Things to Know about Information Blocking (CMS & ONC)

The Office of the National Coordinator for Health IT (ONC) Information Blocking Rule applies to three categories of actors: developers of certified health IT; Health Information Exchanges and Health Information Networks; and health care “providers”, which includes hospitals, skilled nursing facilities, health care clinics, group practices, and laboratories. As it pertains to health care physicians, “information blocking” is defined as the intentional withholding of patient health information – either from “provider” to “provider” or “provider” to patient. “Information Blocking”, as used throughout this FAQ, references the body of works that are the information blocking provisions of the 21st Century Cures Act. Information Blocking gives patients more control of their health data, and physicians will be able to take advantage of the improved ability to collect and utilize the flow of information for the benefit of their patients and practice. This expanded right of access will also result in improvements in the patient-physician relationship, including enhanced trust, transparency, communication, and shared decision-making.

The 21st Century Cures Act mandated that patients have increased access to their electronic health information (EHI), including clinical notes, through an application of their choosing or EHR portal. Since April 5, 2021, EHI has been limited to the data elements represented in Version 1 of the United States Core Data for Interoperability (USCDI) standard: consultation notes, discharge summary notes, history and physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes, and progress notes. As of October 6, 2022, the definition of EHI will expand to include any electronic, individually identifiable health information included in the designated record set per HIPAA access requirements. Physicians and their care teams will be responsible for the access, exchange, or use of each patient’s entire EHI, no longer limited to just the USCDI elements.

Overall, it is important for practices to have a process in place to evaluate and comply with information blocking requirements. However, please remember EHR vendors are also subject to these regulations and were required to have enabled practices, patients, and other requestors to access at least the USCDI EHI elements in April 2021. Vendors have a December 31, 2022, deadline to provide practices with upgraded EHR functionality to better enable access to EHI. We recommend health care clinicians and systems contact their EHR vendor to ask about preparations in anticipation of the October 6 EHI deadline.

No, Information Blocking pertains only to the access, exchange, and use of EHI. This should be contrasted to HIPAA, which covers paper, electronic, and verbal data as protected health information (PHI). Individuals still have the right to access their papers records under existing HIPAA rules. Where an individual requests a paper copy of PHI maintained by the practice, it is still expected that the practice will be able to provide the individual the paper copy requested.

While the end goal of the Information Blocking regulations is to improve access to and sharing of the entire record, there are situations when reasonable and necessary activities would not constitute information blocking. ONC has established eight exceptions to the Information Blocking Rule. The first category of exceptions involves unfulfilled requests to access, exchange, or use EHI: Preventing Harm Exception; Privacy Exception; Security Exception; Infeasibility Exception; and Health IT Performance Exception. The second category involves the procedures followed in fulfilling requests to access, exchange, or use EHI: Content and Manner Exception; Fees Exception; and Licensing Exception. Actors have the burden of proof that practices restricting the free flow of health information fit within one of the eight exceptions. Exceptions apply on a case-by-case basis and will require substantial documentation that will be evaluated by ONC and the Office of the Inspector General (OIG). More details on each exception can be found on ACP’s FAQ on Information Blocking: Documentation Guidelines.

As of October 6, 2022, the definition of EHI will expand from “consultation notes, discharge summary notes, history and physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes, and progress notes” to include any electronic, individually identifiable health information included in the designated record set per HIPAA access requirements, with certain limitations. The type of information that must be shared may differ if, for example, the patient is an adolescent. Please reference ONC’s materials, “Information Blocking,” “What is Information Blocking and to Whom Does it Apply?,” “Information Blocking Exceptions,” “Understanding Electronic Health Information (EHI),” and “Information Blocking: Eight Regulatory Reminders for October 6th” for more details.

Yes. The Office of Inspector General (OIG) is charged with investigating allegations of information blocking and determining whether a violation has occurred. However, unlike other covered actors, physicians are not subject to the civil monetary penalties established. Instead, OIG will refer physician violations to the appropriate outside agency. HHS has yet to identify the agency or agencies that will handle information blocking referrals and has yet to identify the “disincentive” that will apply to physicians that engage in information blocking. In the case of innocent mistake, OIG has confirmed that it will not bring enforcement actions against actors who lack the requisite intent for information blocking.

The CMS Interoperability and Patient Access regulations promote patient access and exchange of their clinical data and claims data across CMS-contracted payers. Additionally, CMS is requiring access to physician directory information and requiring physician organizations, including hospitals, to send admission, discharge, and transfer (ADT) notifications to the patient’s care team. A physician participating in CMS’ Promoting Interoperability (PI) program is required to attest they are in good faith implementing and using their EHRs to exchange data. If a health system is found to have falsely attested, it could potentially owe back the incentive funds and could be liable for penalties under the False Claims Act. CMS will also publish on a public website all physicians and physician organizations who have either attested to or been found to be information blocking.

Communicate and Educate! – Leadership must buy in and empower team members to take action to ensure compliance. Driving change through the lens of patient-centeredness is key. Have you communicated to your team what compliance looks like for them? Does your vendor have EHR-specific resources available? Communication is key.

Identify Key Stakeholders, Subject Matter Experts, and External Resources – Many different disciplines and departments will need to be engaged as your practice comes into compliance. Consider convening a multidisciplinary change management team inclusive of clinicians, informatics experts, coding and compliance experts. Everyone needs to be on the same page and equipped with tools to succeed.

Review ONC (and CMS) Resources, and Confirm Stakeholders Understand Responsibilities – Timelines, certification requirements, and CMS rule applicability.

Review Internal EHI Practices and Policies, System Functionality, and Identify Risks, Mitigators, and Scope – Identify potentially tricky EHI scenarios that need consideration when sharing information with individuals or requestors outside of your practice, identify the risks for physicians, other clinicians, and organization staff that engage in those various EHI scenarios, develop standard note templates, availability of and access to application programming interfaces (APIs), and establish a positive organizational outlook on data access and release.

Evaluate and Plan for Documenting Exceptions – Identify specific EHI scenarios that may require the use of one of the exceptions, identify affected team members and specialty colleagues, and establish complete documentation and exchange processes.

Actions and Changes – Identify needed changes to make sure you are ready. This may also include needed contracts, agreements, and licenses.