
September 21, 2023

The Final Rule: Information Blocking


This article addresses the Information Blocking Final Rule: its enforcement, the associated Civil Monetary Penalties (CMPs), and the entities subject to these penalties. It follows the original article “HIPAA, The Cures Act and Information Blocking Compliance” and the two-part article on Right of Access vs. Information Blocking (Part 1 and Part 2).

On September 14, 2023, the Office of Inspector General (OIG) posted the Final Rule “Fraud & Abuse; Information Blocking; OIG’s Civil Money Penalty Rules” describing enforcement of the Information Blocking rule.

“Actors” Subject to Penalty

“Actors” are prohibited from blocking health information interoperability. Actors are health information networks, HIEs, health information technology developers of certified health IT, and health care providers. Information blocking is defined in § 171.103. In the context of information blocking, the Cures Act authorizes Civil Monetary Penalties, or CMPs, for any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) if the practice is conducted by an entity subject to penalty.

How to Determine if Information is EHI

The image below is from HealthIT.gov:

So, what is NOT EHI?

  1. Psychotherapy notes as defined in 45 CFR 164.501
  2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding
  3. Individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g
  4. Individually identifiable health information in records described at 20 U.S.C. 1232g(a)(4)(B)(iv)
  5. Individually identifiable health information in employment records held by a covered entity in its role as employer
  6. Individually identifiable health information regarding a person who has been deceased for more than 50 years
  7. De-identified protected health information as defined under 45 CFR 164.514

What is meant by “interfere”?

Interfere with or interference related to information blocking of EHI means to prevent, materially discourage, or otherwise inhibit and applies to:

  • Health Care Provider - Entities offering certified health IT;
  • Health IT developers of certified health information technology (IT); and
  • Health information exchange (HIE); or Health information networks (HIN) and an entity that knows or should know that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.

The 3 categories of “Actors” listed above which are subject to enforcement penalties are explained in more detail below.

Health Care Provider

A health care provider is a: hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service (IHS) or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.

  • The full definition of “health care provider” is available in the Public Health Service Act (42 U.S.C. 300jj).
  • For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.

Health IT developer of certified health IT

This refers to an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj–11(c)(5) (ONC Health IT Certification Program).

Health Information Network or Health Information Exchange

Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

  • Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
  • That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.


The final rule also explains OIG's approach to enforcement, with focus on information blocking allegations that pose greater risk to patients, providers, and health care programs, as well as OIG's anticipated consultation and coordination with the Office of the National Coordinator for Health Information Technology (ONC) and other agencies, as appropriate, in reviewing and investigating allegations of information blocking.

The Cures Act identified ways for ONC, OCR, and OIG to consult, refer, and coordinate on information blocking claims.

Information Blocking Investigations and Enforcement for Entities Subject to Civil Monetary Penalties

  1. OIG receives an information blocking complaint;
  2. OIG uses its enforcement priorities to assess complaints;
  3. OIG opens an information blocking case leading to the next step;
  4. OIG investigates the complaint by gathering facts, conducting interviews, making document requests, etc.
    • OIG may consult with ONC to assess facts and information blocking regulations
    • Case closed if OIG concludes information blocking was not committed
  5. OIG provides an opportunity to the entity to discuss OIG’s investigation;
  6. If OIG concludes the entity committed information blocking, a demand letter is sent to the entity;
  7. Entity has the opportunity to appeal OIG’s imposition of the penalty.

Whether OIG's or ONC's authority is appropriate to address a claim of information blocking will depend on the facts and circumstances of the allegation and the results of an investigation. For example, ONC and OIG may initially agree that a claim is most appropriately evaluated through an OIG investigation.

ONC has authority to take action against an individual or entity that is a developer participating in the ONC Health IT Certification Program. 45 CFR 170.580.

OIG has authority to impose CMPs against a health IT developer of certified health IT, which includes developers participating in the ONC Health IT Certification Program. Thus, an individual or entity that meets the definition of health IT developer of certified health IT could be subject to CMPs, termination of certification or other action under the ONC Health IT Certification Program review process, or both. 85 FR 25789, May 1, 2020.


The ONC Final Rule implements certain Cures Act information blocking provisions, including defining terms and establishing reasonable and necessary activities that do not constitute information blocking, or “exceptions” to the definition of information blocking. I recommend reading the additional articles referenced below to gain a better understanding of the eight exceptions to the Rule. Also, visit the ONC Information Blocking Portal designed for individuals to file a complaint regarding Information Blocking and/or HIPAA violations made by covered entities or business associates.

Additional Resources to Reference:

Learn the basics of the 2021 Information Blocking Rule in “HIPAA, The Cures Act & Information Blocking Compliance”, which explains the original inception date and outlines exceptions to the Rule.

Know the difference between a Right of Access Violation versus Information Blocking:

  • Is the Violation Right of Access or Information Blocking? Part 1 of 2
  • Is the Violation Right of Access or Information Blocking?  Part 2 of 2

Information Blocking page; Office of the National Coordinator for Health Information Technology (ONC) on HealthIT.gov

Information Blocking Portal

Online Training in HIPAA Privacy/Security with a lesson addressing Interoperability, Right of Access, Information Blocking and Artificial Intelligence

Copyright © 2023 American Institute of Healthcare Compliance All Rights Reserved 

