FAQs: Interoperability and patient access

What is the information blocking rule?

On April 5, 2021, HHS issued regulations through the Office of the National Coordinator for Health Information Technology (ONC) that prohibit information blocking. Information blocking refers to actions by an ”actor” that could interfere with the access, exchange, or use of electronic health information (EHI), unless required by law or covered by a specific exception. The 21st Century Cures Act extends these regulations to health care providers, developers of certified health IT, and health information exchanges (HIEs)/health information networks (HINs).

Under HIPAA, covered entities can share protected health information for treatment, payment, or operations, but it was not required. Under the Information Blocking Rule, doctors and non-physician clinicians (NPCs) are required to share protected health information to other covered entities and other entities as directed by the patient. The Information Blocking Rule also lays out a set of exceptions (such as protecting patient privacy) where it is considered okay to not share information.

For more information regarding the exceptions (PDF) that may apply to you and your practice, please speak directly with your attorney.

What are the new penalties and disincentives for information blocking under the HHS Final Rule released on June 24, 2024?

Effective July 31, 2024, HHS will impose reimbursement penalties and other disincentives on physicians and non-physician clinicians (NPCs) found to be committing information blocking that affects their participation in Medicare programs. Previously, only developers faced penalties, but under the new rule, physicians and NPCs also face disincentives. This includes a public identification of offenders on the ONC website. Information blocking is defined as actions that obstruct access to, exchange, or use of electronic health information (EHI), unless an exception (PDF) applies.

How does the new rule impact physicians and non-physician clinicians?

The rule introduces penalties for physicians and NPCs who engage in information blocking, affecting their participation in the Medicare Promoting Interoperability Program, the Merit-based Incentive Payment System (MIPS), and the Medicare Shared Savings Program (MSSP).

• Medicare Promoting Interoperability Program: Hospitals or critical access hospitals (CAHs) that engage in information blocking will not qualify as meaningful EHR users, resulting in a payment reduction of three-quarters of the annual market basket update. For CAHs, payments will be limited to 100% of reasonable costs instead of 101%.

• Quality Payment Program: A physician found to be committing information blocking will not qualify as a meaningful user of certified EHR technology and will receive a zero score for the PI category. In group reporting, only the individual clinician committing the violation will face disincentives, not the entire group. However, if a group is found to have committed information blocking, disincentives will be applied at the group level. This disincentive affects the MIPS payment year, which comes two years later; for example, a determination in 2025 would impact the 2027 payment year.

• Medicare Shared Savings Program: An Accountable Care Organization (ACO) or its participants may be deemed ineligible for at least one year if found guilty of information blocking. This can lead to providers being removed from or barred from joining an ACO, potentially impacting the ACO’s participation in the program and resulting in lost revenue. If an ACO reapplies, CMS will review the ACO for any further violations and corrective actions.

How do I submit an information blocking claim, and what happens after submission?

Information blocking claims can be submitted online through ONC’s Report Information Blocking Portal. For details on the claim process, see the information blocking claim process (PDF). View ONC’s Information Blocking Claims: By the Numbers to see the total number of portal submissions received, number of submissions that represent claims of possible information blocking, and number of claims by type of potential actor and type of claimant.

How will OIG prioritize investigating allegations of information blocking?

OIG plans to focus on four main priorities when investigating these practices. They will prioritize cases where:

• the information blocking resulted in, is causing, or had the potential to cause patient harm;

• significantly affected a provider's ability to care for patients;

• persisted over a long period; and

• led to financial loss for federal health care programs or other government or private entities.

For more information visit the FAQs for ONC’s information blocking disincentives.

Who are the actors regulated in the final rule?

• Physicians and NPCs

• Health IT Developers of Certified HIT

• Health Information Networks (HIN) or Health Information Exchange (HIE)

Am I a covered Actor?

Review the terms and definitions available in the Heath Care Provider Fact sheet and IB Actors fact sheet (PDF).

What information must be shared?

Under the Information Blocking Rule, Electronic Health Information (EHI) refers to electronic protected health information (ePHI) that is part of a designated record set (DRS) as defined by HIPAA. After Oct. 6, 2022, physicians and other actors must share the full EHI, not just the USCDI elements. The DRS includes:

1. Medical and billing records maintained by or for a healthcare provider.

2. Enrollment, payment, claims, and case management records for health plans.

3. Records used by a covered entity to make decisions about individuals.

EHI excludes psychotherapy notes and information prepared for legal proceedings.

Visit ONC’s Understanding EHI for more information.

An actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking. Instead such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. Learn more about information blocking exceptions (PDF).

When is it okay not to share patient information?

The Information Blocking Rule is designed to require for all covered actors to share all electronic health information (see “What Information Must be Shared”) unless an exception can be applied. The rule lays out a set of exceptions that can be applied. These exceptions cover preventing harm, protecting privacy, security issues, feasibility of sharing, and problems with software. You can read about the exception in this ONC factsheet (PDF).

When would a delay in fulfilling a request for access, exchange, or use of EHI be considered an interference under the information blocking regulation?

A determination as to whether a delay would be an interference that implicates the information blocking regulation would require a fact-based, case-by-case assessment of the circumstances. That assessment would also determine whether the interference is with the legally permissible access, exchange, or use of EHI; whether the actor engaged in the practice with the requisite intent; and whether the practice satisfied the conditions of an exception. Please see 45 CFR 171.103 regarding the elements of information blocking.

Unlikely to be an Interference: If the delay is necessary to enable the access, exchange, or use of EHI, it is unlikely to be considered an interference under the definition of information blocking (85 FR 25813). You can read more about tan unlikely situation in this ONC factsheet (PDF).

Likely to be an Interference: It would likely be considered an interference for purposes of information blocking if a health care provider established an organizational policy that, for example, imposed delays on the release of lab results for any period of time in order to allow an ordering clinician to review the results or in order to personally inform the patient of the results before a patient can electronically access such results (see also 85 FR 25842 specifying that such a practice does not qualify for the “Preventing Harm” Exception). isit the info blocking exceptions page for more information and to view exceptions.

Where do I begin with info blocking?

According to the AMA (PDF), “Physicians should strike a balance between strict regulatory compliance and exercising his/her independent professional judgment — guided by personal and professional beliefs — as to what is in the best interests of patients, the profession, and the community.”

Ensure that your practice has a compliance program and find out if it has begun work on including information on info blocking compliance. If it has not, it is critical that your medical practice focus on updating your HIPAA policies and procedures to address the info blocking rule. View information on how you would comply with information blocking (PDF).

Would the Preventing Harm Exception cover a “blanket” several day delay on the release of laboratory or other test results to patients so an ordering clinician can evaluate each result for potential risk of harm associated with the release?

The ONC has noted that the Preventing Harm Exception would not cover a “blanket” several day delay on the release of lab test results or other results and so developing policies to meet these standards regarding sharing test results with patients should be done on an individualized basis. Such individualized determinations made in good faith by an ordering clinician, in the exercise of their professional judgment and in the context of the treatment relationship within which they order the test, would satisfy the type of risk and type of harm conditions of the Preventing Harm Exception. View more information on Information Blocking FAQs.

What is a digital contact? What should we know about updating our digital contact information? Specifically, where do providers find information on how to enter or update digital contact information associated with their National Provider Identifier (NPI) in the National Plan and Provider Enumeration System (NPPES) and what fields are required to complete their entry for digital contact?

Digital contact information, also known as endpoints, provide a secure way for health care entities, including providers and hospitals, to send authenticated, encrypted health information directly to known, trusted recipients over the internet. Health care organizations seeking to engage in electronic health information exchange need accurate information about the electronic addresses (for example, Direct address, FHIR server URL, query endpoint, or other digital contact information) of potential exchange partners to facilitate this information exchange. NPPES can now capture information about a wide range of endpoints that providers can use to facilitate secure exchange of health information (85 FR 25581).

What about making office notes, lab results, and other diagnostic reports available to patients?

These should be available to patients as soon as the physician’s office receives the electronic copy in their hands. It is likely that your practice or organization already has protocols set up for releasing information. The Academy recommends members reach out to their Risk Managers or General Council to make sure policies on patient access are updated appropriately. View information on releasing lab results (PDF).

What should we know about updating our digital contact information?

As of the end of May 2021, CMS began publicly reporting providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES). This includes providing digital contact information such as secure digital endpoints like a Direct Address and/or a Fast Healthcare Interoperability Resources (FHIR) application programming interfaces (API) endpoint. Publicizing this list aims to motivate providers to ensure their secure contact details are readily available, facilitating better care coordination and data exchange.

Be sure to update your NPPES digital contact information.

Updated: Aug. 6, 2024

Additional AAD Resources