Health Information Management

6 steps to prepare now for looming information-blocking requirements

Hospital and health system finance leaders should keep apprised of CMS’s progress toward finalizing regulations in this area. It is not too soon to start preparing for compliance now.

November 27, 2023 1:53 pm

The 21st Century Cures Act includes provisions aimed at identifying and stopping information-blocking practices that interfere with reasonable seamless sharing of electric health information. The Office of the National Coordinator for Health Information Technology (ONC) defines such a practice as one “likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information-blocking exception.”a

CMS issued its proposed rule aimed at enforcing the Cures Act’s information-blocking provisions on Nov. 1, with a comment period ending Jan. 2, 2024.b

Given that the final rule will likely follow in early 2024, finance leaders should begin now collaborating with internal teams to ensure their organizations have properly prepared and tested for compliance before ONC establishes alignment requirements and potential fines. Complying with the information-blocking provisions should be seen not only as a baseline but also as an opportunity to move healthcare toward the end goal: sharing healthcare information in a more meaningful way.

Focused compliance efforts will require strategic conversations and involvement by finance, IT, compliance and health information (data) governance. In this process, finance leaders should ensure to address the following six steps.

1 Analyze the organization’s source of truth for EHI

Each facility should determine whether data contained within its EHI source of truth (usually the electronic health record [EHR] is defined, documented and entered consistently. This effort should start with making sure each of the EHR’s data elements follows the United States Core Data for Interoperability (USCDI).

USCDI Version 1 is a standardized set of 16 health data classes and 53 constituent data elements, which provides the nationally recognized base requirement. A USCDI data element is the most granular level at which a piece of data is represented in the USCDI for exchange, and a USCDI data class is an aggregation of various data elements by a common theme or use case.  Currently, most EHR vendors support only USCDI Version 1. USCDI has issued three additional versions, with Version 4 is having been published July, and the comment period for Version 5 ending in September. Versions 2 through 4 add six new data classes and 66 new date elements to those included in Version 1.

Leaders should assign experts within the organization to monitor new version changes, watch release dates and communicate with EHR vendor partners about each data class and element. Senior executives do not need to participate in these in-the-weeds conversations, but the conversations are essential to properly assess your facility’s EHI sharing capabilities. The optimal team includes representatives from IT, compliance and health information governance.

2 Define EHI for each facility

EHI is like gold — extremely valuable and usually surrounded by many other elements. And also like gold, EHI must be panned before it is shared. It is therefore the responsibility of each facility to determine which data elements will fall through the sifter and be shared, and which will not.

Leaders must work with internal teams to identify each EHI asset and establish guidelines for sharing. It also is important to identify which data assets will be received from other organizations or stakeholders.

Identifying an organization’s most valuable data assets begins with classification and data management. Data should be correctly mapped to its assigned outbound purpose to ensure proper data exchange and information sharing. Negative impacts to payment, quality reporting and other value-based initiatives occur when data mapping is incorrect or cut short.

For example, one facility mistakenly mapped the last weights of newborns discharged from the neonatal intensive care unit (NICU) as the newborns’ actual birth weights on the billing claim. Simply using the wrong data element resulted in hundreds of NICU claims denials based on failure to meet medical necessity. However, the birth weight at NICU discharge was the exact data element needed for quality outcomes reporting from the unit.

Data definitions and mapping are best performed with the end use case in mind. Knowing how data will be used is essential to appropriate mapping before engaging in information exchange. The American Health Information Management Association (AHIMA) recently partnered with The Sequoia Project to create a Data Usability Taking Root (DUTR) Guide designed to better focus the industry on data quality, usability and meaning.c This type of partnership is an important step in the right direction.

3 Strive for data consistency

One of the biggest challenges to enterprisewide information-blocking compliance is dealing with inconsistency in data definitions and terms across facilities, systems and teams. Information is too extensive, and it remains highly inconsistent in how it is received and displayed. This is a decades-old problem that won’t be solved any time soon.

Multiple facilities, disparate IT systems, siloed clinical teams and complex service matrices further complicate the issue and create more urgent data consistency challenges. For example, the most widely used formats for health information exchange in the nation today, the Consolidated Clinical Document Architecture (C-CDA) or the USCDI mentioned above — each with various versions published — are inconsistent for receiving and transferring data among vendors and organizations, negatively affecting transitions of care.

The standards’ data consistency challenges exemplify the complexity of data issues in healthcare. The onus lies with each facility and its health leaders to continually work toward standardized, succinct and relevant information wherever possible.

4 Empower every employee to become a data steward

Healthcare data is extremely valuable, and there is no one owner. Every person who enters data into a health IT system is a team player. Oversight committees serve as coaches and cheerleaders, but it’s the players on the field who ensure data integrity and make information-blocking compliance happen every day.

Best practice is for each organization to develop an information governance program and identify specific teams to:

  • Educate everyone who works with data about information-blocking compliance
  • Establish and enforce procedures to improve data consistency
  • Make enterprisewide decisions related to both inbound and outbound data sharing and exchange

5 Balance information-blocking compliance with patient privacy

Although the goal of the information-blocking provision is to expand data access and sharing, leaders should also avoid overexposing patient data. Protecting patient privacy is still mandated under HIPAA.

Organizations should determine which data elements to share and the extent to which each is usable. They should perform analyses to assess whether data is being underexposed or overexposed. The information-blocking compliance team should be asked three questions:

  • What is the minimal amount of clinical information that is helpful or relevant for this use case?
  • Is it technically possible to share (or receive) this data element?
  • Are we documenting our decisions accordingly?

The Cures Act’s information-blocking provision includes exceptions that exempt facilities from sharing data in specific cases.d Exemptions regarding requests to access, exchange or use EHI, for example, pertain to:

  • Potential harm
  • Privacy
  • Security
  • Infeasibility
  • Health IT performance

The exceptions are well documented and should be thoroughly understood across the organization.

6 Assess every stakeholder involved with information exchange

Annually, every facility should revisit, analyze and assess its information-sharing partners. The goal of sharing data is to improve patient health and reduce costs. But proper data governance requires clear understanding of all information exchange use cases and stakeholders. It therefore is important to ensure data is still required and relevant to the receiving party. The same question should be asked regarding the healthcare organization’s incoming information.

Information-blocking compliance addresses future health data goals

The foregoing six steps not only support compliance with the information-blocking rule, but also refocus the organization on data quality, integrity and accuracy of patient data contained within EHRs. While the term information blocking has a negative connotation, it is important to keep  in mind that the information-blocking provision is intended to liberate information to better service patients and other healthcare industry stakeholders.

An improved future state of health information exchange is not only necessary, but also meaningful. It is necessary that data be organized and classified to add value, minimize waste and support confident sharing across stakeholders.

A health system’s EHR, and the data contained within, is often such organizations’ biggest investment. Compliance with information-blocking protects and optimizes that investment by making the most of all EHI, by creating an asset to support organizational goals and the public good, and by providing the foundation for the digital transformation healthcare requires to remain agile, compliant and patient-centric.


a., “Information blocking,”  Content last reviewed, Nov. 16, 2023.
b. CMS, “21st Century Cures Act: Establishment of disincentives for health care providers that have committed information blocking.” Federal Register, Nov. 1, 2023.
c. The Sequoia Project, “Data usability takes root nationwide through a joint project between The Sequoia Project and AHIMA,” Press release, July 11, 2023.
d., “Information blocking exceptions,” July 2022.

Information blocking provisions of the Cures Act largely welcomed by the industry

The 21st Century Cures Act was signed into law seven years ago to accelerate the discovery, development and delivery of new medical cures. Within the Act are numerous provisions to liberate healthcare data and expand health information interoperability, with the overarching goal of “seamless and secure access, exchange and use of electronic health information (EHI),” as stated by the CMS Office of the National Coordinator (ONC).a

One of these provisions, focused on information blocking, prohibits healthcare providers, health IT developers of certified health IT, and health information exchanges (HIEs) or health information networks (HINs) from interfering with any “access, exchange, or use of EHI,” as described by the ONC.b While much of the healthcare industry is on board with this provision, there were several instances in 2023 where EHI was not shared in accordance with the law and complaints were made to the ONC.


a., “ONC’s Cures Act Final Rule,” content last reviewed Aug. 31, 2022.
b., “Information blocking,” content last reviewed Nov. 16, 2023.

7 questions for self-assessing your information blocking compliance readiness

As an essential part of their preparations for compliance with the information-blocking requirements, organizations should ask themselves the following questions:

  1. Are we using the most recent versions of U.S. standards to define EHI data classes and elements? And is someone consistently analyzing new versions as they are published?
  2. What constitutes our facility’s electronic health information asset list? Which data elements are gold nuggets, and which are not? Which are available in electronic format?
  3. Has each of our data elements been mapped for information sharing with the proper use case in mind?
  4. Are we working toward greater data standardization across our facilities, our service lines, our teams and our IT systems?
  5. Who are the people within our organization assigned to oversee information blocking compliance, andare they the right people?
  6. Are we effectively balancing the need to share information with our responsibility to protect patient privacy under HIPAA?
  7. Do we assess all the stakeholders with which we exchange information?


googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );