Information blocking: Compliance basics for providers


Information blocking is a practice that is likely to or knowingly interferes with access, exchange, or use of electronic health information (EHI).[i] Physicians can experience information blocking when trying to access patient records from other providers. Patients can experience it when trying to send their medical records to another physician.

Information blocking can also include charging fees, using contracts, creating organizational policies, or implementing technology in custom ways that limit or delay access, exchange, or use of EHI. There are exceptions within certain boundaries.

What are the origins of the information blocking rule? When did it take effect?

Healthcare providers, while generally supportive of interoperability achievements among health information technology systems, are now subject to the 21st Century Cures Act: Interoperability, Information Blocking, and the Office of the National Coordinator for Health Information Technology Health IT Certification Program (the Information Blocking Rule).[ii]

Compliance with the Information Blocking Rule was required as of April 5, 2021, although additional implementation dates for specific subsets of EHI will be effective Oct. 6, 2022, and will cover most materials in providers’ charts, with very few exceptions.

What does the rule do?

The rule was implemented to advance interoperability and to support the access, exchange, and use of EHI, to support both physicians and patients alike. 

Who is impacted?

Two main groups are impacted by the Information Blocking Rule:

  1. Developers of certified health IT or health information networks who know, or should know, that an information-withholding practice is likely to interfere with access or exchange of the use of EHI.
  2. Providers who know their information distribution practice is unreasonable and likely to interfere with access, exchange, or use of EHI.

 What are the main exceptions to the rule?

The main exceptions are intended to promote care and prevent harm. In a circumstance where a patient may suffer harm, where privacy is at issue, where it is infeasible to comply, or where health IT performance will suffer, a provider is not obligated to comply with the rule.

Further, where the procedures for filling requests for information involve difficult content or methodology, excessive fees, or licensing issues, exceptions may also apply.

How is it phased in?

Realizing the massive changes that modifications to information exchange require, implementation is phased in over a period of years. Effective April 5, 2021, data elements[iii] contained in EHI—including allergies, clinical notes, immunizations, lab results, demographics, smoking status, and vital signs—are included. Known as United States Core Data for Interoperability USCDI v1, these data elements are a limited set of information, as noted above.

However, effective Oct. 6, 2022, the Information Blocking Rule will apply to the full scope of EHI. This generally covers all health information that is currently collected, maintained, and made available for access, exchange, and use. This applies whether the records are used or maintained by physician groups or by the other covered groups.

Exclusions are much more limited—to psychotherapy notes and information compiled for use in civil, criminal, or administrative proceedings. This broader scope of information in this full-scope second phase is referred to as a “designated record set.”[iv] This includes medical and billing records, enrollment information, payment data, claims adjudication records maintained by or for a health plan, and other records used to make decisions.[v]

How does it affect my physician group? 

Access to EHI must be provided regardless of when the information was created, whether the information is maintained in paper or electronic systems, whether the information is archived, and regardless of the source of the EHI.

Providers may take reasonable efforts to verify the identity of those requesting health information. The records must be provided in the form and format requested by the patient or a delegate, and access must be provided within 30 calendar days.

This means it is possible, for instance, that a physician organization that has a policy restricting access to a patient’s laboratory results for a certain amount of time after a physician receives them, may be engaging in a practice that is likely to interfere with access, use, or exchange of EHI—thus violating the Information Blocking Rule.

What are the penalties for noncompliance? 

The Office of Inspector General (OIG) may impose a civil monetary penalty against any individual or entity that commits information blocking. Penalties, depending on the actor, are some of the largest instituted by the federal government to date in the healthcare sector—up to and including $1 million per violation. [vi]

The OIG’s enforcement priorities will likely focus on information blocking causing potential patient harm, significantly impacting a provider’s ability to care for patients, overly lengthy transmission timeframes (beyond 30 days), or noncompliance performed with actual knowledge of a violation.

Thus far, the OIG has imposed a variety of penalty amounts, including a $25,000 penalty against a medical group for a delayed response to a patient’s request for a copy of their medical records, and a $160,000 penalty against a larger hospital system for a similar violation. Additional or separate negative payment penalty adjustments may apply under Medicare—potentially including a False Claims Act action against providers who have already attested to promoting interoperability.

What can I do to ensure compliance?

While the rule and its exceptions are complex, basic risk assessment procedures will go a long way toward ensuring both actual compliance and good faith efforts to comply.

Assigning personnel to oversee EHI requests, documenting policies and procedures for complying with requests, training staff, determining applicable exemptions, and auditing actual compliance to ensure positive trends will help to create an effective process for allowing the efficient exchange of data and avoiding penalties for noncompliance.

The full Information Blocking Rule will be in effect no later than Oct. 6, 2022.

This article was originally published in The Journal of America’s Physician Groups, Volume 16, No.1, Spring 2022

Ready to work with us? 

Contact us


[i] 45 CFR § 171.102.

[ii] 45 C.F.R. §§ 170, 171.

[iii] The Information Blocking Rule also covers the transmission of “data elements.” A data element is the most granular level at which a piece of data is exchanged. For instance, a date of birth is a data element, rather than its component day, month, or year, because date of birth is the unit of exchange.

[iv] 45 C.F.R. § 164.501.

[v] More information about the definition of information blocking and its application to the full scope of EHI may be found at the ONC’s Cures Act Final Rule FAQ page:

[vi] 42 C.F.R. § 1003.1400 Subpart N.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.