By the EHR Association Information Blocking Compliance Task Force

This blog marks the beginning of a series by the EHR Association on information blocking – what it is and what the “reasonable and necessary activities” are that constitute exceptions as defined by ASTP/ONC regulations. Given that it has been five years since the initial release of information blocking regulations and the recent renewal of focus on enforcing the law, this is an opportune time for a refresher on the topic.

Our goal with this series is to educate our membership and other impacted stakeholders on information blocking requirements and exceptions. This first installment shares the history and description of information blocking requirements. Future blogs will illustrate how we expect exceptions to be used and will highlight ambiguities and/or challenges with the framework that we believe will be insightful to regulators and other interested parties. 

History of Information Blocking

The prohibition against information blocking originated in 2016 with the passage of the 21^st Century Cures Act (see Section 4004, beginning on page 144). It establishes information blocking as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information” (EHI). 

The rule states that when undertaken by health IT developers, exchanges, or networks, information blocking occurs when those entities know or should know that “such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of” EHI.

The rule states that when undertaken by health IT developers, exchanges, or networks, information blocking occurs when those entities know or should know that “such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of” EHI. The bar for healthcare providers is slightly lower, as misconduct only occurs if it is by a provider who “knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use” of EHI. “Should know” is not a standard applied to providers.

The rule goes on to describe information blocking practices as including those that:

• Restrict authorized access, exchange, or use under applicable State or Federal law for treatment and other permitted purposes, including transitions between certified health IT; 
• Implement health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI; and 
• Implement health IT in ways that are likely to restrict the access, exchange, or use of EHI with respect to exporting complete information sets or transitioning between health IT systems; or
• Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

The statute prohibits regulated actors from information blocking unless the action being taken is required by law or identified as a “reasonable or necessary activity” by the HHS Secretary.

The statute prohibits regulated actors from information blocking unless the action being taken is required by law or identified as a “reasonable or necessary activity” by the HHS Secretary. Other provisions of the 21^st Century Cures Act make avoiding information blocking a Condition of Maintenance of Certification in ONC’s certification program. 

Prior to the publication of Cures, ONC issued Information Blocking in 2015. The report identified challenges with interoperability between providers for treatment purposes, citing issues including certified health IT that required providers to use a particular Health Information Service Provider (HISP) rather than working with the HISP of their choice. Another was the accusation that hospitals or health systems block information to control referral patterns.

The first implementation of these provisions was in attestations required of providers in MIPS and PI. When submitting data for those programs, providers make attestations that match the practices described in the rule. Information blocking itself was not defined in the regulation nor implemented until the May 2020 final rule, which also defined regulated actors and eight exceptions: 

1. Safety
2. Privacy
3. Security
4. Infeasibility
5. Health IT Performance
6. Content and Manner
7. Fees
8. Licensing

The regulation underwent a staged rollout, starting with the prohibition of information blocking of USCDI version 1 data classes. That was followed by a more comprehensive requirement specific to the fuller definition of EHI. 

Response Themes

Immediate patient access to their health information was a key theme across the industry in response to that regulation. The inclusion of notes and lab results in USCDI v1 prompted a surge in the implementation of Open Notes and the rapid sharing of provider notes with patients in patient portals and via patient-facing FHIR APIs. 

Immediate patient access to their health information was a key theme across the industry in response to that regulation … Another significant theme was the removal of delays in the electronic release of lab results to patients through a patient portal or via FHIR APIs.

Another significant theme was the removal of delays in the electronic release of lab results to patients through a patient portal or via FHIR APIs. Previously, it was common for providers to review lab results prior to making them available to the patient, or to introduce a delay to permit the provider to review if merited by the results. Discussion in the final rule and subsequent FAQs identified delaying the release of results as a practice that might implicate information blocking. As a result, many providers moved to the immediate release of results, with some highly publicized examples where patients would have preferred to learn of their results through another channel.

In response to some of the examples and complaints, Oregon, California, Tennessee, and Kentucky passed state laws requiring the release of potentially life-changing lab results to be delayed before making them electronically available, adding to the implementation’s complexity.

In December 2023, ONC published the regulation known as HTI-1, which updated several information blocking-related definitions, added two new conditions to the Infeasibility Exception, reframed the Content and Manner Exception as the Manner Exception, and introduced the TEFCA Manner Exception. The subsequent HTI-2 Final Rule, issued in December 2024, did not alter the TEFCA Manner Exception; however, it did adopt TEFCA-related definitions. 

Additionally, the HTI-3 Final Rule, effective in December 2024, revised the Privacy Exception and Infeasibility Exception and introduced the Protecting Care Access Exception.

Enforcement Complexities

Under the 21st Century Cures legislative language, enforcement of information blocking regulations is to be carried out by the HHS OIG.  OIG began doing so in September 2023 for health IT developers, health information networks, and health information exchanges. The agency subsequently began investigating claims against providers in August 2024.  (ONC frequently discusses information blocking enforcement and other related activity on its blog, HealthITBuzz.)

Adding to the complexity of information blocking regulations is the enforcement of state laws, particularly those that involve permissive laws that allow providers to withhold EHI in certain situations. State laws that permit withholding of EHI, even if not explicitly required by law, could be considered information blocking under the Cures Act if they interfere with access, exchange, or use of EHI, unless a specific exception applies. Some examples include state laws regarding privacy or sensitive information, such as those related to mental health or HIV, all of which can impact how information blocking rules are applied. 

Lawsuits based on assertions of information blocking that pursue local or district court adjudication processes rather than following the statutory requirements of HHS OIG investigations have caused additional confusion.

Conclusion

We hope this background on the information blocking legislation and evolution is helpful. Our next blog in this series is planned on the Manner Exception.