Cures Act Medical Records Access Explained: Your Rights, Information Blocking Rules, and What Providers Must Share


Kevin Henry

HIPAA

July 06, 2025


Cures Act Overview

What the 21st Century Cures Act changed

The 21st Century Cures Act modernized how your health data moves by prohibiting “information blocking” and requiring certified health IT to support standardized, app-friendly access. Its goal is simple: you can get your electronic health information (EHI) when you need it, in a usable format, without unnecessary delays or obstacles.

Key timelines and scope

The Information Blocking Rule has applied since April 5, 2021. From that date through October 5, 2022, required sharing focused on the United States Core Data for Interoperability (USCDI) v1. As of October 6, 2022, the scope expanded to virtually all EHI contained in a HIPAA “Designated Record Set” (DRS), excluding psychotherapy notes and information prepared for litigation.

EHI, USCDI, and the Designated Record Set

EHI is the electronic version of information about you that would be part of a DRS—medical and billing records and other data used to make decisions about you. USCDI defines a standardized set of data classes (for example, allergies, medications, clinical notes) that certified systems must be able to exchange. Today, information blocking protections apply to the broader EHI in your DRS, not just the USCDI subset.

Patient Rights to Electronic Health Information

Your core access rights

You have the right to access, receive, and use your EHI electronically. That includes clinical notes, lab and imaging results, visit summaries, care plans, and billing details that are part of your provider’s Designated Record Set. You can also direct your information to a third party, such as a caregiver or an app you choose.

Format, cost, and timeliness

Access should be provided electronically in the format you request if it is readily producible (for example, via patient portal download, secure email, or an API-connected app). Routine delays or blanket “result-hold” policies that keep you from your data are generally not allowed under the Information Blocking Rule.

Clinical notes and results

Clinical notes are part of EHI and must not be blocked unless an exception applies. Many organizations now release notes and test results to you in near real time to support transparency and coordinated care.

Information Blocking Rule Provisions

Who is covered (“actors”)

  • Healthcare providers (for example, hospitals, clinicians, clinics).
  • Health information networks/exchanges (HINs/HIEs).
  • Health IT developers of certified health IT (EHR and related vendors).

What counts as information blocking

Information blocking is any practice that is likely to interfere with the access, exchange, or use of EHI unless required by law or covered by an exception. The knowledge standard differs by actor: developers/HINs/HIEs “know or should know,” while providers “know” the practice is unreasonable and likely to interfere.

Common risk areas

  • Unnecessary delays releasing lab results or notes.
  • Contract terms or technical settings that prevent a patient-selected app from connecting to a certified API.
  • Charging unreasonable fees to access or export EHI.
  • Refusing to provide data in a readily available electronic format when feasible.

Healthcare Provider Responsibilities

Operational expectations

  • Enable patient portal and API access so you can view, download, and transmit your EHI.
  • Release results and notes promptly unless an exception applies.
  • Respond to requests in a timely manner and in the electronic format requested when readily producible.

Governance, workflows, and training

  • Adopt policies that map when exceptions apply and require case-by-case documentation.
  • Train staff to route requests correctly, avoid blanket delays, and honor app connections through standardized APIs.
  • Monitor turnaround times, patient complaints, and system settings that could inadvertently block access.

Health IT Developer Compliance dependencies

Providers rely on vendors whose certified systems must support FHIR-based APIs, EHI export, and other ONC Conditions of Certification. Vendor noncompliance can expose providers to operational risk, so contracting, testing, and change control should verify that certified capabilities remain enabled “without special effort.”


Exceptions to Information Blocking

The eight core exceptions

If all conditions of an exception are met, the practice is not information blocking. Each must be applied narrowly and documented:

  • Preventing Harm: To avoid a substantial risk of harm to a patient or another person.
  • Privacy: To protect an individual’s privacy (for example, honoring a valid restriction or authorization requirement).
  • Security: To safeguard the security and integrity of EHI and related systems.
  • Infeasibility: When fulfilling the request is infeasible despite reasonable efforts.
  • Health IT Performance: Temporary unavailability or degraded performance for maintenance or performance reasons.
  • Content and Manner: Limiting content or using an alternative manner when the exact request cannot be met but alternatives are offered.
  • Fees: Charging reasonable, cost-based fees that are not anti-competitive or exclusionary.
  • Licensing: Offering reasonable and non-discriminatory licenses to interoperability elements.

TEFCA-related safe harbors

ONC has also adopted TEFCA participation exceptions that, in defined circumstances, allow actors to fulfill certain requests via TEFCA-based exchange without it being considered information blocking.

Enforcement and Penalties

Developers, HIEs, and HINs

Health IT developers of certified health IT, HINs, and HIEs face civil monetary penalties of up to $1,000,000 per violation for information blocking. They also risk certification actions if they fail to meet ONC’s Conditions and Maintenance of Certification.

Healthcare providers

Providers are subject to HHS “disincentives,” not civil monetary penalties. Under rules finalized in 2024, when the HHS Office of Inspector General determines a provider committed information blocking, CMS may:

  • Revoke “meaningful EHR user” status in the Medicare Promoting Interoperability Program for that year, affecting hospital or CAH payments.
  • Assign a zero score in the MIPS Promoting Interoperability category for the performance year, lowering the overall MIPS score and future payment adjustments.
  • Make an ACO, ACO participant, or ACO provider/supplier ineligible for the Medicare Shared Savings Program for at least one year.

ONC also publishes certain details online about providers that receive a disincentive. OIG prioritizes cases that cause or risk patient harm, significantly impede care, are long in duration, or cause financial loss.

Health IT Developer Compliance reminders

  • Information Blocking and Assurances Conditions (no information blocking across all products and behaviors).
  • API Condition (standardized FHIR APIs for patient and population services).
  • Communications Condition (no “gag clauses” restricting safety, usability, or interoperability communications).
  • EHI Export capability for system- or patient-population–level export where applicable.

Access Methods for Medical Records

Patient portals

Most providers offer portals where you can view, download, and transmit your EHI—often including clinical notes, lab and imaging results, medications, allergies, and visit summaries. Many results now appear quickly to support timely decision-making.

Apps via standardized APIs

Certified systems must provide standardized FHIR APIs so you can connect a patient-chosen app to your record “without special effort.” This lets you consolidate records, track trends, and share data with caregivers or new clinicians using tools you control.

Direct requests to your provider

If you prefer or if a portal/app doesn’t meet your needs, you can submit a records request directly to your provider. You can ask for an electronic copy in the format you want if it’s readily producible and direct it to a third party of your choosing.

Practical tips

  • State clearly what data you want, the timeframe, and the electronic format.
  • When using apps, review privacy policies and permissions before connecting.
  • If access is delayed or denied, ask which exception is being applied and why.

Summary

The Information Blocking Rule makes your electronic health information accessible, app-ready, and portable. Providers, HIEs/HINs, and health IT developers must avoid practices that unreasonably interfere with access, follow narrow exceptions, and support standardized APIs. If you ask for your records electronically, you should get them—promptly, in a usable format, and without unnecessary barriers.

FAQs

What rights do patients have under the Cures Act?

You have the right to electronic access to your EHI, including clinical notes, test results, and billing information that form part of your provider’s Designated Record Set. You may choose the format when feasible (portal, secure email, or an app via API) and can direct information to a third party you designate. Psychotherapy notes and information prepared for legal proceedings are excluded.

How does the Information Blocking Rule protect patient access?

It prohibits actors from engaging in practices likely to interfere with the access, exchange, or use of EHI. Certified systems must offer standardized FHIR APIs so you can connect apps of your choice. Routine delays, anti-competitive fees, or technical/contractual barriers that keep you from your data are generally not allowed unless a specific exception applies.

What exceptions allow withholding medical records?

Eight narrowly tailored exceptions may apply: Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Content and Manner, Fees, and Licensing. Each has detailed conditions and requires case-by-case assessment. Separately, psychotherapy notes and information created for legal proceedings are outside the EHI definition.

How are providers penalized for non-compliance?

When OIG determines a provider committed information blocking, CMS may impose disincentives, such as loss of meaningful EHR user status in the Medicare Promoting Interoperability Program, a zero score in MIPS’ Promoting Interoperability category, or ineligibility for the Medicare Shared Savings Program for at least one year. Developers, HINs, and HIEs face civil monetary penalties of up to $1,000,000 per violation.
