Listen to this post

Under the 21st Century Cures Act information blocking requirements and the regulations promulgated thereunder by the Office of the National Coordinator for Health IT (ONC) (the Information Blocking Rules), certain actors, such as healthcare providers and certain electronic health record developers (Actors), are prohibited from engaging in information blocking of electronic health information (EHI). Information blocking is defined, in part, as a practice that “[e]xcept as required by law or covered by an exception [to the information blocking regulations], is likely to interfere with access, exchange, or use of electronic health information.”[1] Put simply, the Information Blocking Rules generally prohibit any act or omission by an Actor that interferes with the access, exchange, or use of EHI, subject to enumerated exclusions and exceptions. 

The wide-reaching effects of the Information Blocking Rules are increasingly apparent as Actors continue to grapple with how to operationalize compliance. A novel issue that has recently arisen is whether Actors may withhold EHI pursuant to other federal and state laws that permit the withholding of EHI, or whether the Information Blocking Rules would prohibit such withholding. As discussed below, the Information Blocking Rules may prohibit discretionary withholding of EHI, even where it is permitted under other federal and state laws.

Practices Required By Law Are Not Information Blocking, But Practices Permitted By Law May Be

Notably, the Information Bocking Rules narrowly exclude the withholding of EHI where “required by law” from its general prohibition. This exclusion has broad-ranging implications for Actors’ compliance with the Information Blocking Rules, including with regard to Actors’ reliance on other federal and state laws, and in particular such other laws that are merely permissive. The exclusion applies only to other laws that require a practice that could be information blocking; it does not apply to permissive laws. 

For example, ONC’s commentary in the preamble to the information blocking regulations suggests that where certain disclosures are permitted under HIPAA, the Information Blocking Rules require such disclosures.[2] The Director of ONC, Dr. Micky Tripathi, recently reiterated this point, stating that, “‘HIPAA says you’re permitted to [share]; information blocking [regulations] say you’re obligated to do it,’ as long as there is not another law forbidding the sharing.”

Many states have laws that permit specific Actors to withhold certain healthcare records under particular circumstances. The Information Blocking Rules, however, likely prohibit Actors from relying on such permissive state laws to withhold EHI, unless the Actor can generally satisfy an information blocking exception or the practice does not constitute information blocking for other reasons.

Reliance on Permissive State Laws to Withhold EHI May Be Information Blocking

By way of example, state laws often permit healthcare providers to withhold certain healthcare records where the provider determines releasing such records would pose a risk of harm to the individual that is the subject of the records or another person. In one instance, a healthcare provider recently inquired whether withholding certain mental health records under such a California law would violate information blocking prohibitions. 

The relevant California law provides that if a healthcare provider “determines there is a substantial risk of significant adverse or detrimental consequences to a patient in seeing or receiving a copy of mental health records requested by the patient, the provider may decline to permit inspection or provide copies to the patient” subject to certain conditions.[3] Because the California law merely permits (rather than requires) the provider to withhold the records, reliance solely on the California provision could violate information blocking because the Information Blocking Rules require that Actors share EHI except as otherwise required by law or where an information blocking exception is met. 

However, in certain circumstances, such as in the above example, an Actor could withhold the EHI where it generally satisfies an information blocking exception. Here, the preventing harm exception could apply to reach the same or a similar result as the California law. Notably, though, ONC has indicated that the information blocking exceptions are narrow and pose a high standard, so in some circumstances meeting an exception may be more onerous for an Actor than meeting a permissive state law standard.

Actors Should Review Their Operational Reliance on Permissive Laws

Actors should be aware of the Information Blocking Rules when relying on other laws that permit the Actor to withhold EHI. Actors should proactively determine whether the laws they rely upon to withhold EHI are mandatory or merely permissive, and whether the practice required or permitted by each law would constitute information blocking. For instance, Actors may have permissive provisions of state and other federal laws incorporated into their policies and procedures for health information management. Actors should review such policies and procedures to ensure that those documents do not permit the withholding of EHI pursuant to such permissive laws unless an information blocking exception is met or such practice would otherwise not be considered information blocking for other reasons. 

Failure to comply with the Information Blocking Rules can result in potentially-significant penalties for Actors. While the penalties and enforcement rules have yet to be finalized, penalties for health information networks and exchanges and developers of certified health IT may be up to $1 million per violation, and healthcare providers may be penalized with appropriate disincentives yet to be defined.

For assistance with questions regarding and compliance with the Information Blocking Rules, please contact a member of the Sheppard Mullin Healthcare Team


[1] 45 C.F.R. § 171.103(a) (emphasis added).

[2] 85 Fed. Reg. 25846 (“We noted that practices that are “required by law” can be distinguished from other practices that an actor engages in pursuant to a law, but which are not “required by law.” Such laws are typically framed in a way that permit an access, exchange or use of health information to be made only if specific preconditions are satisfied but do not expressly require that the actor engage in a practice that interferes with access, exchange, or use of EHI. . . . However, we noted that because the condition does not prohibit the actor from exchanging the EHI in all circumstances, the actor would be at risk of engaging in a practice that was information blocking unless an exception applied.”).

[3] See CA Health & Safety Code § 123115(b).