Skip to main content
Skip to footer

Provider Information Blocking and Attestation - Part 1

Published on 5/15/2017

This week, we have a two-part blog diving into the 21st Century Cures Act. Part 1 examines the effect of the Cures Act on health care industry's continued push for interoperability and the challenges of information blocking applied to the provider. On Wednesday, look for Part 2, which will explore information blocking as applied to HIT developers.

It seems there is never enough time for all that goes on in the regulatory and compliance world. In 2017, we are presented with compliance considerations to factor in: information blocking and the 21st Century Cures Act (Cures Act).

Information blocking as related to health care and interoperability can be difficult to pinpoint. Until recently, the focus of the information blocking discussions have centered around the conduct of health IT (HIT) developers, with good reason. There are quite a few articles and information points written and available on information blocking and HIT developers relating to interfacing, patient access, provider access and Application Program Interfaces (APIs). There are also quite a few requirements related to HIT developers in the Cures Act itself, including up to a $1 million fine per information blocking incident for HIT developers. These will not be the topic of this paper. Here, we'll review examples of information blocking from a health care provider or organization.

One of the goals of the meaningful use (MU) program and the establishment of Certified Electronic Health Record Technology (CEHRT) was to create and enhance interoperability in support of care delivery. As interoperability has proven difficult to achieve, the focus on barriers to interoperability — like information blocking — has grown.

The ONC report on information blocking

In April 2015, the Office of the National Coordinator (ONC) issued its report to Congress on information blocking, including an initial definition of information blocking itself. ONC defined information blocking as occurring "when persons or entities knowingly and unreasonably interfere with the exchange or use of electronic health information."

ONC additionally outlined activities that could be considered information blocking, such as implementing HIT in nonstandard ways or mandating practices that restrict individuals' access to their electronic health information, as well as some reasonable justifications for certain instances that might be considered information blocking.

ONC noted a need to work with the Health and Human Services (HHS) Office for Civil Rights to educate providers of care specific to circumstances where the sharing of protected health information is permitted under prevailing federal law. Finally, ONC noted that information blocking cases are fact-specific and require investigation into nearly all cases.

Attestation statements

In 2015, Congress passed the Medicare Access and CHIP Reauthorization Act, which contained a new requirement for hospitals and professionals to demonstrate that they have not limited or restricted the interoperability of their CEHRT. The Centers for Medicare and Medicaid Services (CMS) has enacted the new requirement on hospitals and professionals by creating three new attestation statements for all those attesting to the MU and Merit-based Incentive Payment System (MIPS) programs in 2017 and after.

These three statements require providers to attest they:

  • Did not knowingly and willfully take action to limit or restrict the interoperability of certified EHR technology.
  • Implemented technologies, standards, policies, practices and agreements reasonably calculated to ensure that the CEHRT was connected in accordance with applicable law, compliant with all standards applicable to the exchange of information, implemented to allow for timely access by patients to their electronic health information and implemented to allow for the timely, secure and trusted bidirectional exchange of structured electronic health information with other health care providers and with disparate CEHRT vendors.
  • Responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information from patients, health care providers and other persons, regardless of the requester's affiliation or CEHRT vendor.


With the enactment of the Cures Act in December 2016, Congress defined information blocking conducted by a provider as a practice the provider knows "is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."

The Cures Act outlines practices that would be considered information blocking, which largely mirror the new attestation statements for MU and MIPS. The Cures Act granted the Office of the Inspector General (OIG) authority to investigate claims of information blocking and to refer providers found to have performed information blocking to the proper agency for "appropriate disincentives."

As the attestation statements are tied to being a meaningful user of CEHRT under MU and MIPS, we can assume one potential disincentive of information blocking is a rejection or revocation of attestation to the MU and MIPS programs, resulting in penalties. However, we need more guidance from CMS to know the full disincentive spectrum available. Further, although the authority granted to OIG to investigate cases of information blocking is currently in effect, we expect OIG to await additional guidance from HHS prior to investigating most claims.

What providers can do

What tasks does this introduce for health care providers?

The first thing that should be done, if not recently performed, is a review of each provider organization's policies and practices related to the sharing of information. Information blocking can occur through: 1) implementing CEHRT in a manner that would interfere with the system's interoperable abilities; and 2) preventing a patient or authorized provider from accessing, exchanging or using applicable electronic health information.

How should information policies and practices be evaluated?

There are few key issues to watch for during an organization's evaluation of its information-sharing policies and practices. The most common offenses include:

Provider education on information blocking should incorporate what health information may be shared with patients, their authorized representatives and other health care providers caring for the patient, as well as when and how that information can be shared under HIPAA and state privacy and security laws.

If issues are identified, they should be prioritized and reported to the organization's compliance officer and/or legal department to determine if there are issues to be addressed. Information blocking is very fact-specific, and additional review or understanding of the situation may be required. Reviews will need to be conducted on a regular basis, and CEHRT implementations and upgrades will need to be monitored to ensure ongoing compliance. Information blocking is newer to provider compliance, but it is now part of every provider's compliance efforts.

How will you stay ahead of the curve with new regulatory requirements? Count on Cerner to lead you through the future of regulatory compliance. Learn more here.