Information Blocking Rule

The Information Blocking Final Rule went into effect in April of 2021, requiring
healthcare providers to provide and share information upon the legitimate request of
a patient or other healthcare provider without unreasonable delay.

What do healthcare providers need to know about information

The Information Blocking Final Rule is request driven—it has everything to do with
responding to a patient’s request (or request on behalf of the patient) for

Information blocking happens when a healthcare provider refuses to share patient
data upon request, or otherwise engages in behavior that interferes with the sharing
of that healthcare information. Information blocking does not supersede HIPAA.

Examples of information blocking can include:

  • When the provider refuses to share information with a non-affiliated healthcare
  • When the provider is able to complete a same-day information share but takes
  • When the provider charges a patient or a non-affiliated healthcare provider for
    access to information
  • When the provider uses a nonstandard or unusual health IT system that is likely
    to slow down communication with external providers

What are exceptions to the information blocking rule?

The Information Blocking Final Rule provides space for eight exceptions:

Exceptions that involve not fulfilling requests to access, exchange or use Electronic Health Information (EHI)

  1. Preventing harm
  2. Privacy
  3. Security
  4. Infeasibility
  5. Health IT performance


Exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI

  1. Content and manner
  2. Fees
  3. Licensing

More guidance on these exceptions is provided on the website of the Office of the
National Coordinator for Health Information Technology (ONC).

The ONC is enforcing these new rules on a case-by-case basis. Whether your
company’s practices are in compliance is something you should determine with your
IT and legal teams.

What kinds of changes should healthcare providers make to comply with the new rules?

Healthcare providers should already have policies and procedures in place for the
release of patient data. Those policies should be carefully reviewed to ensure
compliance with the information blocking rule. The policies should spell out how and
when the provider will share information, when it will refuse to share information in
accordance with the exceptions to the information blocking rule, and how these
decisions will be documented.

This is a big change in the world of healthcare information, so every provider should
take care to review its policies and procedures with its legal and IT teams.
Additionally, providers should be in communication with their EMR company and
other vendors that play a role in patient access to ensure a seamless transition to
compliance under the new law.


Contact Heather Skelton and John Gibson if you have a question about the new
information blocking rule or your company’s patient data policies.