CMS and ONC Proposed Information Blocking Rules Overview and Key Considerations

CMS and ONC Proposed Information Blocking Rules Overview and Key Considerations

By Bhavesh Modi, JD; Sarah Churchill Llamas, JD; and Michael Marron-Stearns, MD, CPC, CFPC


On February 11, 2019, two offices of the US Department of Health and Human Services (HHS)—the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS)—released proposed rules1,2 aimed at enhancing the interoperability of electronic health information (EHI) and increasing patient access to health information. Both rules address “information blocking” practices as defined in the 21st Century Cures Act3 (see Figure 1). This brief article will outline selected provisions that would have significant implications across a broad spectrum of healthcare.

Figure 1. Information Blocking Definition

Preventing or materially discouraging the access, exchange, or use of electronic health information, including business, technical, and organizational practices when the actor knows or should know these practices are likely to interfere with the access, exchange, or use of electronic health information.

Practices covered include:

  • Contract terms, policies, or business or organizational practices that restrict authorized use under applicable State or Federal law of electronic health information or restrict the authorized exchange under applicable State or Federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified electronic health record technologies.
  • Charging unreasonable prices or fees (such as for health information exchange, portability, interfaces, and full export of health information) that make accessing, exchanging, or using electronic health information cost-prohibitive.
  • Developing or implementing health information technology in nonstandard ways that are likely to substantially increase the costs, complexity, or burden of sharing electronic health information, especially in cases in which relevant interoperability standards or methods to measure interoperability have been adopted by the Secretary.
  • Developing or implementing health information technology in ways that are likely to lock in users or electronic health information such as not allowing for the full export of health information; lead to fraud, waste, or abuse; or impede innovations and advancements in health information access, exchange, and use, including health information technology-enabled care delivery.

Exceptions include practices that:

  • Are required by applicable law
  • Are identified as necessary to protect patient safety, to maintain the privacy or security of individuals’ health information, or to promote competition and consumer welfare.


Source: The definition of information blocking in this side bar is a summary of the definition of information block laid out in the text of the 21st Century Cures Act.

The CMS Proposed Rule

The proposed rule from CMS seeks to modify the Conditions of Participation (CoP) for hospitals and critical access hospitals by requiring these participants to send electronic notifications to designated providers when patients are admitted, discharged, or transferred (ADT) to healthcare facilities or providers. These requirements will only be imposed on hospitals that currently possess electronic health record (EHR) systems capable of producing event notifications. Failure to comply with this mandate would put hospitals at risk for monetary penalties and potentially other sanctions, including their eligibility to participate in Medicare. While this provision may benefit the transitions of care for patients, it may impose a substantial technical and resource burden on hospitals, including the need to identify, verify, and communicate with the appropriate provider resource.

CMS proposes mandating that covered entities implement technologies that support application programming interfaces (APIs) capable of using the Fast Healthcare Interoperability Resource (FHIR) HL7 standard and an “updated” version of the consolidated Clinical Document Architecture (cCDA), referred to as the United States Core Data for Interoperability (USCDI) standard. These changes would allow for seamless sharing of patient data between traditional healthcare data silos and patients, payers, providers, and other entities. By facilitating the dissemination of EHI, CMS seeks to increase care coordination between hospitals and other healthcare providers. The APIs would allow for seamless and near-real-time sharing of clinical data and administrative data across the healthcare spectrum.

CMS posits that access to claims and encounter data would result in a more holistic understanding of a patient’s interaction with the healthcare system, which, in turn, could result in the identification and resolution of the patient’s non-adherence to a care plan. While this proposal seems to be advantageous on its face, it may serve as a catch-22 by preventing the enrollment of non-adherent patients in certain programs, such as accountable care organizations. It also has the potential to create a massive surge in codified, structured, and unstructured data available to patients, providers, and other stakeholders. Normalizing data from multiple disparate sources can be a valuable clinical exercise, but it has the potential to augment challenges currently faced by healthcare systems.4 Stakeholders should monitor whether and how these implications are addressed during the rulemaking process.

The ONC Proposed Rule

The ONC Proposed Rule promulgates the information blocking provisions of the 21st Century Cures Act and enumerates seven “reasonable and necessary activities” that do not constitute information blocking (see Figure 2). While many of these exceptions are aimed at promoting privacy or patient safety—and are to be expected—special attention should be paid to the §171.202 privacy exception stating it would not be information blocking for an actor to follow “certain practices not regulated by HIPAA but which implement documented and transparent privacy policies.” Under this exception, it would not be information blocking for an actor to withhold the sharing of information as long as they were complying with enumerated internal policies or procedures and were outside the purview of HIPAA. Consequently, stakeholders should evaluate existing policies and procedures to see how they compare to ONC’s proposed exceptions. Additionally, stakeholders should consider developing written policies or procedures relating to privacy and information sharing in order to fall under this specific exception. Given the “reasonable and necessary” lens through which these exceptions are viewed, stakeholders should pay special attention to the situational examples promulgated in the ONC’s Final Rule for a clearer picture of how these exceptions may be applied in practice.

Figure 2. Seven “Allowed” Activities (Proposed)

The seven activities identified in the ONC NPRM where sharing information can be withheld, or fees charged that would not be considered information blocking:

  1. Preventing harm to patients or other individuals
  2. Promoting privacy
  3. Promoting security
  4. Recovering costs reasonably incurred to make the API technology available
  5. Infeasible requests for data
  6. License conditions that the data discloser or API technology supplier imposes on the app developer and which are reasonable and non-discriminatory
  7. System maintenance.

Healthcare entities, health IT developers, health information exchanges, health information networks, payers, and other members of the healthcare ecosystem will need to undergo policy revisions, implement new technologies and provide education, training, and support to staff members on the facets of the information blocking rules once finalized. Failure to comply with these provisions will lead to offenders being publicly identified on a “wall of shame” and potentially facing severe financial implications under the 21st Century Cures Act and the ONC’s Proposed Rule. The proposal empowers the HHS Office of Inspector General to investigate claims of information blocking and to issue civil monetary penalties up to $1,000,000 per violation.

Special attention should also be given to the ONC’s proposals regarding remuneration for application programming interface (API) technology suppliers’ (i.e., a health IT developer) permitted fees. Under the proposal, API technology suppliers are limited in the amount and to whom they may charge fees; however, there is no prohibition on who may pay an API supplier’s fee. This allows an API technology supplier and API data provider (produces the data, i.e., a healthcare provider) to negotiate and settle on a fee, but for an API data user (i.e., a third-party software developer) to actually pay the negotiated-upon fee. This potentially may take the API user out of the fee negotiation, yet still be responsible for paying the fee. While these fee arrangements would be subject to the “reasonably incurred” requirement of the Proposed Rule, what is “reasonably incurred” for an API technology supplier and an API data provider may not be applicable to an API data user. Third-party software developers subject to the proposed rule should look to the final rule for clarification on this potential inequity in the reasonably incurred fee remuneration provisions.

Both proposed rules should be released in their finalized form by early fall of 2019. Based on what has been proposed, healthcare stakeholders should be prepared for potentially disruptive changes tied to how EHI is shared with patients and healthcare entities.

  1. Department of Health and Human Services. “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.” Federal Register (84 FR 7424), March 4, 2019.
  2. Centers for Medicare and Medicaid Services. “Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally-Facilitated Exchanges and Health Care Providers.” Federal Register (84 FR 7610), March 4, 2019.
  3. US Congress. 21st Century Cures Act. HR 34, 114th Congress, second session. 2016.
  4. Ibid.
  5. Meyer, Melanie et al. “HIM’s Central Role in Health Information Exchange Using C-CDA.” Journal of AHIMA 89, no. 10 (November-December 2018): 24–27.


Michael Marron-Stearns, MD, CPC, CFPC ( is CEO of Apollo HIT, LLC.

Sarah Churchill-Llamas, JD ( is a Shareholder of Winstead P.C.

Bhavesh Modi, JD ( is an attorney at Winstead P.C.