HIPAA and the Information Blocking Rule: What It Means and How to Comply


Kevin Henry

HIPAA

June 16, 2025

8 minutes read

Information Blocking Definition

The Information Blocking Rule, established under the 21st Century Cures Act and implemented at 45 CFR part 171, prohibits any practice by an "actor" that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI), except where the practice is required by law or meets all conditions of a regulatory exception. The rule also carries a knowledge standard: for developers of certified health IT and health information networks or exchanges, a practice is information blocking if they know or should know it is likely to interfere; for health care providers, only if they know the practice is unreasonable and likely to interfere.

In plain terms, information blocking occurs when policies, technical configurations, contracts, or behaviors needlessly delay, deter, or prevent lawful sharing of EHI. Examples include unjustified delays in releasing test results to patients, refusing to enable API-based access from patient-chosen apps, imposing unreasonable fees, and using contract terms to restrict data sharing.

Covered Entities and Roles

HIPAA and the Information Blocking Rule apply to overlapping but distinct groups. HIPAA regulates covered entities (health care providers that conduct standard electronic transactions, health plans, and health care clearinghouses) and, separately, their business associates, which create, receive, maintain, or transmit protected health information on a covered entity's behalf.

Under the Information Blocking Rule, the regulated “actors” are:

  • Health care providers (e.g., hospitals, clinicians, laboratories, and pharmacies).
  • Health IT developers of certified health IT (vendors with at least one product certified under the ONC Health IT Certification Program).
  • Health information networks and health information exchanges (HIEs) that facilitate data exchange among multiple unaffiliated parties.

Many organizations fit into more than one category. For example, a hospital is a HIPAA covered entity and also a "provider" actor; an EHR vendor is a business associate under HIPAA and, if its products are certified, a "developer of certified health IT" actor under the Rule. Contracts and operational decisions by business associates can create information blocking risk for their clients even when the associate is not itself an actor, because the client remains responsible for practices carried out on its behalf.

Electronic Health Information Scope

Electronic health information (EHI) is defined by reference to HIPAA: it is electronic protected health information to the extent it would be included in a designated record set (the records used, in whole or in part, to make decisions about individuals), regardless of whether the records are actually held by a HIPAA covered entity. This typically includes clinical notes, problem lists, medications, allergies, lab and imaging results, care plans, discharge summaries, demographic data, billing and enrollment records, and other information maintained electronically. (Until October 6, 2022 the obligation was limited to the data elements in USCDI v1; it now covers the full scope of EHI.)

EHI is not limited to a single standard or dataset and may exist across multiple systems (EHRs, lab systems, revenue cycle tools, HIEs, patient portals, and cloud archives). While format may vary (structured data, documents, images, signals), you must support access, exchange, and use in a feasible manner, leveraging certified health IT and standard APIs where available.

Certain information remains excluded under HIPAA and thus outside EHI for access purposes, such as psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a legal proceeding.


Exceptions to Information Blocking

The Rule includes narrow, objective exceptions. A practice that meets all conditions of an exception is not information blocking; a practice that meets none is evaluated case by case under the definition above, so failing an exception is not automatically a violation, but it removes the safe harbor. Document your analysis and apply the criteria consistently. The eight exceptions as originally adopted are listed below; ONC has since amended the list (for example, adding a TEFCA Manner exception for exchange through the Trusted Exchange Framework), so check the current text of 45 CFR part 171 before relying on any of them.

  • Preventing Harm: You may withhold or limit EHI if reasonably necessary to prevent substantial harm to a patient or another person, based on an individualized, clinically grounded determination.
  • Privacy: You may decline to share EHI to protect an individual’s privacy when required by law, when honoring a valid preference, or when you lack a lawful basis to disclose.
  • Security: You may implement security measures that are tailored, non-discriminatory, and no broader than necessary to protect EHI’s confidentiality, integrity, and availability.
  • Infeasibility: You may deny or defer a request when it is infeasible (e.g., uncontrollable events, segmentation is not reasonably achievable), after making and documenting reasonable efforts.
  • Health IT Performance: You may take reasonable, time-limited steps to maintain or improve the performance, safety, or reliability of health IT (e.g., system downtime, patching).
  • Content and Manner: Fulfill requests in the manner requested when you are technically able and can agree on terms. If not, you must fulfill them in an alternative manner, following the Rule's order of priority (certified API first, then other content and transport standards, then an agreed machine-readable format), without unnecessary delay.
  • Fees: You may charge fees that are reasonable, cost-based, non-discriminatory, and tied to the actual costs of enabling access, exchange, or use. The exception does not cover fees based on an individual's electronic access to their own EHI, and it never covers anti-competitive or rent-seeking fees.
  • Licensing: You may license interoperability elements on reasonable and non-discriminatory terms, responding to requests within the Rule's timeframes; licensing cannot be used to block access.

Compliance Requirements and Best Practices

Establish Governance and Clear Policies

  • Designate an executive owner and a cross-functional working group (privacy, security, compliance, IT, clinical operations, legal).
  • Adopt written policies that define EHI, specify request intake and triage, outline exception use, and set decision-making and escalation paths.
  • Maintain a single source of truth for process maps, response time goals, and documentation templates.

Inventory Your EHI and Designated Record Set

  • Map your designated record set across all systems, archives, and data sources (including those held by business associates and HIEs).
  • Identify gaps in export and API capabilities; prioritize upgrades to certified health IT that supports FHIR APIs and modern standards.
  • Document data provenance, custodianship, and retention to streamline responses and auditing.

Operationalize Request Handling

  • Offer easy request channels (portal, app, email, mail, in-person) and do not require proprietary forms.
  • Verify identity with risk-based methods; do not over-collect or create hurdles.
  • Default to timely release; apply exceptions sparingly, with individualized assessments and clear rationales.
  • Provide EHI in the requested manner when feasible; if not, offer reasonable alternatives and explain why.

Enable Technology and Interoperability

  • Deploy and test certified APIs for patient and authorized third-party app access; monitor for availability, performance, and error resolution.
  • Use the standards the certification program requires (HL7 FHIR R4 with SMART App Launch, which builds on OAuth 2.0 and OpenID Connect) and maintain developer-friendly documentation and onboarding without unnecessary delays or fees.
  • Coordinate with HIEs to support event notifications, query-based exchange, and trusted framework participation.
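A concrete illustration of what "tailored, non-discriminatory, and no broader than necessary" looks like at the API layer. The block below is an added example written for this article, not code from Accountable, ONC, or any EHR vendor. It assumes SMART App Launch v1 scope syntax (for example "patient/Observation.read" or "user/*.write") and an access token that carries the patient the app was launched for in a "patient" claim; the tokens, patient ids, and scopes are constructed sample data. The point is that the only thing this layer denies is a request the granted scope does not cover, such as one patient's app reading another patient's records. It never refuses a patient's read of their own data, which is exactly the kind of blanket restriction that would not fit the Security exception.

```python
"""Added example: a SMART on FHIR scope check for a patient-facing FHIR API.
Illustrative code for this article, not a vendor's or ONC's implementation.
Assumptions: SMART App Launch v1 scope syntax and a "patient" claim naming the
patient compartment the token was issued for. All data below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# context/ResourceType.action, where ResourceType and action may be "*".
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]*|\*)\.(read|write|\*)$")


@dataclass(frozen=True)
class FhirRequest:
    method: str                 # HTTP method of the FHIR call
    resource_type: str          # e.g. "Observation"
    patient_id: Optional[str]   # patient compartment the target record belongs to


def parse_scopes(scope_string: str) -> List[Tuple[str, str, str]]:
    """Extract resource scopes as (context, resource, action) tuples.
    Non-resource scopes (openid, launch/patient, offline_access) are ignored."""
    scopes = []
    for token in scope_string.split():
        m = SCOPE_RE.match(token)
        if m:
            scopes.append((m.group(1), m.group(2), m.group(3)))
    return scopes


def is_authorized(access_token: dict, req: FhirRequest) -> Tuple[bool, str]:
    """Decide whether the granted scopes cover this request.

    Deliberately narrow: a patient-context scope is limited to the patient the
    token was issued for; a user/system scope is limited to the resource type and
    action it names. Nothing else is blocked, so a patient reading her own
    Observations is never denied by this layer. The reason string is meant to be
    logged so that every denial has a documented rationale."""
    action = "read" if req.method.upper() in ("GET", "HEAD") else "write"
    for ctx, res, act in parse_scopes(access_token.get("scope", "")):
        if res != "*" and res != req.resource_type:
            continue
        if act != "*" and act != action:
            continue
        if ctx == "patient":
            launched_for = access_token.get("patient")
            if launched_for is None or req.patient_id != launched_for:
                continue  # scope is patient-bound; wrong or missing compartment
            return True, f"allowed by {ctx}/{res}.{act} for patient {launched_for}"
        return True, f"allowed by {ctx}/{res}.{act}"
    return False, "denied: no granted scope covers this request"


if __name__ == "__main__":
    # Constructed sample: a patient-chosen app, launched for patient p-123.
    app_token = {"scope": "openid fhirUser launch/patient patient/*.read offline_access",
                 "patient": "p-123"}
    print(is_authorized(app_token, FhirRequest("GET", "Observation", "p-123")))
    print(is_authorized(app_token, FhirRequest("GET", "Observation", "p-999")))
    # Constructed sample: a clinician-facing app with user-context scopes.
    clinician_token = {"scope": "user/Patient.read user/Observation.write"}
    print(is_authorized(clinician_token, FhirRequest("PUT", "Observation", "p-999")))
```

Two design choices matter for the Rule. First, the decision is derived entirely from the scopes the authorization server actually granted, so the same logic applies to every app and every patient; there is no per-vendor allow-list that could be called discriminatory. Second, every result carries a reason string, which gives you the evidence trail the Security exception and your own audit program expect when a request is denied.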

Align Contracts and Fees

  • Review business associate agreements, licensing, and vendor terms to remove anti-competitive clauses or undue restrictions on data sharing.
  • Set fee schedules that reflect reasonable, cost-based charges and publish them for transparency.

Train, Monitor, and Improve

  • Train staff on HIPAA right of access, the minimum necessary standard, and how it interacts with the Rule.
  • Track metrics (request volumes, turnaround times, exception rates) and perform periodic audits.
  • Log decisions and maintain evidence to support exception use, security controls, and risk analyses.

Enforcement and Penalties

The HHS Office of Inspector General (OIG) investigates information blocking complaints, which are submitted through ONC's Report Information Blocking portal. Under OIG's June 2023 final rule, health IT developers of certified health IT and health information networks or exchanges may face civil monetary penalties of up to $1 million per violation when OIG determines information blocking occurred.

Health care providers are subject to "appropriate disincentives" set by HHS rather than OIG civil monetary penalties. Under the June 2024 disincentives final rule, a provider that OIG refers as having committed information blocking can, depending on program participation, receive a score of zero in the MIPS Promoting Interoperability performance category, lose meaningful EHR user status under the Medicare Promoting Interoperability Program (reducing the hospital's annual payment update), or be barred from participating in the Medicare Shared Savings Program for at least one year. OIG may also refer matters to the HHS Office for Civil Rights where HIPAA is implicated, and all actors may face contractual remedies, state enforcement, or private disputes arising from noncompliance.

Maintain thorough records, cooperate with investigations, and remediate root causes quickly; these steps reduce risk and demonstrate a culture of compliance.

Relationship Between HIPAA and Information Blocking

HIPAA establishes privacy and security standards and grants individuals a right of access to their records. The Information Blocking Rule complements HIPAA by requiring actors to enable timely access, exchange, and use of EHI for patients and authorized stakeholders, using interoperable methods, unless a specific exception or legal requirement justifies a limitation.

Key intersections to remember:

  • HIPAA’s minimum necessary standard does not apply to disclosures to the individual or to disclosures for treatment; do not cite minimum necessary to withhold EHI in these contexts.
  • Psychotherapy notes and information compiled for litigation are excluded from the designated record set and thus from EHI access obligations.
  • Business associates should not use contract terms, proprietary formats, or licensing to impede lawful sharing; align agreements with the Rule’s fees and licensing exceptions.
  • Compliance with HIPAA alone is not enough—actors must also meet the Rule’s interoperability and exception criteria.

Conclusion

To comply with HIPAA and the Information Blocking Rule, define your EHI and designated record set, enable interoperable access through certified health IT, apply the narrow exceptions only when every condition is met, and document each decision. Strong governance, aligned contracts, staff training, and continuous monitoring are the cornerstones of sustainable compliance and patient-centered data sharing.

FAQs

What constitutes information blocking under HIPAA?

Information blocking is a Cures Act concept, not a HIPAA term. It occurs when an actor’s practice is likely to interfere with the access, exchange, or use of electronic health information without a legal requirement or valid exception. HIPAA intersects because many blocking scenarios involve misunderstanding HIPAA (for example, citing “minimum necessary” to deny a patient’s own access), but the prohibition itself comes from the Information Blocking Rule.

How do the information blocking exceptions apply?

Exceptions are narrow safe harbors. You must meet all elements of the relevant exception, document your rationale, and apply it consistently and no more broadly or for longer than necessary. The eight exceptions originally adopted cover preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, and licensing; ONC has since amended the list (for example, adding a TEFCA Manner exception), so confirm the current text of 45 CFR part 171 before relying on one.

Who must comply with information blocking regulations?

Actors include health care providers, health IT developers of certified health IT, and health information exchanges or networks. HIPAA covered entities and business associates should align their policies and contracts because many will either be actors themselves or control processes that affect an actor’s compliance.

How can patients access their electronic health information?

Patients can view, download, or transmit their EHI via portals or authorized apps that connect through standard APIs, or they may request copies by mail, email, or in person. Identity verification should be reasonable, formats should be convenient when feasible, and responses should be timely; fees, if any, must be reasonable and cost-based.
