What Is Information Blocking? Definition, Exceptions, Examples, and Compliance
Definition of Information Blocking
Information blocking is any practice by a healthcare provider, a health information network or health information exchange (HIN/HIE), or a developer of certified health IT that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of Electronic Health Information (EHI), unless the practice is required by law or meets one of the exceptions ONC has established in 45 CFR part 171. A knowledge element applies: developers and HIN/HIEs are liable if they know or should know a practice is likely to interfere; providers are liable if they know the practice is unreasonable. The 21st Century Cures Act created this standard to accelerate safe, trusted data sharing and patient access.
EHI is electronic protected health information (ePHI) to the extent it would be included in a designated record set, whether or not the actor is itself a HIPAA covered entity, and not just what appears in a clinical summary; psychotherapy notes and information compiled for use in legal proceedings are excluded. That scope includes clinical notes, lab results, imaging reports, care plans, and billing and other administrative records used to make decisions about individuals.
Common examples of information blocking include unnecessary delays releasing test results to a patient portal, refusing to enable a certified API for third‑party apps without a valid reason, charging unreasonable fees that deter exchange, or using privacy and security safeguards as a pretext to deny legitimate requests.
Interoperability requirements—such as supporting standardized FHIR APIs, enabling Health Information Exchange, and honoring patient-directed sharing—frame how actors should provide timely, non-discriminatory access to EHI.
Overview of Information Blocking Exceptions
The regulations contain narrow Information Blocking Exceptions that recognize legitimate, pro‑patient reasons to limit or delay data sharing. To rely on an exception, you must meet all its conditions, apply it consistently, and document your rationale.
- Preventing Harm: Withhold or limit EHI to reduce a reasonable likelihood of patient or other person harm.
- Privacy: Respect an individual’s privacy choices and legal preconditions for disclosure.
- Security: Implement measures necessary to safeguard confidentiality, integrity, and availability of EHI.
- Infeasibility: Demonstrate that fulfilling the request is not feasible under the circumstances.
- Health IT Performance: Temporarily limit access to maintain or improve system performance or safety.
- Content and Manner: Fulfill a request in an alternative manner, following the regulation's order of priority, when the requested manner is technically infeasible or terms cannot be agreed.
- Fees: Charge reasonable, cost-based fees that do not deter access, exchange, or use.
- Licensing: Offer reasonable and non-discriminatory licensing of interoperability elements (e.g., APIs, documentation).
Preventing Harm and Privacy Exceptions
The Preventing Harm exception allows you to limit or deny EHI access when you hold a reasonable belief that the practice will substantially reduce a risk of harm, based on professional judgment and objective criteria; where the requester is the patient, the relevant harm is danger to life or physical safety, matching the HIPAA right-of-access standard. The practice must be no broader than necessary, and an individual determination made by a clinician must be open to review. Examples include withholding specific information that could trigger self-harm or violence, or protecting the location of a patient in a domestic violence shelter.
The Privacy exception supports lawful, patient-centered choices and requirements. You may decline to share EHI if identity cannot be verified, required patient consent is missing under applicable law, an individual exercises a preference to restrict sharing, or disclosure would violate state or federal privacy rules. Note that the HIPAA right of access still requires timely release to the patient; minimum necessary does not restrict patient access but may apply to other disclosures.
Security and Infeasibility Exceptions
The Security exception permits practices that are directly related to safeguarding the confidentiality, integrity, and availability of EHI, tailored to a specific security risk, and applied consistently and without discrimination. The practice must either implement a written organizational security policy that responds to identified risks and aligns with consensus standards, or rest on a case-by-case determination that it is necessary and that no reasonably appropriate, less restrictive alternative exists. Examples include blocking an app that fails authentication, rate-limiting to prevent denial-of-service attacks, or requiring OAuth 2.0 authorization before enabling API connections. The exception does not cover a blanket refusal to connect apps that have registered and authenticated, or a limit applied only to a competitor's app.
The Infeasibility exception applies when you cannot fulfill a request because of uncontrollable events (e.g., natural disasters, critical outages), legal prohibitions, or technical limitations that make segmenting or extracting the requested EHI unreasonable under the circumstances. You must provide a written explanation within ten business days of receiving the request and, where possible, offer a reasonable alternative manner or timeline.
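The three controls named above (token validation, scope checks, rate limiting), as an added Python example that is not part of this article or of any product it mentions. Client IDs, tokens, scope names, the 5-per-minute threshold, and the ISSUED_TOKENS table are constructed for illustration; a real gateway validates bearer tokens with its OAuth 2.0 authorization server rather than a local table. The part worth copying is that every denial is recorded at decision time with the control that produced it and the exception relied on, which is the contemporaneous documentation the Security exception asks for.

```python
"""Added example (not from the article or any product it names): a minimal
access-decision layer for a FHIR API that applies three controls the Security
exception can cover (token validation, SMART-style scope checks, per-client rate
limiting) and writes a contemporaneous audit record for every denial.

Clients, tokens, scopes and thresholds are constructed. A real gateway would
validate bearer tokens with its OAuth 2.0 authorization server, not a table.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical parameters from a written security policy. The same limit applies
# to every registered client, which is what keeps the practice non-discriminatory.
RATE_LIMIT_REQUESTS = 5
RATE_LIMIT_WINDOW_S = 60.0
EXCEPTION_CITED = "Security exception, 45 CFR 171.203"

# Constructed stand-in for tokens the authorization server has issued.
ISSUED_TOKENS = {
    "tok-patient-app": {"client_id": "app-a", "exp": 2_000_000_000,
                        "scopes": {"patient/Observation.read",
                                   "patient/DocumentReference.read"}},
    "tok-expired": {"client_id": "app-b", "exp": 1_000_000_000,
                    "scopes": {"patient/Observation.read"}},
}


@dataclass
class Decision:
    allowed: bool
    control: str   # "authn", "authz", "rate_limit", or "none" when allowed
    reason: str


@dataclass
class Gateway:
    clock: Callable[[], float] = time.time
    audit_log: List[dict] = field(default_factory=list)
    _hits: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def _rate_limited(self, client_id: str) -> bool:
        """Sliding-window limiter: True if the client is over the limit."""
        now = self.clock()
        window = self._hits[client_id]
        while window and now - window[0] > RATE_LIMIT_WINDOW_S:
            window.popleft()
        if len(window) >= RATE_LIMIT_REQUESTS:
            return True
        window.append(now)
        return False

    def decide(self, token: str, resource_type: str) -> Decision:
        """Evaluate one read request for a FHIR resource type."""
        now = self.clock()
        info = ISSUED_TOKENS.get(token)
        if info is None or info["exp"] < now:
            d = Decision(False, "authn", "bearer token invalid or expired")
        elif f"patient/{resource_type}.read" not in info["scopes"]:
            d = Decision(False, "authz", f"scope for {resource_type} not granted")
        elif self._rate_limited(info["client_id"]):
            d = Decision(False, "rate_limit",
                         f"over {RATE_LIMIT_REQUESTS} requests per {RATE_LIMIT_WINDOW_S:.0f}s")
        else:
            d = Decision(True, "none", "ok")
        if not d.allowed:
            # Record the control and rationale at decision time, not after a complaint.
            self.audit_log.append({
                "ts": now,
                "client_id": info["client_id"] if info else None,
                "resource": resource_type,
                "control": d.control,
                "reason": d.reason,
                "exception": EXCEPTION_CITED,
            })
        return d


if __name__ == "__main__":
    gw = Gateway()
    print(gw.decide("tok-expired", "Observation"))
    for _ in range(RATE_LIMIT_REQUESTS + 1):
        print(gw.decide("tok-patient-app", "Observation"))
    print(len(gw.audit_log), "denials recorded")
```

Call decide() from the request handler and export audit_log to the compliance record. Because the limit is keyed on client_id and identical for every client, a throttled competitor's app is treated exactly like any other; a limit that applied only to particular apps would be the kind of practice the exception does not protect.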
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Health IT Performance and Content Exceptions
Under the Health IT Performance exception, you may implement temporary, non-discriminatory measures to maintain or improve system availability and safety—such as scheduled downtime, emergency patches, or throttling to preserve performance—so long as they last no longer than necessary and are planned or documented.
The Content and Manner exception recognizes that the requested method of exchange may not always be feasible. If you cannot satisfy the exact manner, or cannot reach agreeable terms for it, you must still provide the EHI without unnecessary delay in an alternative manner chosen in the regulation's order of priority: first through certified health IT, then using content and transport standards adopted or published by federal agencies or standards bodies, and otherwise in a machine-readable format agreed with the requester. You should propose at least one viable alternative that maintains data integrity and usefulness.
Fees and Licensing Exceptions
The Fees exception allows cost-based charges tied to developing, operating, and improving interoperability services, provided fees are transparent, reasonably related to costs, and not designed to exclude competitors or discourage exchange. The exception does not cover any fee based on a patient (or an app the patient has designated) electronically accessing the patient's own EHI, and it does not cover discriminatory pricing.
The Licensing exception permits reasonable and non-discriminatory (often FRAND-style) licensing of interoperability elements such as APIs, schemas, and documentation. Terms should be offered within a reasonable time, avoid anti-competitive restrictions, and allow Health Information Exchange and Health IT developer compliance activities that promote interoperability.
Compliance Strategies for Information Blocking
Build a comprehensive compliance program that integrates privacy, security, and interoperability requirements. Designate accountable leaders, maintain clear policies, and align your EHI release workflows with the 21st Century Cures Act and related rules.
- Governance: Appoint an information blocking lead, define escalation paths, and integrate oversight with HIPAA privacy and security officers.
- Policies and SOPs: Document how each exception is evaluated, including checklists, approval steps, and required evidence.
- Request Management: Centralize intake, track deadlines, and log decisions; automate releases when safe to do so.
- Technology Enablement: Implement certified FHIR APIs, test third‑party app connections, and support patient-directed exchange.
- Training and Culture: Educate clinicians, HIM, and IT teams on EHI scope, exceptions, and patient rights; simulate common scenarios.
- Contracts and Fees: Standardize reasonable fee schedules and licensing terms; review BAAs and data use agreements for interoperability barriers.
- Monitoring and Response: Audit turnaround times, investigate complaints, remediate quickly, and document rationale for any limited disclosures.
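A small audit pass that turns the Request Management and Monitoring items above into something you can run against your own log, as an added Python example that is not the article's tooling or any vendor's. The record format, the field names, the 72-hour internal release target, and the six sample requests are constructed; the ten-business-day figure is the Infeasibility exception's written-response deadline. It computes release turnaround and flags limited disclosures with no recognised exception or no rationale, infeasibility responses sent late, and requests released or still open past the target.

```python
"""Added example (not the article's own tooling): an audit pass over an EHI
request log. It computes release turnaround and flags the documentation gaps
the compliance list describes: a limited or denied disclosure with no recognised
exception or no rationale, an Infeasibility written response later than ten
business days, and requests released or still open past an internal target.
The records, field names and 72-hour target are constructed.
"""
from datetime import datetime, timedelta
from statistics import median

RELEASE_TARGET = timedelta(hours=72)     # hypothetical internal release target
INFEASIBILITY_RESPONSE_DAYS = 10         # business days, 45 CFR 171.204
EXCEPTIONS = {"Preventing Harm", "Privacy", "Security", "Infeasibility",
              "Health IT Performance", "Content and Manner", "Fees", "Licensing"}

# Constructed sample log. Timestamps are ISO 8601; "closed" is the release or
# written-response time and is absent while a request is still pending.
SAMPLE_LOG = [
    {"id": "R-1", "received": "2024-03-04T09:00", "closed": "2024-03-04T15:00",
     "outcome": "released"},
    {"id": "R-2", "received": "2024-03-04T09:00", "closed": "2024-03-08T09:00",
     "outcome": "released"},
    {"id": "R-3", "received": "2024-03-05T10:00", "closed": "2024-03-05T11:00",
     "outcome": "denied", "exception": "Preventing Harm",
     "rationale": "Clinician determination on file; note withheld pending review"},
    {"id": "R-4", "received": "2024-03-05T10:00", "closed": "2024-03-05T12:00",
     "outcome": "denied", "exception": "", "rationale": ""},
    {"id": "R-5", "received": "2024-03-01T08:00", "closed": "2024-03-20T08:00",
     "outcome": "limited", "exception": "Infeasibility",
     "rationale": "Requested data cannot be segmented from restricted records"},
    {"id": "R-6", "received": "2024-03-18T09:00", "outcome": "pending"},
]


def business_days(start: datetime, end: datetime) -> int:
    """Count weekdays after start.date() up to and including end.date()."""
    days, d = 0, start.date()
    while d < end.date():
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def audit(records, now: datetime) -> dict:
    """Return turnaround metrics and a list of (request id, finding) pairs."""
    findings, turnarounds = [], []
    for r in records:
        received = datetime.fromisoformat(r["received"])
        closed = datetime.fromisoformat(r["closed"]) if r.get("closed") else None
        if r["outcome"] == "released":
            tat = closed - received
            turnarounds.append(tat.total_seconds() / 3600)
            if tat > RELEASE_TARGET:
                findings.append((r["id"], "released after internal target"))
        elif r["outcome"] in ("denied", "limited"):
            exc = r.get("exception", "")
            if exc not in EXCEPTIONS:
                findings.append((r["id"], "limited disclosure without a recognised exception"))
            if not r.get("rationale", "").strip():
                findings.append((r["id"], "no contemporaneous rationale recorded"))
            if (exc == "Infeasibility" and closed is not None
                    and business_days(received, closed) > INFEASIBILITY_RESPONSE_DAYS):
                findings.append((r["id"], "infeasibility response later than ten business days"))
        elif r["outcome"] == "pending" and now - received > RELEASE_TARGET:
            findings.append((r["id"], "still open past internal target"))
    return {
        "median_turnaround_hours": median(turnarounds) if turnarounds else None,
        "max_turnaround_hours": max(turnarounds) if turnarounds else None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, datetime.fromisoformat("2024-03-25T09:00"))
    for request_id, finding in report["findings"]:
        print(request_id, finding)
    print("median turnaround (h):", report["median_turnaround_hours"])
```

Schedule it against the live request store and route every finding to the information blocking lead; the "no recognised exception" and "no rationale" findings are the ones that matter most in an investigation, because a limited disclosure you cannot tie to an exception is, on its face, information blocking.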
In practice, prioritize patient access, use exceptions sparingly with strong documentation, and design workflows that make the interoperable path the easiest path. Doing so advances safe data sharing while maintaining robust privacy and security safeguards.
FAQs
What constitutes information blocking under the 21st Century Cures Act?
It is any practice by a healthcare provider, health IT developer, or health information network/exchange that is likely to interfere with the access, exchange, or use of Electronic Health Information, unless required by law or covered by a specific exception. Examples include unjustified delays, disabling certified APIs for approved apps, excessive contract restrictions, or unreasonable fees that deter sharing.
What are the main exceptions to information blocking?
The eight exceptions discussed here are Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Content and Manner, Fees, and Licensing. Each has detailed conditions; you must meet all applicable criteria, apply them consistently, and keep contemporaneous documentation supporting your decision. Later ONC rulemaking has added to this list (for example, a TEFCA manner exception), so check the current text of 45 CFR part 171 before relying on any of them.
How can healthcare organizations ensure compliance with information blocking rules?
Establish clear policies, train staff, and embed standardized workflows for releasing EHI quickly. Enable certified FHIR APIs, create SOPs for each exception, maintain reasonable fee and licensing terms, track metrics like release timeliness, and document every decision that limits sharing. Regular audits and swift remediation of issues are essential.
What penalties exist for violations of information blocking regulations?
Health IT developers and health information networks/exchanges may face civil monetary penalties imposed by the HHS Office of Inspector General of up to $1 million per violation. Healthcare providers face disincentives tied to federal payment and quality programs, such as reduced scores under Medicare's Promoting Interoperability requirements and ineligibility for the Medicare Shared Savings Program, along with contractual, reputational, and compliance risks. Timely remediation and strong documentation can mitigate enforcement exposure.