Frequently Asked Questions
The facts and circumstances of each situation or allegation would need to be evaluated. Whether a practice constitutes information blocking depends on the unique facts and circumstances of the practice. More specifically, information blocking occurs when: an individual or entity engaging in a practice is an actor as defined in 45 CFR 171.102; the practice involves EHI as defined in 45 CFR 171.102; the actor meets the requisite knowledge standard applicable to the type of actor; the practice is likely to prevent, materially discourage, or otherwise inhibit the access, exchange, or use of EHI; the practice is not one that is required by law; and the practice is not covered by an exception under 45 CFR Part 171.
Yes, but only to the extent that the fees for the EHI export comply with the “Fees Exception” (45 CFR 171.302). For example, if the fees to export or convert data from the technology were not agreed to in writing at the time the technology was acquired, then the “Fees Exception” would not be available and such fees could implicate the information blocking definition unless another exception applies (45 CFR 171.302(b)(4)).
Note that if the EHI export would be performed using health IT certified under the ONC Health IT Certification Program (45 CFR Part 170) to the “EHI Export” certification criterion (45 CFR 170.315(b)(10)), a fee that is charged to perform such export for purposes of switching health IT or to provide patients their electronic health information (45 CFR 171.302(b)(3)) would not qualify for the “Fees Exception”.
Yes. On and after April 5, 2021, any actor’s agreements, arrangements, or contracts are subject to and may implicate the information blocking regulations in 45 CFR part 171.
No. The information blocking regulations do not require actors to have or use health IT certified under the ONC Health IT Certification Program. Actors subject to the information blocking regulations are not required to immediately upgrade their certified health IT (as of the applicability date (i.e., April 5, 2021)) if they also happen to participate in a separate regulatory program that requires the use of certified health IT, such as CMS’ Promoting Interoperability Programs.
Please review the questions under the "Electronic Health Information" heading for more information.
The applicability date for the information blocking regulations in 45 CFR part 171 was established in the ONC Cures Act Final Rule, and was subsequently adjusted in the ONC Interim Final Rule. The Interim Final Rule moved the applicability date from November 2, 2020 to April 5, 2021.
The Interim Final Rule also revised the information blocking definition in 45 CFR 171.103 to adjust the timeframe for the “USCDI limitation.” Before October 6, 2022, electronic health information (EHI) for the purposes of the information blocking definition is limited to the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.
Enforcement of the information blocking regulations depends upon the individual or entity that is subject of an enforcement action or "actor." For health IT developers and health information networks/HIEs, the HHS Office of the Inspector General posted its final rule implementing information blocking penalties. For health care providers, HHS has posted its proposed rule to establish appropriate disincentives as directed by the 21st Century Cures Act. For additional information, see the Disincentives Proposed Rule Overview fact sheet and the Disincentives Common Questions fact sheet.
Updated:
This FAQ has been updated to reflect the effective date of the HTI-1 Final Rule.
Yes, an individual’s request for a copy of their EHI in some form of physical media, such as where the EHI is printed to paper or copied onto a CD or USB drive, could implicate the information blocking regulations. The definition of information blocking includes any practice (act or omission by an actor, as defined at 45 CFR 171.102) that is not required by law or covered by an exception and that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) (as defined at 45 CFR 171.102). Importantly, however, any fee charged for providing this type of access to EHI that does not meet the Fees Exception (45 CFR 171.302) potentially could be considered information blocking.
We have consistently interpreted the broad definition of information blocking in section 3022(a) of the Public Health Service Act to encompass potentially any fee that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI (84 FR 7521, 85 FR 25880). This would include any fees charged to individuals for copies of their EHI furnished on paper or on electronic media (such as CDs or USB drives). To be covered by the Fees Exception, any fee(s) charged for copies of EHI on electronic media or printed to paper must meet all of its conditions, including that fees(s) are not among the list of excluded fees at 45 CFR 171.302(b). Of note, one of the exception’s conditions ensures alignment with HIPAA in that any fee prohibited by the HIPAA Privacy Rule for an individual’s right of access (45 CFR 164.524(c)(4)) is not covered by the Fees Exception. (84 FR 7540, 85 FR 25886).
No, it would not be information blocking if the actor’s practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202). All actors remain responsible for disclosing EHI only when the disclosure is allowed under all applicable federal laws. For example, actors who are HIPAA covered entities or business associates must comply with the HIPAA Privacy Rule and any other applicable federal laws that limit access, exchange, or use of EHI in particular circumstances. Adherence to such federal laws is not information blocking, if the other conditions of the Privacy Exception are also met.*
In particular, where federal law such as the HIPAA Privacy Rule does not permit EHI to be used or disclosed unless certain requirements (“preconditions”) are met, then an actor’s practice of not fulfilling a request to access, exchange, or use EHI when these preconditions are not met is not information blocking.*** The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the Privacy Exception outlines a framework for actors to follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not constitute information blocking when a precondition of applicable law has not been satisfied.
One example that highlights the alignment between the HIPAA Privacy Rule and the information blocking regulations is when a law enforcement official requests records of abortions performed from a clinic. As explained in the “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance issued by the Office for Civil Rights, there are certain preconditions that must be met before this disclosure can be made: “If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.” In this example, federal law does not permit the disclosure of EHI unless certain requirements are met, and therefore, the actor’s practice not to disclose EHI would not be information blocking. We note that this is just one example of how the HIPAA Privacy Rule gives individuals confidence that their protected health information, including information relating to abortion and other sexual and reproductive health care, will be kept private. Please see the guidance from the Office for Civil Rights for additional information and examples.
A second example of the alignment between the HIPAA Privacy Rule and the information blocking regulations is in circumstances where the HIPAA Privacy Rule permits a covered entity to use or disclose EHI only following receipt of a valid HIPAA authorization from the individual (patient) or the individual’s personal representative. If an actor does not have a valid HIPAA authorization from the individual or their personal representative that permits the use or disclosure of EHI for the requested purpose, then a precondition for disclosure is not satisfied. Accordingly, the actor’s practice of not disclosing EHI would not be considered information blocking if it is consistent with the requirements of the Precondition Not Satisfied sub-exception.
To emphasize, wherever any federal law requires the authorization of the individual to disclose the EHI, an individual may always choose not to give such authorization, and an actor who does not disclose the EHI would not be information blocking if the actor meets all applicable requirements of the Privacy Exception.
* For more information on how practices would be evaluated to determine whether the unique facts and circumstances constitute information blocking, please see the following FAQ: How would any claim or report of information blocking be evaluated? (IB.FAQ46.1.2022FEB)
** It is important to remember that the information blocking exceptions defined in 45 CFR part 171 subparts B and C are voluntary, offering actors certainty that any practice meeting the conditions of one or more exceptions would not be considered information blocking. An actor’s practice that does not meet the conditions of an exception would not automatically constitute information blocking. Rather, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. (See, e.g., IB.FAQ29.1.2020NOV).
*** “EHI” as defined in 45 CFR 171.102 is a subset of protected health information (PHI). See 45 CFR 160.103 (definition of “protected health information”). For more information on the HIPAA Privacy Rule, who must comply with it, and its conditions for disclosures of protected health information (PHI), please see resources of the Office for Civil Rights at HHS.gov/HIPAA.
The Preventing Harm Exception at 45 CFR 171.201 relies on the same types of harm as apply for a covered entity to deny access to protected health information under the HIPAA Privacy Rule (see 45 CFR 164.524(a)(3)). Where an actor's practice, based on an individualized (45 CFR 171.201(c)(1)) determination of risk, is likely to interfere with a patient's or patient representative's access, exchange, or use of the patient's EHI, the type of harm (45 CFR 171.201(d)) needed for the exception to apply depends on who is seeking access to the EHI, and what EHI they are seeking to access.4
The table below shows the type of harm recognized under the Preventing Harm Exception for several commonly encountered patient access scenarios.1
|
Access, exchange, or use of patient's EHI |
EHI for which access, exchange, or use is affected by the interfering practice is |
Applicable type of harm1 |
Regulation Text References |
|
Patient exercising own right of access |
Patient's EHI |
Danger to life or physical safety of the patient or another person |
§ 171.201(d)(3), referencing HIPAA Privacy Rule § 164.524(a)(3)(i) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 164.524(a)(3)(ii) |
|
|
Patient's personal representative as defined in HIPAA Privacy Rule (45 CFR 164.502) exercising right of access to patient's EHI (for example, parent of a minor child)2 |
Patient's EHI |
Substantial harm3 to the patient or to another person |
§ 171.201(d)(1), referencing HIPAA Privacy Rule § 164.524(a)(3)(iii) |
|
Patient's EHI that references another person |
Substantial harm3 to such other person |
§ 171.201(d)(2), referencing HIPAA Privacy Rule § 45 CFR 164.524(a)(3)(ii) |
|
| Notes: | |||
|
1 - For simplicity of presentation, this table focuses only on patient access use case examples where risk has been determined on an individual basis (45 CFR 171.201(c)(1)). Where the risk arises from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason (45 CFR 171.201(c)(2)), the exception's applicable type of harm conditions (45 CFR 171.201(d)(3) and (4)) recognize only danger to life or physical safety of the patient or another person. |
|||
|
2 - For more information about the definition of a “personal representative” under the HIPAA Privacy Rule, please see https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html |
|||
|
3 - “Substantial harm” includes “substantial physical, emotional, or psychological harm” (see, for example, HIPAA Privacy Rule preamble at 65 FR 82556). |
|||
|
4 - In order for the Preventing Harm Exception to cover any practice likely to interfere with access, exchange, or use of EHI based on an individualized (45 CFR 171.201(c)(1)) determination of risk, the practice must also satisfy requirements in 45 CFR 171.201(a), (b), (e), and (f). |
|||
For more information about the Preventing Harm Exception, please reference the ONC Cures Act Final Rule preamble discussion and the other FAQs under the Preventing Harm Exception heading.
For more information about the HIPAA Privacy Rule, the Privacy Rule individual right of access, or grounds for denial of access under the Privacy Rule, please visit the Health Information Privacy section of the HHS website.
No. Unless an actor reasonably believes a practice that interferes with a parent or other legal representative’s requested access, exchange, or use of the minor’s electronic health information (EHI) will substantially reduce a risk of at least substantial harm to the patient or another person, the Preventing Harm Exception is not designed to cover that practice.
The Privacy Exception contains a sub-exception (45 CFR 171.202(e)) that covers practices respecting an individual’s request not to share information, subject to certain conditions.
Yes. The Preventing Harm Exception’s type of harm condition relies on the same types of harm that serve as grounds for reviewable denial of an individual’s right of access under the Privacy Rule (45 CFR 164.524). (See ONC Cures Act Final Rule preamble Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards.)
In most instances, including where a practice interferes with a patient’s own or the patient’s other health care providers’ legally permissible access, exchange, or use of the patient’s electronic health information (EHI), coverage under the Preventing Harm Exception requires that the risk be of physical harm. (See 45 CFR 171.201(d)(3) and (4).)
However, the Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI and to the patient’s or their representative’s access to other persons’ individually identifiable information within the patient’s EHI in some circumstances. (See 45 CFR 171.201(d)(1) and (2)).
No. Blanket delays that affect a broad array of routine results do not qualify for the Preventing Harm Exception. The Preventing Harm Exception is designed to cover only those practices that are no broader than necessary to reduce a risk of harm to the patient or another person.
As we discussed in the Cures Act Final Rule, a clinician generally orders tests in the context of a clinician-patient relationship. In the context of that relationship, the clinician ordering a particular test would know the range of results that could be returned and could prospectively formulate, in the exercise of their professional judgment, an individualized determination for the specific patient that:
- withholding the results of the particular test(s) from the patient would substantially reduce a risk to the patient’s or another person’s life or physical safety
- or - - that withholding the results of the particular test(s) from a representative of the patient would substantially reduce a risk of substantial harm to the patient or another person.
Such individualized determinations made in good faith by an ordering clinician, in the exercise of their professional judgment and in the context of the treatment relationship within which they order the test, would satisfy the type of risk and type of harm conditions of the Preventing Harm Exception. Actors, including but not limited to the ordering clinician, could implement practices in reliance on such determinations and the Preventing Harm Exception would cover such practices so long as the practices also satisfy the other four conditions of the exception.
No. The reasonable belief condition does not include a requirement that the harm be expected to occur within a particular time period or that the likelihood of the harm be high enough to be considered “imminent.” (See 45 CFR 171.201(a)). The Preventing Harm Exception’s reasonable belief condition requires an actor engaging in a practice likely to interfere with a patient’s access, exchange, or use of their own EHI to have a reasonable belief that the practice will substantially reduce a risk to life or physical safety of the patient or another person that would otherwise arise from the affected access, exchange, or use.
Yes, where the risk of harm has been determined on an individualized basis and all other conditions of the Preventing Harm Exception are met. For example, the practice must be no broader than necessary and the actor must reasonably believe the practice will substantially reduce the risk of harm. (For all the conditions of the Preventing Harm Exception, please see 45 CFR 171.201.)
For purposes of the Preventing Harm Exception, a parent or legal guardian would be considered a patient’s legal representative. The Preventing Harm Exception’s type of harm condition applies a “substantial harm” standard for practices interfering with a patient’s representative’s requested access, exchange, or use of the patient’s EHI. (See 45 CFR 171.201(d)(1)).
The type of harm conditions for Preventing Harm Exception coverage of practices interfering with patients’ and their representatives’ access to EHI on the basis of an individualized determination of risk are specifically aligned with the HIPAA Privacy Rule’s grounds for reviewable denial of an individual’s right of access under the Privacy Rule. (See also ONC Cures Act Final Rule preamble discussion and Table 3—Mapping of Circumstances Under § 171.201(d) to Applicable Harm Standards).