Our Results

On December 13, 2016, the 21st Century Cures Act was adopted into law.  It includes a wide range of improvements to the health care system.  In May of 2020, the Office of the National Coordinator for Health Information Technology (“ONC”) issued final regulations implementing certain provisions of the Cures Act (the “Cures Act Final Rule”), which includes several requirements, one of which is a prohibition on “information blocking”.  The information blocking regulations went into effect on April 5, 2021.

Question: What is “information Blocking”?
Answer: Information blocking is a practice by an actor such as a patient EHR or a provider that is likely to interfere with, prevent, or discourage access, exchange, or use of electronic health information (EHI).  Once a request is made, patients should be granted access to their EHI without any unreasonable delay.

Question: Are there any exceptions to the information blocking provisions?
Answer: Yes. There are eight exceptions to the information blocking provision.  The Exceptions are divided into two classes

Resource: The office of the National Coordinator for Health Information Technology (ONC). (2021). [information blocking exceptions]. HealthIT.gov. https://www.healthit.gov/topic/information-blocking

Exceptions that involve NOT fulfilling requests to access, exchange or use EHI:

1. Preventing Harm Exception
Example: An EHI request may be denied if the organization feels that denying the request will prevent harm from coming to a patient or their family member.  An actor may choose to segment sensitive records pertaining to behavioral health or substance abuse.  If an EHI request is denied or segmented, there must be appropriate documentation to justify the denial.

2. Privacy Exception:
Example: Organizations will not be required to disclose EHI in a way that is a privacy violation of an applicable State or Federal privacy law that is already in existence. An example of a privacy law that is already in existence is The HIPAA Privacy Rule: 45 CFR 164.524 (a)(1) and (2).  (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html)

3. Security Exception:
Example: This exception is designed to cover all legitimate security practices by actors. To implement this exception, the actor must demonstrate that the denial of access to EHI is “directly related to safeguarding the confidentiality, integrity and availability of EHI; tailored to specific security risks; and implemented in a consistent and non-discriminatory manner”. Organizations should consider updating their organizational privacy and security policies to ensure compliance with the information blocking provisions.

4. Infeasibility Exception:
Example: It will not be considered information blocking if a request for EHI cannot be fulfilled due to; natural or human made disasters, public health emergencies, public safety incidents, war, terrorist attacks, civil insurrection, or the inability to “unambiguously” segment the requested PHI.

5. Health IT Performance Exception:
Example: It will not be considered information blocking if a request for access to EHI is denied temporarily because the Health IT is offline for routine maintenance and improvements. The Health IT should not be offline for longer than necessary to perform the enhancements.

Exceptions that involve procedures for FULFILLING requests to access, exchange or use EHI:

6. Content and Manner Exception
Content Exception Example: In some instances, it is acceptable for an actor to limit the content of their response for a request to access EHI. This exception provides clarity and flexibility to organizations concerning the scope of a request for PHI. For up to 24 months after the publication of the Cures Act final rule, data requests that include EHI should, at a minimum, include the EHI data elements represented in the United States Core Data for Interoperability (USCDI standard). This exception promotes innovation and healthy competition, allowing actors to establish and maintain market negotiated terms for access use and exchange of EHI.

Manner Exception Example: In some instances, an actor may need to fulfill a request for EHI in an alternative manner. This exception applies if the actor is technically unable to fulfill the request in any manner requested or if agreeable terms cannot be reached with the requestor to fulfill the request.

7. Fees Exception
Example: It will not be information blocking for an actor to charge fees that are related to the development of technologies and delivery of services that will improve interoperability. This includes fees that consist of a reasonable profit margin, for accessing, exchanging, or using EHI.

8. Licensing Exception:
Example: It will not be considered information blocking for actors to license interoperability elements for EHI to be accessed, exchanged, or used. This exception allows for actors to protect the value of their innovations and charge reasonable royalties.

Question: Do information blocking provisions require actors to have certified health IT or upgrade their current certified health IT?
Answer: No. Information blocking regulations do not require actors to have or use certified health IT.  As of April 5, 2021, actors are not required to immediately upgrade their current certified health IT.

Question: Are healthcare providers subject to the information blocking regulations even if they do not use any certified health IT?
Answer: Yes. The information blocking regulations apply to healthcare providers regardless of whether any of the health IT that the provider uses is certified under the ONC Health IT Certification Program. When it comes to EHI, the law does not distinguish between certified and non-certified health IT systems.

Question: Are actors required to proactively make all electronic health information (EHI) available through patient portals?
Answer: No. The information blocking regulations do not require actors to proactively make EHI available to patients that have not requested it. However, once a patient does request access, their EHI it must be made available without delay.

Question: Are actors such as healthcare providers expected to release test results to the patient portal or application programing interface (API) as soon as the results become available to the ordering clinician?
Answer: Actors are not required to proactively make electronic health information available. However, once a request to access is made is made, actors must TIMELY respond to the request. A delay or unnecessary impediment could implicate information blocking provisions.

Question: Are nursing, pharmacy, or other professions’ clinical notes included in the definition of “electronic health information”?
Answer: Yes. Electronic health information does not specifically include or exclude notes or other clinical observations based on the type or specialty of the professional who authors them.

Question: What are the penalties for information blocking by an actor?
Answer: As of April 5, 2021, health IT developers of health IT and HINs/HIEs will be subject to penalties of up to $1M per violation. Health care providers are treated differently under the law. They may face “appropriate disincentives” that are yet to be set forth by the HHS Secretary.

The HHS Office for Civil Rights (OCR) has issued the HIPAA Notification of Enforcement Discretion during the COVID-19 emergency. This notice applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 nationwide public health emergency.

Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

  • Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
  • This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
  • This Notification will remain in place indefinitely.

According to the OCR, the examples below may be considered a bad faith provision of telehealth services:

  • Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.
  • The sale of patient data or use of patient data for marketing without authorization.
  • Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth.
  • The use of unacceptable public facing forms of remote communication for telehealth such as TikTok, Facebook Live, Twitch, or a chat room like Slack.

The table below includes a list of both Acceptable and Unacceptable forms of remote communication to use for telehealth services under the HIPAA Notification of Enforcement Discretion: 

Acceptable Platforms

(Vendor will sign HIPAA agreement) *

Acceptable Platforms

(Under Notification)

Unacceptable Platforms

(Do Not Use)

Non‐Public Facing Remote Communication Product Non‐Public Facing Remote Communication Product Public Facing Communication Product
Skype for Business / Microsoft Teams
Zoom for Healthcare
Google GSuite
Hangouts Meet
Cisco WebEx Meetings / WebEx Teams
Amazon Chime
Spruce Health Care Messenger
Apple FaceTime
Facebook Messenger Video Chat
Google Hangouts Video
WhatsApp Video Chat
Facebook Live
Chat rooms such as Slack

* Note:

OCR has not reviewed the HIPAA agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA agreement with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Quick Reminders:

  • OCR will not impose penalties for any noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the nationwide COVID-19 public health emergency.
  • Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
  • If any significant system or network changes have been deployed to support telehealth, please be sure to update your risk assessment accordingly.


Department of Health and Human Services Office for Civil Rights. FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency. Retrieved April 1, 2020 from https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf


This information is provided as a tool to help you understand the latest changes in HIPAA compliance as a result of the COVID-19 emergency. TriumpHealth employees and staff have created this presentation to the best of their knowledge and ability and make no representation or guarantee that this presentation is error-free. TriumpHealth has no liability or responsibility to any person or entity with respect to any loss of revenue, or indirect damages resulting from the potential use of this information.

by Tiffany Short & Katie Legendre | TriumpHealth