Information Blocking Rule: What Practices Must and Must Not Do
The 21st Century Cures Act information blocking rule prohibits health care providers, IT developers, and health information networks from interfering with the access, exchange, or use of electronic health information. Enforcement against providers began with OIG penalties effective in 2024. Most non-compliance flags fall into a small number of recurring patterns.
Who Is Covered and What Counts as Information Blocking
Health care providers, certified health IT developers, and health information networks are the three categories of actors covered by the rule, defined under 45 CFR 171.
Information blocking is defined as a practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (EHI). EHI is defined broadly to include the data within a designated record set.
The expanded EHI definition went into effect October 6, 2022, and now applies to essentially all electronic protected health information held by a covered actor.
Examples of practices commonly flagged: charging fees that exceed reasonable cost, requiring unnecessary documentation before release, deploying technology that limits export to a proprietary format, or imposing delays on portal release of test results without justification.
The Eight Exceptions
Preventing harm: Practices reasonably necessary to prevent physical harm to a patient or another person, applied case-by-case with documentation of the threat.
Privacy: Practices that comply with privacy law (HIPAA, state privacy law) where release would be inconsistent with the law.
Security: Practices reasonably necessary to mitigate a security risk to EHI.
Infeasibility: When the actor cannot fulfill the request because of technical limitations or other reasons documented at the time.
Health IT performance: Allows for reasonable maintenance windows and performance issues, with documented response.
Content and manner: Allows the actor to fulfill in a different manner than requested if the requested manner is not feasible, with conditions on what alternatives are acceptable.
Fees: Permits charging fees if they meet the reasonable cost standard and exclude profit margin on the access function itself.
Licensing: Permits licensing of interoperability elements under reasonable conditions, with restrictions on terms.
Penalties and Enforcement
OIG enforcement against health care providers began with a final rule effective in 2024. Disincentives apply rather than civil monetary penalties for providers, but the disincentives are substantial.
Disincentives include: Medicare Promoting Interoperability program adjustments, ineligibility for MIPS Promoting Interoperability category credit, and ineligibility for ACO program participation. The financial impact varies by practice but can reach hundreds of thousands of dollars per year for large groups.
Civil monetary penalties of up to $1 million per violation apply to health IT developers and health information networks. Provider penalties take the form of disincentives rather than direct CMPs.
Investigations can be triggered by patient complaints to the HHS Office of the National Coordinator (ONC) or by competitor complaints filed with OIG.
Practical Compliance Steps
Audit your patient portal and release-of-information workflow for delays. Test results, clinical notes, and discharge documents should release per your default policy unless an exception applies and is documented.
Review fee schedules for record requests against the reasonable cost standard. Charging the patient $0.10 per page can be challenged if the actual cost is lower.
Confirm that your EHR vendor supports the full Common Clinical Data Set and FHIR-based bulk export. If your contract restricts export, that may itself be an information blocking issue for the vendor.
Document any case-by-case decision to delay or restrict release. The exception is only available if the rationale was contemporaneous and specific. Retroactive justification does not satisfy the rule.
Can I delay portal release of an abnormal lab result so I can call the patient first?
The rule generally disfavors automatic delays. A short hold to call the patient first is sometimes defended under the harm exception, but only when there is a documented case-by-case reason to believe immediate release would cause physical harm. Blanket delays for all abnormal results have been flagged as likely information blocking. Coordinate with your privacy officer and document any delay.
What about adolescent records and parent access?
State law largely controls. In states with strong adolescent confidentiality laws, certain records (mental health, reproductive health) may be withheld from parent portal access. The privacy exception covers this when state law requires the restriction. Document the legal basis.
Do I have to give patients access to my private clinical notes?
Yes for clinical notes within the designated record set. Eight types of clinical notes are explicitly required to be shared under the ONC rules: consultation, discharge summary, history and physical, imaging, lab, pathology, procedure, and progress notes. Psychotherapy notes that are kept separately remain excluded.
For practices
Bring this to your own practice.
QR Rx turns every procedure into a branded recovery plan that keeps patients engaged and brings them back. Start free in minutes, or see it live in a 20-minute demo.
This blog provides general information about healthcare compliance and aftercare best practices. It does not constitute legal, medical, or regulatory advice. Consult qualified professionals for guidance specific to your practice.