What Is Information Blocking—and How Does It Relate to HIPAA?


Kevin Henry


May 16, 2025


Definition of Information Blocking

Information blocking means any practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI) when it is not required by law or covered by an exception. In practice, it includes delays, restrictions, or technical barriers that prevent patients and authorized parties from getting the data they need.

Who is an “actor”?

  • Healthcare providers (such as hospitals, physician practices, and labs).
  • Developers of certified health IT.
  • Health information networks and health information exchanges (HIE).

Recognized exceptions under information blocking regulations

Blocking is not presumed when a practice fits an enumerated exception designed to protect patients and operations. Key exceptions include:

  • Preventing Harm: Withholding EHI to avert a substantial risk of harm to a patient or another person.
  • Privacy: Respecting an individual’s privacy preferences or legal limitations on disclosure.
  • Security: Implementing measures necessary to safeguard electronic protected health information (ePHI).
  • Infeasibility: Inability to fulfill a request due to uncontrollable events or limitations.
  • Health IT Performance: Temporary unavailability to maintain or improve system performance.
  • Content and Manner: Meeting a request with the EHI and delivery method that are feasible when the ideal option is not.
  • Fees: Charging reasonable, non-discriminatory fees that align with the rule.
  • Licensing: Offering reasonable and non-discriminatory terms for interoperability elements.

Electronic Health Information Scope

EHI is the electronic portion of the designated record set that a provider or other actor maintains for an individual. It includes medical and billing records, enrollment, clinical notes, diagnostic data, and other information used to make decisions about the person’s care.

EHI, ePHI, and the designated record set

EHI substantially overlaps with ePHI, but it is tied to the designated record set—a HIPAA concept covering records used to make decisions about individuals. If the information is in that set and maintained electronically, it is EHI for information blocking purposes.

What is excluded?

  • Psychotherapy notes kept separate from the medical record.
  • Information compiled in reasonable anticipation of, or for use in, a legal proceeding.
  • Data not maintained electronically (paper-only content is outside EHI, though HIPAA still applies to PHI).
  • De-identified information that no longer identifies an individual.

Practical implications

Because EHI follows the designated record set, you should inventory where patient data lives across EHR modules, ancillary systems, imaging, labs, portals, and HIE connections to ensure complete, accurate release.

HIPAA Privacy Rule Provisions

The HIPAA Privacy Rule establishes how PHI may be used and disclosed and gives individuals the right to access their records. It permits uses for treatment, payment, and healthcare operations and requires the minimum necessary standard for most other disclosures.

Right of access and timelines

Individuals have the right to inspect or obtain a copy of their PHI in the designated record set. Generally, you must respond within set timeframes and provide the requested form and format if readily producible. Cost-based fees for copies are allowed but must be reasonable and not a barrier.

Security safeguards for ePHI

Under the Security Rule, you must protect ePHI with administrative, physical, and technical safeguards. Identity verification, encryption, and access controls are compatible with the information blocking rules when they are necessary and proportionate.

How HIPAA aligns with information blocking

HIPAA allows disclosures and gives patients access; information blocking regulations push you to avoid unnecessary delays or restrictions. If a practice is required by HIPAA (for example, honoring a valid denial under the Preventing Harm framework), it typically fits within an information blocking exception.

Impact of Information Blocking on Patient Access

Information blocking rules accelerate access to EHI by discouraging throttling, queuing, or portal-only policies. Patients should be able to receive records promptly, often via APIs and apps they choose, without special effort.

Common scenarios

  • Test results and clinical notes released without avoidable delay unless an exception applies.
  • Third-party applications connecting through standardized APIs to retrieve EHI at the patient’s direction.
  • Records shared across organizations through HIE connections to support care coordination.

Balancing speed and safety

Use the Preventing Harm, Privacy, and Security exceptions when warranted. Document the rationale, scope, and duration of any limitation to ensure patient safety without imposing broader barriers than necessary.


Developers of certified health IT and health information exchanges or networks can face civil monetary penalties of up to $1,000,000 per violation for information blocking. These penalties underscore the seriousness of obstructing access, exchange, or use of EHI.

Healthcare provider consequences

Healthcare providers do not face those civil monetary penalties but can be subject to government-defined disincentives. Consequences may include adverse impacts on Medicare program participation, loss of credit in the Promoting Interoperability or quality programs, and other programmatic actions.

Enforcement posture

Complaints may be submitted through federal portals, with investigations focused on patterns of conduct, documentation, and patient impact. Maintaining clear policies, logs of EHI releases, and exception use helps demonstrate good-faith compliance.

21st Century Cures Act Requirements

The 21st Century Cures Act prohibits information blocking by actors and directs federal agencies to advance interoperability. It also called for standardized, FHIR-based APIs so patients and authorized parties can access EHI without special effort.

Key milestones

  • April 5, 2021: Compliance with core information blocking requirements begins for EHI defined initially by a limited data set (such as USCDI-aligned content).
  • October 6, 2022: Scope expands to the full designated record set in electronic form (EHI).
  • Subsequent years: Enforcement frameworks mature, including civil monetary penalties for certain actors and programmatic disincentives for providers.

Compliance Strategies for Healthcare Providers

1) Build governance and accountability

Designate an information blocking lead, align legal, compliance, IT, HIM, and clinical stakeholders, and set decision rights for applying exceptions. Establish a single source of truth for policies and escalation paths.

2) Inventory EHI and the designated record set

Map where EHI resides across EHR modules, imaging, labs, devices, and external systems. Confirm retention schedules and your ability to produce data in the requested form and format.

3) Update policies and procedures

  • Right of access: timelines, identity verification, and acceptable delivery methods.
  • Exception playbooks: criteria, documentation templates, and approval steps.
  • Fee schedules: ensure charges are reasonable and non-discriminatory.

4) Strengthen technology and workflows

  • Enable standardized APIs and app connections; avoid portal-only limitations.
  • Automate release of results and notes with safety checks for the Preventing Harm exception.
  • Implement audit logging for requests, responses, and exception use.

5) Train, monitor, and improve

Educate staff on information blocking regulations and HIPAA Privacy Rule requirements. Monitor turnaround times, denial rates, and complaints. Perform periodic audits and remediate gaps with clear action plans.

In short, align HIPAA’s patient rights with the information blocking mandate: make EHI available quickly, securely, and in the manner requested, using exceptions carefully and documenting your rationale.

FAQs

What constitutes information blocking under HIPAA?

HIPAA itself does not define information blocking. Information blocking refers to practices that unreasonably interfere with access, exchange, or use of EHI. If a restriction is required by law or fits an exception (such as Privacy, Security, or Preventing Harm), it is generally not information blocking.

How does the 21st Century Cures Act affect information blocking?

The Act created the federal prohibition on information blocking, identified the actors covered, and directed agencies to set exceptions and API standards. It links interoperability, patient-directed access, and standardized APIs so individuals can obtain and use their EHI without special effort.

What penalties exist for information blocking violations?

Developers of certified health IT and HIEs/HINs can face civil monetary penalties up to $1,000,000 per violation. Healthcare providers face government-defined disincentives, which can affect Medicare program participation and performance scoring rather than direct civil monetary penalties.

How can healthcare providers comply with information blocking rules?

Inventory your designated record set, enable API access, release EHI promptly, and use exceptions only when justified. Update policies, set service-level targets, train staff, document decisions, and monitor metrics to demonstrate consistent, good-faith compliance with information blocking regulations and the HIPAA Privacy Rule.
