Skip to main content

The Cures Act Information Blocking Rule: Impact on Data Access, Interoperability, and Security

November 2022, Vol 12, No 11
Kem Tolliver, CMOM, CPC, FACMPE
President, Medical Revenue Cycle Specialists
Bowie, MD

The 21st Century Cures Act (Cures Act) was signed into law by President Barack Obama on December 13, 2016.1 The overarching goal of this legislation was to modernize the US healthcare system through technology and science, which can enhance national interoperability by promoting the sharing of health information.2

In May 2020, the Office of the National Coordinator for Health Information Technology (ONC) published the Final Rule of the Cures Act, which is designed to ensure that patients have access to their electronic health information (EHI). The ruling also supports provider needs regarding clinical data sharing and addresses industry-wide information blocking practices.3

To be compliant and offer the best support to their patients, healthcare providers need to understand the provisions of the Final Rule as it pertains to creating, maintaining, and sharing patient health data, and the impact of this legislation on their practices.

Interoperability and Information Blocking

The ONC is charged with pulling together national efforts to implement the most advanced health information technology (IT) and the electronic exchange of information. The framework that the ONC has developed through the Final Rule allows for secure national sharing of healthcare data amongst various organizations and healthcare entities. This is known as “interoperability.”4

For software vendors to make this data sharing a reality, their programs must be able to “speak” to one another. The healthcare industry uses Health Level Seven International medical data standards for information exchange. To adhere to new programming requirements for system interoperability, Health Level Seven International released its Fast Healthcare Interoperability Resources version 4.0.4

The Final Rule also includes the government authority to prohibit 3 categories of “actors”—healthcare providers, health IT developers of certified health IT, and health information networks/health information exchanges—from a practice known as “information blocking,” which is defined as impeding or delaying the flow of health data among healthcare providers, networks, vendors, and patients.5

The information blocking provisions dictate that clinical notes created in an electronic health record must be immediately available to patients through a secure online portal. The 8 types of clinical notes that must be shared with patients are as follows6:

  1. Consultation notes
  2. Discharge summary notes
  3. History and physical notes
  4. Imaging narratives
  5. Laboratory report narratives
  6. Pathology report narratives
  7. Procedure notes
  8. Progress notes.

Information Blocking Exceptions

There are 8 information blocking exceptions established in the Final Rule that providers also need to be aware of to ensure compliance. These exceptions are as follows7:

  1. Preventing harm
  2. Privacy
  3. Security
  4. Infeasibility
  5. Health IT performance
  6. Licensing
  7. Fees
  8. Content and manner.

It is best to become familiar with these information blocking exceptions before attempting to apply them to data sharing scenarios. It is important to understand that these exceptions are voluntary and offer actors certainty, but it is also worth noting that even in cases where a practice does not meet any of the exceptions, this does not automatically mean that information blocking has occurred. This is determined on a case-by-case basis.

Information Blocking Complaints and Investigations

Providers have a responsibility to educate patients on their rights regarding the access of personal health information and what to do if they feel they have been denied this access. Information blocking complaints do not require individuals to submit personal identifying information; they may remain anonymous and are protected from disclosure by the Freedom of Information Act.

So, what happens after a patient reports information blocking through the Information Blocking Portal on ONC’s website, The ONC will confirm receipt with the submitter and the report is automatically assigned a tracking number (eg, IB-XXX). Depending on the facts and details included in the complaint, the ONC may contact the submitter for additional information.

Information blocking complaints can be initiated with the Office of Inspector General (OIG) at or by phone at 1-800-HHS-TIPS (1-800-447-8477). The OIG Hotline will not be able to respond to any inquiries about action taken in response to a complaint. For more information, see OIG’s Hotline website:

Do not leave your organization in a lurch; be sure to publicize the name and contact information of your Compliance Officer so that complaints are handled internally prior to escalating to Federal or state authorities.

Securing Patient Portals

Now that practices are required to share more EHI online with patients, it is critical that they ensure the privacy and security of their platforms. Patient portals can become easy targets for cybersecurity attacks; therefore, it is critical to include added security layers such as multifactor authentication. These new requirements open additional opportunities to encourage patients to take ownership of and manage their health information.

ONC’s website has curated a number of frequently asked questions related to the Cures Act and information blocking to help actors better understand compliance requirements (see below).


The Cures Act is monumental legislation, and this article barely scratches the surface in terms of what providers need to know. However, my hope is that this information may generate ideas that will encourage you to implement new internal processes in your practice. I would encourage you to utilize your resources to develop policies and procedures for interoperability and information sharing by considering the following internal compliance opportunities:

  • Update internal medical record release policies
  • Update medical record copying pricing
  • Conduct security risk assessment
  • Update patient portal permissions
  • Sign off on notes in a timely manner
  • Update notice of privacy practices.

Frequently Asked Questions About the Cures Act and Information Blocking

  • Are healthcare providers subject to the information blocking regulations even if they do not use any certified health IT?
  • Yes. The information blocking regulations in 45 CFR part 171 apply to a healthcare provider, as defined in the Public Health Service Act and incorporated in 45 CFR 171.102, regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program.

  • Could the ONC please clarify whether the information blocking regulations will apply to business associates of Health Insurance Portability and Accountability Act (HIPAA) covered entities?
  • The information blocking regulations in 45 CFR part 171 apply to healthcare providers, health IT developers of certified health IT, and health information networks/health information exchanges, as each is defined in 45 CFR 171.102. Any individual or entity that meets one of these definitions is an “actor” and subject to information blocking regulations, regardless of whether they are also a HIPAA covered entity or business associate.

  • Does the Cures Act replace HIPAA compliance guidance for medical records requests?
  • No, the final rule requires disclosure of EHI unless an exception applies or the disclosure is prohibited by law.

  • Must we include test results on the patient portal as soon as they are available, even if the provider hasn't reviewed them yet?
  • Yes, unless you qualify for one of the 8 exceptions. Under the Preventing Harm Exception, you can delay sharing test results to the patient if the physician feels that doing so will cause harm to the life or physical safety of the patient. Follow your state laws.

  • Can I wait until the patient requests records before I make them available on the patient portal?
  • No, as this may result in the patient filing a complaint with the ONC (remember that the patient portal is a feature/component of your electronic medical record).

  • Are we required to release/publish to the portal records and documents that did not originate from our practice?
  • Yes, unless it meets one of the 8 exceptions.

Source: Information blocking. Updated October 31, 2022. Accessed November 8, 2022


  1. US Food and Drug Administration. 21st Century Cures Act. January 31, 2020. Accessed September 27, 2022.
  2. Health IT legislation. Updated August 9, 2022. Accessed September 30, 2022.
  3. Federal Register. 21st Century Cures Act: Interoperability, Information Blocking and the ONC Health IT Certification Program. Updated April 4, 2020. Accessed October 15, 2022.
  4. United States Core Data for Interoperability (USCDI). Accessed September 27, 2022.
  5. Information blocking. Updated October 31, 2022. Accessed November 8, 2022.
  6. Clinical notes. Accessed October 15, 2022.
  7. The Office of the National Coordinator for Health Information Technology. Cures Act final rule: information blocking exceptions. Updated July 2022. Accessed September 27, 2022.
Article provided through a partnership with
Practice Management Institute
Michigan Society of Hematology & Oncology

Related Items