking.” These new regulations were published by the Department of Health and Human Services (“HHS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) pursuant to a final rule published on May 1, 2020, and later modified by an interim final rule published on November 4, 2020 in response to the coronavirus pandemic, to implement certain portions of the 21st Century Cures Act, which was signed into law on December 13, 2016.   

Information Blocking Exceptions

In other words, initially, actors that interfere with access to EHI will only be considered information blocking with respect to categories of data currently identified in the USCDI.  After October 6, 2022, the definition expands to include everything in the patient’s record including medical records, billing records, and information created by other providers and a provider must make available everything in the electronic record in response to a request.

The ONC has issued guidance that providers are not necessarily required to implement certain technology standards or provide medical records within a specified timeframe of hours or days. Instead, the ONC and HHS have opined that whether an action constitutes information blocking will be determined on a case-by-case basis.  However, if the provider makes it more difficult for a patient to access EHI and the provider’s action is not required by law or covered by an exception, the practice will likely constitute information blocking.  For example, a provider may want to withhold sharing test results until the provider is able to discuss the results with the patient. If withholding the sharing of test results until such results are discussed with the patient is not required under state law, it may constitute information blocking.

The ONC published eight exceptions to provide protection for certain practices. If all of the conditions of the exception are met, that practice or activity will not constitute information blocking.

By way of example, one of the exceptions provides that it will not be information blocking if a provider does not fulfill a request for EHI because of the infeasibility of the request. This infeasibility exception provides protection for a provider when they do not have the means necessary to comply with a request. To meet this exception, the request must be infeasible due to either an uncontrollable event such as a public health emergency, the requested EHI cannot be segmented, or if the provider can show through a written record that the request is infeasible under the circumstances. To meet the infeasibility exception, the provider must give written notice to the requestor within ten business days regarding why the request is infeasible. This exception will not apply if the provider cannot respond within ten days.

All eight information blocking exceptions are briefly described below. These practices will not constitute information blocking, provided all of the conditions of the applicable exception are met:

1. Preventing harm: practices that are reasonable and necessary to prevent harm to a patient or another person (45 C.F.R. § 171.201);

2. Privacy: not fulfilling a request to access, exchange, or use EHI in order to protect an individual’s privacy (45 C.F.R. § 171.202);

3. Security: interfering with the access, exchange, or use of EHI in order to protect the security of EHI (45 C.F.R. § 171.203);

4. Infeasibility: not fulfilling a request to access, exchange, or use EHI due to the infeasibility of the request (45 C.F.R. § 171.204);

5. Health IT performance: taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT (45 C.F.R. § 171.205);

6. Content and manner: limiting the content of response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI (45 C.F.R. § 171.301);

7. Fees: Charging fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI (45 C.F.R. § 171.302);

8. Licensing: licensing interoperability elements for EHI to be accessed, exchanged, or used (45 C.F.R. § 171.303).

Additional information about each exception, including each exception’s requirements, are available here.

General Recommendations

Providers should work with their technology staff to identify their capabilities and limitations. ONC recommends working with those responsible for implementing electronic health record (“EHR”) technology to verify that it is currently connected to meet standards and interoperability has not been restricted.  As a general rule, all EHR requests that are permitted by state and federal law should be fulfilled in a timely manner taking into consideration the technological and personnel capabilities of the provider.

In addition, the new regulations do not establish a time frame for “timely” access, so in addition to working with technology staff, providers should continue to look to HIPAA and state privacy laws.  For example, pursuant to Section 181.102 of the Texas Health and Safety Code, Texas law currently requires providing requested records within fifteen days if the provider uses an EHR system capable of fulfilling a request.  

Finally, providers should review all internal existing policies, agreements, and practices currently in place that could restrict or delay sharing EHI.  Providers may want to consider adopting a separate policy or procedure manual for information blocking requirements and exceptions, and providing training for employees on the new requirements.  If you need assistance with drafting an information blocking policy or revising your existing policies, please contact our Firm.