Information Blocking: What to Know About ONC’s Final Rule

The 21st Century Cures Act was signed on December 13, 2016, with the purpose to promote and fund the acceleration of research into preventing and curing serious illnesses; accelerate drug and medical device development; attempt to address the opioid abuse crisis; and try to improve mental health service delivery. The Act includes a number of provisions that push for greater interoperability, adoption of electronic health records (EHRs) and support for human services programs.


You may be wondering what Information Blocking is, and what it has to do with you and the services you provide. To start, we need to first define Information Blocking and Electronic Health Information:

Information Blocking: As defined by Congress, Information Blocking is anything that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information (EHI). The Office of the National Coordinator was given the responsibility for the implementation of the Rule.

Electronic Health Information (EHI): HHS defines electronic health information, or EHI, to mean electronically protected health information (ePHI) as defined in HIPAA, to the extent that ePHI would be included in a designated record set. Of note is that de-identified data (e.g., such as de-identified patient data collected for research purposes) is excluded from the definition of EHI and may be exchanged without concern.

Now for the question of what it means to you. The first thing to know is that until someone comes knocking on your door for information, there are no active steps your organization needs to take at this point. When you do get a request for information, Foothold will work with you on your data sharing journey and help you determine if an exemption applies. You can take comfort in the fact that AWARDS is a Certified EHR and meets the condition of certification, and will continue to do so as the CURES Act is implemented and new conditions are set. Your only job right now is to ensure you understand the rule and its exemptions, so that you know when to reach out to us for assistance. 

Background Information

This landmark legislation was a bipartisan bill, passed by a Republican Congress and signed by a Democratic President. At the time, it was called the “most important bill of the year.” While the bill is largely known to help fund efforts such as precision medicine, it contains some provisions to improve healthcare IT — most notably, in relation to nationwide interoperability and information blocking. A number of sections of the law focus on “improving quality of care for patients,” with interoperability a main concern. One of the major themes of the Act is the strong emphasis on providing patients access to their electronic health information that is “easy to understand, secure and updated automatically.” It has taken many years for much of the law to become reality. However, on May 1st, 2020, ONC’s Cures Act Final Rule on Information Blocking was officially published. The release of this rule has rightfully created a wave of comments, concerns, jubilation, and other emotions throughout the healthcare industry.  

It is also helpful to look at the genesis of the Information Blocking Rule. There is not one single answer, but instead a variety of different forces involved. Over the past number of years, the emphasis has been on making sure that individuals have access to their own health information. That health information could be used in a variety of ways to improve care and address patient safety issues. With this increased emphasis on health literacy and individual health promotion, there has been an explosion of interest in the development of healthcare apps with companies seeking data to meet the needs of patient/consumer-focused applications. Having the ability to access this information and make it available to individuals and practitioners became a priority to the Federal Government, which is reflected in the CURES Act.

Information Blocking in the World Of Behavioral Health And I/DD

If the new Cures Information Blocking Rules have not been at the top of your “need to learn about” list, you are likely not alone. In the world of Behavioral Health and I/DD services, there have been strict rules surrounding the release of behavioral health information, a lack of data standardization, and a relative lack of external access to data. While most of the healthcare world has very sophisticated standardized data sets with full interoperability functionality, the Behavioral Health and I/DD provider community as a whole does not have these two attributes.

Yes, there are pockets of sophisticated data sets and a few providers whose EHRs have sophisticated interoperability functionality, but the majority of data generated is free text and not standardized. Moreover, the adoption of certified EHRs is not on par with the adoption rates of certified EHRs for primary care and other specialty areas. Primarily, this is because the majority of Behavioral Health and I/DD practitioners were not eligible professionals covered by the Meaningful Use program.  

While the impact of the Information Blocking Rules on the Behavioral Health and I/DD world is not completely clear at this point in time, it is clear that the demand for data in the primary care setting and other specialty areas has already exploded. With the primary impetus of this Rule being to address issues with the ability to access, transmit, and consume this information in a relatively easy way, it is likely only a matter of time before the demand for data in the Behavioral Health and I/DD world will grow exponentially like it has in the primary care world. 

There have been many concerns with the gathering of PHI for these applications, the obvious ones are privacy and security, standardization of data, and protocols from a technical perspective. But there is also the responsibility to provide this information in a consumable and timely manner. Many of these concerns are addressed in the Rule, but time will tell how they play out, and Foothold will continue to monitor these concerns closely. We will continue to be your guide in this process, helping you understand the basics, and working closely with you when you receive formal requests for information.

Information Blocking Details

It is important to realize that Information Blocking is more than just a nebulous set of conditions that pertains to certification, and rather is now a relatively well-defined practice with penalties and exceptions. If you are deemed to have blocked information for any reason other than the acceptable exceptions, you are liable for significant fines. Note that compliance is not required until six months after publication in the Federal Register. So what do you need to know?

Key Pieces of Information in the Rule

In the Final Rule, ONC defines and outlines information blocking and/or those activities that are considered likely to interfere with the access, exchange, or use of EHI, by “actors”. Actors are defined as healthcare providers, Health IT developers of Certified Health IT, and Health Information Exchanges (HIEs) and Health Information Networks (HINs). In the Final Rule, ONC defines some additional key terms, including “electronic health information,” (EHI) which updates the general definition of “protected health information” (PHI) under HIPAA. For developers of EHRs, the Rule also provides guidance on how they must comply with these information blocking provisions as a “Condition of Certification.” 

Information that Can Be Requested and What Has to Be Shared

This can get somewhat complicated, because another part of the CURES act marks a shift from Common Clinical Data Set (CCDS) to the United States Core Data for Interoperability (USCDI). The deadline for Health IT developers to update their software to the USCDI standard is 24 months after publication of the Cures Act in the Federal Register. This will mean the USCDI and the CCDS will coexist in some fashion for the next two years. The USCDI will receive regular annual updates, expanding the data set standard for exchange. The USCCI includes new data classes and elements, including support for: provenance of data, clinical notes, pediatric vital signs, address, email and phone number.  

information sharing

Exceptions to Information Blocking

One of the most critical pieces of the Final Rule was the creation of eight exceptions to information blocking, for when actors should not or do not have to exchange EHI with other actors other entities, such as other actors requesting information. These exceptions are as follows: 

1) Preventing Harm Exception

It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.

2) Privacy Exception

It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy, provided at least one of the following conditions are met:

  • Precondition not satisfied.
  • Health IT developer of certified health IT not covered by HIPAA.
  • Denial of an individual’s request for their EHI consistent with HIPAA.
  • Respecting an individual’s request not to share information. 

3) Security Exception

It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the security of EHI, provided certain conditions are met. 

4) Infeasibility Exception

It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.

The practice must meet one of the following conditions:

  • Uncontrollable events.
  • Segmentation.
  • Infeasibility under the circumstances.

The actor must provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible.

5) Health IT Performance Exception

It will not be information blocking for an actor to make health IT temporarily unavailable or to degrade the health IT’s performance, provided certain conditions are met.

6) Content and Manner Exception

It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.

  • Content Condition: Establishes the content an actor must provide in response to a request to access, exchange, or use EHI in order to satisfy the exception.
  • Manner Condition: Establishes the manner in which an actor must fulfill a request to access, exchange, or use EHI in order to satisfy this exception.

7) Fees Exception

It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.

8) Licensing Exception

It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met:


Many of the topics covered in this summary were done at a very high level, and each carries significantly more detail to them. If you are interested, I am happy to discuss any and all of this in further detail – just reach out and ask to speak to me. The key takeaway to remember here is that Foothold is your partner in Information Blocking and we are here to help.