business of pediatrics

Complying with Information Blocking Rules & the 21st Century Cures Act

Compliance with government IT laws has become so cumbersome that you lose sight of why the laws exist in the first place. The 21st Century Cures Act intends to provide patients with better access to their electronic health information (EHI) and to improve interoperability and data sharing between and among health providers. One of its main goals is to facilitate and support shared decision-making of a person’s healthcare. 

While the new rules can be a large administrative lift for practices, there are benefits -- namely that you’ll be able to receive information for patients who are referred to you. Additionally, they  help stop predatory practices of larger organizations who retain patient data with high expenses incurred to integrate and access. 

Preparing Your Practice


With all of the available individual EHR information, the administrative Office of the National Coordinator for Health IT -- or ONC -- were tasked to determine when it will be allowed to block information to and from healthcare systems and providers. Eight exceptions were identified for when it may be appropriate to block when EHI is accessed or exchanged for use. These exceptions can generally fall into one of two categories. The first set is exceptions that involve not fulfilling requests and those include preventing harm, privacy, security, and feasibility and health IT performance. The second set of exceptions focuses on fulfilling requests to access, use, and exchange EHI. 

Policies and Procedures

Start by reviewing the information blocking exceptions and define policies to use them at your practice. Determine where and how those exceptions will be documented, logged, and retained. Check out page 2 of this info sheet by the American Medical Association for some practical examples of information blocking that can impact policy changes at your practice. Everyone in your practice and organization should be taught how to recognize and act upon a request to access, exchange, or use EHI. 

Written policies provide an operative framework and reference point your practice can turn to when in doubt. Of the eight exceptions outlined by the ONC, not every one of them requires a written policy. What you must put in writing focuses on preventing harm and enforcing security and privacy, which naturally coincide with existing HIPAA policies. It’s good to look at those policies, though, and see where they complement each other. 

Data Exchange Costs

Data exchange fees are another component to evaluate. Are you charging patients to access their patient portal in any way? There could also be costs associated with back-end data access via an application programming interface (API). While many practices may be safe here, it’s recommended to take a close look at any fee structure around data exchange that you may already have. If you do have a cost associated with data exchange, such as charging for access to your patient portal, you may have an opportunity to take a fees exception. 

One key detail to remember is that it is prohibited to charge fees to patients for electronic access to their health information. You also want to think about data sharing policies and responding to requests for EHI because types of requests can have a typical and expected response time. While it’s important to have these policies and procedures documented and taught at your practice, simply having a policy written on paper doesn’t necessarily exempt you from not information blocking. People can still make allegations and it’s good to have a well-rounded policy and administrative procedure in place to mitigate and prevent issues. 

Final Considerations

The content and manner -- the official ONC term to define what information and how it’s being transferred -- are important considerations to make when prompted to fulfill a request for EHI because the context in which it’s being shared does matter and can open you up to liability. Special circumstances, such as when you’ve got scheduled downtime to perform maintenance on your EHR, should also be written into policy since you’re not going to be able to fulfill requests during that time. Always consult a legal professional for guidance before making any decisions at your practice, especially when it comes to evaluating special circumstances and the “content and manner” in which information is shared as defined by the Act. 

Frequently Asked Questions

In a recent webinar for PCC clients, our interoperability team took on key questions that providers and practice managers are facing about EHI and compliance with the ONC’s information blocking rules. We’ve edited and pared down our team’s answers to a range of questions for you to check out: 

Q: Can you give me a real life example of EHI or electronic health data?

A: Electronic health data means health information that includes patient demographic information, clinical health information. Think of anything that's on your summary of care today -- that could be defined as EHI. Specific examples include school forms, lab test results, vital signs, smoking status, or allergies and medications.

Q: Could you explain what an API is, generally how it works, and how it may be beneficial to patients? 

A: API is short for Application Programming Interface and it's an intermediary software that allows two programs to interact with each other. APIs are used everywhere in software development, it's not just limited to healthcare, though it is heavily used in healthcare to facilitate data exchange and interoperability. We could also say an API is used to transmit data to and from an outside lab vendor or hospital. The information blocking rule intends to expand APIs usage such that patients will eventually be able to use an app of their choice. This is a long-term goal of the role, and have all of their health information on their smartphone so they can access their complete health record and again, be an active part of their care. It is correct to think of this as the essence of interoperability, when patients and physicians use care health data as they wish, and it flows.

Q: Our clinicians store confidential information in various places in our EHR. Do we need to make all of those notes available to patients? 

A: Unfortunately, there isn’t an easy answer to this question because your obligation to protect the confidentiality of EHI is imposed by state law. The information blocking rule does not supersede HIPAA privacy and security rules, which establish some minimal Federal requirements. It's not a requirement of the rule to release all confidential information available to parents or their guardians. It's worth noting that while you can absolutely choose to proactively share information that might then reduce the administrative load of request on your practice, it is not a prescriptive requirement of the rule. 

Q: If a parent requests their child's entire health record to be shared electronically or via paper, am I required to share clinical notes from specialists or hospitals that were included in the patient's chart? 

A: Providers and practices should share patient data that is clinically relevant and has been requested. Requested is a key term in that answer. Again, this doesn't replace HIPAA and the minimum necessary rule. If information includes data from other practitioners, then you may share it. Conversely, if the provider believes there's a risk of harm or security when sharing the patient's data, then it’s typically best to review and apply the appropriate exception given the specific circumstances. The net of this all is that there really isn't a definitive answer. What is provided is based on the facts and circumstances of each situation. 

Q: When would a delay in fulfilling a request for access, exchange or use of EHI be considered an interference under the information blocking regulation? 

A: It would likely be considered an interference for purposes of information blocking if a healthcare provider established an organizational policy that, for example, imposes delays on the release of lab results for any period of time so that the ordering physician can review the results and personally inform the patient before the patient can electronically access such results. A blanket policy of, “We're not going to release any results for X number of days,” would likely be considered interference, when perhaps not all results warrant that extended amount of time before they're released.

Q: Will we still be able to lock labs until the physician has had a chance to sign off on them and then make them available in the portal? Or will this be considered blocking?

A: If there is a blanket policy that imposes delays on the release of lab results for any period of time, that would likely be considered information blocking. 

Q: With confidential notes in a visit, is this something that a physician can add during the visit in the visit note on an as needed basis? Or does it need to be in the visit note configured ahead of time? 

A: It’s recommended to have a generic confidential notes component in the medical summary. It would also be beneficial to have a specified component within a visit protocol configured in your EHR ahead of time. Additionally, one more that allows you to sort of organize let's say, mental health notes versus other types of confidential notes, so that if you're looking for a visit note, it's easier to find later on. If you can, pre-configuring those as components ahead of time makes the most sense.

Q: Are practices obligated to send EHI electronically, for attorney requests of patient charts, or is generating visit summaries and sending them out OK instead?

A: Absolutely, and namely because this is not provider-to-provider and the legal context changes the way that data exchange is viewed by the ONC. 

Q: Are we required to share consult letters or should patients go to the original specialist or provider of those consults?

A: In these cases, it’s best to use your clinical judgement. If it's relevant to what you're sending for someone's care, then yes, you should share those consult letters. 


The information included here is intended as considerations from PCC and it’s ideal to have a legal point person in your practice or organization who can review these policies and help answer your specific questions. Please refer to these additional resources for more information about the 21st Century Cures Act and information blocking:

ONC Final Ruling

ONC Cures Act Final Rule

ONC Information Blocking FAQs

ONC Final Ruling Fact Sheets

Spencer March

Spencer works as PCC's Digital Marketing Manager.