Compliance Foundations

Information Blocking Rule (21st Century Cures Act): Compliance for Medical Practices

10 min read · Last reviewed May 23, 2026

The Information Blocking Rule at 45 CFR Part 171, implementing the 21st Century Cures Act, prohibits actors — healthcare providers, health-IT developers of certified products, and health information networks/exchanges — from engaging in practices that are likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or covered by a Part 171 exception. CMS-administered provider disincentives at 45 CFR §§ 171.1000–171.1002 landed in July 2024 and reach MIPS payment after an OIG determination.

What the rule actually prohibits

The substantive standard at 45 CFR § 171.103 defines "information blocking" as a practice that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of EHI. For healthcare providers, the standard adds a knowledge element: the practice must be one that the provider knows is unreasonable and is likely to interfere.

Working parts:

  • Actors. Three categories under 45 CFR § 171.102: healthcare providers (broad definition including individual practitioners, group practices, hospitals, and most clinical entities); health IT developers of certified health IT; health information networks (HINs) and health information exchanges (HIEs).
  • EHI scope. Initially limited to the USCDI v1 subset; expanded on October 6, 2022 to the full EHI definition — any electronic protected health information to the extent that it would be included in a designated record set under HIPAA, with certain exclusions. The Assistant Secretary for Technology Policy / Office of the National Coordinator (ASTP/ONC) maintains the USCDI definition.
  • Access, exchange, and use. All three verbs. A practice that interferes with any of the three is potentially blocking.
  • Likely to interfere. Objective standard. The rule does not require proof of actual interference; the test is whether the practice is likely to interfere.
  • Knowledge standard for providers. Healthcare providers must know the practice is unreasonable. The standard is more lenient than for developers and HINs/HIEs, who face a strict-liability-style "should know" test.

The Part 171 exceptions

The exceptions at 45 CFR §§ 171.201–171.206, 171.301–171.303, and 171.403 define practices that, if every element is met, are not information blocking. The exceptions divide into three groups: exceptions involving not fulfilling requests (Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Protecting Care Access); exceptions involving procedures for fulfilling requests (Manner, Fees, Licensing); and the TEFCA Manner exception that applies to actors participating in the Trusted Exchange Framework and Common Agreement.

| Exception | Citation | When it applies | | --- | --- | --- | | Preventing Harm | 45 CFR § 171.201 | Practice is reasonable and necessary to prevent physical harm; meets risk-determination and patient-specific requirements | | Privacy | 45 CFR § 171.202 | Practice protects privacy under federal or state law, including HIPAA, 42 CFR Part 2, state minor-consent laws | | Security | 45 CFR § 171.203 | Practice is reasonable and necessary to protect security; tailored, implemented under organizational policy | | Infeasibility | 45 CFR § 171.204 | Uncontrollable events, segmentation, or other infeasibility; written response within 10 business days | | Health IT Performance | 45 CFR § 171.205 | Practice is necessary to maintain or improve performance; documented; time-limited | | Protecting Care Access | 45 CFR § 171.206 | Practice is reasonable and necessary to reduce risk of legal exposure tied to providing or facilitating reproductive or other lawful care across state lines | | Manner | 45 CFR § 171.301 | Provides EHI in the manner requested, or in a permitted alternative manner if the requested manner is technically not feasible | | Fees | 45 CFR § 171.302 | Charges fees that meet cost-based, uniform, transparent conditions; excludes patient-directed access | | Licensing | 45 CFR § 171.303 | Licenses interoperability elements on reasonable, non-discriminatory terms | | TEFCA Manner | 45 CFR § 171.403 | Actor participates in TEFCA and responds to a TEFCA-routed request in a TEFCA-compliant manner |

Each exception is element-based. Partial fit does not protect the practice. The Privacy Exception, in particular, requires both a recognized privacy interest and one of four sub-bases (state-law precondition, denial of access, individual request, infeasibility of segmentation). Most early enforcement turns on overbroad invocation of the Privacy or Security exceptions without the required elements documented.

How enforcement actually works

Information Blocking enforcement landed in late 2024 with disincentives reaching the practice's MIPS payment, and the practical effect is that a single confirmed determination can convert a positive MIPS adjustment to a substantial negative one. The enforcement architecture:

  • OIG investigates. OIG investigates information blocking claims across all actor types. For health-IT developers, HINs, and HIEs, OIG also imposes CMPs up to $1 million per violation under 42 CFR Part 1003, Subpart N. For healthcare providers, OIG's role is investigation and determination — disincentive imposition is handled by CMS.
  • CMS applies provider disincentives. After OIG determines that a healthcare provider has committed information blocking, CMS applies the disincentives at 45 CFR §§ 171.1000–171.1002 under the final rule at 89 FR 54662 (July 1, 2024). For MIPS-eligible clinicians, the Promoting Interoperability category is scored zero, materially reducing the overall MIPS final score and the resulting payment adjustment. For eligible hospitals, Medicare EHR Incentive Program eligibility is affected. For ACOs in the Medicare Shared Savings Program, participation eligibility can be revoked.
  • ASTP/ONC handles certification nonconformity. For health-IT developers, the Assistant Secretary for Technology Policy / ONC handles certified-product nonconformity actions through the ONC Health IT Certification Program; ASTP/ONC also operates the public complaint portal but does not directly enforce disincentives against provider actors.
  • OCR is not the provider disincentive enforcer. While OCR remains the HIPAA Right of Access enforcer (and an Information Blocking refusal that also breaches § 164.524 can independently trigger OCR action), OCR does not impose the Part 171 provider disincentives.
  • Complaint portal. Public complaint intake runs through the ASTP/ONC Information Blocking Portal.
  • Investigation timeline. OIG investigates the matter, makes a determination, and refers to the appropriate enforcing agency (CMS for provider disincentives, OIG-direct CMPs for developers and HINs/HIEs).

The early 2025 enforcement pattern emerging is documented in OIG's Information Blocking Reports and the ASTP/ONC public-facing materials. The pattern: complaints overwhelmingly come from patients about access requests not honored, second from providers about referrals not honored, third from developers about platform restrictions.

What practices most often miss

Across information-blocking exposures during compliance-binder review, the recurring fact patterns:

  • Refusal to send records to patient-chosen third parties. The patient has the right under both HIPAA Right of Access and the Information Blocking Rule to direct records to a third party of their choosing. Refusing to send to a personal Gmail without invoking a documented Security Exception is the pattern that generates the most patient complaints.
  • Portal-only access policies. Requiring the patient to use the portal — and only the portal — without alternative paths can fail the Content and Manner Exception if the patient explicitly requests a different format.
  • Excessive fees on electronic copies. The Fees Exception requires the fee be cost-based and uniform. Charging more for electronic copies than the OCR Right-of-Access cost limits is a frequent finding.
  • Delays on referral-related requests. A referring physician's request for records to support a consultation is a classic interference vector when not fulfilled in a reasonable time. The rule does not specify a deadline — but unexplained delay is the practice that surfaces in complaints.
  • Privacy Exception invoked categorically. Treating "all family-member requests" or "all third-party requests" as Privacy Exception cases without the patient-specific element analysis fails the exception.
  • Vendor-side restrictions passed through. A practice's EHR vendor restricts data export and the practice accepts the restriction. The restriction is the vendor's potential blocking, but the practice's passive acceptance and failure to push for an alternative path can independently surface.

The practices that survive review document the request, document the response, document the exception relied upon by element, and document the time elapsed. The documentation discipline is the entire game.

State-law overlay

The rule preserves state law that is more protective of privacy. State frameworks that interact with Information Blocking:

  • California CMIA at Civil Code §§ 56-56.37 imposes stricter authorization and access timing than HIPAA; Privacy Exception fits the state-law-precondition sub-basis.
  • Texas HB 300 / Tex. Health & Safety Code Chapter 181 imposes a 15-business-day electronic-record-access timeline; failure to meet that timeline can independently surface.
  • 42 CFR Part 2 for substance-use-disorder records imposes stricter consent requirements that interact with the Privacy Exception — see the 42 CFR Part 2 guide.
  • State minor-consent statutes. The Privacy Exception preserves state-law-based parental-access restrictions for adolescent-confidential services.
  • State-law breach notification runs independently. An information-blocking-driven disclosure that exceeds the authorization can trigger breach notice under both HIPAA and state breach statutes.

Compliance checklist

For practice-side information blocking compliance:

  • [ ] Designated information-blocking compliance lead, named in writing
  • [ ] Written information-blocking policy covering each of the eight exceptions, with element-by-element documentation requirements
  • [ ] Patient access workflow that honors patient-directed third-party transmission, including reasonable secure channels and patient-acknowledged risk for unencrypted channels
  • [ ] Provider-to-provider referral workflow with a defined turnaround target
  • [ ] Fee schedule for electronic copies that meets both the Fees Exception elements and the HIPAA Right of Access cost limits — whichever is lower
  • [ ] Documentation template for any request not fulfilled in the manner requested, citing the exception by regulation
  • [ ] Vendor contract review for EHR and HIN/HIE provisions that could restrict EHI access, exchange, or use
  • [ ] Annual workforce training on the rule, the eight exceptions, and the documentation requirements
  • [ ] Complaint-intake workflow with a defined response time
  • [ ] State-law overlay reviewed for the practice's state and any state where patients are located
  • [ ] USCDI v3 and the full-EHI definition incorporated into the practice's data-mapping and access-fulfillment workflows

Restraint about outcomes

The Information Blocking Rule is fact-specific and exception-driven. No vendor or guide can predict how OIG and OCR will evaluate a specific request-and-response on its facts. What rigorous policy, training, and documentation do is materially reduce the likelihood of a complaint, narrow the issues if one surfaces, and position the practice for a defensible exception analysis.

This guide is not legal advice. The exception analysis on any specific information-blocking matter is a legal determination; consult outside healthcare counsel before relying on an exception to decline a request.

How d3rx fits

The d3rx compliance binder holds the source-grounded administrative documentation an information-blocking program is built from — the access-request workflow, the exception-by-exception policy file, the fee schedule, the vendor-contract review log, and the workforce training record. The d3rx audit defense workflow supports OIG, OCR, and ASTP/ONC inquiry handling when a complaint surfaces. d3rx does not represent the practice in any OIG, OCR, or ASTP/ONC proceeding and does not replace counsel; it is a point-in-time administrative documentation aid that counsel and the practice work from.

Step 1 · Get the binder

Get the d3rx compliance binder for your practice

Pre-filled to address the gaps this guide coversInformation Blocking Rule (21st Century Cures Act): Compliance for Medical Practices. We will email you the section preview and your binder intake link.

No PHI required. We use your email to send the binder preview and intake link only.

Frequently asked

Does the patient's request to email their records to a personal Gmail trigger Information Blocking if I refuse?

If the patient has affirmatively requested electronic health information be sent to a third-party destination of their choosing (including a personal email account), refusing without a basis in one of the statutory exceptions at [45 CFR §§ 171.201–171.206, 171.301–171.303, and 171.403](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) is information blocking. The Privacy Exception at [45 CFR § 171.202](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) does not categorically permit refusal because the patient has authorized the disclosure. Practices commonly invoke the Security Exception at [45 CFR § 171.203](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) for unencrypted email — that requires a documented, tailored, written policy, not an ad-hoc refusal. The cleanest path is to honor the request via a portal or secure channel and document the patient's choice when they decline.

Are appointment notes I am still drafting considered electronic health information (EHI) that I have to share?

Drafts that have not yet been finalized are generally outside the scope of EHI because the actor is not yet 'maintaining' the data in a way that an electronic-health-information request reaches. The October 2022 expansion of EHI from the USCDI subset to the full EHI definition under [45 CFR § 171.102](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) means once notes are signed and committed to the patient record, they are EHI. The HHS FAQ on this is at the [ASTP/ONC Information Blocking FAQs](https://www.healthit.gov/topic/information-blocking-faqs). Time-limited delay to allow finalization is generally not blocking when documented under reasonable policy.

Can I charge the patient for an electronic copy of their records under Information Blocking?

The Fees Exception at [45 CFR § 171.302](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) permits cost-recovery fees that meet specific conditions — cost-based, uniform, transparent, and not used to discourage access. The HIPAA Right of Access fee limits at [45 CFR § 164.524(c)(4)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-164/subpart-E/section-164.524) apply concurrently and are typically stricter. Where the two frameworks overlap, the lower limit governs. Charging a patient $50 for an electronic copy when the OCR-published reasonable cost is under $10 has been a documented OCR enforcement pattern. See the [HIPAA right of access guide](/compliance-guides/hipaa-right-of-access-request-handling) for the parallel HIPAA-side framework.

What about a payer or HIE requesting our records — does Information Blocking force us to release everything?

Not everything, and the analysis depends on who is requesting and for what purpose. The rule reaches 'access, exchange, and use' of EHI by 'requestors' that include patients, providers, HIEs, HINs, and health-IT developers. The Privacy Exception, Security Exception, Health IT Performance Exception at [45 CFR § 171.205](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171), and the Infeasibility Exception at [45 CFR § 171.204](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) all apply depending on facts. A payer requesting records for utilization review through an HIE without patient authorization invokes a different exception analysis than a treating provider requesting records for a transition of care. Counsel evaluates the requestor and purpose before invoking an exception.

What is the actual penalty for a healthcare provider engaging in information blocking?

For healthcare provider actors, CMS administers the provider disincentives at [45 CFR §§ 171.1000–171.1002](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-J), which became effective in July 2024 after OIG investigates and confirms an information-blocking determination. Disincentives for eligible hospitals reduce the annual Market Basket update. Disincentives for clinicians eligible for MIPS reduce the Promoting Interoperability performance category score to zero, materially reducing the practice's MIPS payment adjustment. For health-IT developers and HINs/HIEs (under OIG jurisdiction), CMPs reach $1 million per violation under [42 CFR Part 1003](https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003) as authorized by the Cures Act.

Do I need to give parents access to a teenage patient's records under Information Blocking?

State law controls who is the patient's personal representative for minors, and the Privacy Exception at [45 CFR § 171.202](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171) preserves state-law-based restrictions on parental access (typically for adolescent-confidential services — reproductive health, mental health, substance use). The rule does not override state minor-consent statutes. Where state law permits the minor to consent to a service and treats the minor as the patient, the parent is not the personal representative for that service, and providing the parent access is permissible only under the relevant state rule. The HIPAA personal-representative framework at [45 CFR § 164.502(g)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-164/subpart-E/section-164.502) runs alongside. Counsel evaluates the state-specific framework.

Turn this into a review-ready binder

The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.

Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.

This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.

Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

Sources & Citations
  1. 45 CFR Part 171https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171
  2. USCDI definitionhttps://www.healthit.gov/isa/united-states-core-data-interoperability-uscdi
  3. 45 CFR §§ 171.201–171.206https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B
  4. 171.301–171.303https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-C
  5. 171.403https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-D
  6. 45 CFR § 171.201https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.201
  7. 45 CFR § 171.202https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.202
  8. 45 CFR § 171.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.203
  9. 45 CFR § 171.204https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.204
  10. 45 CFR § 171.205https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.205
  11. 45 CFR § 171.206https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-B/section-171.206
  12. 45 CFR § 171.301https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-C/section-171.301
  13. 45 CFR § 171.302https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-C/section-171.302
  14. 45 CFR § 171.303https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-C/section-171.303
  15. 45 CFR § 171.403https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-D/section-171.403
  16. 42 CFR Part 1003, Subpart Nhttps://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003
  17. 45 CFR §§ 171.1000–171.1002https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-J
  18. 89 FR 54662 (July 1, 2024)https://www.federalregister.gov/documents/2024/07/01/2024-14266/21st-century-cures-act-establishment-of-disincentives-for-health-care-providers-that-have-committed
  19. ASTP/ONC Information Blocking Portalhttps://www.healthit.gov/topic/information-blocking/report-information-blocking
  20. Information Blocking Reportshttps://oig.hhs.gov/oei/reports/

Sources verified as of May 23, 2026

Research Aid Notice

This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.

Related Guides