Information blocking /

Information Blocking: What No One Is Talking About

Learn everything you need to know about information blocking.

Read Time
Chapter 1

What is Information Blocking?

Information blocking is the practice of restricting the access, exchange, or use of EHI from patients, on an unfair basis. Unfair restrictions include:

Inability to Share Data
Fees Exceeding Costs
Slow Turnaround Times

Although the Cures Act Final Rule focuses on information blocking related to patient access to EHI, information blocking can occur between numerous actors. It can occur between a patient and a healthcare provider or between a healthcare provider and a health IT developer. If information is blocked between a physician and a vendor, essential medical treatments for patients could be delayed.

The issue of information blocking in healthcare technology has been addressed in various regulatory actions, most notably the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) and the 2016 Cures Act.

The HITECH Act and the Cures Act have worked to give patients more control over their health information and to standardize health technology. They have implemented standards that impact patient access, use, and exchange of EHI.

How the HITECH Act Impacted Information Blocking

The 2009 HITECH Act set aside $27 billion in financial incentives for healthcare providers and facilities to implement electronic health record (EHR) systems.

The HITECH Act resulted in a dramatic increase in EHR adoption. According to the HIPAA Journal, in 2008 only 10% of hospitals had adopted EHRs, but by 2017 96% of hospitals had adopted them. It also helped ensure that EHRs were compliant with HIPAA and security rules.

The HITECH Act Final Rule was later published in 2013 to address the issues that the EHR expansion caused for HIPAA regulations. The Final Rule requires the Department of Health and Human Services (HHS) to complete yearly audits to ensure that participating parties comply.

The 2009 HITECH Act was the first step towards a more accessible healthcare system for patients and providers alike, but it would take seven more years until the next step was taken.

How the Cures Act Impacted Information Blocking

The 2016 21st Century Cures Act was designed to help accelerate medical product development and bring innovations to patients faster and more efficiently. It hoped to improve clinical trial processes, mental health services, EHI interoperability, and research initiatives by:

  • Reducing administrative issues that may delay clinical trials
  • Improving data sharing among researchers
  • Increasing privacy measures for those who volunteer in clinical trials
  • Improving the timeliness of mental health services
  • Adoption of and improvement of EHR implementations
  • Encouraging the use of a diverse range of clinical trial volunteers

This is not an exhaustive list of all that the Cures Act sought to accomplish, but it was successful in its overall goal of bringing patients and their concerns to the forefront of medical development.

Notably, the Cures Act first defined “interoperability” for health IT:

The term ‘interoperability’, concerning health information technology, means such health information technology that enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user [and] allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law.

The definition above implies that the practice of information blocking is incongruent with interoperability, and in 2020 ONC released the Cures Act Final Rule, further specifying the patients’ rights to access their EHI without being hindered by information blocking practices. As with any new federal law, actors should be aware of the state and local laws where they are operating.

The Cures Act Final Rule extended the compliance deadline, which gave healthcare providers and health IT developers until October 6, 2022, to comply with the Cures Act.

Chapter 2

What is Electronic Health Information?

Electronic health information is the digital aggregate of a patient’s medical data and a key component of the Cures Act.

Electronic health information can be accessed by patients through various online platforms. This not only allows the patient to keep track of their own health records and advocate for themselves but also helps healthcare providers keep accessible records as well.

In the original version of the Cures Act, ONC listed the standardized data elements in a patient’s EHI, but as of October 6, 2022, the definition of information blocking no longer limits what’s considered EHI to the data elements represented in the United States Core Data for Interoperability version 1 (USCDI v1).

Electronic Health Information vs. Electronic Health Records

One might be inclined to use EHI and EHR interchangeably, but they are distinct terms that refer to different things. EHI, as defined in the HIPAA Privacy Rule, refers to “protected health information” that is transmitted or maintained electronically, to the extent that it would be individually identifiable and included in a designated record set (DRS). A DRS is a group of records maintained by or for a health plan or provider.

An electronic health record (EHR) is a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. While an EHR does contain the medical and treatment histories of patients, an EHR system is built to go beyond standard clinical data collected in a provider’s office and can be inclusive of a broader view of a patient’s care.

EHI is likely to be included in a patient’s more encompassing EHR, bringing the necessity of interoperability to the forefront of the conversation. Keeping the data flowing between the physician's office, insurance provider, EHR vendor, and ultimately back to the patient without major time delays or excessive fees leads to better healthcare and a better patient experience.

Chapter 3

Who is Impacted by Information Blocking Restrictions?

While the impact of the Cures Act is felt across the entire healthcare industry, a few actors are impacted more than others. In the context of information blocking, the Cures Act most dramatically affects those who deal with patient data and EHI, specifically healthcare providers and health IT developers. Given that the Final Rule put a major emphasis on the patient, it can be said that the patient is also largely impacted by this law.

Healthcare Providers and Facilities

Healthcare providers can be affected by information blocking, but they can also be perpetrators. As a result, providers are required to implement new policies to avoid information blocking. It is important that the implementation of new policies not be viewed with a negative connotation. The Cures Act gives healthcare providers more freedom regarding the access, use, and exchange of EHI.

Here are some of the changes that will impact healthcare providers:

  • Easier to respond to patient data requests
  • Termination of excessive fees and contractual obligations to continue using EHR systems
  • Clearer regulations regarding what constitutes information blocking and exceptions to information blocking regulations on the physician's part
  • Better choices for interoperability solutions for practices between EHR systems, calendar applications, diagnosis tools, and other digital applications and systems that may be used daily

Healthcare IT Developers

Due to the electronic nature of information blocking, healthcare IT developers will be under the most scrutiny when it comes to Cures Act compliance. It is important to note that information blocking includes acts and omissions, meaning actively blocking information and failing to include information are both considered to interfere with EHI.

Cures Act regulations will impact Healthcare IT Developers by requiring developers to:

  • Reprogram current EHR platforms to provide higher-quality interoperability
  • Design smartphone apps that allow for easy and secure patient access
  • Standardize interfaces so that information is accessible to those of all abilities
  • Adapt interfaces and software to comply with regulations
  • Lower fees and terminate unfair contractual obligations for physicians' continued use of EHR systems.

There are many unknown ways in which medical IT developers will be affected by the Cures Act, and other ONC laws still to come. Still, compliance at every step only increases the value of the product that is being developed.


The Cures Act, and specifically the Final Rule, was written to help patients gain more control over their EHI. Patients may have had to jump through multiple hoops to access, use or exchange their EHI, which not only causes delays in care but immense frustration with the healthcare system.

That frustration is often channeled toward the healthcare providers, who then channel their frustration toward their tech vendors charged with making health information accessible. Thanks to the Cures Act, here are a few ways the patient experience may improve:

  • Ease of exchange of patient EHI, especially in the case of specialists
  • Reduction or elimination of fees to access, exchange or use personal EHI
  • Smartphone applications for quick and secure access to personal EHI, while following HIPAA regulations
  • The ability for patients to choose which data of theirs an app can receive
  • Increased transparency of care outcomes and costs
  • The ability for patients to manage costs and shop for care
Chapter 4

Common Information Blocking Examples

Information blocking happens frequently, and providers may not even realize it is happening. Here are several situations that are considered information blocking:

  • Charging patients excessive fees that are not equal to the labor used to make the EHI available.

  • Limiting the length of time that a provider or patient can access information. For example, if the fees only grant one-time access or if the records are only available for a short window such as 48 hours.

  • Refusing to allow a patient reasonable access to EHI interfaces or platforms.

  • Restricting authorized access. For example, allowing only certain healthcare professionals to access the information or inputting unfair authorization processes.

  • Restrictions on how the EHI can be exchanged or shared. For example, through a lack of interoperability or file type specifications.

  • Charging healthcare providers excessive fees to switch from one EHR to another. Specifically, charging to export the data so that a physician can begin using a new EHR.

  • Using non-standardized language or technology to limit accessibility.

  • Implementing terms and conditions that limit, restrict and discourage access and use from several parties.

This list is not exhaustive, and unfortunately, there are many more ways in which information blocking can occur.


Top 5 Challenges with Interoperability in Healthcare

Read more
Chapter 5

How Information Blocking Created Opportunities for Health IT Developers

The Cures Act presents an opportunity for health IT developers to innovate new ways to provide interoperability in APIs and EHRs. The Cures Act creates a more competitive environment for developers to come up with processes that offer better access and exchange of health data.

Marketplace competition mitigates expense issues, which are more burdensome for smaller or more rural practices. EHR adoption can be costly, but competition in the market drives the price down for some platforms, allowing lower-earning medical practices to start using quality systems.

The Cures Act also respects the intellectual property (IP) of EHR developers. According to ONC:

“Certified EHR developers are permitted to first negotiate agreeable terms in the open market for the licensing of their IP that is needed for the access, exchange, and use of EHI. If they are unable to reach an agreement, developers can meet their regulatory obligations through specified alternative means. Health IT developers also may restrict certain communications under the Certification Program that include IP so long as the restrictions are no broader than necessary and meet other specified limitations.”

Cures Act Certification for Health IT Developers

The Cures Act requires ONC to establish certain Conditions and Maintenance of Certification requirements for health IT developers under the ONC Health IT Certification Program. According to these conditions, a health IT developer who participates in the ONC Health IT Certification Program may not take any actions that constitute “information blocking.” The Final Rule also added three new criteria to provide a more comprehensive certification:

  • Electronic Health Information export: Developers are required to ensure health IT products are capable of exporting the EHI that can be stored by the product at the time of certification.
  • Standardized FHIR-based API for patient and population services: To increase accessibility, the Cures Act has required health IT developers to not only create an access application but also to establish two services. One service would be single-patient focused and the other would be multi-patient focused. This new criterion will be required by December 31, 2022.
  • Privacy and Security Transparency Attestations: Adopt two new privacy and security certification criteria, encrypt authentication credentials and two-factor authorization, requiring transparency attestations as part of the update to the privacy and security certification framework.

These criteria, among others, allow for EHRs, APIs, and other EHI-related technologies to standardize their systems and improve interoperability.

Chapter 6

Exceptions to Information Blocking

Although the emphasis is on preventing information blocking, there are circumstances where the Cures Act allows it. Exceptions are made on a case-by-case basis and do not apply to all requests. These exceptions were introduced to provide clarity to actors, notably healthcare providers and health IT developers, that if they engage in any of the following acts they would not be committing information blocking.

The eight information blocking exceptions are split into two categories as outlined by the Cures Act:

  • Exceptions that involve not fulfilling requests
  • Exceptions that involve procedures for fulfilling requests

Exceptions for Not Fulfilling Requests

These exceptions occur when a physician does not fulfill a request to access, exchange or use a patient's electronic health information. There are five exceptions listed in this category in the Cures Act:

  • Preventing harm: If a healthcare provider denies the access, exchange, or use of EHI to prevent harm to another, then it is not considered information blocking. An example of this is a physician who blocked an abusive parent from accessing the information on their adolescent child.  

  • Upholding privacy: A physician can practice information blocking to protect the privacy of an individual. The most common situation where this happens is a patient or individual that requests that their EHI is not shared. Not sharing EHI to uphold HIPAA regulations is also not considered information blocking.

  • Upholding security: If a healthcare provider denies the access, exchange, or use of EHI to protect the security of the EHI interface, then it will not be considered information blocking. This happens if the individual requesting information does not have a secure connection, firewall, or other technology security implementations.

  • Infeasibility: A physician can practice information blocking if providing access is infeasible. An infeasible action due to an uncontrollable event includes a public health emergency or natural disaster. Another example of infeasibility is a request to segment information when segmentation is not possible through the EHR platform.

  • Health IT performance: Healthcare professionals can deny access, exchange, or use of EHI if the technology is temporarily unavailable. EHR platforms and APIs, just like many technologies, require time offline to update or receive maintenance. This is only acceptable when certain provisions are met to ensure that the time the EHI is unavailable is beneficial to overall IT performance. Like all of these exceptions, it will be ruled on a case-by-case basis.

EHI Request Procedural Exceptions

There are also exceptions for denying access, use, or exchange of EHI due to procedural limitations. Three exceptions fall into this category:

  • Content and manner: It will not be considered information blocking for an actor to limit the content of the use, exchange, or access of EHI, ie scope of EHI and if they need to fulfill the request alternately.
  • Fees: Actors, like physicians and health IT developers, can charge reasonable fees for accessing, exchanging, and using EHI without it being considered information blocking; however, the fees cannot be opportunistic or exclusive. The fees should be for the use of further development and innovation by the actor.
  • Licensing: Actors will not be charged with information blocking if it is in pursuit of licensing interoperability features for EHI to be accessed, exchanged, or used. This is applicable for those companies who have developed an especially innovative EHR interface and wish to protect these by charging royalties or other licensing fees.
Chapter 7

Information Blocking Penalties

Health IT developers, healthcare professionals, and all relevant actors should have plans in place to comply with the Cures Act information blocking rules. If actors do not follow Cures Act regulations, they could be subject to Civil Monetary Penalty (CMP).

Information blocking occurrences can be reported to ONC for investigation. When ONC receives an information blocking claim, they share the claim with the Office of the Inspector General (OIG), which has the authority to investigate claims of potential information blocking across all types of actors: health care providers, health information networks, health information exchanges, and health IT developers.

CMPs have not been finalized, but for Health Information Networks (HINs), Health Information Exchanges (HIEs), and Health IT Developers, penalties could be up to $1 million per violation. The penalties for Healthcare Providers are still being established. In April 2022, ONC acknowledged that closing the enforcement gap and establishing the penalties for providers was a priority.

Chapter 8

Cures Act Compliance

Complying with the Cures Act is essential to achieving the law’s goal to accelerate medical product development and bring new innovations to patients who need them quickly and efficiently.

Health IT developers and EHR platforms can complete a few different actions to begin compliance with the Cures Act. Here are some considerations when it comes to the Cures Act and compliance:

  • Analyze current compliance through the support of legal counsel.
  • Draft a report on ways in which software or APIs need to be adapted in order to prevent information blocking.
  • Host employee training programs to get all staff members up to speed on what information blocking is.
  • Innovate ways in which interoperability can be achieved in more seamless capabilities, especially through the development of smartphone applications as outlined by the Cures Act.
  • Examine how the competition will continue to drive the industry and the company in light of new regulations.

Overall, Health IT developers need to look for ways to improve their software and interfaces so that interoperability becomes the main focus even beyond the Cures Act.

Questions for EHR Vendors

The best thing that physicians can do to comply with the Cures Act is to familiarize themselves with the rules and exceptions since the collection of EHI starts with them at the point of care. Familiarity with regulations also empowers physicians and healthcare providers to hold their EHR providers accountable for complying with regulations.

Visit the developer's website to see if they have information on how they are adapting to the Cures Act. If you cannot seem to find any information on how they intend to comply, contact a representative. Here are some questions you can ask the representative to learn more:

  • How does the company currently fit within Cures Act regulations?
  • How does the company plan to comply with and adapt to information blocking regulations?
  • Where can I find a detailed analysis of current and future implementations regarding information blocking and the Cures Act?

Be sure to research which IT developers are at the forefront of innovation when it comes to interoperability. Choosing an EHR with a competitive edge may put you ahead of new compliance standards.

EHR Data Management

Managing EHR data often requires a completely separate technological entity. Collect, standardize, and deliver health data through Datavant. Datavan's software connects directly to your customer's EHR or PM system database.

We are a company on a mission to improve healthcare by delivering data that matters.

Here are some of the capabilities of Datavant:

  • Quick and easy integrations with tons of EHRs with only a few clicks.
  • Data translation to a standard data model.
  • Easily accessible application for managing connections and quality control
  • API-enabled data accessibility
  • Compliance to regulations
Connect to multiple EHR systems

Get standardized data from your customers in minutes with Datavant.

Learn more