Skip to main content
Skip to footer

Understanding information blocking exceptions and compliance

Estimated read time: 5 minutes

by Josh Mast

Published on 3/29/2021

The content below aims to provide high-level education around the Office of the National Coordinator for Health IT (ONC’s) information blocking final rule. Cerner clients have been provided with detail and action items regarding ONC information blocking compliance. For additional resources, please contact your client accountable executive.

Imagine a world where the patient data that a clinician needs to provide the highest quality of care is available and easily accessible. Or where data can be safely and efficiently exchanged among stakeholders to increase knowledge of a virus and develop therapies and vaccines during a public health crisis. And the one that drives the Cerner mission and vision: a world where patients have their health information at their fingertips to use however they like and take with them wherever they receive care.

As we quickly approach the April 5 compliance deadline for the ONC’s final rule on information blocking, these scenarios are closer to reality than ever before. The ONC ruling requires electronic health information (EHI) to be made available without undue delays or unreasonable fees. The compliance framework applies to three entities, or “actors” as they’re called by the ONC: healthcare providers, health IT developers and health information networks/exchanges. The information blocking framework defers to federal, state and tribal privacy laws. 

Download the infographic

Framework exceptions

Though the concept of information blocking has been around for years, the legal framework is fresh. Information blocking is broadly defined as any practice that “…is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information.” With such a wide reach, the ONC identified eight framework exceptions to ensure reasonable and necessary activities wouldn’t be mischaracterized as information blocking.

The exceptions allow providers, developers and health networks to comply with other legitimate business practices – even though some may otherwise meet the definition of information blocking. The eight exceptions fall into two categories:

  1. Denial exceptions, which outline several reasons why a request for EHI access, exchange or use is denied.
  2. Approval and process exceptions that reflect how requests for access, exchange or use for EHI can be fulfilled.

Framework compliance

How an EHI request is received and responded to determines if it’s compliant. To understand the framework, it’s important to know the content and manner exception. This exception outlines how requests should be fulfilled for EHI access, exchange or use. It also determines when the fees and licensing exception is applicable, along with how and when fees may be charged for an information request.

  • The content condition scopes the health information that actors are required to provide upon request.
  • The manner condition, or how EHI is requested to be made available, helps providers, developers and health networks determine the best format for fulfilling a request. When necessary, this includes offering an alternative.

Preparing for compliance requires developing a process – based on the content and manner exception – that’s applied when an information request is received. As part of the procedure, providers, developers and health networks should also outline when it’s appropriate for a request to be denied.

It’s important to know all the manners and methods that the requested EHI may be provided in order to determine if there’s a compliance risk. The content and manner exception limits information blocking to data that’s part of the U.S. Core Data for Interoperability (USCDI) for the first 18 months of compliance, or April 5, 2021, through October 6, 2022.

The information blocking framework revolves around requests for information and as such the compliance framework doesn’t require actors to proactively provide EHI/USCDI data. Though ONC doesn’t define requests, these requests could be one-off requests, initial requests for ongoing release of information or the ongoing fulfillment of requests of information, such as interfaces, APIs and connections to health information exchanges or portals. Information blocking is also constrained by HIPAA, as well as other privacy and security requirements related to requests for access, exchange or use.

Other requirements, such as those related to the Centers for Medicare & Medicaid Services Promoting Interoperability Programs or for use of Certified Electronic Health Record Technology, require proactively sharing health information through a patient portal. These requirements to proactively share health information are layered on top of information blocking requirements.

While there is no singular answer for how to best provide data access, Cerner offers several options to enable access, exchange and use of EHI, such as standards-based interfaces, APIs, HealtheLife ℠ patient portal, health information exchange connections and many more. Cerner will continue to advance and enhance our interoperable functionality and is dedicated to enabling the easy access, exchange and use of EHI by all authorized users. 

Download the infographic

A guideline – not a tripwire

The process for receiving and responding to information requests is more important to compliance than a provider’s system capabilities. The framework provides a basis where actors can respond to requests for access, exchange or use of EHI or deny those requests when appropriate. Information blocking requires intent and knowledge, and the ONC and the Office of Inspector General of Health and Human Services indicated that they don’t plan to punish unintended mistakes. As a result, the framework should be viewed as a guideline – not a tripwire – on which to share health information.

Today’s information blocking framework took years of advocacy by many committed voices in the healthcare arena. It’s uncommon to see a compliance program of this magnitude, and it will no doubt take time beyond its effective date of April 5 to truly understand its impact. But this framework is a critical step toward ensuring the secure, timely and appropriate flow of patient information – and a key milestone on the path toward improving healthcare for all.

For decades, Cerner has been a leading advocate in shaping policy and developing technology for the unimpeded exchange of health information that gives patients access to a digital, longitudinal health record. Learn more here.