Go to AAD Home
Donate For Public and Patients Store Search
Go to AAD Home
Main menu
Membership
Meetings & Education
Practice management
Clinical & quality
Publications & apps
Career development
Advocacy
Back
Account
Pay dues
Member ID
Join the AAD
Member benefits
Find a member
AAD governance
Support AAD
Community Programs
AAD Help Center
2026 Annual Meeting
2026 Innovation Academy
Academy meetings archive
Professional education
Claim CME & view transcript
Upcoming events
Residents & medical students
Patient education materials
DataDerm
Coding Resource Center
MIPS & fee schedule
Teledermatology
EHR & health tech
Insurance & drugs
Compliance & practice scope
Managing your practice
Contact PM staff
Clinical guidelines
Quality measures
DataDerm
Quality & patient safety
Clinical Community
Clinical care resources
Position statements
JAAD
JAAD International
JAAD Case Reports
Dermatology World
DermWorld Insights & Inquiries
Derm Coding Consult
DermWorld Meeting News
Impact Report
Other publications
Academy Apps
Career launch
Job board
Burnout & wellness
Diversity
Awards, grants, and scholarships
Leadership Institute
Volunteer opportunities
Ethics & professionalism
Take action
Advocacy priorities
State advocacy resources
Legislative Conference
Position statements
Promote the specialty
Key Contacts
Patient advocate resources
SkinPAC
Advocacy Update
Welcome!
Advertisement
Advertisement

Information blocking rules for physicians and other health care providers

Robert M. Portman, JD, MPP

Legally Speaking

Robert M. Portman, JD, MPP, is a health care attorney with Powers Pyles Sutter & Verville, in Washington, DC, and serves as legal counsel for the AAD and AADA.

By Allyn Rosenberger, JD, MPH, Jason Qu, JD, and Rob Portman, JD, MPP, August 1, 2024

Every month, DermWorld covers legal issues in “Legally Speaking.” This month’s authors are health care attorneys with Powers Pyles Sutter & Verville PC in Washington, D.C. Portman is also outside general counsel for the AAD and AADA.

Since 2021, federal law has prohibited physicians and other health care providers from interfering with the access, exchange, or use of electronic health information (EHI), a practice known as “information blocking.” Late last year, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) and CMS released a proposed rule that would, for the first time, penalize certain physicians and non-physician providers if they commit information blocking. In anticipation of these penalties being finalized, dermatologists should familiarize themselves with the types of EHI that must be readily accessible to patients and other requestors under the information blocking rules.

To guide AAD members in that effort, the following article provides an overview of the relevant information blocking requirements and exceptions, as well as the proposed penalties for non-compliance and their applicability.

Information blocking requirements

The 21st Century Cures Act and its regulations (the Information Blocking Regulations) prohibit physicians and other health care providers, as well as health IT developers and health information exchanges/networks, from engaging in “information blocking.” The Information Blocking Regulations define information blocking as a practice that is likely to prevent, materially discourage, or otherwise inhibit the access, exchange, or use of electronic health information. EHI is electronic protected health information (ePHI) in a designated record set, as those terms are defined in HIPAA regulations. This typically includes medical, billing, and case management records, as well as other records physicians use to make decisions about patients. It excludes psychotherapy notes.

A physician violates the prohibition against information blocking if the physician knows that their actions (or failures to take action) are (i) unreasonable and (ii) likely to interfere with the access, exchange, or use of EHI, even if no harm materializes. While physicians are not required to proactively make EHI available to patients who have not requested their data, once a patient requests their EHI, a failure or unreasonable delay in providing access may be considered information blocking. Other particularly high-risk information blocking activities may include interference with:

  • Payers seeking EHI to confirm clinical value.

  • Requests of EHI for patient safety or public health.

  • Other physicians or providers requesting EHI for treatment or quality improvement.

The Information Blocking Regulations do not mandate the use of specific technologies; nor do they require that data be provided in a specific manner. Examples of potential violations arising from the manner in which EHI is provided include:

  • A physician or provider requiring a patient’s written consent before sharing the patient’s EHI with other physicians or providers for treatment purposes.

  • A physician or provider taking several days to provide a patient with their EHI when the physician or provider had the ability to provide same-day access.

  • A physician or provider that implements health information technology (IT) in nonstandard ways that are likely to increase the burden of accessing, exchanging, or using EHI.

  • A physician or provider that disables or restricts the ability of their health IT system to share EHI with other systems.

Physicians can also experience information blocking themselves when, for example:

  • Accessing patient records from their own institutions or other physician or providers.

  • Connecting their electronic health record (EHR) systems to local health information exchanges.

  • Migrating to a new EHR system.

  • Linking their EHRs with a clinical data registry.

Practice management resources

Check out the Academy’s practice management resources at staging.aad.org/practice.

Exceptions

Eight exceptions to the information blocking rules address circumstances under which it is reasonable or necessary for physicians or health care providers to limit the access, exchange, or use of EHI. If a physician satisfies at least one exception, the physician will not be subject to the enforcement actions detailed below for that circumstance. However, the exception — and the facts and circumstances associated with it — must be well-documented before a physician may claim it.

Exceptions for not fulfilling information requests:

1. Preventing harm: The physician or health care provider reasonably believes that not fulfilling an EHI request will substantially reduce a risk of harm to a patient or another person.

2. Privacy exemption: The physician or provider does not fulfill an EHI request to protect an individual’s privacy. For example, some state laws impose preconditions before a physician can release information about HIV status information or reproductive health care. A physician can and should restrict the access, exchange, or use of such information until they have complied with the required preconditions.

3. Security: The physician or provider does not fulfill an EHI request for reasons directly related to safeguarding the confidentiality, integrity, and availability of EHI.

4. Infeasibility: The physician or provider does not fulfill an EHI request due to legitimate practical challenges beyond their control such as those related to technological capabilities, legal rights, or unreasonable cost.

5. Health IT performance: The physician or provider does not fulfill an EHI request because they are taking reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT.

Exceptions for procedures for fulfilling information requests:

6. Content and manner: Under certain circumstances, the physician or provider may limit or alter the content of its response or the manner in which it responds to an EHI request.

7. Fees: Under certain circumstances, a physician or provider may charge fees for accessing, exchanging, or using EHI. Such fees must be based on objective and verifiable criteria, uniformly applied, reasonably related to the costs of providing access to the EHI, and not be based on whether the requestor is a competitor of the physician or provider.

8. Licensing: A physician or health care provider’s practice of licensing interoperability elements for EHI to be accessed, exchanged, or used will not be considered information blocking if the practice meets certain timing requirements and licensing conditions.

Failure to fall under an exception does not automatically mean that a physician is engaging in information blocking. Instead, the physician would be evaluated under the specific facts and circumstances to determine whether they had the requisite “knowing” intent and whether their actions rose to the level of unreasonable interference required to violate the information blocking prohibition.

Enforcement

Health IT developers and health information exchanges/networks are already subject to civil monetary penalties of up to $1 million for information blocking. However, physicians are not subject to these fines. The Proposed Rule would instead establish “disincentives” for physicians who have been determined by the Office of Inspector General (OIG) to have committed information blocking. Notably, the proposed enforcement rule would only apply to hospitals, Merit-Based Incentive Payment System (MIPS) clinicians, and Accountable Care Organization (ACO) Shared Savings Program (SSP) participants.

The following chart provides a summary of the proposed disincentives, which do not vary based on the severity of the information blocking conduct. Penalties also do not vary based on the number of instances of information blocking within an applicable performance period, as the penalties apply for a whole performance period.

Existing OIG regulations have established the following enforcement process:

Entity typeAppropriate enforcing agencyPenaltyImpact

MIPS
clinician

CMS

Score of zero on the Promoting Interoperability performance category.

Potential for payment penalty in MIPS program performance period.

Hospital

CMS

Will not receive ¾ of annual market basket update for being a meaningful EHR user.

Median disincentive amount of $394,353, dependent on size of base of the inpatient prospective payment system (IPPS) payments.

ACO
participant

CMS

Prohibited from participating in SSP for one year.

Loss of potential revenue attributable to participation in SSP.

1. Investigation. The OIG investigates an information blocking complaint, in consultation with ONC.

2. Referral. When the OIG determines that information blocking has occurred, it will refer the claim to the appropriate enforcing agency, such as HHS.

3. Imposition of disincentives. The enforcing agency will impose appropriate disincentives and send notice to the physician or health care provider. HHS has not proposed allowing physicians to submit a corrective action plan before imposing penalties. HHS also does not discuss any appeal mechanisms in the Proposed Rule.

4. Public posting. Once a penalty has been imposed by the agency, the ONC will post on its public website information about actors that have committed information blocking.

Interaction with HIPAA

HHS has made it clear that the Information Blocking Regulations were designed to be consistent with HIPAA. They do not require the disclosure of EHI that HIPAA would not already permit. However, if a physician is permitted to provide access, or exchange or use EHI under HIPAA, then the Information Blocking Regulations also require the physician to facilitate EHI requests, assuming they are not prohibited by law and that no exception is available.

Learn more about HIPAA compliance at the Academy's HIPAA Resource Center.

Conclusion

While physicians have been prohibited from information blocking for several years, they have not been subject to any enforcement action. That could soon change for MIPS clinicians and ACO SSP participants who would be subject to proposed disincentives for violating the information blocking prohibition. The AAD will continue to monitor this issue closely and update members when such disincentives are finalized, and when HHS proposes disincentives for other categories of clinicians.

Want more Legally Speaking?

Check out archives of the most popular Legally Speaking articles.

This article is provided for informational and educational purposes and is not intended to provide legal advice and should not be relied upon as such. Readers should consult with their personal attorneys for legal advice regarding the subject matter of this article.

Additional DermWorld Resources

In this issue

From the Editor
Few words make a dermatologist grimace more than ‘iPLEDGE.’

What’s hot
This month’s news from across the specialty

Clinical Applications
What are treatment recommendations for managing CCCA?

Feature
Putting the pieces together

Derm Coding Consult
CMS releases 2024 first and second quarter NCCI edits

Ask the Expert
Medicare physician payment reform

Feature
iPLEDGE update: Changes ahead

Answers in Practice
Easing administrative burdens

Feature
Making lemonade

From the President
Your Academy’s educational content is unmatched.

Asked and Answered
What is the AAD Clinical Community?

Donor Spotlight
Shawna Flanagan, MD, FAAD

Facts at your Fingertips
DataDerm annual report: Demonstrating the power of data

Classifieds
Classifieds
Advertisement

The American Academy of Dermatology is a non-profit professional organization and does not endorse companies or products. Advertising helps support our mission.

Opportunities

Advertising | Sponsorship

Advertisement
Advertisement
Advertisement