Information blocking: Ensuring patients’ secure and convenient access to health information

Starting April 5, 2021, healthcare entities are required to abide by a specific rule set forth in the 21st Century Cures Act on Interoperability, Information Blocking, and ONC Health IT Certification. This rule gives patients the right to electronically access all of their electronic health information (EHI). There is no requirement to proactively make EHI available unless patients ask. The final rule was released in March 2020 and was originally scheduled for implementation on November 2, 2020. The Department of Health & Human Services cited COVID-19 as the reason for the delay. Groups subject to compliance with the rule (referred to as actors) include:

  • Healthcare providers
  • Health information networks or health information exchanges
  • Health IT developers of certified health IT (e.g., electronic health record vendors)

Types of EHI impacted by this rule

As outlined by the United States Core Data for Interoperability (USCDI), actors are required to share the following eight types of notes and narratives when a patient asks:


  • Consultation
  • Discharge
  • History and physical
  • Procedure
  • Progress
  • Imaging
  • Laboratory report
  • Pathology report

What is information blocking?

Information blocking is anything that interferes with, prevents, or materially discourages access, exchange, or use of EHI. Under this rule, the following situations might constitute information blocking:

  • Practices that restrict authorized access, exchange, or use under applicable state or federal law of such information for treatment and other permitted purposes under such applicable law, including transitions between certified health information technologies (health IT).
  • Implementing health IT in nonstandard ways that are likely to substantially increase the complexity or burden of accessing, exchanging, or using EHI.
  • Implementing health IT in ways that are likely to:
    • Restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health IT systems;
    • Lead to fraud, waste, or abuse, or impede innovations and advancements in health information access, exchange, and use, including care delivery enabled by health IT.

Exceptions that don’t constitute information blocking fall under two major categories. For each, certain conditions that are detailed in the rule must be met.

Category 1: Exceptions in this category are preventing harm to a patient or another person; protecting an individual’s privacy; protecting the security of EHI; infeasibility of the request; and temporary health IT measures that are necessary to prevent system disruptions.

Category 2: Exceptions in this category are limiting the content of the response or the manner in which the request is fulfilled; charging reasonable fees transparently and consistently; and necessary licensing of application programming interface (API) elements.

The importance of ONC and HIPAA compliance

Health systems must not engage in information blocking, but they also can’t give unauthorized parties access to EHI, because that would violate HIPAA. Balancing access and convenience with security is a challenge. Patient portals that were mandated as part of the 2009 HITECH Act allow patient data access, online appointment scheduling, secure direct messaging, and virtual prescription refill requests, among other functions. An increasing number of healthcare providers offer access to EHI via a tablet when a patient physically visits their office. Although repercussions for noncompliance are implied in the rule, specific penalties have yet to be outlined.

Keeping patient information secure and convenient to access

Imprivata has vast expertise providing robust digital identity solutions that help actors and patients alike access EHI securely, in compliance with HIPAA, while also meeting the requirements of the new ONC rule. The Imprivata digital identity framework for healthcare presents a unified, security- and efficiency-focused strategy for managing identities across the complex HDO ecosystem.

Imprivata PatientSecure ensures a 1:1 match between an individual person and their medical record by binding a biometric identifier to the electronic record. Further, Imprivata PatientSecure touchless authentication enables patients to feel comfortable and confident about compliance.