The New Patient Health Care Records ‘Blocking Rule’ Healthcare Providers Must Comply With, Becomes Effective on April 5, 2021



The Office of the National Coordinator for Health Information Technology (ONC) has released the final rule on information blocking, which becomes effective April 5, 2021. Entities that must comply with this rule include health care providers, health IT developers of certified health IT, health information networks, and health information exchanges. To find out more about the rule and the applicable exceptions, read along!

Information blocking, also known as info blocking, refers to business, technical, and organizational practices that materially discourage or hinder the access, use, or exchange of electronic health information (EHI).


These practices can occur in many forms. For physicians, info blocking may be experienced when:

       trying to access patient records from other providers,

       connecting their electronic health record (EHR) systems to local health information exchanges (HIEs),

       migrating from one EHR to another, or

       linking their EHRs with a clinical data registry.

On the other hand, patients can experience this hindrance when trying to access their medical records or send their records to another provider.


In March 2020, the Office of the National Coordinator for Health Information Technology (ONC) released a final rule for the proposed 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program. The rule was published in the Federal Register on May 1, 2020, and becomes effective on April 5, 2021.

Who is affected by this rule?

According to the Cures Act, there are four types of entities, often referred to as “Actors”, who must comply with info blocking requirements, and they include:

       Health care providers

       Health IT developers of certified health IT

       Health information networks (HINs)

       Health information exchanges (HIEs)


Starting from April 5, 2021, all of these Actors will be subject to ONC’s info blocking rules and regulations.


Thus, health care providers have to check their existing agreements, policies, procedures, and business practices to know how they may be affected by the new info blocking rules.

What is included in info blocking practices?

Info blocking practices may include but are not limited to:

       Certain practices that restrict authorized access, exchange, or use of vital information for treatment and other permitted purposes under applicable state or federal law

       The implementation of health IT in nonstandard ways, which are likely to substantially increase the difficulty in accessing, exchanging, or using EHI

       Actions that restrict the interoperability of health IT, such as restricting the use of a capability that enables users to share EHI with users of other systems, limiting access to EHI by certain types of persons or purposes that are legally permissible, and not registering a software application that enables patients to gain access to their EHI — if there is no legitimate security reason that meets the conditions of the Security Exception

       Rent-seeking actions, such as gaining larger profits by manipulating economic conditions, or other opportunistic pricing practices


With this info blocking rule, physicians must respond and release patients’ medical records — for nearly all EHI requests — unless an appropriate exception can be identified and used.

What are the exceptions to the rule?

There are many exceptions to the info blocking rules. Primarily, the exceptions are categorized into two groups:


1. Those that are related to not fulfilling requests to access, exchange, or use EHI

The exceptions under this group are as follows:

       Preventing-harm exception: This exception can be used in situations where the physician holds a reasonable belief that the practice will substantially reduce the risk of physical harm to a patient or another person. Such situations include:

                   •       Refusing to share data that is corrupt, inaccurate, or erroneous.

                   •       Refraining from sharing data arising from misidentifying a patient or mismatching a patient’s EHI.

                   •       Refusing to disclose information that would endanger the life or physical safety of a patient or another person. This determination must have been made in the context of a current or prior clinician-patient relationship.

       Privacy exception: This exception allows an actor to avoid disclosing EHI in a way that is prohibited under state or federal privacy laws.

       Security exception: This exception covers different security reasons for not disclosing EHI. The general condition is that a practice is not info blocking if it is directly related to safeguarding the confidentiality, integrity, and availability of EHI; tailored to the specific security risk being addressed; and implemented in a manner that is consistent and nondiscriminatory. Furthermore, actors and their security-related practices can satisfy the proposed exception via written organizational policies or determinations on a case-by-case basis under particular facts and circumstances. So, a practice must meet both:

                   •       the general conditions, and

                   •       either of the requirements for organizational policies or case-by-case determinations.

       Infeasibility exception: This exception acknowledges that there are legitimate practical challenges that may limit an Actor’s ability to comply with requests for access, exchange, or use of EHI. It could be that an actor does not have — or may be unable to obtain — the requisite technological capabilities, legal rights, or other means necessary to enable access, exchange, or use. An example is when there’s an uncontrollable event, such as a natural or man-made disaster or public health emergency. In this case, the Actor must provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible.

        Health IT performance exception: This exception acknowledges that for health IT to work efficiently, it must be maintained and, in some instances, improved. This may require that health IT be taken offline temporarily. Hence, it will not be information blocking if an actor takes reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, as long as certain conditions are fulfilled.

2. Those that are related to the procedures for fulfilling requests to access, exchange, or use EHI

The exceptions under this category include:

        Content and manner exception: Under this exception, healthcare providers may choose to limit the content of the response to a request to access, use, or exchange EHI, as well as the manner in which the actor may fulfill the request.

       Fees exception: With this exception, it will not be information blocking if an actor charges a fee — even if it results in a reasonable profit margin — for accessing, exchanging, or using EHI, as long as certain conditions are met.

       Licensing exception: This exception is not likely to affect physicians and other providers. Instead, it is most likely to apply to EHR vendors.


For more information on the exceptions, check here.

What physicians should know

While the info blocking rules hold, physicians are still required to follow state or federal laws applicable to the release of medical records.


Another important thing to note is that documentation is a major component of a physician’s compliance with info blocking and the use of exceptions. It is important to include, in your documentation, the specific facts and circumstances associated with your decision to use an exception.


Penalties for actors found to have committed information blocking

The penalties for actors found to have committed information blocking are as follows:

       Health IT developers of certified health IT, health information networks, and health information exchanges can be subject to civil monetary penalties (CMPs) of up to $1 million per violation.

       Health care providers are subject to appropriate disincentives, which will be established by the Secretary.