Our Net Health compliance experts assembled this FAQ to help our customers understand information blocking.
What is information blocking in Healthcare?
In general, information blocking is a practice by a health IT developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of Health and Human Services (HHS) as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI). Reference 45 CFR §171.103.
What are examples of information blocking?
- Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law;
- Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI;
- Limiting or restricting the interoperability of health IT, such as disabling or restricting the use of a capability that enables sharing EHI with users of other systems or restricting access to EHI by certain types of persons or purposes that are legally permissible, or refusing to register a software application that enables patient access to their EHI (assuming there is not a legitimate security reason that meets the conditions of the Security Exception, mentioned further below);
- Implementing health IT in ways that are likely to restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems. This would include acts that make transitions between certified health information technologies more challenging (e.g., an EHR vendor charging excessive fees or using tactics to delay a practice’s switch from their EHR to another vendor’s EHR);
- Acts that lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT;
- Restrictions on access, exchange, and use, such as may be expressed in contracts, license terms, EHI sharing policies, organizational policies or procedures or other instruments or documents that set forth requirements related to EHI or health IT, such as Business Associate Agreements (BAAs); and
- Rent-seeking (e.g., gaining larger profits by manipulating economic conditions) or other opportunistic pricing practices.
What kind of information must be shared under this rule?
Any requested health information unless it meets one of the exemptions/exceptions.
Are there any exceptions?
There are two categories of info blocking exceptions:
Category 1: Exceptions that involve not fulfilling requests to access, exchange, or use electronic health information (EHI)
- Preventing Harm Exception: It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.
- Privacy Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI to protect an individual’s privacy, provided certain conditions are met.
- Security Exception: It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI to protect the security of EHI, provided certain conditions are met.
- Infeasibility Exception: It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.
- Health IT Performance Exception: It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.
Category 2: Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI:
- Content and Manner Exception: It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the way it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
- Fees Exception: It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.
- Licensing Exception: It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.
Who must comply?
The Cures Act specified four types of entities referred to as “Actors” who must comply with info blocking requirements:
- Health care providers;
- Health IT developers of certified health IT;
- Health Information Networks (HINs) or HIEs (HIN and HIE are combined into one defined type in the Final Rule).
Who is a health care provider?
Same meaning as “health care provider” at 42 U.S.C. 300jj. This includes hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center, renal dialysis facility, blood center, ambulatory surgical center, emergency medical services provider, Federally qualified health center, group practice, pharmacist, pharmacy, laboratory, physician, practitioner, provider operated by, or under contract with, the IHS or by an Indian tribe, tribal organization, or urban Indian organization, rural health clinic, a covered entity ambulatory surgical center, therapist, and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary.
Is there a timeline for compliance?
All Actors have been subject to the Information Blocking rules and regulations as of April 5, 2021, with a requirement to be able to share USCDI data elements electronically. As of October 2022, actors must be able to share all EHI electronically. By December 2022, all actors must be able to share all EHI via FHIR API.
How will this rule be enforced?
The rule is not clear on enforcement date, enforcement mechanism, and whether it applies to certain provider types, such as assisted living (especially medical model), hospice, etc. On the provider types question, specificity from a facility’s point of view for hospice or assisted living is more difficult because of variations in the organizational structure, which may also be impacted by other laws such as state licensing requirements. However, if a facility or an individual care provider within that facility is a HIPAA-covered entity, the organization or the individual is a health care provider under the information blocking provisions.
The Office of Inspector General (OIG) is working on rulemaking for enforcement and penalties for Health IT developers and will do the same for care providers afterward.
Why are colleagues talking about USCDI data elements?
The United States Core Data for Interoperability (USCDI) is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. The information blocking definition (45 CFR §171.103) provides that before October 6, 2022, electronic health information (EHI) is limited to the subset of EHI represented by the data elements identified by the USCDI standard. On and after October 6, 2022, the information blocking regulations in 45 CFR part 171 pertain to all EHI as defined in 45 CFR §171.102.
What is EHI?
The Cures Act Final Rule defines EHI as electronic protected health information (ePHI) as set out in the Health Insurance Portability and Accountability Act (HIPAA). In short, EHI is any information used to make a decision about a patient’s treatment or health care or used for payment of healthcare services. Currently, the requirement to share patient health information is limited to patient data represented by the USCDI. The USCDI data elements represent a limited subset of EHI. Reference 45 CFR §171.102.
Is Billing and Payment information considered EHI?
Yes, HIPAA states that a group of records “…that is a provider’s medical and billing records about an individual or a health plan’s enrollment, payment, claims adjudication, and case or medical management record systems” constitute EHI. Reference 45 CFR §164.501.
Moreover, HIPAA defines “health care provider” as: “Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule.” Reference 45 C.F.R. §§ 160.102, 160.103; see Social Security Act § 1172(a)(3), 42 U.S.C. § 1320d-1(a)(3).
As a provider, what do I need to do now to comply?
By actively responding to information requests and offering to provide only the information content requested that you currently have, in a format and manner that is available and feasible to you at the time without delay, unless the request meets any of the above-mentioned exemptions or exceptions.
When information is requested, you should provide the information by whatever means or capabilities are available to you, such as patient/family portals, available APIs, personal health record apps, or encrypted email attachments.
Am I required to update my IT infrastructure and connections to other providers to comply with the rule?
Providers must comply with requests for only the information content that they have, in a manner that is feasible to them at the time of the request, regardless of the IT infrastructure, health IT systems they use (or not), etc., unless they meet an exception.
Do Health Care Providers need to purchase new technology to comply with this rule?
No! To the best of our knowledge, providers who did not receive Health IT Adoption Incentives through the HITECH Act are not required to purchase new technology or upgrade their existing technology to comply. You just need to make the best effort to comply with requests providing the information you have, if/when permissible, in the format that you currently have it, and in a manner that is feasible within your current information systems’ capabilities.
What is Open Notes?
OpenNotes is an industry-led coalition that is focused on a set of principles they have defined which include certain technical approaches. The ONC rule does not reference or endorse that organization or any such principles. Clinical notes are one of the types of information included under both the United States Core Data for Interoperability (USCDI) and the broader definition of electronic health information (EHI). Clinical notes may already be considered protected health information under HIPAA’s definition of a designated record set and therefore are already subject to a patient’s right of access. In addition, the information blocking provisions do not set any specific requirements around the technology or standards required for EHI, including clinical notes.