Game Planning the Information Blocking Final Rule

By: AHIMA Administrator

Posted on: December 7, 2020

Category: Practice Updates , FOAMed , Journal Feed

Game Planning the Information Blocking Final Rule

By Debra Primeau, MA, RHIA, FAHIMA, and Jaime James, MHA, RHIA

The Office of the National Coordinator (ONC) for Health IT’s information blocking Final Rule, part of the 21st Century Cures Act (Cures Act), was published in the Federal Register on May 1.

While the initial compliance date was set for November 2, 2020, the COVID-19 public health emergency and its attendant disruptions to health system operations compelled the ONC to issue an interim Final Rule on October 29 that extends the compliance deadline to April 5, 2021.

This extension affords health information management (HIM) extra time to get a better understanding of the Final Rule’s provisions and better prepare their organizations for compliance.

This article will explain the Final Rule’s key concepts, including the purpose of the Cures Act and its relationship to interoperability. We will also provide an overview of the certification provisions and take a deeper dive into the information blocking provisions.

We also include critical considerations that HIM professionals can use to facilitate discussions within their organizations and create their own implementation checklist.

The Cures Act, Explained

Understanding the information blocking Final Rule requires an understanding of the Cures Act.

The Cures Act, passed by Congress in December 2016, authorized funding for and regulations of numerous healthcare issues, including modifications to drug and device approval processes, funding for mental health and substance abuse resources, and curtailing practices that prevent the access to and exchange and use of electronic health information (EHI), known as information blocking.

The ONC was tasked with creating provisions for this last part.

It is important to understand that the Final Rule pertains exclusively to EHI and the electronic data access and exchange. This sets it apart from HIPAA, which covers paper, electronic, and verbal data as protected health information (PHI).

However, all the rules for HIPAA remain in place. The difference is in the approach. Where HIPAA takes an authorization or directive approach (you “shall,” if so authorized), interoperability implies that you “must” share information as required.

A Patient-Centered Approach

The Final Rule makes it explicit that when it comes to control of their health records and healthcare decisions, the patient is firmly in the driver’s seat.

“Patients need and deserve control over their records” said HHS Secretary Alex M. Azar II. “Patients should be able to access their electronic medical record at no cost, period.”

The Final Rule provides patients access to their EHI with third-party apps installed on their personal devices.

Additionally, the Final Rule continues to protect patient privacy and security by enabling patients to use apps they authorize to receive their data and by supporting secure access through authentication tools similar to what the banking and travel industries use.

The Final Rule also means that patients will have the ability to shop for care and manage costs, because it sets the foundation for increased data availability and transparency, providing patients with the information needed to expand their choice of payers and providers.

ONC Final Rule Provisions

The ONC Final Rule implements or updates five key provisions related to interoperability:

  • ONC health IT certification
  • Health IT for the care continuum
  • Conditions and maintenance of certification requirements
  • Certification criteria
  • Information blocking

These provisions—along with suggested HIM discussion and action items—are discussed below in further detail.

HIM professionals can use these action items to lead discussions within their organizations. As the healthcare industry is continuing to learn and understand these new rules, any recommendations should be discussed with appropriate legal counsel.

ONC Health IT Certification Program

The first four provisions cover requirements for certifying health IT. While these provisions pertain mainly to IT developers of certified health IT, it is important for provider organizations to understand these provisions, as they are intended to improve and expand interoperability.

There are certain aspects of the certification provisions with which HIM professionals should become familiar.

Certification of health IT is voluntary. The question then becomes, would non-certified products be following the standards that certification brings to the table?

For instance, would the certification privacy and security standards be followed by non-certified products, such as third-party software applications used by patients to access their information? This in turn raises the question, how do we as HIM professionals balance the need to protect a patient’s privacy and security and complying with increased interoperability requirements?

The Final Rule is clear that provider organizations can and are encouraged to educate their patients on the use of third-party applications and the risks associated with sharing or providing access to EHI.

There are specific parameters outlined in the Final Rule that state this education must be consistent, accurate, unbiased, and objective. Education should include advantages, disadvantages, and the associated risk with sharing EHI.

Critical Considerations

  • Does your organization’s privacy practice notification need to be updated?
  • How will you educate patients on their abilities to access their EHI and the risks involved in using third-party apps?
Health IT for the Care Continuum

The intent of this provision is to further support patient care when and where it is needed by addressing health IT across the continuum of care.

This provision includes specialized areas in healthcare, such as pediatric health IT. It establishes criteria for the voluntary certification of pediatric health IT.

Ten recommendations and realigned certification criteria were confirmed in the Final Rule to support the health IT needs of pediatric health providers. This is a first step in building a health IT infrastructure that supports pediatric care, as well as other specialty care areas across the continuum.

Conditions and Maintenance of Certification Requirements

This provision requires the use of standardized APIs through the use of Fast Healthcare Interoperability Resources (FHIR) over the next two years.

Created by healthcare standards organization Health Level Seven International (HL7), FHIR is a standard describing data formats and elements, and an application programming interface for exchanging electronic health records (EHRs).

APIs allow apps to be developed for use on smartphones and will help patients connect to, access, store, and exchange their health data through the app of their choice. EHR vendors are responsible for building the authorization scopes that enable the secure data access through third-party apps, including verification and correct data access.

Critical Considerations

  • HIM professionals need to understand their organization’s app strategy and develop processes to mitigate possible challenges. For example, what process will be put in place if a patient requests their EHI via an app not connected with the organization?
Certification Criteria

The fourth provision relates to the certification criteria requirements for health IT, which were updated in the Final Rule.

One of the changes is that the data requirement for the following certification criteria is transitioning from the current Common Clinical Data Set (CCDS) to the new United States Core Data for Interoperability (USCDI).

By December 31, 2022, the USCDI data set must be used for these criteria, which is applicable in many of the Meaningful Use/Promoting Interoperability incentive programs:

  • View, download, transmit to third parties
  • Transition of care
  • Transmission to public health agencies
  • Consolidated Clinical Documentation Architecture (CDA) creation performance
  • Application access—all data request
Critical Considerations

  • If you are involved in any of these incentive payment programs, be sure to understand the timeline for this change within your organization.
Information Blocking

Information blocking has the most significant impact on HIM. HIM leaders need a clear understanding of the compliance dates and action items needed for implementing the information blocking provisions.

Understanding the definitions related to information blocking and the decision points around these definitions, along with the information blocking exceptions, will help to create the action items needed for discussion within an organization.

Compliance Deadlines, Definitions, and Enforcement

On October 29, ONC issued an Interim Final Rule extending the compliance dates for the agency’s Cures Act Final Rule. Click here for a printable table of the original and revised compliance dates.

The next section explains the Final Rule’s key definitions and enforcement mechanisms.

Final Rule Key Definitions

Information Blocking: Practices by an actor that likely interfere with, prevent, or materially discourage the access, exchange, or use of EHI, except as required by law or covered by an exception.

Actor: Three groups of actors are defined as required to abide by the information blocking rules:

  • Healthcare providers, a broad term encompassing a long list of provider types, each of whom are regulated without regard to whether they are covered entities under HIPAA
  • Developers of Certified Health IT will be regulated by ONC. Affected vendors include those whose health IT has one or more modules certified under ONC’s Health IT Certification program. The definition excludes healthcare providers that self-develop health IT for their own internal use, but not when they offer certified health IT for other entities to use in their own independent operations
  • Health information networks (HINs)/health information exchanges (HIEs) are now consolidated under the Cures Act. HINs and HIEs subject to information blocking claims are those that determine, control, or have the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI among more than two unaffiliated individuals or entities.

Business associates (BAs) are not defined as an actor. However, based on a BA’s specific line of business, that service may qualify the BA as an actor under one of the definitions.

Critical Considerations

  • BAs and BA agreements should be evaluated according to the definitions provided in the Cures Act to determine any impact related to information blocking on the organization.

Access, Exchange, Use:

  • Access: The ability or means necessary to make EHI available for exchange, use or both
  • Exchange: The ability for EHI to be transmitted between and among different technologies, systems, platforms, or networks
  • Use: The ability for EHI, once accessed or exchanged, to be understood and acted upon
Critical Considerations

  • Transmitted: Transmitted is described as bidirectional in the Final Rule. What are the implications of bidirectional transmission within your organization? What are your current processes for patients to transmit information into your organization’s EHR?
  • Understood: Per the Final Rule, this does not mean an organization has to describe the clinical significance or relevance of the EHI.
    • Given the expanded amount of information that will be available electronically for patients, should or how will the process be communicated to patients if they have questions regarding their EHI?
    • Will providers receive additional calls based on the increased information available for access?
    • If so, what messaging might be needed for both the providers and patients?
    • Will amendment requests increase?
  • Acted Upon: What does the ability to write, modify, manipulate, or apply the information (all words used in the Final Rule) mean for your organization?

Electronic Health Information (EHI): EHI is ePHI, as defined by HIPAA, to the extent ePHI is included in the designated record set (DRS). Excludes: Psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and deidentified information.

Critical Considerations

  • How is your organization progressing with making the USCDI available for access, exchange, and use as of April 5, 2021?
  • How will the USCDI information be available for patients? Through your organization’s patient portal? What if your organization does not have a patient portal or is on an older EHR vendor version that cannot accommodate the USCDI expansion?
  • When will discussions begin on the access, exchange, and use of the full EHI?

Designated Record Set §164.501:

  1. A group of records maintained by or for a covered entity that is:
  2. The medical records and billing records about individuals maintained by or for a covered healthcare provider;
  3. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
  • Used, in whole or in part, by or for the covered entity to make decisions about individuals
  1. For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information (PHI) and is maintained, collected, used, or disseminated by or for a covered entity
Critical Considerations

  • Re-review the DRS definition for your organization. Consider outside records processes where the records may be used to make decisions about the patient. Also review the billing records included as part of the DRS.
  • Legal health record definition: This definition can be reviewed, but the Final Rule does not include legal health record language. For instance, an organization’s legal health record definition most likely does not include billing records.
  • Review policies and procedures including, but not limited to, amendments, master patient index (MPI) integrity, retention, proxy, sensitive information, privacy and security, and many more.
  • Consider an assessment of your information governance program and activities.

USCDI: The USCDI is a set of health data classes and elements that allows for data sets beyond clinical data (see Table 1). The USCDI will continue to be updated which reflects how the Final Rule intends to provide more data availability and transparency and establishes the foundation for the broader sharing of EHI.

Table 1: United States Core Data for Interoperability (USCDI v1)
Data Classes Data Elements
Patient Demographics First, middle and last name

Previous name


Birth sex

Date of birth



Preferred language

Current address*

Previous address*

Phone number*

Phone number type*

Email address*

Care team members  
Assessment and plan of treatment  
Goals Patient goals
Clinical Notes* Consultation notes

Discharge summary note

History and physical

Imaging narrative

Lab report narrative

Path report narrative

Procedure notes

Progress notes

Health Concerns  
Laboratory Tests


Medications Medications

Medication allergies

Allergies and Intolerance Substance (medication)

Substance (drug class)


Provenance (place of origin)* Author time stamp

Author organization

Smoking Status  
Unique Device Identifier(s) – Implantable Devices  
Vital Signs Diastolic BP

Systolic BP

Body height

Body weight

Heart rate

Respiratory rate

Body temperature

Pulse oximetry

Inhaled O2 concentration

BMI percentile (2-20 yrs)*

Weight-for-length percentile (birth-36m)*

Head occipital-frontal circumference percentile (birth-36m)*

Reference range/scale or growth curve, as appropriate*

*changes from CCDS

Current Channel

Journal Of AHIMA
Subscribe To This Channel

Tags: Practice Updates , FOAMed , Journal Feed

Welcome to the healthcare-only HIPAA - GDPR compliant cloud. Exclusively hosted on a HPC environment!

Learn more or start today by choosing your secure HIPAA - GDPR compliant server's Operating System bellow and pick the package that's best for you.

BIPmd makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine, thousand or more.

Windows VPS options and add ons
Linux VPS options and add ons

Looking for a custom solution?

Our technicians can provide you with the best custom-made solutionss on the market, no matter whether you're a small business or large enterprise.

Get in touch