By |September 2nd, 2020|Blog|0 Comments

Understanding the Exceptions to Information Blocking

For several decades, it has been the belief of many people within the healthcare industry and federal government that the digitization of healthcare information is the key to improving patient care while simultaneously reducing the cost of that care. They envision a world where an individual's health information flows freely between patient, provider, payer, researcher, and regulator. They hypothesize first that improved care will come from providers and patients having the information necessary to make appropriate and timely diagnosis and treatment decisions and second that cost savings will come from reduced friction in the flow of information, transparency or visibility into the cost of care, and the opening up of the healthcare market to increased competition.

This belief has driven much of the healthcare thinking and legislative activity since 1996’s Health Insurance Portability and Accountability Act (HIPAA). Beginning in 2011, it also resulted in the distribution of billions of dollars in federal incentives to qualified healthcare professionals and hospitals for the meaningful use of ONC-certified EHRs under the Health Information Technology for Economic and Clinical Health Act (HITECH). Despite the legislative action and investment, the hoped-for benefits of improved care and reduced cost remain elusive.

In late 2013, a study was completed for the Agency for Healthcare Research and Quality (AHRQ) by JASON, an independent panel of experts. The results published in a paper titled A Robust Health Data Infrastructure found that:

  • The current lack of interoperability among data resources for EHRs is a significant impediment to the exchange of health information and the development of a robust health data infrastructure. Interoperability issues can be resolved only by establishing a comprehensive, transparent, and overarching software architecture for health information.
  • The goals of improved healthcare and lowered healthcare costs can begin to be realized if health-related data can be explored and exploited in the public interest, for both clinical practice and biomedical research. That will require implementing technical solutions that both protect patient privacy and enable data integration across patients.[i]

The release of this study changed the focus of the proponents of digitization. Their attention moved from the broader effort promoting the adoption of electronic health information technology to overcoming the more specific hurdles to improving interoperability. Their chosen method for doing so is imposing standards for the exchange of health information, requiring the implementation of application programming interfaces (APIs) to facilitate the exchange and punishing any resistance, referred to as information blocking.


interoperability and info blocking


Section 4003 of the 21st Century Cures Act officially defines “interoperability” as health information technology that:

  1. enables the secure exchange of electronic health information with, and use of electronic health information from, other health information technology without special effort on the part of the user;
  2. allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
  3. does not constitute information blocking, as defined in section 3022(a).

ONC has stated that “without special effort” as used here requires standardization, transparency, and pro-competitiveness.

Information blocking is defined in Section 4004 of the Cures Act as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI). If a health IT developer, exchange, or network engage in the practice, it is only information blocking if they know or should know that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. If a healthcare provider engages in the practice, it is only information blocking if the provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.

Two Categories of Exceptions 

To further refine this definition, the Cures Act provides that the Secretary of HHS shall define through rulemaking, reasonable and necessary activities that do not represent information blocking. The Secretary provided this definition in the ONC Final Rule, setting out two categories of exceptions.

The first category of information blocking exceptions involves unfulfilled requests to access, exchange, or use EHI. These exceptions are listed in the ONC Final Rule as:

  1. Preventing Harm Exception
  2. Privacy Exception
  3. Security Exception
  4. Infeasibility Exception
  5. Health IT Performance Exception

For each exception in this category, the ONC Final Rule describes the conditions under which an organization can deny a request without penalty.

The second category of information blocking exceptions involves the procedures followed in fulfilling requests to access, exchange, or use EHI. These exceptions include:

  1. Content and Manner Exception
  2. Fees Exception
  3. Licensing Exception

Unlike the first category of exceptions that focused on circumstances where a request is denied, this second category focuses on the process through which a request will be honored. In other words, these exceptions target actions by an organization that might be viewed as discouraging or hindering a request as opposed to outright preventing or denying it.

As mentioned above, Section 4004 of the Cures Act defines a potential penalty of up to $1 million per violation for health IT developers and information networks determined by the Inspector General to have engaged in information blocking. Healthcare providers, on the other hand, will be referred to CMS if they have made a fraudulent attestation under the Promoting Interoperability Program or to the Office for Civil Rights (OCR) if there is a potential HIPAA violation.

For a deeper dive on this subject, I encourage you to review the on-demand recording of the webinar that my colleague Wes Morris and I recently presented. You can access it here.

Reach out to us with your questions at

[i] JASON, "A Robust Health Data Infrastructure." AHRQ, U.S. Department of Health and Human Services, April 2014,

Jon Moore