The 21st Century Cures Act Part Two: Information Blocking and Interoperability


One of the key goals of the CURES Act, and the Office of the National Coordinator for Health Information Technology’s (ONC) associated Final Rule, is to give patients control over their own health information by giving them unimpeded access to their data and records. This is intended to increase their engagement in care, increase safety, and decrease costs.


This goal is laudable. It is also a significant paradigm shift that will generate questions for practicing physicians as they implement the required items. For example, patients may read their physician’s notes in near real-time or see test results before their physician sees them. Physicians must understand the requirements and what they need to do to ensure compliance, avoid accusations of information blocking, and avoid potential penalties.


The CURES Act explicitly prohibits “information blocking” (as noted in our Part One article https://www.himss.org/resources/21st-century-cures-act-part-one-overview). This practice by a healthcare provider may be defined as any activity that the provider knows “…is unreasonable and is likely to interfere with access, exchange, or use of electronic health information…” (EHI) unless required by law or otherwise excluded by rulemaking as discussed below. Collectively, the portion of the CURES Act prohibiting information blocking and its associated implementing regulations may be referred to as the Information Blocking Rule (IBR). CURES specified that the IBR be created by ONC and the Department of Health and Human Services Office of Inspector General. This left a time gap between when the CURES Act was released and when the details of the IBR were finally defined.


Physicians have long practiced under a HIPAA provision that allowed covered entities to share protected health information (PHI). Now, under the IBR, sharing is required when directed by the patient. The Rule also goes beyond just the concept of PHI and addresses EHI, the electronic PHI in a designated record set. Through October of 2022, the rule stipulates that the data that must be shared is limited to United States Core Data for Interoperability (USCDI) Version One. However, as of October 6, 2022, the information blocking definition requires the full scope of electronic PHI in the designated record set to be shared. This includes the significant majority of the medical record in most cases.


Physicians should understand that because the IBR explicitly prohibits information blocking, they must share data without delays in nearly all cases. Data sharing is intended to empower patients to be more engaged in their care and shared decision making. Ready access to their data allows patients to continuously pursue health and wellbeing beyond the confines of in-person interactions with their physicians. Similarly, the availability of data to apps expands their utility and advances the goal of patient-centric care and patient engagement, while allowing for healthy competition between app developers.


ONC’s FAQs around information blocking are a key resource in understanding the requirements overall and are well worth reviewing.


Of note, the CURES Act does not preclude the need to comply with other federal or state laws. Discussing the interaction between state laws and CURES is beyond the scope of this article; it is incumbent on physicians to understand their own state’s laws regarding data sharing and privacy.


Clinical Impact

One of the biggest changes brought by IBR is the widespread adoption of clinical notes that a patient can read in near real-time.


Well before CURES, an organization called OpenNotes® existed. OpenNotes defines itself as “the international movement that advocates for transparent communication in healthcare and studies the effects of shared notes in patients’ records. We call these open notes.” OpenNotes provides a number of resources that may be helpful to review when adjusting to the requirements of the IBR. (Confusingly, people sometimes also refer to the note release requirements of IBR as “open notes” but this shouldn’t be confused with “OpenNotes” the organization).


Although many organizations and physicians were already making results immediately accessible to patients, others had not yet adopted this approach. Clinical laboratories and medical imaging centers are included in the requirements of IBR. Thus, these entities are required to provide patients digital access to test results. Similarly, in most cases, the physician’s EHR will need to release results to a patient portal without delay. For many physicians and patients, the IBR will mean adjusting to a situation in which patients see results before physicians have had the opportunity to review, analyze, and notify the patient of the results and interpretations.


However, a patient or their representative may request a delay in the release. Thus, if a test is being ordered in a sensitive scenario, such as an imaging study to assess for cancer, it may be worth discussing with the patient whether they would prefer a delay in the release of the results so that there is time to review the result and discuss it with them before the result appears on the portal. The ability to offer this will be contingent on the capabilities of an individual EHR, many of which differ in this regard. Of note, the IBR does not require an entity to notify the patient that the result is available or prompt the patient to review the result. A patient who doesn’t want to look at their result is free to not look, or simply delay looking.



The IBR is explicit that in general data must be shared, but exceptions do exist. These exceptions should be identified on a case-by-case basis for individual patients, their circumstances, and the practicality of the requests. The reasons for each exception should be carefully documented, keeping in mind that the burden of proof rests with those who invoke the exception.


The following have been defined by ONC as exceptions:

  1. Exceptions that involve not fulfilling requests to access, exchange, or use:
    • Preventing Harm Exception
    • Security Exception
    • Health IT Performance Exception
    • Privacy Exception
    • Infeasibility Exception

  2. Exceptions that involve procedures for fulfilling requests to access, exchange, or use:
    • Content and Manner Exception
    • Fees Exception
    • Licensing Exception



Two questions that are commonly raised by physicians regarding exceptions center around the Preventing Harm and the Privacy Exceptions, covered below.



Preventing Harm

The Preventing Harm Exception raises the most questions. ONC states: “It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met.”


The criteria for claiming the harm exception are limited: for a patient requesting their own EHI, withholding for harm must entail “…danger or life or physical safety of the person or other person.” If the data references another person, or is being requested by the patient’s representative, then consult the table here for the relevant threshold, as those scenarios include the risk of “substantial physical, emotional, or psychological harm.” However, when the patient is requesting their own data, the threshold is the risk of actual physical harm, not emotional or psychological harm.


Additionally, per ONC:

  • The actor must hold a reasonable belief that the practice will substantially reduce a risk of harm.
  • The actor’s practice must be no broader than necessary.
  • The actor’s practice must satisfy at least one condition from each of the following categories: type of risk, type of harm, and implementation basis.
  • The practice must satisfy the condition concerning a patient right to request review of an individualized determination of risk of harm.



Privacy Exception

The Privacy Exception includes:

  • Not releasing records if preconditions required by state or federal law are not met, such as patient consent.
  • If the patient requests the information not be released.
  • Cases enumerated by 45 CFR 164.524(a)(1) and (2) including:
    • Psychotherapy notes.
    • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
    • When the provider is “acting under the direction” of a correctional institution and patient is an inmate and there are risks to “health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.”
    • Ongoing research where the patient has consented to the temporary denial of access to the records.
    • “An individual's access to protected health information that is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that law.”
    • “If the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.”


For most physicians in common scenarios, this last item will be the most relevant one to keep in mind.



Penalties and Enforcement

When data is not shared and an applicable exception does not exist, physicians and health systems may be subject to penalties. Complaints are received by the HHS Office of the Inspector General (OIG) which can investigate to determine if there were indeed actions taken to interfere with access, exchange, or use of EHI and potentially impose penalties.


For Health Information Networks, Health Information Exchanges, and Health IT Developers, penalties may be up to $1 million per violation. This Enforcement Regulation is not finalized yet, so although Information Blocking is in effect, and applicable to all covered actors, the enforcement piece needs to be finalized before any penalty phase can begin. The penalties for Healthcare Providers are still being established, but ONC is actively working on this and the HHS Secretary has said that enforcement is “long overdue”.


Notably, ONC has released data on information blocking complaints, and the significant majority are by patients about providers.



ONC is also supported by the law as having a continued role in the regulation and development of standards within health information technology (IT). ONC was charged with assisting public-private partnerships to create exchange networks of health information networks with participants making common agreements and agreeing to standards. This is referred to as the Trusted Exchange Framework and Common Agreement (TEFCA). This effort directly promotes interoperability among the country’s disparate EHR landscape, particularly those that do not allow for robust interoperability today.


Working with the National Institute of Standards and Technology (NIST) and other federal agencies, ONC was directed by CURES to work towards a "…full network to network exchange of health information." A provider directory is to be created listing those that have adopted the agreement and data exchange standards.


Health and Human Services (HHS) also has a role in this area in that they are to educate providers about health information exchanges (HIEs), with a goal of educating providers as to how they can use HIEs to support their care of patients, and to clear up misunderstandings commonly held by providers about HIEs.


Although there is a high level of use of computerized records by physicians for the documentation of patient care, patient access to those records has frequently remained onerous. The act allows patients access to their digital health information at a low cost and via an automated process. Patients can now have that access via the app of their choice. Standardized application programming interfaces (APIs) are used for such access and are automated to the level that individuals within a clinician’s office do not need to function as intermediaries to that access.


The availability of apps for both mobile devices and computers continues to increase at explosive rates. These apps are useful across the healthcare spectrum to physicians, their offices, hospitals, and health systems, and, of course, patients. CURES calls for open APIs that allow for secure access to data for applications. Certified apps are to be made available in a safe, secure, and affordable manner. By supporting open APIs, the goal is to support innovation and increase the availability of robust apps.




What ONC's Cures Act Final Rule Means for Clinicians and Hospitals

Information Blocking FAQs

ONC final rule


CURES Act Text:

H.R.34 - 21st Century Cures Act


HIMSS 21st Century Cures Act Resource Page

HIMSS on the 21st Century Cures Act


The Sequoia® Project

Information Blocking Compliance Resource Center


OpenNotes®:

OpenNotes Overview


American Medical Association (AMA):

New information-blocking rules: What doctors should know


American Academy of Family Practitioners (AAFP):

Information Blocking Rule FAQ


American Academy of Pediatrics (AAP):

21st Century Cures Quick Talks (Videos)


American College of Cardiology (ACC):

What You Need to Know: Information Blocking Provisions of 21st Century Cures Act


American College of Emergency Physicians (ACEP):



American College of Obstetricians and Gynecologists (ACOG):

The 21st Century Cures Act Implementation: What Obstetrician-Gynecologists Should Know

CURES checklist


American College of Physicians (ACP):

FAQ on Information Blocking: To Block or Not Block


American Optometric Association (AOA):

21st Century Cures Frequently Asked Questions


American College of Surgeons (ACS):

Information Blocking - What Surgeons Need to Know


American Psychiatric Association (APA):

The Office of the National Coordinator: Interoperability and Information Blocking Final Rule Overview for Psychiatrists


The views and opinions expressed in this blog or by commenters are those of the authors and do not necessarily reflect the official policy or position of HIMSS or its affiliates and do not constitute legal or medical advice.