Access to healthcare information (or lack thereof) has always been touted as one of the key factors/necessities to realizing the promise of technology in the delivery of healthcare. Despite various legislative, judicial, patient and industry initiatives, access continues to be a challenge due to a variety of competitive practices and lack of capabilities. Consider the following events and whether they signal real progress:

  1. In a September 9, 2019 Press Release issued by the United States Department of Health & Human Services – Office of Civil Rights (“OCR”), the OCR announced that it had taken action against Bayfront Health St. Petersburg (“Bayfront”), an academic medical center in St. Petersburg, Florida, to enforce the Health Insurance Portability and Accountability Act (“HIPAA”) protections that guarantee every patient the right to receive copies of his/her medical records promptly and without being overcharged. The enforcement action against Bayfront (which includes the assessment of an $85,000 fine against Bayfront and the imposition of a “Resolution Agreement” between OCR and Bayfront) is notable as the OCR’s first enforcement action under the OCR’s “Right of Access Initiative” – a program designed to focus OCR resources on the enforcement of HIPAA’s right of access guarantees.
  2. On February 11, 2019, two offices of the US Department of Health and Human Services (“HHS”) — the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare and Medicaid Services (“CMS”) – each released a proposed rule (ONC Proposed Rule; CMS Proposed Rule) (collectively, the “Proposed Rules”) aimed at enhancing the interoperability of electronic health record (“EHR”) systems and increasing patient access to electronic health information (“EHI”) as required by the 21st Century Cures Act.
  3. On September 23, 2019, seven major healthcare leadership groups, including the American Health Information Management Association (“AHIMA”) and the American Medical Association (AMA), sent a letter to Congress (the “AHIMA Letter”) critiquing the ONC Proposed Rule.

What is the link between the Bayfront case, the Proposed Rules, and the AHIMA letter? The link is commonly referred to as “Information Blocking.”

The Bayfront Case: OCR’s First Settlement with a HIPAA-Covered Entity under the OCR’s Right of Access Initiative. In the Bayfront case, a former Bayfront patient who received prenatal services at Bayfront submitted a request to Bayfront for the fetal monitoring records that were generated during her visit. The request was submitted by the patient on October 18, 2017. Shortly after she submitted the request, the patient was told by Bayfront that the requested records could not be located.  The patient then sought the assistance of legal counsel. Legal counsel submitted two additional requests on behalf of the patient on January 2, 2018 and February 12, 2018.

In March 2018 – almost 5 months after the original record request was submitted – Bayfront provided an incomplete set of records to the patient’s legal counsel. Bayfront followed up on its March 2018 response with a second response that was delivered to the patient’s counsel on August 23, 2018. Counsel shared the records with the patient, but it took the filing of a complaint with the OCR and the OCR’s intervention for the fetal heart monitor records to be provided to the patient on February 7, 2019 – 15 months after the original record request was submitted to Bayfront.

OCR determined that Bayfront’s failure to provide access to the patient’s designated record set was a clear violation of HIPAA’s right of access guarantee and that the HIPAA violation warranted a sizable financial penalty as well as the imposition of a corrective action plan as part of the Resolution Agreement between the parties.

Information Blocking. In the 2016 21st Century Cures Act, Congress broadly defined “Information Blocking” as a “practice that . . . is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information” if a developer, exchange, network, or provider knows that the practice is likely to do those things – interfere with, prevent, or materially discourage access – that are set forth in the definition. 42 U.S.C. §300jj-52(a). The penalty for vendors is up to $1 million “per violation.”

Information Blocking: Why? There are several reasons why a provider or other third party may try to withhold health information from a patient. As reported by the ONC, providers may withhold information to prevent a patient from seeking care from another provider, thereby controlling referrals and enhancing their market dominance. Providers may also withhold information when they are afraid that releasing the information may lead to a malpractice lawsuit.

Federal Regulatory Action. Under the ONC Proposed Rules, the ONC does not further define or specify “Information Blocking” beyond the definition provided under the 21st Century Cures Act. However, the ONC does state that it believes prevention and material discouragement are best understood as types of interference rather than mutually exclusive terms and, therefore, defines all such practices under the umbrella of “interference” (see proposed 45 CFR § 171.102 in the ONC Proposed Rule).

In furtherance of the ONC’s belief that Information Blocking is best understood through examples of interference rather than a single definition, the ONC Proposed Rule offers many examples of Information Blocking, including the following:[1]

  1. Practices that increase the cost, complexity, or other burdens associated with accessing, exchanging, or using EHI;
  2. Practices that limit the utility, efficacy, or value of EHI that is accessed, exchanged, or used, such as by diminishing the integrity, quality, completeness, or timeliness of the data;
  3. Formal restrictions expressed in contract or license terms, EHI sharing policies, organizational policies or procedures, or other instruments or documents that set forth requirements related to EHI or health IT. For instance, a health system’s internal policies or procedures require staff to obtain an individual’s written consent before sharing any of a patient’s EHI with unaffiliated providers for treatment purposes even though obtaining an individual’s consent is not required by state or federal law;
  4. A health system incorrectly claiming that the HIPAA Rules or other legal requirements preclude it from exchanging EHI with unaffiliated providers;
  5. Configuring capabilities in a way that removes important context, structure, or meaning from the EHI, or that makes the data less accurate, complete, or usable for important purposes for which it may be needed; and
  6. A health care provider has the capability to provide same-day access to EHI in a form and format requested by a patient or a patient’s healthcare provider, but takes several days to respond.

Given the breadth of practices that could be seen as Information Blocking, the ONC proposed seven exceptions when providers would be permitted to engage in practices that might constitute interference with the flow of health information but would not be considered Information Blocking under the Cures Act and/or the Proposed Regulations. The Information Blocking exceptions – i.e., the circumstances under which a provider’s interference with the flow of healthcare information would not constitute Information Blocking – as enumerated in the Proposed Regulations are as follows:

  1. Preventing Harm. Entities must have a reasonable belief that the practice of not sharing EHI will directly and substantially reduce the likelihood of harm to a patient or another person arising from any of the following: (i) corrupt or inaccurate data being recorded or incorporated in a patient’s electronic health records; (ii) misidentification of a patient or patient’s electronic health information; (iii) the endangerment of life or physical safety of the patient or another person as determined by a licensed health care professional;
  2. Promoting the Privacy of Electronic Health Information. Entities may engage in practices that protect the privacy of EHI, including (i) a required precondition under state law is not satisfied; (ii) Health IT developers and certified Health IT not covered by HIPAA; (iii) certain exclusions from the Right of Access provisions under HIPAA codified at 42 CFR 164.524 (a)(1), (2), or (3); and (iv) respecting an individual’s request not to share information;
  3. Promoting the Security of Electronic Health Information. The practice must be directly related to safeguarding the confidentiality, integrity, and availability of EHI;
  4. Recovering Costs Reasonably Incurred. Entities are permitted to recover costs that are reasonably incurred in providing access, exchange, or use of EHI. Fees must be: charged on the basis of objective and verifiable criteria uniformly applied to all similarly situated persons and requests; related to the costs of providing access, exchange, or use; and reasonably allocated among all customers that use the product/service. Fees must not be based on anti-competitive or other impermissible criteria;
  5. Responding to Requests that are Infeasible. Entities may decline to provide access, exchange, or use of EHI if doing so is infeasible. Complying with the request must impose a substantial burden on the entity that is unreasonable under the circumstances (accounting for cost as well as available resources, etc.). The entity must respond in a timely manner to infeasible requests and work with requestors to provide a reasonable alternative means of accessing the EHI;
  6. Licensing of Interoperability Elements on Reasonable and Non-discriminatory Terms. An entity that controls technologies or other interoperability elements that are necessary to enable access to EHI will not be Information Blocking so long as it licenses such elements on reasonable and non-discriminatory terms. Such a license can impose a reasonable royalty but must include appropriate rights so that the licensee can develop, market, and/or enable the use of interoperable products and services; and
  7. Maintaining and Improving Health IT Performance. An entity may make health IT under its control temporarily unavailable in order to perform maintenance or improvements to the health IT. In such instances, the entity must ensure that the health IT is unavailable for no longer than necessary to achieve the maintenance or improvements.

The AHIMA Letter. At the outset of the AHIMA Letter, the AHIMA, the AMA, and the other organizations that penned the AHIMA Letter make it clear that they share the ONC’s desire to leverage health information technology to enhance the delivery and quality of healthcare services in the U.S. However, the AHIMA Letter goes on to describe the authors’ concerns regarding the Proposed Rule and the way that the ONC is pursuing this shared goal. The chief complaint as set forth in the AHIMA Letter is that the ONC’s strategy to enforce the terms of the 21st Century Cures Act through its regulatory authority places an unreasonable burden on providers and the other impacted healthcare entities who handle healthcare records.

In order to address these concerns, the AHIMA Letter calls for the following revisions to the Proposed Rule before it is made final:

  1. Additional rulemaking prior to finalization to ensure sufficient levels of industry review and appropriate stakeholder feedback;
  2. Enhanced privacy and security measures to comply with the goals of the 21st Century Cures Act;
  3. Appropriate implementation timelines for the required use of certified health information technology; and
  4. Revised enforcement that prioritizes education and corrective action plans over monetary penalties.

Information Blocking: The Public Policy Imperative. It has been argued that Information Blocking by providers negatively impacts the U.S. Health Care System in several ways. For example:

  1. Information Blocking prevents patients from being able to make informed choices about their healthcare. For instance, if a physician blocks a patient from accessing information about mishandled care, the patient would not know that he or she should be seeking care elsewhere;
  2. If a provider blocks a patient’s access to information about past treatment or current health status, it can limit the ability of other providers to coordinate care and treat this patient based on the most comprehensive information available. As such, other providers may be unwilling or unable to initiate appropriate treatment without the full scope of the patient’s medical information; and
  3. It has been said that the ultimate impact of Information Blocking is that patients do not have the ability to control their own care and move freely from provider to provider. This monopolization of information creates unnecessary waste and prevents the entire healthcare system from evolving toward more efficient and effective care.


In sum, recent enforcement actions as well as recent regulatory actions indicate that eliminating Information Blocking is a top priority for HHS. The case of Bayfront illustrates that HHS is willing to assess large penalties on non-compliant entities in order to deter Information Blocking. From a public policy perspective, this may be one of the most important issues that must be addressed in order to move the entire U.S. Health Care System forward towards more integrated, efficient, and effective care. While the ONC has provided some exceptions to the general prohibition on Information Blocking, these exceptions are narrowly defined to those actions which are reasonable and necessary to protect patient information.

To limit the use of Information Blocking in a material way, one might argue that a fundamental change is needed in the way providers and other healthcare entities (including vendors such as data analytics companies) perceive health information in the context of patient care.

For example, in the context of patient care delivery, the belief that health information is owned by a particular provider or payor – as opposed to the patient – and that such information must be guarded from disclosure to any third parties (including other providers or payors) or risk a competitive disadvantage or diminution in value can be viewed as a fundamental impediment to the flow of health information along the continuum of healthcare. Likewise, the prevailing attitude amongst most healthcare information technology vendors centers around a belief that the data they obtain should be carefully guarded and access limited to maximize economic value. Certainly, the drive toward integrated healthcare is challenged by notions of health information ownership. In fact, this challenge is, in part, the reason that Federal electronic health records laws focus on interoperability as a fundamental component of a robust electronic health records system.

Putting guardrails around the proprietary interests that drive Information Blocking would impact almost every aspect of the healthcare delivery system, from the design of health information systems to the forms that patients fill out to request copies of their documents. In order to protect the interests of patients and promote the benefits of healthcare integration, every step in the exchange of healthcare information – starting with the ability of a patient to access his or her health records without undue interference – must be scrutinized to ensure that information can flow easily between individuals and entities.

[1] For more examples, see Section VIII.C.5.c of The ONC Proposed Rule.