Skip to main content
Skip to footer

Understanding information blocking exceptions and compliance

Estimated read time: 5 minutes

by Josh Mast

Published on 9/24/2020

Imagine a world where the patient data that a clinician needs to provide the highest quality of care is available and easily accessible. Or where data can be safely and efficiently exchanged among stakeholders to increase knowledge of a virus and develop therapies and vaccines during a public health crisis. And the one that drives the Cerner mission and vision: a world where patients have their health information at their fingertips to use however they like and take with them wherever they receive care.

These scenarios are closer to reality with the Office of the National Coordinator (ONC) for Health IT rule on information blocking that was finalized in March. Though the concept of information blocking has been around for years, the legal framework is fresh. The recent ruling by the ONC sets April 5, 2021 as the compliance date for when electronic health information (EHI) must be made available without delays or unreasonable fees. The ONC also established guidelines for exceptions.

Like HIPAA, the information blocking framework defers to state privacy laws. The structure applies to three entities, or “actors” as they’re called by the ONC: health care providers, health IT developers and health information networks/exchanges.

Framework exceptions

Information blocking is broadly defined as any practice that “…is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information.” With such a wide reach, the ONC identified eight framework exceptions to ensure reasonable and necessary activities wouldn’t be mischaracterized as information blocking.

The exceptions allow providers, developers and health networks to comply with other legitimate business practices – even though some may technically be viewed as information blocking. The eight exceptions fall into one of these categories:

1. Denial exceptions, or providing a variety of reasons why a request for EHI access, exchange or use is denied

2. Approval and process exceptions that involve procedures for fulfilling a request for access, exchange or use

Framework compliance

How an EHI request is received and responded to determines if it’s compliant. To understand the framework, it’s important to know the content and manner exception. This exception outlines how requests should be fulfilled for EHI access, exchange or use. It also determines when the fees and licensing exception is applicable, along with how and when fees may be charged for an information request.

  • The content condition scopes the health information that actors are required to provide upon request.
  • The manner condition, or how EHI is requested to be made available, helps providers, developers and health networks determine the best format for fulfilling a request. When necessary, this includes offering an alternative.

Preparing for compliance requires developing a process – based on the content and manner exception – that’s applied when an information request is received. As part of the procedure, providers, developers and health networks should also outline when it’s appropriate for a request to be denied.

It’s important to know all the manners and methods that the requested EHI may be provided in order to determine if there’s a compliance risk. The content and manner exception limits information blocking to data that’s part of the U.S. Core Data for Interoperability (USCDI) for the first 18 months of compliance, or April 5, 2021, through October 6, 2022.

Since information blocking involves a request for information, the compliance framework doesn’t require actors to proactively provide EHI/USCDI data. Information blocking is also constrained by HIPAA, as well as other privacy and security requirements related to requests for access, exchange or use. There’s no framework mandate to proactively provide health information before a request is received.

Other requirements, such as those related to the Centers for Medicare & Medicaid Services Promoting Interoperability Programs or for use of Certified Electronic Health Record Technology, require proactively sharing health information through a patient portal. These requirements to proactively share health information are layered on top of information blocking requirements.

A guideline – not a tripwire

The process for receiving and responding to information requests is more important to compliance than a provider’s system capabilities. The framework provides a basis where actors can respond to requests for access, exchange or use of EHI or deny those requests when appropriate. Information blocking requires intent, and the ONC and the Office of Inspector General of Health and Human Services indicated that they don’t plan to punish unintended mistakes. As a result, the framework should be viewed as a guideline – not a tripwire – on which to share health information.

Today’s information blocking framework took years of advocacy by many committed voices in the health care arena. It’s uncommon to see a compliance program of this magnitude, and it will no doubt take time beyond its effective date of April 5 to truly understand its impact. But this framework is a critical step toward ensuring the secure, timely and appropriate flow of patient information – and a key milestone on the path toward improving health care for all.

Learn more about the information blocking framework that goes into effect April 5. Register for the Cerner Health Conference or log back into the platform through Dec. 14 to view the power session, “Fact vs. Fiction: information blocking,” featuring representatives from the ONC.

More like this: