Information Blocking

Information Blocking – General

How would any claim or report of information blocking be evaluated?

The facts and circumstances of each situation or allegation would need to be evaluated. Whether a practice constitutes information blocking depends on the unique facts and circumstances of the practice. More specifically, information blocking occurs when: an individual or entity engaging in a practice is an actor as defined in 45 CFR 171.102; the practice involves EHI as defined in 45 CFR 171.102; the actor meets the requisite knowledge standard applicable to the type of actor; the practice is likely to prevent, materially discourage, or otherwise inhibit the access, exchange, or use of EHI; the practice is not one that is required by law; and the practice is not covered by an exception under 45 CFR Part 171.

ID:IB.FAQ46.1.2022FEB

Are contractual fees for the export of electronic health information (EHI) using technology that is not certified to 45 CFR 170.315(b)(10) enforceable if the fees were agreed to prior to the applicability date of the information blocking provision?

Yes, but only to the extent that the fees for the EHI export comply with the “Fees Exception” (45 CFR 171.302). For example, if the fees to export or convert data from the technology were not agreed to in writing at the time the technology was acquired, then the “Fees Exception” would not be available and such fees could implicate the information blocking definition unless another exception applies (45 CFR 171.302(b)(4)).

Note that if the EHI export would be performed using health IT certified under the ONC Health IT Certification Program (45 CFR Part 170) to the “EHI Export” certification criterion (45 CFR 170.315(b)(10)), a fee that is charged to perform such export for purposes of switching health IT or to provide patients their electronic health information (45 CFR 171.302(b)(3)) would not qualify for the “Fees Exception”.

ID:IB.FAQ04.1.2021JUL

On April 5, 2021, can prior agreements, arrangements, or contracts still in effect implicate the information blocking definition in 45 CFR 171?

Yes. On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the information blocking regulations in 45 CFR part 171.

ID:IB.FAQ05.1.2021MAR

Do the information blocking regulations require actors to have or use certified health IT, or upgrade the certified health IT they already have, in order to fulfill a request to access, exchange, or use electronic health information?

No. The information blocking regulations do not require actors to have or use health IT certified under the ONC Health IT Certification Program. Actors subject to the information blocking regulations are not required to immediately upgrade their certified health IT (as of the applicability date (i.e., April 5, 2021)) if they also happen to participate in a separate regulatory program that requires the use of certified health IT, such as CMS’ Promoting Interoperability Programs.

Please review the questions under the "Electronic Health Information" heading for more information.

ID:IB.FAQ06.1.2021JAN

What are the applicability and enforcement dates for the information blocking regulations?

The applicability date for the information blocking regulations in 45 CFR part 171 was established in the ONC Cures Act Final Rule, and was subsequently adjusted in the ONC Interim Final Rule. The Interim Final Rule moved the applicability date from November 2, 2020 to April 5, 2021.

The Interim Final Rule also revised the information blocking definition in 45 CFR 171.103 to adjust the timeframe for the “USCDI limitation.” Before October 6, 2022, electronic health information (EHI) for the purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

Enforcement of the information blocking regulations depends upon the individual or entity that is the subject of an enforcement action, or "actor." For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General posted its final rule implementing information blocking penalties. For health care providers, HHS has posted its proposed rule to establish appropriate disincentives as directed by the 21st Century Cures Act. For additional information, see the Disincentives Proposed Rule Overview fact sheet and the Disincentives Common Questions fact sheet.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ07.2.2024APR

If an individual asks an actor to provide a copy of the individual’s electronic health information (EHI) in some form of physical media, such as where the EHI is printed to paper or copied onto a CD or USB drive, could the individual’s request implicate the information blocking regulations and may any fees be charged?

Yes, an individual’s request for a copy of their EHI in some form of physical media, such as where the EHI is printed to paper or copied onto a CD or USB drive, could implicate the information blocking regulations. The definition of information blocking includes any practice (act or omission by an actor, as defined at 45 CFR 171.102) that is not required by law or covered by an exception and that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) (as defined at 45 CFR 171.102). Importantly, however, any fee charged for providing this type of access to EHI that does not meet the Fees Exception (45 CFR 171.302) potentially could be considered information blocking.

We have consistently interpreted the broad definition of information blocking in section 3022(a) of the Public Health Service Act to encompass potentially any fee that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI (84 FR 7521; 85 FR 25880). This would include any fees charged to individuals for copies of their EHI furnished on paper or on electronic media (such as CDs or USB drives). To be covered by the Fees Exception, any fee(s) charged for copies of EHI on electronic media or printed to paper must meet all of its conditions, including that the fee(s) are not among the list of excluded fees at 45 CFR 171.302(b). Of note, one of the exception’s conditions ensures alignment with HIPAA in that any fee prohibited by the HIPAA Privacy Rule for an individual’s right of access (45 CFR 164.524(c)(4)) is not covered by the Fees Exception (84 FR 7540; 85 FR 25886).

ID:IB.FAQ38.1.2021NOV

Would it be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure?**

No, it would not be information blocking if the actor’s practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202). All actors remain responsible for disclosing EHI only when the disclosure is allowed under all applicable federal laws. For example, actors who are HIPAA covered entities or business associates must comply with the HIPAA Privacy Rule and any other applicable federal laws that limit access, exchange, or use of EHI in particular circumstances. Adherence to such federal laws is not information blocking, if the other conditions of the Privacy Exception are also met.*

In particular, where federal law such as the HIPAA Privacy Rule does not permit EHI to be used or disclosed unless certain requirements (“preconditions”) are met, then an actor’s practice of not fulfilling a request to access, exchange, or use EHI when these preconditions are not met is not information blocking.*** The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the Privacy Exception outlines a framework for actors to follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not constitute information blocking when a precondition of applicable law has not been satisfied.

One example that highlights the alignment between the HIPAA Privacy Rule and the information blocking regulations is when a law enforcement official requests records of abortions performed from a clinic. As explained in the “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance issued by the Office for Civil Rights, there are certain preconditions that must be met before this disclosure can be made: “If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.” In this example, federal law does not permit the disclosure of EHI unless certain requirements are met, and therefore, the actor’s practice not to disclose EHI would not be information blocking. We note that this is just one example of how the HIPAA Privacy Rule gives individuals confidence that their protected health information, including information relating to abortion and other sexual and reproductive health care, will be kept private. Please see the guidance from the Office for Civil Rights for additional information and examples.

A second example of the alignment between the HIPAA Privacy Rule and the information blocking regulations is in circumstances where the HIPAA Privacy Rule permits a covered entity to use or disclose EHI only following receipt of a valid HIPAA authorization from the individual (patient) or the individual’s personal representative. If an actor does not have a valid HIPAA authorization from the individual or their personal representative that permits the use or disclosure of EHI for the requested purpose, then a precondition for disclosure is not satisfied. Accordingly, the actor’s practice of not disclosing EHI would not be considered information blocking if it is consistent with the requirements of the Precondition Not Satisfied sub-exception.

To emphasize, wherever any federal law requires the authorization of the individual to disclose the EHI, an individual may always choose not to give such authorization, and an actor who does not disclose the EHI would not be information blocking if the actor meets all applicable requirements of the Privacy Exception.

* For more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking, please see the following FAQ: How would any claim or report of information blocking be evaluated? (IB.FAQ46.1.2022FEB)

** It is important to remember that the information blocking exceptions defined in 45 CFR part 171 subparts B and C are voluntary, offering actors certainty that any practice meeting the conditions of one or more exceptions would not be considered information blocking. An actor’s practice that does not meet the conditions of an exception would not automatically constitute information blocking. Rather, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. (See, e.g., IB.FAQ29.1.2020NOV).

*** “EHI” as defined in 45 CFR 171.102 is a subset of protected health information (PHI). See 45 CFR 160.103 (definition of “protected health information”). For more information on the HIPAA Privacy Rule, who must comply with it, and its conditions for disclosures of protected health information (PHI), please see resources of the Office for Civil Rights at HHS.gov/HIPAA.

ID:IB.FAQ48.1.2023APR

Actors

Are health care providers subject to the information blocking regulations even if they do not use any certified health IT?

Yes, any individual or entity that meets the definition of at least one category of actor—“health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange”—as defined in 45 CFR 171.102 is subject to the information blocking regulations in 45 CFR part 171. The information blocking regulations in 45 CFR part 171 apply to a health care provider, as defined in the Public Health Service Act and incorporated in 45 CFR 171.102, regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.

ID:IB.FAQ08.1.2020NOV

Are health information networks (HINs) or health information exchanges (HIEs) subject to the information blocking regulation even if they do not use any certified health IT?

Yes, any individual or entity that meets the definition of at least one category of actor—“health care provider,” “health IT developer of certified health IT,” or “health information network or health information exchange”—as defined in 45 CFR 171.102 is subject to the information blocking regulation in 45 CFR part 171. The information blocking regulations in 45 CFR part 171 apply to an entity that meets the HIN or HIE definition regardless of whether any of the health IT the HIN or HIE uses is certified under the ONC Health IT Certification Program.

ID:IB.FAQ09.1.2020NOV

Is my organization a health information network (HIN) or health information exchange (HIE) for information blocking purposes?

The definition of “health information network (HIN) or health information exchange (HIE)” in 45 CFR 171.102 is a single, functional definition. We did not specifically exclude any particular entities from the definition, nor did we specifically identify particular entities in the definition. In order to determine whether your organization is a HIN/HIE for information blocking purposes, you should assess whether your organization’s functional activity meets the HIN/HIE definition in 45 CFR 171.102. The Information Blocking Actors fact sheet on HealthIT.gov presents the actor definitions in an easy-to-use format.

ID:IB.FAQ10.1.2020NOV

Is my company or organization a “health IT developer of certified health IT” for information blocking purposes?

The answer depends on whether your company or organization meets the definition of “health IT developer of certified health IT” in 45 CFR 171.102. Under the definition, an individual or entity that develops or offers health IT is a “health IT developer of certified health IT” so long as that individual or entity develops or offers at least one Health IT Module certified under the ONC Health IT Certification Program. However, the definition explicitly excludes a health care provider that self-develops Health IT that is not offered to others. The Information Blocking Actors fact sheet on HealthIT.gov presents the actor definitions in an easy-to-use format.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ11.2.2024APR

Do the information blocking regulations apply to an individual or entity that does not develop any products certified under the ONC Health IT Certification Program if that individual or entity resells or re-licenses select certified health IT developed by others?

Yes. For purposes of the information blocking regulation, a “health IT developer of certified health IT” is defined in 45 CFR 171.102. With the sole exception of a health care provider that self-develops certified health IT that is not offered to others, this definition is met by any individual or entity that develops or offers health IT certified under the ONC Health IT Certification Program. If an individual or entity offers certified health IT for any period of time on or after the applicability date of 45 CFR part 171, then they would be considered to be a “health IT developer of certified health IT” for purposes of their conduct during that time. The information blocking provision would not apply to conduct the individual or entity engaged in after they no longer have or no longer offer any certified health IT. However, claims of information blocking with respect to conduct occurring while the individual or entity had certified health IT could be acted upon by HHS after the individual or entity no longer had or offered certified health IT. (See also ONC Cures Act Final Rule page 85 FR 25797).

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ12.2.2024APR

Are health plans or other payers subject to the information blocking regulation?

For purposes of the information blocking regulation in 45 CFR part 171, the term "actor" includes health care providers, health IT developers of certified health IT, and health information networks (HIN) or health information exchanges (HIE), as defined in 45 CFR 171.102. Although health plans and other payers are not specifically identified within any of these definitions, they also are not specifically excluded. To the extent an individual or entity that is a payer also meets the 45 CFR 171.102 definition of "health care provider," "health IT developer of certified health IT" or "health information network or health information exchange," that individual or entity would be considered an "actor" for purposes of information blocking. In addition, the HIN/HIE definition is a functional definition and should be reviewed for potential applicability to a health plan’s activities. The Information Blocking Actors fact sheet on HealthIT.gov presents these definitions in an easy-to-use format. (See also Cures Act Final Rule page 85 FR 25803)

ID:IB.FAQ13.1.2020NOV

Could ONC please clarify whether the information blocking regulations will apply to business associates of Health Insurance Portability and Accountability Act (HIPAA) covered entities?

In some instances, a business associate will be an actor under the information blocking regulation in 45 CFR part 171 and in other situations, it may not be an actor. The information blocking regulations in 45 CFR part 171 apply to health care providers, health IT developers of certified health IT, and health information networks (HIN) and health information exchanges (HIE), as each is defined in 45 CFR 171.102. Any individual or entity that meets one of these definitions is an “actor” and subject to the information blocking regulation in 45 CFR part 171, regardless of whether they are also a HIPAA covered entity (CE) or business associate (BA).

ID:IB.FAQ14.1.2020NOV

Electronic Health Information

When information blocking is no longer limited to the subset that is represented by data elements in the United States Core Data for Interoperability (USCDI), what information will be covered by information blocking regulations as “electronic health information (EHI)”?

We have focused the EHI definition on terms that are used in the HIPAA Rules and that are widely understood in the health care industry as well as on a set of health information that is currently collected, maintained, and made available for access, exchange, and use by actors. On and after October 6, 2022, the definition of information blocking will apply to the full scope of EHI (as defined in 45 CFR 171.102):  

“Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:

     (1) Psychotherapy notes as defined in 45 CFR 164.501; or

     (2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” (emphasis added)

EHI as defined for the purposes of information blocking is information that is consistent with the definitions of electronic protected health information (ePHI) and the designated record set (DRS) regardless of whether they are maintained by or for an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules. Just like ePHI, the data that constitutes EHI is not tied to a specific system in which the EHI is maintained. We also noted in our final rule that health information that is de-identified consistent with the requirements of 45 CFR 164.514(b) is not included in the definition of EHI for the purposes of information blocking (85 FR 25804). Thus, any individually identifiable health information that is transmitted by or maintained in electronic media is EHI to the extent that the information would be included in the designated record set.

As defined in the HIPAA Rules, the designated record set comprises:

  • medical records and billing records about individuals;
  • enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan;
  • other records that are used, in whole or in part, to make decisions about individuals.

The term “record” means any item, collection, or grouping of information that includes protected health information. (45 CFR 164.501)

ID:IB.FAQ39.1.2021NOV

For the period of time when information blocking is limited to the United States Core Data for Interoperability, what constitutes a progress note for the purposes of information blocking?

As stated in the United States Core Data for Interoperability Version 1 (July 2020 Errata) (“USCDI v1”), a progress note “represents a patient’s interval status during a hospitalization, outpatient visit, treatment with a LTPAC provider, or other healthcare encounter.” Any note that meets the above definition is considered a progress note for the purposes of the information blocking regulations codified in 45 CFR part 171.

From April 5, 2021 through October 5, 2022, the definition of information blocking is limited to the subset of EHI that is represented by data elements in the USCDI v1. The initial limitation of information blocking to the subset of EHI that is described in USCDI v1 was established to create a transparent, predictable starting point for sharing EHI while actors prepare for the sharing of all EHI (85 FR 25794).        

In our final rule, we noted that clinical note types identified in the USCDI are content exchange standard agnostic, and thus they should not necessarily be only interpreted or associated with the specific C-CDA Document Templates that may share the same name (85 FR 25674-5).

For more information on EHI including clinical notes, please review the other FAQs under the Electronic Health Information heading.

This FAQ is specific to the information blocking regulations codified in 45 CFR part 171. For more information about certification of health IT under the ONC Health IT Certification Program, including certification to criteria that include the USCDI as a standard, please see the About The ONC Health IT Certification Program and 2015 Edition Cures Update Test Method pages of ONC’s website, HealthIT.gov.

ID:IB.FAQ40.1.2021NOV

Are nursing, pharmacy, or other professions’ clinical notes included in the definition of “electronic health information”?

Yes. Electronic health information (EHI), as defined in 45 CFR 171.102, does not specifically include or exclude notes or other clinical observations based on the type or specialty of the professional who authors them.

Until October 6, 2022, EHI’s scope for purposes of the information blocking definition (45 CFR 171.103) is limited to that information represented by data classes and elements within the United States Core Data for Interoperability (USCDI). Therefore, until October 6, 2022, only those notes that map to any of the eight types specified in the “Clinical Notes” data class within the USCDI would be required to be included in a response to a request for legally permissible access, exchange, or use of EHI. However, actors (health care providers, health IT developers of certified health IT, and health information networks or health information exchanges) should bear in mind that none of the eight types of clinical notes currently represented within the USCDI are limited based on the type or specialty of the professional who authors them.

Please review the other questions under this heading for more information.

ID:IB.FAQ15.1.2021JAN

Does the “electronic health information” definition’s exclusion of psychotherapy notes apply to notes of sessions conducted by a type of mental health professional other than a psychiatrist?

It depends. To the extent the content of any particular note meets the definition of “psychotherapy notes” in the HIPAA Rules (see 45 CFR 164.501), that note would be considered a psychotherapy note for purposes of information blocking. The information blocking regulations do not specify types of health care providers to be mental health professionals for purposes of applying the “psychotherapy notes” definition under the information blocking regulations. Thus, all notes that are “psychotherapy notes” for purposes of the HIPAA Rules are also “psychotherapy notes” for purposes of the information blocking regulations in 45 CFR part 171, and are therefore excluded from the definition of EHI for purposes of the information blocking regulations.  

ID:IB.FAQ16.1.2021JAN

Is non-final clinical information, such as draft clinical notes or incomplete test results that are pending confirmation, included in the definition of electronic health information (EHI) for purposes of the information blocking regulations?

It depends. Draft clinical notes and laboratory results pending confirmation are, as we discussed in the ONC 21st Century Cures Act Final Rule, examples of data points that may not be appropriate to disclose or exchange until they are finalized. However, if such data are used to make health care decisions about an individual then that data would fall within the definition of “designated record set” (see 45 CFR § 164.501), and therefore within the definition of EHI. To the extent a data point falls within the definition of EHI, practices likely to interfere with legally permissible access, exchange or use of that EHI could implicate the information blocking definition.

From April 5, 2021 through October 5, 2022, EHI’s scope for purposes of the information blocking definition is limited to the EHI that is represented by data classes and elements within the United States Core Data for Interoperability (USCDI). Therefore, during this period, interference with a request for legally permissible access, exchange, or use of non-final data points would potentially implicate the information blocking regulations only to the extent noted in the above paragraph and only to the extent that the data are within both the definition of EHI and the data classes and elements represented within the USCDI.

ID:IB.FAQ17.1.2021JAN

For the period of time when EHI is “limited to the United States Core Data for Interoperability (USCDI),” does that mean the information blocking regulations apply only to EHI that is recorded or requested according to the applicable standards within the USCDI?

No. The definition of electronic health information in 45 CFR 171.102 is not limited by whether the data is recorded or could be exchanged using any particular technical functionality or standard. The information blocking definition (45 CFR 171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. This limitation of EHI for purposes of the information blocking definition is not contingent on whether those data elements are recorded or represented using the specific content and vocabulary standards in the USCDI standard at 45 CFR 171.213. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR 171.102.

ID:IB.FAQ18.1.2020NOV

For the period of time when information blocking was “limited to the United States Core Data for Interoperability (USCDI),” how was an actor expected to fulfill a request for the USCDI if they did not yet have certified health IT in place that includes an API with the USCDI standard?

An actor is not automatically required to fulfill a request using the specific content and vocabulary standards identified in the United States Core Data for Interoperability (USCDI) standard for the representation of data classes and data elements, nor are they required to use certified technology or any specific functionality. The information blocking definition (45 CFR 171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. This limitation of EHI for purposes of the information blocking definition is not contingent on whether those data elements are recorded or represented using specific content and vocabulary standards in the USCDI standard in 45 CFR 171.213. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR 171.102.

Again, the information blocking regulations do not require the use of any specific standard or functionality. Instead, the “Manner” exception (45 CFR 171.301) outlines a process by which an actor may prioritize the use of standards in fulfilling a request for EHI in a manner that supports and prioritizes the interoperability of the data. This means that, for the purposes of information blocking, before October 6, 2022, an actor may have fulfilled a request with the EHI identified by the data elements represented in the USCDI standard, first in the manner requested and, if not, in an alternate manner agreed upon with the requestor, following the order of priority specified in the exception.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ19.2.2024APR

Is electronic health information (EHI) that is covered by the information blocking regulations limited by when the information was generated?

No, the definition of electronic health information (EHI) is not limited by when the information was generated. Before October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with, at a minimum, the requested EHI that they have and that can be identified by the data elements represented in the United States Core Data for Interoperability (USCDI), regardless of when the information was generated. On and after October 6, 2022, an actor must respond to a request to access, exchange, or use EHI with EHI as defined in 45 CFR 171.102, regardless of when the information was generated. For example, an actor who has the necessary technical capability to do so is required to fulfill a request to access, exchange or use EHI that they have and could appropriately disclose in response to that request even if the EHI was generated before the ONC Cures Act Final Rule was published and even if the EHI was generated before the Cures Act was enacted by Congress.

ID:IB.FAQ20.1.2020NOV

Is an actor required to fulfill a request for access, exchange or use of EHI with all the EHI they have for a patient or should the amount of EHI be based on the details of the request? In addition, what if an actor only maintains some of the requested information electronically?

The fulfillment of a request for access, exchange or use of EHI, including what EHI is shared, should be based on the request. However, any activity by the actor that seeks to artificially restrict or otherwise influence the scope of EHI that may be requested may constitute interference and could be subject to the information blocking regulation in 45 CFR part 171.

In terms of fulfilling requests for EHI, it is important to remember that the requirement to fulfill requests for access, exchange, and use of EHI is in any case limited to what the actor may, under applicable law, permissibly disclose in response to a particular request. Under the information blocking regulations in 45 CFR part 171, the actor is only required to fulfill a request with the requested EHI that they have and that can be permissibly disclosed to the requestor under applicable law. However, for protected health information they have, but do not maintain electronically, all HIPAA requirements would still be applicable, including the right of access.

ID:IB.FAQ21.1.2020NOV

Interference

When would a delay in fulfilling a request for access, exchange, or use of EHI be considered an interference under the information blocking regulation?

A determination as to whether a delay would be an interference that implicates the information blocking regulation would require a fact-based, case-by-case assessment of the circumstances.  That assessment would also determine whether the interference is with the legally permissible access, exchange, or use of EHI; whether the actor engaged in the practice with the requisite intent; and whether the practice satisfied the conditions of an exception. Please see 45 CFR 171.103 regarding the elements of information blocking.

Unlikely to be an Interference

If the delay is necessary to enable the access, exchange, or use of EHI, it is unlikely to be considered an interference under the definition of information blocking (85 FR 25813).

For example, if the release of EHI is delayed in order to ensure that the release complies with state law, it is unlikely to be considered an interference so long as the delay is no longer than necessary (see also 85 FR 25813). Longer delays might also be possible, and not be considered an interference if no longer than necessary, in scenarios where EHI must be manually retrieved and moved from one system to another system (see, for example, 85 FR 25866-25887 regarding the manual retrieval of EHI in response to a patient request for EHI).

Likely to be an Interference

It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results (see also 85 FR 25842 specifying that such a practice does not qualify for the “Preventing Harm” Exception).

To further illustrate, it also would likely be considered an interference:

  • where a delay in providing access, exchange, or use occurs after a patient logs in to a patient portal to access EHI that a health care provider has (including, for example, lab results) and such EHI is not available—for any period of time—through the portal.
  • where a delay occurs in providing a patient’s EHI via an API to an app that the patient has authorized to receive their EHI.

ID:IB.FAQ22.1.2021MAR

Do the information blocking regulations (45 CFR Part 171) require actors to proactively make electronic health information (EHI) available through “patient portals,” application programming interfaces (API), or other health information technology?

“Proactively” or “proactive” is not a regulatory concept included within the information blocking regulations. Rather, the information blocking regulations focus on whether a practice (an act or omission) constitutes information blocking. Further, an important consideration is whether the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. In this regard, we direct readers to the following FAQ, which explains when a delay in making EHI available through a “patient portal” or an API for patients could constitute an interference and thus implicate the information blocking regulations:

When would a delay in fulfilling a request for access, exchange, or use of EHI be considered an interference under the information blocking regulation?

ID:IB.FAQ23.2.2021NOV

Are actors (for example, health care providers) expected to release test results to patients through a patient portal or application programming interface (API) as soon as the results are available to the ordering clinician?

While the information blocking regulations do not require actors to proactively make electronic health information (EHI) available, once a request to access, exchange or use EHI is made actors must timely respond to the request (for example, from a patient for their test results). Delays or other unnecessary impediments could implicate the information blocking provisions.

In practice, this could mean a patient would be able to access EHI such as test results in parallel to the availability of the test results to the ordering clinician.

Please review the other questions under this heading for more information.

ID:IB.FAQ24.1.2021JAN

Is it information blocking when state law requires a specific delay in communication of EHI, or that certain information be communicated to the patient in a particular way, before the information is made available to the patient electronically?

No. The definition of information blocking (45 CFR 171.103) does not include practices that interfere with access, exchange or use of EHI when they are specifically required by applicable law (see 85 FR 25794). To the extent the actor’s practice is likely to interfere with access, exchange, or use of EHI beyond what would be specifically necessary to comply with applicable law, the practice could implicate the information blocking definition.

ID:IB.FAQ25.1.2021JAN

When a state or federal law or regulation, such as the HIPAA Privacy Rule, requires EHI be released by no later than a certain date after a request is made, is it safe to assume that any practices that result in the requested EHI’s release within that other required timeframe will never be considered information blocking?

No. The information blocking regulations (45 CFR Part 171) have their own standalone provisions (see 42 U.S.C. 300jj-52). The fact that an actor covered by the information blocking regulations meets its obligations under another law applicable to them or its circumstances (such as the maximum allowed time an actor has under that law to respond to a patient’s request) will not automatically demonstrate that the actor’s practice does not implicate the information blocking definition.

If an actor who could more promptly fulfill requests for legally permissible access, exchange, or use of EHI chooses instead to engage in a practice that delays fulfilling those requests, that practice could constitute an interference under the information blocking regulation, even if requests affected by the practice are fulfilled within a time period specified by a different applicable law.

ID:IB.FAQ26.1.2021JAN

Will educating patients about the privacy and security risks posed by third-party apps that the patient chooses be considered interference?

It will not be considered an “interference” with the access, exchange, or use of EHI if:

  • Foremost, the information provided by actors focuses on any current privacy and/or security risks posed by the technology or the third-party developer of the technology;
  • Second, this information is factually accurate, unbiased, objective, and not unfair or deceptive; and
  • Finally, the information is provided in a non-discriminatory manner.

For example, actors may establish processes where they notify a patient, call to a patient’s attention, or display in advance (as part of the app authorization process within certified API technology) whether the third-party developer of the app that the patient is about to authorize to receive their EHI has attested in the positive or negative as to whether the third party’s privacy policy and practices (including security practices) meet particular benchmarks. However, such processes must be non-discriminatory in that they must be used in the same manner for all third-party apps/developers.

The particular benchmarks an actor might identify in this example could be the minimum expectations described below, more stringent “best practice” expectations that may be set by the market, or some combination of minimum and “best practice” expectations. 

As described in the Final Rule at 85 FR 25816, all third-party privacy policies and practices should, at a minimum, adhere to the following:

  • The privacy policy is made publicly accessible at all times, including updated versions;
  • The privacy policy is shared with all individuals that use the technology prior to the technology’s receipt of EHI from an actor;
  • The privacy policy is written in plain language and in a manner calculated to inform the individual who uses the technology;
  • The privacy policy includes a statement of whether and how the individual’s EHI may be accessed, exchanged, or used by any other person or other entity, including whether the individual’s EHI may be sold at any time (including in the future); and
  • The privacy policy includes a requirement for express consent from the individual before the individual’s EHI is accessed, exchanged, or used, including receiving the individual’s express consent before the individual’s EHI is sold (other than disclosures required by law or disclosures necessary in connection with the sale of the application or a similar transaction).

ID:IB.FAQ27.1.2020NOV

Do the information blocking regulations require actors to violate existing business associate agreements in order to not be considered information blockers?

No. The information blocking regulations in 45 CFR part 171 do not require actors to violate business associate agreements (BAA) or associated service level agreements.

However, the terms or provisions of such agreements could constitute an interference (and thus could be information blocking) if used in a discriminatory manner by an actor to forbid or limit access, exchange, or use of electronic health information (EHI) that otherwise would be a permitted disclosure under the Privacy Rule.

For example, a BAA entered into by one or more actors that permits access, exchange, or use of EHI by certain health care providers for treatment should generally not prohibit or limit the access, exchange, or use of the EHI for treatment by other health care providers of a patient. See also the section discussing business associate agreements in the Final Rule at 85 FR 25812.


Correction: The wording in the second paragraph of this FAQ was corrected on 04/09/2021 to align with preamble text in the Final Rule (85 FR 25812).

ID:IB.FAQ28.2.2021APR

Is a claim of information blocking predicated on a request for access, exchange, or use of electronic health information (EHI)? In other words, does someone always have to ask an actor for EHI before the actor’s practice could violate the information blocking definition?

No. Facts and circumstances will determine whether the information blocking regulations are implicated. Information blocking is defined, in relevant part, as a practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI (see 45 CFR 171.103; and 45 CFR 171.102 for the definition of “interfere with”).

A “practice” is further defined as an “act or omission” (45 CFR 171.102). As such, any act or omission, whether or not in response to a request for access, exchange, or use of EHI, could implicate the information blocking regulation if the act or omission interferes with, prevents, or materially discourages the access, exchange, or use of EHI. For example, as specified in section 3022(a)(2)(C) of the Public Health Service Act, added by the 21st Century Cures Act, the practice of implementing health information technology in ways that are likely to restrict access, exchange, or use of EHI with respect to exporting complete information sets or transitioning between health IT systems could be considered information blocking. Similarly, the practice of including a contract provision that restricts access, exchange, or use of EHI could, under certain circumstances, implicate the information blocking regulations (see 85 FR 25812 for further discussion of contracts that may implicate the information blocking regulations). Further, omissions, including, but not limited to the following, could similarly implicate the information blocking regulations under certain circumstances: failure to exchange EHI; failure to make EHI available for use; and not complying with another law that requires access, exchange, or use of EHI.

ID:IB.FAQ37.1.2021NOV

Would not complying with another law implicate the information blocking regulations?

If an actor is required to comply with another law that relates to the access, exchange, or use of EHI (as defined in 45 CFR 171.102), failure to comply with that law may implicate the information blocking regulations. This FAQ provides two examples of laws where non-compliance by an actor may implicate the information blocking regulations.  

Example 1 – ADT Notifications

In the Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access Final Rule (85 FR 25510, 25602-03), CMS modified the Conditions of Participation (CoPs) to require hospitals (42 C.F.R. § 482.24(d)), psychiatric hospitals (42 C.F.R. § 482.61(f)), and critical access hospitals (CAHs) (42 C.F.R. § 485.638(d)) to send electronic patient event notifications of a patient’s admission, discharge, and transfer (ADT) to another health care facility or to another provider or practitioner (“ADT notifications”). The CMS regulations do not require such hospitals to first receive a request for access, exchange, or use of EHI for the obligation to send the ADT notification to be triggered. Thus, if a hospital (an “actor” under 45 CFR 171.102) does not comply with the regulatory requirement to send the ADT notification, its noncompliance could be an interference with the access, exchange, or use of EHI under the information blocking regulations.

Example 2 – Public Health Reporting

Where a law requires actors to submit EHI to public health authorities, an actor’s failure to submit EHI to public health authorities could be considered an interference under the information blocking regulations. For example, many states legally require reporting of certain diseases and conditions to detect outbreaks and reduce the spread of disease. Should an actor that is required to comply with such a law fail to report, the failure could be an interference with access, exchange, or use of EHI under the information blocking regulations.

Please see the following FAQ for more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking: How would any claim or report of information blocking be evaluated?

ID:IB.FAQ43.1.2022FEB

Can an actor grant a patient’s request to delay the release of a patient’s test result(s) (e.g., laboratory or image result(s)) to the patient without implicating the information blocking regulations?

It would likely not be an interference when an actor follows an individual patient’s, or patient’s representative’s, request to delay release of the patient’s electronic health information (EHI) to the patient or to the patient’s representative. 

In the preamble to the 21st Century Cures Act final rule, we recognized that “some delays may be legitimate” (85 FR 25813) and not an interference (as defined in 45 CFR 171.102). However, the unique facts and circumstances of each situation would need to be evaluated. Generally, a delay should be for no longer than necessary to fulfill each patient’s request (see 85 FR 25813; see also 85 FR 25878 and 45 CFR 171.301(b)(2)(i)). 

When assessing whether a delay may be information blocking, facts indicating that an actor created extended or unnecessary delays may be evidence of an actor's intent to interfere with, prevent, or materially discourage access, exchange, or use of EHI (85 FR 25813). For example, when an actor delays the release of EHI in response to a patient’s request, relevant considerations for assessing whether the delay may be information blocking could include, without limitation, whether: the patient and actor agree on the timeframe or conditions for the delay (e.g., after 3 days or upon their clinician’s review, respectively), the timeframe or conditions are met, and there were no extended or unnecessary delays in meeting the timeframe or conditions.

Please see the following FAQ for more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking: How would any claim or report of information blocking be evaluated?

Please also see the following FAQ regarding when a delay in making EHI available through a “patient portal” or an application programming interface (API) for patients could constitute an interference and thus implicate the information blocking regulations: When would a delay in fulfilling a request for access, exchange, or use of EHI be considered an interference under the information blocking regulation? 

ID:IB.FAQ45.1.2022FEB

Do the information blocking regulations (45 CFR Part 171) require actors to make patients aware of newly available electronic health information (EHI)?

There is no specific regulatory provision under the information blocking regulations that expressly requires actors to make individuals aware of newly available EHI, whether from a recent clinical encounter or newly available historical EHI not previously accessible to a patient. In most circumstances, practices to notify patients (e.g., by text alert or email) about newly available EHI or stopping such notifications would likely not be considered information blocking.
 
Please see the following FAQ for more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking: How would any claim or report of information blocking be evaluated?

ID:IB.FAQ44.1.2022FEB

If an actor requires third-party applications (“apps”) to be vetted[1] by them for security reasons before allowing patients to use such apps to receive EHI via API technology certified to the Standardized API certification criterion, is that practice likely to be an interference under the information blocking regulations?

Yes. For API technology (i.e., a Health IT Module) to be certified to the Standardized API certification criterion (§ 170.315(g)(10)), it must incorporate a number of security requirements, including the use of OAuth2 (see, e.g., 85 FR 25741). In addition, the Standardized API certification criterion focuses on “read-only” responses to patient directed requests for EHI to be transmitted (see 85 FR 25742, “C. Standardized API for Patient and Population Services”). This means there should be few, if any, security concerns about the risks posed by patient-facing apps to the disclosing actor's health IT systems (because the apps would only be permitted to receive EHI at the patient's direction from the certified API technology). Thus, for third-party applications chosen by individuals to receive their EHI from API technology certified to the Standardized API certification criterion, there would generally not be a need for “vetting” the security of the app and such vetting actions would likely be an interference (85 FR 25815).

We do note, however, that actors, such as health care providers, have the ability to conduct whatever “vetting” they deem necessary of entities (e.g., app developers) that would be their business associates under HIPAA before the entities start using or maintaining EHI on behalf of the actor. In this regard, covered entities must conduct necessary vetting in order to comply with the HIPAA Security Rule (85 FR 25815).

[1] “Vetting,” in the context of third party applications (apps), includes a determination regarding the security features of the app, such as whether the app poses a security risk to the actor's API (85 FR 25815).

* For more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking, please see the following FAQ: How would any claim or report of information blocking be evaluated? (IB.FAQ46.1.2022FEB)

ID:IB.FAQ51.1.2023MAY

Exceptions – General

If an actor does not fulfill a request for access, exchange, and use of EHI in “any manner requested” that they have the technical capability to support, is the actor automatically an information blocker unless they satisfy at least one of the information blocking exceptions?

Not necessarily. The information blocking exceptions defined in 45 CFR part 171 are voluntary and offer actors certainty that any practice meeting the conditions of one or more exceptions will not be considered information blocking. However, an actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking. Instead, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred.

Whether information blocking occurred in a particular case would be based on whether:

  • the individual or entity engaging in the practice is an "actor" as defined in 45 CFR 171.102;
  • the claim involves "EHI" as defined in 45 CFR 171.102;
  • the practice was required by law;
  • the actor's practice met the conditions of an exception under 45 CFR 171;
  • the practice rose to the level of an interference under 45 CFR 171; and,
  • the actor met the requisite knowledge standard.

Please note, the knowledge standard varies based on the type of actor.  For health care providers, the standard is that the actor “knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.” For health IT developers of certified health IT and health information networks (HINs) or health information exchanges (HIEs), the standard is that the actor “knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information.” In addition, we recommend review of the examples included in the Final Rule of what is and is not considered interference at 85 FR 25811.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ29.2.2024APR

How is an actor expected to fulfill a request for the USCDI under the Manner Exception if they do not yet have certified health IT in place that supports the Cures Act Final Rule updates necessary to include the USCDI in certified technology?

The “Manner” exception does not require the use of any specific standard or functionality. Instead, the “Manner” exception (45 CFR 171.301) outlines a process by which an actor may prioritize the use of standards in fulfilling a request for EHI in a manner that supports and prioritizes the interoperability of the data. This means that, for the purposes of information blocking, before October 6, 2022, an actor could have fulfilled a request with the EHI identified by the data elements represented in the USCDI standard, first in the manner requested and, if not, in an alternate manner agreed upon with the requestor, following the order of priority specified in the exception.

Updated:

This FAQ has been updated to reflect the effective date of the HTI-1 Final Rule.

ID:IB.FAQ30.2.2024APR

Manner Exception

Is portable document format (PDF) considered a “machine-readable format” for purposes of the alternative manner condition of the Manner exception?

It depends. The Manner Exception, in particular the last provision of the “alternative manner” (45 CFR 171.301(b)(1)(iii)), does not specify the particular file extensions or outputs that must be supported. Instead, as a last alternative to make electronic health information (EHI) accessible, exchangeable, or useable, this specific provision within the exception requires actors to produce EHI in a “machine-readable format, including the means to interpret the electronic health information, agreed upon with the requestor.” If it is necessary to produce a PDF for the purpose of meeting this provision, the PDF should be an interpretable, machine-readable output. While this may be possible for some PDFs, other PDFs, such as those that include EHI as images, generally might not be an interpretable, machine-readable output.  

One way a PDF could be a machine-readable format would be if it was structured so that the data it conveyed could be consumed by another software program using consistent processing logic, consistent with the National Institute of Standards and Technology’s definition of “machine-readable.” If a data output format is structured so that the EHI it conveys is machine readable, then that output format is a machine-readable format, regardless of the file extension.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ41.2.2024APR

Privacy Exception

Would it be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to comply with federal privacy laws that require certain conditions to have been met prior to disclosure?**

No, it would not be information blocking if the actor’s practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202). All actors remain responsible for disclosing EHI only when the disclosure is allowed under all applicable federal laws. For example, actors who are HIPAA covered entities or business associates must comply with the HIPAA Privacy Rule and any other applicable federal laws that limit access, exchange, or use of EHI in particular circumstances. Adherence to such federal laws is not information blocking, if the other conditions of the Privacy Exception are also met.*

In particular, where federal law such as the HIPAA Privacy Rule does not permit EHI to be used or disclosed unless certain requirements (“preconditions”) are met, then an actor’s practice of not fulfilling a request to access, exchange, or use EHI when these preconditions are not met is not information blocking.*** The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the Privacy Exception outlines a framework for actors to follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not constitute information blocking when a precondition of applicable law has not been satisfied.

One example that highlights the alignment between the HIPAA Privacy Rule and the information blocking regulations is when a law enforcement official requests records of abortions performed from a clinic. As explained in the “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance issued by the Office for Civil Rights, there are certain preconditions that must be met before this disclosure can be made: “If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.” In this example, federal law does not permit the disclosure of EHI unless certain requirements are met, and therefore, the actor’s practice not to disclose EHI would not be information blocking. We note that this is just one example of how the HIPAA Privacy Rule gives individuals confidence that their protected health information, including information relating to abortion and other sexual and reproductive health care, will be kept private. Please see the guidance from the Office for Civil Rights for additional information and examples.

A second example of the alignment between the HIPAA Privacy Rule and the information blocking regulations is in circumstances where the HIPAA Privacy Rule permits a covered entity to use or disclose EHI only following receipt of a valid HIPAA authorization from the individual (patient) or the individual’s personal representative. If an actor does not have a valid HIPAA authorization from the individual or their personal representative that permits the use or disclosure of EHI for the requested purpose, then a precondition for disclosure is not satisfied. Accordingly, the actor’s practice of not disclosing EHI would not be considered information blocking if it is consistent with the requirements of the Precondition Not Satisfied sub-exception.

To emphasize, wherever any federal law requires the authorization of the individual to disclose the EHI, an individual may always choose not to give such authorization, and an actor who does not disclose the EHI would not be information blocking if the actor meets all applicable requirements of the Privacy Exception.

* For more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking, please see the following FAQ: How would any claim or report of information blocking be evaluated? (IB.FAQ46.1.2022FEB)

** It is important to remember that the information blocking exceptions defined in 45 CFR part 171 subparts B and C are voluntary, offering actors certainty that any practice meeting the conditions of one or more exceptions would not be considered information blocking. An actor’s practice that does not meet the conditions of an exception would not automatically constitute information blocking. Rather, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. (See, e.g., IB.FAQ29.1.2020NOV).

*** “EHI” as defined in 45 CFR 171.102 is a subset of protected health information (PHI). See 45 CFR 160.103 (definition of “protected health information”). For more information on the HIPAA Privacy Rule, who must comply with it, and its conditions for disclosures of protected health information (PHI), please see resources of the Office for Civil Rights at HHS.gov/HIPAA.

ID:IB.FAQ48.1.2023APR

If an individual requests that their EHI not be disclosed, is it information blocking if an actor does not disclose the EHI based on the individual’s request?*

No, if the actor’s conduct satisfies the requirements of the information blocking regulations, such as the Privacy Exception (45 CFR 171.202). For example, the sub-exception Respecting an Individual’s Request Not to Share Information permits an actor, unless the disclosure is required by law, to honor an individual’s request not to provide access, exchange, or use of the individual’s EHI, which aligns with the individual’s right to request a restriction on disclosures of their protected health information under the HIPAA Privacy Rule (45 CFR 164.522(a)(1)).

Separately, if an actor has privacy or security concerns about disclosing EHI to an app/app developer with which an individual may choose to share their EHI, an actor may educate the individual about such concerns consistent with the following FAQ: Will educating patients about the privacy and security risks posed by third-party apps that the patient chooses be considered interference?

* For more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking, please see the following FAQ: How would any claim or report of information blocking be evaluated? (IB.FAQ46.1.2022FEB)

ID:IB.FAQ47.1.2023APR

If an actor, such as a health care provider, operates in more than one state, is it consistent with the information blocking regulations for the health care provider to implement practices to uniformly follow the state law that is the most privacy protective (more restrictive) across all the other states in which it operates?

Yes, if the actor satisfies the requirements of the information blocking regulations, such as the Precondition Not Satisfied sub-exception of the Privacy Exception (45 CFR 171.202(b)).** For purposes of the information blocking regulations, health care providers and other information blocking actors operating under multiple state laws, or state and tribal laws, with inconsistent legal requirements for EHI disclosures may choose to adopt uniform policies and procedures so that the actor only makes disclosures of EHI that meet the requirements of the state law providing the most protection to individuals’ privacy (45 CFR 171.202(b)).** Essentially, the Precondition Not Satisfied sub-exception establishes conditions under which an actor may adopt policies to satisfy state laws with more restrictive preconditions and apply those policies in all the jurisdictions in which they operate. 

To illustrate, consider a scenario in which an actor operates in two states, “State A” and “State B.” State A forbids disclosure of certain EHI, such as EHI specific to reproductive health care, to another health care provider, who is also currently treating the individual, without first obtaining written authorization from the individual. This scenario assumes State B’s law does not require authorization from the individual for disclosure of reproductive health care EHI for treatment purposes. In this scenario, an actor subject to the laws of both State A and State B can, consistent with the Privacy Exception (see 45 CFR 171.202(b)(3)), adopt uniform privacy policies and procedures that result in the actor disclosing EHI only when the individual has provided written authorization for a specific disclosure (consistent with the more privacy-protective requirements of State A’s law) of EHI about them for treatment purposes across the actor’s operations in both State A and State B. If the actor’s policies, procedures, and actions are consistent with the requirements of the Precondition Not Satisfied sub-exception (45 CFR 171.202(b)), the actor’s practices would not be considered information blocking – even though the actor’s uniform privacy policies and procedures may deny or delay access, exchange, or use of EHI in State B that (under laws in force in State B) would not require specific written authorization.

In a second, similar scenario, State A’s law sets more privacy protective or more “stringent” requirements (“preconditions”) than both State B’s law and the HIPAA Privacy Rule for disclosures of EHI[1] for particular purposes (such as disclosing information related to reproductive health care for law enforcement purposes[2]). An actor operating in States A and B can meet the requirements of the Precondition Not Satisfied sub-exception (45 CFR 171.202(b)(1) through (3)) in order to have confidence that disclosing EHI only when the disclosure is consistent with the most privacy protective (most restrictive or most “stringent”) preconditions (in this example, State A’s) across all their operations in both State A and State B would not be considered information blocking.

[1] “EHI” as defined in 45 CFR 171.102 is a subset of protected health information (PHI). See 45 CFR 160.103 (definition of “protected health information”). For more information on the HIPAA Privacy Rule and its conditions for disclosures of protected health information (PHI), please see resources of the Office for Civil Rights at HHS.gov/HIPAA.

[2] For example, see “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” which discusses the permissibility of disclosures for law enforcement purposes under the HIPAA Privacy Rule.

** It is important to remember that the information blocking exceptions defined in 45 CFR part 171 subparts B and C are voluntary, offering actors certainty that any practice meeting the conditions of one or more exceptions would not be considered information blocking. An actor’s practice that does not meet the conditions of an exception would not automatically constitute information blocking. Rather, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. (See, e.g., IB.FAQ29.1.2020NOV).

ID:(IB.FAQ49.1.2023APR)

Preventing Harm Exception

In which patient access cases does the Preventing Harm Exception recognize “substantial harm”?

The Preventing Harm Exception at 45 CFR 171.201 relies on the same types of harm as apply for a covered entity to deny access to protected health information under the HIPAA Privacy Rule (see 45 CFR 164.524(a)(3)). Where an actor's practice, based on an individualized (45 CFR 171.201(c)(1)) determination of risk, is likely to interfere with a patient's or patient representative's access, exchange, or use of the patient's EHI, the type of harm (45 CFR 171.201(d)) needed for the exception to apply depends on who is seeking access to the EHI, and what EHI they are seeking to access (note 4).

The table below shows the type of harm recognized under the Preventing Harm Exception for several commonly encountered patient access scenarios (note 1).

| Access, exchange, or use of patient's EHI | EHI for which access, exchange, or use is affected by the interfering practice is | Applicable type of harm (note 1) | Regulation Text References |
|---|---|---|---|
| Patient exercising own right of access | Patient's EHI | Danger to life or physical safety of the patient or another person | § 171.201(d)(3), referencing HIPAA Privacy Rule § 164.524(a)(3)(i) |
| Patient exercising own right of access | Patient's EHI that references another person | Substantial harm to such other person | § 171.201(d)(2), referencing HIPAA Privacy Rule § 164.524(a)(3)(ii) |
| Patient's personal representative as defined in HIPAA Privacy Rule (45 CFR 164.502) exercising right of access to patient's EHI (for example, parent of a minor child) (note 2) | Patient's EHI | Substantial harm to the patient or to another person | § 171.201(d)(1), referencing HIPAA Privacy Rule § 164.524(a)(3)(iii) |
| Patient's personal representative as defined in HIPAA Privacy Rule (45 CFR 164.502) exercising right of access to patient's EHI (for example, parent of a minor child) (note 2) | Patient's EHI that references another person | Substantial harm to such other person | § 171.201(d)(2), referencing HIPAA Privacy Rule § 45 CFR 164.524(a)(3)(ii) |

Notes:

1 - For simplicity of presentation, this table focuses only on patient access use case examples where risk has been determined on an individual basis (45 CFR 171.201(c)(1)). Where the risk arises from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason (45 CFR 171.201(c)(2)), the exception's applicable type of harm conditions (45 CFR 171.201(d)(3) and (4)) recognize only danger to life or physical safety of the patient or another person.

2 - For more information about the definition of a “personal representative” under the HIPAA Privacy Rule, please see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html

3 - “Substantial harm” includes “substantial physical, emotional, or psychological harm” (see, for example, HIPAA Privacy Rule preamble at 65 FR 82556).

4 - In order for the Preventing Harm Exception to cover any practice likely to interfere with access, exchange, or use of EHI based on an individualized (45 CFR 171.201(c)(1)) determination of risk, the practice must also satisfy requirements in 45 CFR 171.201(a), (b), (e), and (f).

For more information about the Preventing Harm Exception, please reference the ONC Cures Act Final Rule preamble discussion and the other FAQs under the Preventing Harm Exception heading.

For more information about the HIPAA Privacy Rule, the Privacy Rule individual right of access, or grounds for denial of access under the Privacy Rule, please visit the Health Information Privacy section of the HHS website.

ID:IB.FAQ42.1.2022FEB

Where the patient is a minor and to avoid breaching the patient’s confidentiality and trust with the provider, will the Preventing Harm Exception cover an actor’s practices that interfere with a parent or legal representative’s access, exchange, or use of the minor’s EHI?

No. Unless an actor reasonably believes a practice that interferes with a parent or other legal representative’s requested access, exchange, or use of the minor’s electronic health information (EHI) will substantially reduce a risk of at least substantial harm to the patient or another person, the Preventing Harm Exception is not designed to cover that practice.

The Privacy Exception contains a sub-exception (45 CFR 171.202(e)) that covers practices respecting an individual’s request not to share information, subject to certain conditions.

ID:IB.FAQ31.1.2021JAN

Do the Preventing Harm Exception requirements for the type of harm align with the HIPAA Rules?

Yes. The Preventing Harm Exception’s type of harm condition relies on the same types of harm that serve as grounds for reviewable denial of an individual’s right of access under the Privacy Rule (45 CFR 164.524). (See ONC Cures Act Final Rule preamble Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards.)

In most instances, including where a practice interferes with a patient’s own or the patient’s other health care providers’ legally permissible access, exchange, or use of the patient’s electronic health information (EHI), coverage under the Preventing Harm Exception requires that the risk be of physical harm. (See 45 CFR 171.201(d)(3) and (4).)

However, the Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI and to the patient’s or their representative’s access to other persons’ individually identifiable information within the patient’s EHI in some circumstances. (See 45 CFR 171.201(d)(1) and (2)).

ID:IB.FAQ32.1.2021JAN

Would the Preventing Harm Exception cover a “blanket” several day delay on the release of laboratory or other test results to patients so an ordering clinician can evaluate each result for potential risk of harm associated with the release?

No. Blanket delays that affect a broad array of routine results do not qualify for the Preventing Harm Exception. The Preventing Harm Exception is designed to cover only those practices that are no broader than necessary to reduce a risk of harm to the patient or another person.

As we discussed in the Cures Act Final Rule, a clinician generally orders tests in the context of a clinician-patient relationship. In the context of that relationship, the clinician ordering a particular test would know the range of results that could be returned and could prospectively formulate, in the exercise of their professional judgment, an individualized determination for the specific patient that:

  • withholding the results of the particular test(s) from the patient would substantially reduce a risk to the patient’s or another person’s life or physical safety
    - or -
  • that withholding the results of the particular test(s) from a representative of the patient would substantially reduce a risk of substantial harm to the patient or another person.

Such individualized determinations made in good faith by an ordering clinician, in the exercise of their professional judgment and in the context of the treatment relationship within which they order the test, would satisfy the type of risk and type of harm conditions of the Preventing Harm Exception. Actors, including but not limited to the ordering clinician, could implement practices in reliance on such determinations and the Preventing Harm Exception would cover such practices so long as the practices also satisfy the other four conditions of the exception.

ID:IB.FAQ33.1.2021JAN

Will the Preventing Harm Exception cover practices interfering with a patient’s access, exchange, or use of their EHI only for the purposes of reducing an imminent or immediate risk of harm? 

No. The reasonable belief condition does not include a requirement that the harm be expected to occur within a particular time period or that the likelihood of the harm be high enough to be considered “imminent.” (See 45 CFR 171.201(a)). The Preventing Harm Exception’s reasonable belief condition requires an actor engaging in a practice likely to interfere with a patient’s access, exchange, or use of their own EHI to have a reasonable belief that the practice will substantially reduce a risk to life or physical safety of the patient or another person that would otherwise arise from the affected access, exchange, or use.

ID:IB.FAQ34.1.2021JAN

Where the patient is a minor and to reduce a risk of harm other than physical abuse, will the Preventing Harm Exception cover an actor’s practices that interfere with a parent or legal guardian’s access, exchange, or use of the minor’s EHI?

Yes, where the risk of harm has been determined on an individualized basis and all other conditions of the Preventing Harm Exception are met. For example, the practice must be no broader than necessary and the actor must reasonably believe the practice will substantially reduce the risk of harm. (For all the conditions of the Preventing Harm Exception, please see 45 CFR 171.201.)

For purposes of the Preventing Harm Exception, a parent or legal guardian would be considered a patient’s legal representative. The Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI. (See 45 CFR 171.201(d)(1)).

The type of harm conditions for Preventing Harm Exception coverage of practices interfering with patients’ and their representatives’ access to EHI on the basis of an individualized determination of risk are specifically aligned with the HIPAA Privacy Rule’s grounds for reviewable denial of an individual’s right of access under the Privacy Rule. (See also ONC Cures Act Final Rule preamble discussion and Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards).

ID:IB.FAQ35.1.2021JAN

Enforcement

What are the applicability dates and enforcement dates for the information blocking regulations?

The applicability date for the information blocking regulations in 45 CFR part 171 was established in the ONC Cures Act Final Rule, and was subsequently adjusted in the ONC Interim Final Rule. The Interim Final Rule moved the applicability date from November 2, 2020 to April 5, 2021.

The Interim Final Rule also revised the information blocking definition in 45 CFR 171.103 to adjust the timeframe for the “USCDI limitation.” Before October 6, 2022, electronic health information (EHI) for the purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.

Enforcement of the information blocking regulations depends upon the individual or entity that is subject of an enforcement action or "actor." For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General posted its final rule implementing information blocking penalties. For health care providers, HHS has posted its proposed rule to establish appropriate disincentives as directed by the 21st Century Cures Act. For additional information, see the Disincentives Proposed Rule Overview fact sheet and the Disincentives Common Questions fact sheet.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

ID:IB.FAQ36.2.2024APR

How does the HHS Office of Inspector General’s (OIG’s) Information Blocking investigative and enforcement authority apply to actors?

Under section 4004 of the 21st Century Cures Act (Cures Act), the HHS OIG has authority to investigate any claim that health care providers, health information networks (HINs) and health information exchanges (HIEs), and health IT developers of certified health IT (collectively defined as “actors” in 45 CFR 171.102) have engaged in information blocking.

For actors HHS OIG determines have committed information blocking, enforcement consequences depend upon the actor involved.

  • For health IT developers of certified health IT and HINs/HIEs (as defined in 45 CFR 171.102), the Cures Act subjects these entities to civil monetary penalties if HHS OIG determines they committed information blocking. Under the Cures Act, these penalties could be up to $1 million per violation. The HHS OIG has issued a final rule on this enforcement authority.
  • For health care providers (as defined in 45 CFR 171.102), the Cures Act authorizes the Secretary of Health and Human Services to establish appropriate disincentives through notice and comment rulemaking. HHS has posted a final rule to establish appropriate disincentives as directed by the 21st Century Cures Act. For additional information, see the Disincentives Final Rule Overview fact sheet and the Disincentives Common Questions fact sheet.

Updated:

This FAQ has been updated pursuant to the Provider Disincentives Final Rule.

ID:IB.FAQ50.3.2024AUG

Reporting Claims of Information Blocking

If I experience information blocking, how do I submit a complaint to HHS?

Anyone who believes they may have experienced or observed information blocking by any health care provider, health IT developer of certified health IT, or health information network or health information exchange is encouraged to share their concerns with us through the Information Blocking Portal on ONC’s website, HealthIT.gov.

Please see the other questions under this heading for more information about reporting claims of potential information blocking. For more information about applicability dates and enforcement dates for the information blocking regulations, please review the question(s) under the “Enforcement” heading.

Updated:

This FAQ has been updated to reflect that we have passed the applicability date (4/5/2021) for the information blocking regulations, and to simplify the internal reference in the final paragraph.

ID:IB.FAQ02.2.2021JUL

What happens after I report information blocking through the Information Blocking Portal on ONC’s website, HealthIT.gov?

The Cures Act, passed by Congress in 2016, directs ONC to implement a standardized process for the public to report claims of potential information blocking, and gives the HHS Office of Inspector General (OIG) the responsibility of investigating any claim of potential information blocking. Once a report is received, ONC will confirm receipt with the submitter, and the report is automatically assigned a tracking number (e.g., IB-XXX). Depending on the facts and details included in the complaint, ONC may contact the submitter for additional information.

ONC has authority to review claims of potential information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, OIG has authority to investigate claims of potential information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT. Therefore, upon receiving a claim of potential information blocking, ONC shares the claim with OIG. ONC makes every effort to share these claims of information blocking within two business days of receipt. To contact OIG about a claim of potential information blocking, please use the OIG Hotline via the web at https://oig.hhs.gov/fraud/report-fraud/index.asp or by phone at 1-800-HHS-TIPS (1-800-447-8477). Please note that the OIG Hotline will not be able to respond to any inquiries about action taken in response to a complaint. For more information, please see OIG’s Hotline website: https://oig.hhs.gov/fraud/report-fraud/before-you-submit/.

For more information about applicability dates and enforcement dates for the information blocking regulations, please review the question(s) under the “Enforcement” heading.

ID:IB.FAQ01.1.2021JUL

Can I report information blocking anonymously?

Yes. Anyone who chooses to report their concerns through the Information Blocking Portal can choose to do so anonymously.

However, if you do submit an anonymous report, we will not be able to contact you, and you will not be able to revisit your report, to add information or clarify your concern. Therefore, it is important to ensure you include all the information that you want us to have about your concern.

In addition, as specified in the 21st Century Cures Act, please note that any information received by ONC in connection with a claim or suggestion of possible information blocking and that could reasonably be expected to facilitate identification of the source of the information would fall under protections in section 3022(d)(2) of the Public Health Service Act. These protections limit the public disclosure of the source of the information.

ID:IB.FAQ03.1.2020NOV