21st Century Cures and Information Blocking: Is Your Provider Organization Ready?

Look at the contents of anyone’s smartphone and you’ll get a picture of just how much we’ve come to not only rely on apps, but also trust them. 

We share our location with our weather app so it can give us an up-to-date, personalized forecast. In just a few clicks, we transfer funds from our bank account to a friend’s when she picks up the tab at dinner. We track our food consumption and exercise on wellness-centered apps. We hail a ride, order groceries, and even trade stocks. 

For most Americans—it’s estimated that over 80 percent own at least one smartphone—apps help us navigate our everyday lives. But how much do they help us improve our health? How much do they give us data we can use to make more informed decisions about our care? Do they enable us to send relevant data to our care teams securely and, in return, receive it?

Our work to prepare providers for Cures is an extension of Moxe’s longstanding mission: to offer a simple control center to service data requests from any third party – automatically and securely through Digital ROI™.

Part of the vision of the 21st Century Cures Act (Cures Act) is to enable patients and providers to more easily and securely access health information electronically. If we can do our banking via smartphone apps, why shouldn’t we be able to use apps to send and receive health information?

Cures Act: Promoting innovation, accessibility, and interoperability

President Obama signed the Cures Act into law on Dec. 13, 2016. For health data, the vision is that data flows seamlessly between providers, payers, and patients, with patients ultimately having the ability to control their data and use it in the third-party apps of their choice.

The law recognizes that healthcare IT must develop new capabilities to give patients more power to access and use their health information in meaningful ways, ultimately with the goal of empowering patients and improving healthcare delivery. In particular, the act focuses on improving nationwide interoperability and banning information blocking, which it defines as “a practice that . . . is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”

We’ve created infoblocking.org with a survey to help you assess your readiness to comply

The final rules

While the Cures Act was signed into law in 2016, on March 9, 2020, the U.S. Department of Health and Human Services (HHS) finalized two rules that address the interoperability and patient access provisions of the act. 

In a press release announcing the finalization of the two rules, HHS said the rules “mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.”

The two rules were issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), and are commonly referred to as the “ONC Final Rule” and the “CMS Final Rule.” 

While the CMS rule impacts health plans, the ONC rule has significant implications for health systems/providers.

The information blocking rules represent a shift in how the whole healthcare community will need to think about electronic health information.

The ONC rule: What’s in those 1,144 pages?

Like the companion CMS rule, there is a lot of complexity within the text, so we’ll lay out the key requirements here, with a focus on what providers need to do.

At a high level, the rule: 

  • Defines the set of actors subject to the information blocking regulations: providers, health information networks/information exchanges, and developers of certified health IT.

  • Requires health IT developers to adopt standardized application programming interfaces (APIs), which will help individuals securely and easily access structured electronic health information (EHI) using smartphone applications.

  • Includes a provision requiring that patients can electronically access all of their EHI, structured and/or unstructured, at no cost.

  • Outlines eight exceptions that allow an actor to not fulfill requests to access, exchange or use EHI.


Note: While this post focuses on the ONC rule, the CMS rule has two major implications for providers:

  1. CMS will begin to publicly report providers who do not list their digital contact information (i.e., a secure digital endpoint for information sharing) in the National Plan & Provider Enumeration System (NPPES).

  2. CMS conditions of participation now include a requirement for hospitals, psychiatric hospitals, and critical access hospitals to send admission, discharge, and transfer (ADT) notifications to other providers/facilities.

You can read more about the CMS rule here.

Information blocking: Are you ready to comply with the ONC rule?

As mentioned previously, information blocking refers to practices that interfere with, prevent or discourage the access, exchange, or use of EHI. It includes charging fees, using contracts, creating organizational policies, or implementing technology in custom ways that limit access, exchange, or use of EHI.

Healthcare providers, developers of certified health IT, health information networks, and health information exchanges all must follow the information blocking rules or risk incurring penalties.

Any organization or individual can file a complaint with ONC if they feel an actor who is obliged to comply with the ONC rule is engaging in information blocking. ONC will pass on complaints to the Office of the Inspector General (OIG), which is responsible for investigating complaints. OIG is currently going through notice and comment rulemaking to define the civil monetary penalties for information blocking; the proposed rule was published Apr 24.

The accused will be required to present documentation and prove that they did not information block by claiming one of ONC’s eight exceptions and proving that they met all of the requirements of the exception at all times during the period the organization had been accused of blocking. Documentation will be key, therefore, in defending against information blocking claims.

For providers subject to MIPS, those found guilty of information blocking fail the “promoting interoperability” measure and suffer a reduction to the applicable percentage change to Medicare payments for the next calendar year. If a provider had already attested for MIPS that they did not information block, a False Claims Act penalty may be applied.

Given that ONC enforcement is planned to start in early 2021, now is the time to prepare by implementing policies, procedures and tools that make it easy for your team to comply.

Information blocking exceptions

There are two categories of exceptions to information blocking: The first category includes instances where an organization/individual does not fulfill a request or chooses not to share health information with a requestor; the second category involves procedures and policies that are allowed when fulfilling a request. For the purposes of this post, we’ll break the exceptions into “fail to fulfill” and “policies and procedures” categories. 

In the “fail to fulfill” category, exceptions include: 

    1. Preventing harm – This exception says data can be withheld if there is risk of substantial harm to the patient if that data is shared.

    2. Protecting privacy – This exception says information can be blocked if state or federal law places privacy limitations on data sharing or the patient chooses to keep their data private.

    3. Protecting security – This exception says information can be blocked if appropriate data security measures are not in place or data security is threatened.

    4. Infeasibility – This exception says information can be blocked if the request is infeasible, such as if there is a state of emergency or something outside of an organization’s control (natural disaster, mass casualty event, etc.). 

    5. Health IT performance – This exception says information can be blocked if the health IT system is unavailable due to planned or unplanned maintenance or upgrades, or allowed throttling/network load balancing. 

In the “policies and procedures” category, exceptions include:

    1. Content and manner – This exception sets rules for how organizations fulfill requests and what data must be provided. It provides flexibility concerning the required content of an organization’s/individual’s response to a request to access, exchange or use EHI and the manner in which the actor may fulfill the request (provided certain conditions are met).

    2. Fees – This exception sets the rules for what and who an organization can charge. 

    3. Interoperability elements – This exception sets the rules for how organizations may license interoperability elements. 

Note: ONC put together a document that further explains the exceptions and their key conditions. We went a step further and created a compliance assessment tool to determine any areas you need to improve to meet compliance. 

To determine if your organization can claim any of the exceptions, visit infoblocking.org to take the compliance assessment survey.

When does my organization need to be prepared to comply with the ONC rule?

ONC has released three extensions for rule implementation. During this voluntary window, compliance with the rule is encouraged, but not required. The most recent extension, announced on October 29, 2020, pushed requirements back by six months. Beginning April 5, 2021, providers are required to comply with information blocking standards.

ONC issued the following statement on enforcement discretion: “In light of COVID-19, ONC will exercise its discretion in enforcing all new requirements under 45 CFR Part 170 that have compliance dates and timeframes until 3 months after each initial compliance date or timeline identified in the ONC Cures Act Final Rule” … “This additional flexibility for development and implementation enables our healthcare system to focus on addressing the COVID-19 pandemic, while still maintaining a trajectory that will advance patients’ access to their health information, reduce the cost of care, and improve the quality of care.” 

Given that ONC enforcement is starting in 2021, now is the time to prepare by implementing policies, procedures, and tools that make it easy for your team to comply.

Assessing compliance: Is your organization prepared to prove exceptions to information blocking?

The information blocking rules represent a shift in how the industry will need to think about EHI.

While HIPAA puts the onus on the requestor of information to prove they need EHI, the information blocking rules put the onus on the provider of information to prove they cannot provide the requested EHI due to one of ONC’s eight information blocking exceptions. 

Preparing for information blocking compliance?

Preparing to comply with information blocking rules will take a concerted effort, and Moxe is here to help. 

For the past five years, we’ve focused on helping providers manage requests for clinical data—keeping automation and access control top of mind. Providers utilize our product to configure and automate data sharing across their entire ecosystem of requestors, including members, payers, and other providers.

Our work to prepare providers for Cures is an extension of this longstanding work: Moxe’s platform seamlessly connects with your EHR and offers a simple control center to service data requests from any third party. Our technology allows us to standardize data to comply with the rule (and any other requirements), configure access controls based on your policies and preferences, and provide seamless data tracking and robust audit capabilities. 

Are you ready for the Cures Act? We’ve created a compliance assessment survey tool, infoblocking.org, to help you assess your readiness to comply. 

Set yourself up for success with automation and digitization

With enforcement of the info blocking portion of the ONC rule rapidly approaching, release of information (ROI) automation and digitization is critical for providers to secure compliance without significantly adding to their workload on an ongoing basis.

When you automate and digitize your ROI with Moxe, you:

  • Put consistent, unbiased evaluation logic in place that helps your organization prevent claims of selective information release or information blocking

  • Offer your HIM (health information management) team governance of APIs for managing clinical data

  • Streamline workflows that require multiple reviews/signoffs, allowing reviewers to easily “pass the baton” and assign ownership to subsequent reviewers

  • Create a clear data trail to support your organization during both internal and external audits

  • Set yourself up for successful digital transfer of information to patients’ preferred applications as required by the ONC rule

  • Benefit from centralized tracking of requests and responses, making it easier to monitor turnaround time for data requests across different requestor types

  • Free up your ROI staff from handling standard / typical requests, allowing them to focus on more nuanced requests

  • Get automatic evaluation of release restrictions for regulatory compliance: Moxe’s filtering logic includes consideration of info blocking exceptions in record sharing adjudication

Julian Malinak is VP Business Development at Moxe, where he focuses on helping health plans acquire, manage, and utilize clinical and administrative data. He previously co-founded Canvas Medical focusing on improving EHR workflows for primary care providers and worked at the CMS Innovation Center designing accountable care organization and other value-based payment models.
