Live Webinar | Costing and Managerial Accounting
Live Webinar | Legal and Regulatory Compliance
Live Webinar | Health Plan Payment and Reimbursement
Live Webinar | hfma:content/topic/behavioral_ethics
Blog | Electronic Health Records

Expanded information-blocking rules under the 21st Century Cures Act are here

Blog | Electronic Health Records

Expanded information-blocking rules under the 21st Century Cures Act are here

HHS has not heeded a late plea from provider advocacy groups to postpone implementation of the expanded provisions.

Hospitals and health systems are among the healthcare industry stakeholders that will be affected when expanded rules on information blocking take effect Oct. 6.

As defined in 2016 legislation known as the 21st Century Cures Act, information blocking refers to practices that interfere with access to, exchange of, or use of electronic health information (EHI). Among the goals of the legislation are to enhance patient access to health data and improve interoperability.

Since April 2021, EHI in the context of the regulations has been limited to elements contained in the United States Core Data for Interoperability (version 1). But going forward, EHI can mean any electronic protected health information (ePHI) included in the HIPAA definition of a designated record set (DRS), such as billing records, claims and case management records.

“One point that we’ve emphasized to healthcare providers is that ‘the ePHI in your DRS constitutes your EHI’ for the purposes of the information-blocking regulations,” Steven Posnack, deputy national coordinator for health information technology, wrote in a recent blog post.

There are eight categories of exceptions that establish circumstances where information blocking continues to be permitted. Providers have expressed confusion over how some of the exceptions apply in practice.

Other frequently asked questions have pertained to the level of technology that may be required to fully comply.

“The information-blocking [IB] regulations do not require IB actors to adopt or use certain technologies or platforms,” Posnack wrote. “IB actors may use ‘patient portals,’ other web interfaces, application programming interfaces, and a multitude of technologies and platforms to make EHI available for access, exchange or use.” Nor does compliance require use of officially certified health IT, he added.

Penalties for providers remain unclear

Enforcement is another area of ambiguity. The U.S. Department of Health and Human Services (HHS) still has not announced the penalties for providers that violate information-blocking rules. For health information networks, health information exchanges (HIEs) and developers of certified health IT, the proposed maximum penalty is $1 million per violation. That penalty has yet to be finalized in published regulations, and regardless, it’s expected that potential penalties for providers won’t be as steep.

Based on the applicable knowledge standard for assessing violations, there also may be more wiggle room for providers to plead ignorance to an alleged violation than there is for developers and HIEs. The latter groups can be penalized for circumstances in which they “should know” that a violation would occur, whereas for providers, it has to be evident that they knew they were engaging in impermissible information blocking. HHS and the Office of the National Coordinator for Health Information Technology (ONC) have emphasized that it will be necessary to adjudicate potential violations on a case-by-case basis.

ONC reported that between April 2021 and August 2022, there were 487 claims of information blocking submitted through a designated portal. Of those, 452 were deemed to have been possible instances of information blocking, thus triggering a review. Of the 487 submissions, 371 were brought against providers.

Asking for more time

In late September, the College of Healthcare Information Management Executives and nine other provider advocacy groups wrote to HHS requesting that implementation of the rules be delayed by another year, but the department appears intent on proceeding as scheduled. The groups also recommend that provider violations be addressed via “corrective action warning communications” before penalties are levied or a formal investigation is launched.

“A chief factor limiting compliance readiness is the widespread inability to support access, exchange, and use of EHI. There is no clear definition of EHI and there is a lack of a technical infrastructure to support its secure exchange,” the groups wrote.

They noted that smaller providers, especially, may need to rely on their vendors to ensure compliance, and “vendor readiness is lagging.” Vendors also have until Dec. 31 to install necessary upgrades, and that’s nearly three months after the expanded compliance deadline for providers.

The groups also raised a concern about conflicts between the information-blocking rules and the Medicare and Medicaid Promoting Interoperability programs. Compliance in those programs requires a provider to attest that it is not engaging in information blocking.

“These statements will take on new meaning once Oct. 6 arrives, creating fear that they will attest to something they are not sure they have met,” the groups wrote. “For providers/clinicians outside of the PI program, the burden of compliance could be even greater, especially if they are not using a certified EHR technology.”

HHS and its sub-agencies should “engage in more education targeted to the provider/clinician community with a particular focus on small, medium and lesser-resourced organizations,” they wrote.

About the Author

Nick Hut

is a senior editor with HFMA, Downers Grove, Ill. (

Sign up for a free guest account and get access to five free articles every month.


Related Articles | Electronic Health Records

Executive Roundtable | Cost Effectiveness of Health

Optimize the cost effectiveness of health through prioritizing the patient experience

Read up on various strategies from several health system executives, including taking full advantage of EHR, reducing expenses, improving patient experience and so forth.

Blog | Risk Management

Healthcare News of Note: Healthcare cybersecurity professionals are unsure they have enough resources

Healthcare News of Note for healthcare finance professionals is a roundup of recent news articles: Healthcare is one of the least confident industries when it comes to having the resources to ward off cyberattacks, the new 988 Suicide & Crisis Lifeline sees a 28% hike in use in its first month, and Mayo Clinic, Rochester, is No. 1 in a global list of “best smart hospitals.”

Article | Electronic Health Records

Most healthcare organizations want to augment current EHR workflows and would consider flexible outsourcing contracts

This pulse survey shows that there is no one-size-fits-all solution for managing today’s revenue cycle challenges. Savvy healthcare organizations know they need a combination of actionable insights and high-performance work teams to be successful.

Sponsored Content | Revenue Cycle

Revenue Cycle Operations Research Summary Report

HFMA, with sponsorship by Currance, surveyed 110 healthcare CFOs and revenue cycle, finance and accounting executives to understand how satisfied healthcare providers are with their current revenue cycle operations, and what they find most valuable.