Changes in Healthcare Information Regulation: Information Blocking

Liam Kenney

Associate Editor

Loyola University Chicago School of Law, JD 2021


On November 3, 2020 new rules from the Health and Human Services Department concerning information blocking in healthcare will come into effect. The rules are an implementation of the 21st Century Cures Act (“Act”) which is the latest in the government’s effort to lower costs and allow for greater patient access to electronic health information (“EHI”). The Act aims to prevent covered healthcare providers from restricting the flow of EHI in inappropriate ways. Violations of the new Act may result in considerable civil fines.

The Act will apply to a variety of entities in the healthcare industry including healthcare providers, health information networks, health information exchanges, and health information technology developers of “certified health IT (although this does not include providers that develop their own health IT for personal use). The Act will have an extensive reach as “healthcare providers” in this instance will include virtually all entities that render healthcare services such as hospitals, clinics, long-term care facilities, practitioners, physicians, group practices, and more.

What is information blocking?

Information blocking is defined as, “a practice… likely to interfere with access, exchange, or use of electronic health information (“EHI”).” Under the Act, a violation occurs when a healthcare provider “knowingly” acts in a way that “is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information” unless (i) the practice is required by law, or (ii) the practice fits within one of the exceptions listed below. (45 C.F.R. § 171.103(a)). This can happen when a provider delays, ignores, imposes unreasonable conditions on, or refuses requests to share EHI. Such requests can come from patients, payors, or other providers. Under the new rules an increase in the cost or complexity of accessing and sharing EHI may also violate the Act and lead to penalties. Analysis surrounding a potential violation will focus on the particular facts and circumstances of each case in order to determine whether the provider acted with the requisite intent, etc.

As noted above, certain exceptions to the rules exist. The Act does not attempt to prevent information blocking in instances such as those required by law, where the provider did not possess the required knowledge, and eight regulatory exceptions. These regulatory exceptions are designed to allow for reasonable and necessary actions of providers and include preventing harm, protecting patient privacy, protecting EHI security, when access is not feasible, temporary blocks to allow for IT maintenance and system improvement, content and manner exceptions, fees, and licensing issues.

What can healthcare entities do to ensure compliance?

It is doubtful that enforcement of the Act will begin on November 3. It will most likely be delayed for a few months due to the pandemic and lag from implementation. However, providers should be aware of potential issues and look to implement policies and procedures now so that they are in compliance when enforcement begins. Because the scope of the new rule is large, providers should identify the departments most likely to deal with information blocking issues such as IT, records, compliance, and contracting. Individuals within the identified departments should then be trained and educated on how to make and respond to information requests under the new rules. Providers must focus on responding to information requests in an appropriate manner. Providers should also look to ensure that employees that handle such matters are educated about the provisions of the Act and are able to apply the correct rules while allowing for an appropriate and timely response.

Providers should review their existing EHI policies and procedures surrounding information requests by patients and third parties and make updates to their practices to ensure they are compliant with the new rules. The actions of the provider should not unreasonably restrict or deny the flow of EHI by causing delays or creating roadblocks to the sharing of such information. Furthermore, the functionality of the provider’s EHI system itself should be analyzed. Updates should be made to enable functionality in a way that does not impede EHI that may result in an instance of information blocking under the Act

The new rules under the Act may allow for a better patient experience through greater access to EHI. Providers should use this as an opportunity to identify how they can obtain and make use of EHI to improve the flow of information and operate more effectively and efficiently. This can benefit future patients and allow providers to operate on a more competitive level.

Creators of the Act state that its purpose is to allow for patients and providers to have increased access to secure health information and to “increase innovation and competition by fostering an ecosystem of new applications to provide patients with more choices in their healthcare.” If successful, this may greatly increase the EHI experience of both patients and healthcare providers. While headaches may come with adjusting to the new rule, providers should look to take advantage of the Act in ways that increase the efficiency of their own systems and benefit the patients that they serve.