By Mary Butler

The government’s plan to advance information sharing in healthcare will come into sharp focus next month as the US Department of Health and Human Services (HHS) finalizes its long-awaited rules on information blocking and interoperability.

The rules will impact virtually every healthcare organization with access to electronic health information (EHI) and empower patients and caregivers with greater access to and control over their health information.

“The proposed CMS and ONC rules represent a significant shift in the exchange of health information between patients, providers, and systems,” said AHIMA CEO Wylecia Wiggs Harris. “We are aware of the impact on health information management and we stand prepared to implement and adapt in accordance with the final outcomes, and in alignment with our mission to empower people to impact health. In so doing, we will continue to support our members and keep our HIM professionals informed and updated regarding developments and issuance of the final rules.”

The ONC’S proposed information blocking rule would⁠—with defined exceptions (see sidebar)—prohibit health providers, technology vendors, health information exchanges, and health information networks from practices that inhibit the exchange, use, or access of EHI. The rule would also standardize criteria for application programming interface (API) development.

The CMS rule on interoperability would require insurers participating in Medicare, Medicaid, and the federal insurance exchanges to provide members with electronic access to their claims and encounter data.

The final rules would solidify the information blocking rules proposed in the 21st Century Cures Act last year.

The final rules are expected to be announced in advance of the Annual HIMSS Conference & Exhibition in Orlando next month. Don Rucker, MD, and Seema Verma⁠—whose agencies, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS), respectively, collaborated on the effort⁠—will deliver a keynote on March 11, which is expected to focus on the rules. HHS Secretary Alex M. Azar II will speak at HIMSS on March 10.

Implications for HIM

The ONC final rule may have several implications for health information management (HIM) professionals and how they protect, exchange, and collect data.

Some organizations, including AHIMA, have expressed concern regarding the lack of clarity and predictability around the definition of EHI.

In comments submitted to ONC, AHIMA recommended that the agency constrain the definition of EHI to the US Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide interoperable health information exchange.

AHIMA expects that as ONC expands the USCDI to include additional data classes and elements, the definition of EHI will expand with it. This would provide “a degree of certainty as to what information must be provided in accordance with the information blocking provision.”

The language of the proposed CMS rule has also raised some concerns.

According to reporting by the Journal of AHIMA last year,1 CMS’s rule would attempt to modify the Conditions of Participation for hospitals and critical access hospitals with electronic health record (EHR) systems capable of producing event notifications by requiring them to send notifications to designated providers when patients are admitted, discharged, or transferred (ADT).

Failure to comply with this mandate would put hospitals at risk for sanctions, including monetary penalties and Medicare eligibility.

Addressing this issue during the proposed rule’s public comment period, AHIMA noted that while the organization was supportive of revisions to the Conditions, the rule as proposed could unfairly penalize providers if, for example, an organization’s ADT system and EHR did not interact.

“We recommend that prior to the implementation of this provision under the Conditions of Participation, CMS should work with ONC as part of ONC’s Health IT Certification Program to require … that health IT systems be properly certified to send and receive ADT data,” AHIMA wrote.

Preparing for Compliance

For organizations required to comply with EHR certification requirements, the ONC rule proposes an implementation deadline of 24 months from the effective date.

The information blocking provisions of the proposed rule did not state an effective date. However, because of a Clinton-era executive order that requires significant regulatory actions be submitted for review to the Office of Management and Budget, the rule could become effective 60 days after issuance of the final rule.

AHIMA and other stakeholder groups will offer resources to help member organizations. The Sequoia Project, a nonprofit public-private collaborative chartered to advance implementation of secure interoperable nationwide health information exchange, has formed a work group to interpret the rules and help healthcare organizations prepare for compliance. The organization recently published guidance on the information blocking rule.

“The impact of the ONC information blocking rule will be broad and significant to the health information sharing community,” says Mariann Yeager, CEO of the Sequoia Project. “It’s important to remember these rules are meant to improve interoperability and health information sharing in our communities. Organization should get involved in the community. There are many opportunities for organizations to participate in the webinars and meetings. Organizations can join the Information Blocking Workgroup meetings to learn about updates and ask any questions they may have.”

According to Riplinger, the organization and Sequoia have been collaborating on the development of an operational checklist to help organizations prepare for compliance.

Compliance and integration of these rules will require collaboration between HIM departments and IT within healthcare organizations. “I think a starting point is identifying who’s going to serve on this operational team across health IT and HIM to make sure they identify the things that need to happen to make sure they’re in compliance,” said Riplinger.

Rules at a Glance

Office of the National Coordinator for Health IT

The Interoperability, Information Blocking & Certification rule defines what information blocking is not and defines four categories of affected actors: providers, health IT vendors, health information exchanges, and health information networks. It also establishes seven exceptions to the 21st Century Cures Act’s ban on interfering with the transfer of health information:

  1. Preventing harm
  2. Promoting the privacy of EHI
  3. Promoting the security of EHI
  4. Recovering costs reasonably incurred
  5. Responding to requests that are infeasible
  6. Licensing of interoperability elements on reasonable and nondiscriminatory terms
  7. Maintaining and improving health IT performance

Centers for Medicare and Medicaid Services

The Interoperability and Patient Access Proposed Rule focuses on:

  • Making patient data more useful and transferable
  • Requiring managed care and fee-for-service (FFS) programs to:
    • Implement HL7 fast healthcare interoperability resources (FHIR)-based application programming interface (APIs)
    • Provide and incorporate electronic patient data
    • Use API technology to connect patients with provider networks
    • Participate in a trust network by January 2020
  • Revising the conditions of participation

Read more


Final Rules: What to Watch For

When the final rules drop, AHIMA encourages members to pay close attention to how Rucker and Verma address privacy and security, implementation timelines, and enforcement mechanisms.

In September 2019, AHIMA co-signed a letter to the chair and ranking member of the Senate Committee on Health, Education, Labor, and Pensions expressing concern about how HHS regulations could impact the information blocking provisions of the 21st Century Cures Act, and recommended that ONC issue supplemental rulemaking to address outstanding questions and concerns, including:

  • Enhanced privacy and security: The proposed rule does not sufficiently address Cures’ directives to protect patient data privacy and ensure health IT security. Further, it is imperative that the Committee continue its oversight of privacy and security issues that fall outside of the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework.
  • Appropriate implementation timelines: ONC should establish reasonable timelines for any required use of certified health IT. Providers must be given sufficient time to deploy and test these systems, which must take into account competing regulatory mandates.
  • Revised enforcement: HHS should use discretion in its initial enforcement of the data blocking provisions of the regulation, prioritizing education and corrective action plans over monetary penalties.

The privacy and security provision became a turbulent topic of discussion in January when Epic, the largest developer of EHRs in the United States, criticized potentially serious patient privacy risks embedded in the language of the proposed rule.

  1. Modi, Bhavesh, Sarah Churchill Llamas, and Michael Marron-Stearns. “CMS and ONC Proposed Information Blocking Rules Overview and Key Considerations.” Journal of AHIMA, April 1, 2019.


Mary Butler ( is associate editor at the Journal of AHIMA.


  1. Great step towards the right direction. However, sending notification to designated providers when patients are admitted, discharged or transferred may still need reviewed for incidents that may occur and time limit. Incidents like interaction of the system and time limit(to allow feedback and using other means of communication to send notification).

Comments are closed.