Information Blocking Rule Explained | 21st Century Cures Act | Qventive

Qventive Healthcare

Information Blocking Rule

The information blocking rule — part of the 21st Century Cures Act implementation — prohibits healthcare actors from engaging in practices that unreasonably interfere with the access, exchange, or use of electronic health information. In effect since 2021, with enforcement structures now operational. Understanding what counts as information blocking, what the exceptions are, and what compliance looks like matters for all healthcare organizations handling EHI.

Book Your Free Assessment 📞 (201) 488-2750

The Challenge Information Blocking Rule Practices Face

The HHS OCR Breach Portal documented over 725 healthcare breaches in 2023. For practices dealing with information blocking rule, the stakes are even higher — because downtime doesn’t just cost money, it delays patient care. That’s why Qventive approaches information blocking rule differently than a generic IT company would.

Qventive has spent 30+ years building healthcare-exclusive IT expertise. Our Observe-Improve-Prevent methodology ensures every engagement starts with understanding your actual practice operations before recommending changes. Steve Gerbino founded this company in 1994 with a single focus: healthcare. That focus hasn’t changed.

How We Deliver Information Blocking Rule Without Disruption

Our approach to information blocking rule follows a deliberate sequence that most IT companies skip:

Step 1: Embed with your clinical team for 3–5 days. Watch real patient encounters. Document every technology friction point — the frozen screen during check-in, the workaround your MA invented because the template doesn’t match the workflow, the report that takes 12 clicks when it should take 3.

Step 2: Design solutions based on what we observed — not on vendor demos or questionnaires. If your practice uses its EHR platform differently than the practice down the street, the configuration should reflect that.

Step 3: Implement changes in phases, monitor outcomes, and adjust. Technology that isn’t monitored drifts. We run quarterly reviews to catch issues before they become emergencies.

Multi-Provider Practice — IT Consolidation

THE PROBLEM

A growing practice in Bergen County was managing 5 separate IT vendors — one for networking, one for EHR, one for email, one for backup, and one for security. When a server issue disrupted EHR access for 4 hours, each vendor blamed the others. The practice lost a full day of patient revenue.

THE SOLUTION

Qventive consolidated all IT under a single managed services agreement. We audited the existing infrastructure, identified 3 redundant vendor contracts, standardized the network architecture, and deployed our healthcare-specific monitoring stack.

THE RESOLUTION

Vendor count dropped from 5 to 1. Monthly IT spend decreased 22% while service quality improved. Mean time to resolution for IT issues dropped from 4+ hours to under 30 minutes because one team owns the entire stack.

Ready to Talk?

30-minute assessment. No pitch.

Book Assessment (201) 488-2750

Resources

HIPAA at HHS.gov ↗MIPS at CMS.gov ↗NIST Framework ↗

Who Is Subject to the Rule

Applicability framework.

"Actors" subject to information blocking rule are: healthcare providers (hospitals, medical practices, nurses, other clinicians), health IT developers of certified health IT (EHR vendors with ONC certification), and health information networks / health information exchanges (HIEs).

"Information blocking" is a practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (EHI). For health IT developers and HIEs, the standard is "knows or should know"; for providers, it's "knows."

Enforcement structure: health IT developers and HIEs face potential civil monetary penalties up to $1M per violation (enforced by HHS OIG). Healthcare providers face "disincentives" — Medicare payment adjustments rather than direct monetary penalties. ONC information blocking guidance.

The Eight Exceptions

Practices that aren't information blocking.

The rule establishes eight exceptions — specific categories of practices that, when they meet the exception's conditions, don't constitute information blocking even if they interfere with access or exchange:

Preventing Harm Exception — practices reasonably necessary to prevent harm to a patient or another person.
Privacy Exception — practices necessary to comply with privacy laws (HIPAA, state privacy laws, etc.).
Security Exception — practices necessary to address security of EHI (reasonable and appropriate security measures).
Infeasibility Exception — practices where meeting a request isn't feasible under specific circumstances.
Health IT Performance Exception — practices reasonably necessary to maintain or improve health IT performance.
Content and Manner Exception — providing EHI in alternative manner when requested manner isn't available.
Fees Exception — charging fees for certain activities that meet specific conditions (reasonable, cost-based).
Licensing Exception — licensing of interoperability elements on reasonable terms.

Each exception has specific conditions that must be met. Exceptions aren't blanket protections; they require meeting specific criteria for the specific practice. ONC exceptions guidance.

Practical Compliance for Medical Practices

What information blocking compliance looks like operationally.

Patient access to records

Patients are entitled to their EHI. Patient portal access should be accessible and not encumbered by unnecessary friction. Release of records to patients should follow HIPAA timelines (30 days, with limited extension available) without being stretched into information blocking territory. Fees for patient records should follow HIPAA and information blocking rule fee requirements.

Provider-to-provider exchange

Records requested by other healthcare providers for patient care should be shared without unnecessary obstacles. Common historical practices (long delays, excessive fees, requiring paper release forms for electronic exchange, requiring providers to jump through hoops to receive electronic records) are now information blocking exposure.

App and third-party access

Patient-authorized app access to EHI via FHIR APIs is a common information blocking concern. Providers shouldn't prevent patient apps from accessing patient records simply because the provider doesn't want third parties to have data. Legitimate concerns (security, app authenticity) can fit within exceptions; general reluctance does not.

EHR configuration

EHR configuration that unnecessarily restricts EHI access (overly restrictive role permissions, disabled interoperability features, restrictive patient portal configuration) can constitute information blocking. Reviewing EHR configuration for information blocking exposure is practical compliance work. See our EHR consulting scope.

Documentation of exceptions

When practices deny or delay EHI access citing an exception, documentation of the specific exception and how its conditions are met protects the practice. Generic "we don't share that" responses without specific exception justification create information blocking exposure.

Interaction with HIPAA

Information blocking rule and HIPAA work together.

HIPAA and information blocking rule are distinct but aligned. HIPAA Privacy Rule provides patient right of access; information blocking rule reinforces that right with additional structure preventing practices from unreasonably restricting it. Generally compliance with HIPAA patient access obligations reduces information blocking exposure.

Where HIPAA requires withholding information (psychotherapy notes, some PHI about third parties, etc.), the information blocking rule's Privacy Exception typically covers the practice. Where state law requires restrictions (some mental health protections, 42 CFR Part 2 for SUD records), those restrictions are compatible with the Privacy Exception.

Key principle: comply with HIPAA patient access obligations without adding restrictions that HIPAA doesn't require. Practices that use HIPAA as cover for general reluctance to share information face information blocking exposure; practices that comply with HIPAA's access mandate generally satisfy information blocking rule. See our HIPAA compliance page.

Answering Your Information Blocking Rule Questions

Anyone, in practice. ONC maintains a complaint portal where patients, providers, developers, or others can submit information blocking complaints. Patients filing complaints for denied record access is common; providers filing complaints against developers restricting interoperability also common.

Depends on actor type. Health IT developers and HIEs: civil monetary penalties up to $1M per violation, enforced by HHS OIG. Healthcare providers: "disincentives" through Medicare payment adjustments — reduced MIPS scoring consequences, reduced reimbursement for certain services. Penalty magnitude depends on violation scope and willfulness. HHS penalty framework.

No. The rule prohibits unreasonable interference with EHI access — not mandated universal disclosure. Appropriate restrictions (privacy, security, legal compliance) fit within exceptions. Reasonable fees for certain services fit within Fees Exception. The requirement is that restrictions be appropriate and fit within specific exceptions, not that no restrictions exist.

Fees are permitted for certain activities under the Fees Exception but must meet specific conditions — reasonable, cost-based, not discriminatory. Practices charging excessive fees for patient record access or for provider-to-provider exchange face information blocking exposure. Fee schedules should align with actual costs and not be designed to discourage access. HIPAA access guidance overlaps with information blocking fee provisions.

Patient portal should provide accessible EHI access without unnecessary friction. Common historical practices like requiring in-person signup, limiting portal to specific document types, or charging for portal access can constitute information blocking. Modern patient portal configurations in certified EHRs typically comply by default; practices should verify their specific configuration doesn’t create friction.

Patient-authorized apps accessing EHI via FHIR APIs is specifically contemplated by information blocking rule. Providers can’t refuse app access based on general reluctance about third parties. Security concerns about specific apps can fit within Security Exception if genuinely necessary; general preference not to share with third parties doesn’t. Certified EHRs now provide FHIR API infrastructure; implementation compliance is the practical question. See our HL7 FHIR page.

Yes. Infeasibility Exception can apply in some scenarios but has specific requirements. Legacy systems genuinely unable to support FHIR API access may fit infeasibility for that specific capability; reluctance to upgrade systems doesn’t. Long-term trajectory is that information blocking rule incentivizes migration from legacy systems to modern interoperable platforms — part of the rule's policy design.

Get In Touch

Ready to Modernize Your Practice Technology?

Schedule your free practice technology assessment. Our healthcare IT specialists will review your current systems, identify gaps, and outline a roadmap built specifically for your practice.

30 years of healthcare-only experience
EHR-certified across 7 major platforms
HIPAA-compliant from day one
No long-term contracts required

Book Your Free Assessment

Last Updated: April 2026 · Reviewed by: Qventive Healthcare clinical technology team

Stop refereeing IT vendors.
Start growing your practice.

Free assessment. No obligation.

Let’s Meet 📞 (201) 488-2750