By Kathie McDonald-McClure and Margaret Young Levi

The Information Blocking Final Rule, a provision of the 21st Century Cures Act geared toward ensuring access, exchange and use of electronic health information (EHI), was published on May 1, 2020, and became effective on June 30, 2020.  The U.S. Department of Health and Human Services' (HHS) Office of the National Coordinator for Health IT (ONC) then extended the compliance date for the information blocking provisions more than once over the past year, and many providers hoped it would do so again.  It did not.  Information blocking compliance has been required since April 5, 2021, and health care providers should take immediate steps to ensure compliance.

What Is Information Blocking?

The Information Blocking Final Rule aims to improve patient access to EHI by prohibiting practices that are “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” A health care provider can run afoul of the Information Blocking Rule if the “provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”   45 C.F.R. 171.103.

Information blocking can take many forms.  The Final Rule does not provide an exhaustive list of practices that may implicate the information blocking prohibition, but it does offer examples, such as imposing unreasonable fees that would prevent patients from accessing their health information.  The Rule's exceptions are also instructive: each describes a practice that would otherwise be likely to interfere with access, exchange or use of EHI, and a practice that does not satisfy the conditions of an exception may constitute information blocking.  See our further discussion of the exceptions below.

Who Must Comply?

The Information Blocking Rule regulates three categories of "actors":  (1) health information networks (HINs) and health information exchanges (HIEs), (2) developers of certified health IT, and (3) health care providers.  This article focuses on health care providers.  The definition of "health care provider" incorporated into the Information Blocking Rule (45 CFR 171.102) is the definition set forth in the Public Health Service Act at 42 U.S.C. 300jj.

Accordingly, a “health care provider” subject to the Information Blocking Rule includes the following:

Hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary.   

Importantly, per the ONC, a provider is subject to the Information Blocking Rule regardless of whether it uses health IT that is certified under the ONC Health IT Certification Program.

Are There Exceptions To The Information Blocking Rule?

ONC has identified eight reasonable and necessary activities that do not constitute information blocking.  These exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met. The eight exceptions are:

  • Preventing Harm Exception
  • Privacy Exception
  • Security Exception
  • Infeasibility Exception
  • Health IT Performance Exception
  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

These exceptions come with qualifiers and caveats and deserve close study before relying on one. For example, the Infeasibility Exception, despite what one might think on the face of it, does not give a provider an excuse not to comply with the requirement to include certain EHI data elements from the United States Core Data for Interoperability (USCDI) standards in the provider’s response to the EHI request on the basis that it’s “infeasible”. Instead, a provider having difficulty with the form and content for responding to a request for EHI should look to the Content and Manner Exception.

Blanket Delay in Release of Test Results.  One exception that has engendered much discussion is the Preventing Harm Exception, and specifically whether providers may delay the release of electronic laboratory and other test results to patients so that the clinician has an opportunity to review the results first and communicate them directly to the patient.  Some providers have a policy of automatically holding test results for a set period, such as two hours or two days, before releasing them to the patient electronically through a patient portal.  ONC has indicated that such blanket delays could be information blocking; a delay may still be permissible on a case-by-case basis where releasing a particular result presents a risk of harm to the patient.  ONC stresses:

“Deference should generally be afforded to patients’ right to choose whether to access their data as soon as it is available or wait for the provider to contact them to discuss their results. Only in specific circumstances do we believe delaying patients’ access to their health information so that providers retain full control over when and how it is communicated could be both necessary and reasonable for purposes of substantially reducing a risk of harm.” 

In practice, this could mean a patient would be able to access test results electronically in parallel to the availability of the test results to the ordering clinician—unless the patient consents to permitting the physician time to review the results first.

What Are The Penalties for Noncompliance?

Per the ONC, enforcement of the information blocking provisions will not begin until the HHS Office of Inspector General (OIG) establishes civil monetary penalties (CMPs) through future rulemaking.  Two points deserve clarification.  The Cures Act's CMPs (up to $1 million per violation) apply to health IT developers and to HINs/HIEs; for health care providers, the Act instead directs HHS to establish "appropriate disincentives" through separate rulemaking.  Neither rule has been finalized, so no actor is presently subject to penalties, and OIG has stated that it will not impose CMPs for conduct that occurs before its CMP rule is final.

On April 5, 2021, in a HealthITBuzz blog post, "A New Day for Interoperability—The Information Blocking Regulations Start Now," the ONC stated: "ONC will continue to release education materials and communicate with stakeholders about the information blocking regulations. We remain closely partnered with the HHS Office of Inspector General with respect to information blocking investigations and civil monetary penalties (for which a final rule is still pending) as well as HHS broadly when it comes to disincentives for health care providers."

Meanwhile, the ONC has activated its information blocking complaint submission process via a Report Information Blocking link on its HealthIT Feedback and Inquiry Portal.  Within the complaint dialogue box, the ONC suggests that the complainant include the type of EHI requested (e.g., lab result, medical history, diagnostic images), the type or purpose of the EHI request (e.g., a patient's request to access his or her records, or a health care provider's request to export patient records from a different health care provider), and the health IT used by the requestor and by the person or entity that failed to satisfy the request (e.g., system and version).  The ONC states that, per the Cures Act, the complaint is not subject to disclosure under the Freedom of Information Act.  Finally, if the complainant believes the person or entity blocking access to the information is a HIPAA covered entity or business associate, the complaint portal provides a direct link to the HHS Office for Civil Rights website for filing a HIPAA complaint.

Is There Governmental Compliance Guidance?

Yes.  The navigation bar at the top of the ONC Information Blocking home page provides a dropdown list of “Resources,” including Fact Sheets, Frequently Asked Questions (FAQs), and webinars among other resources.  Notably, ONC recently updated its FAQs with further guidance and clarifications on how to comply with the Final Rule. Providers who have not recently reviewed the FAQs are encouraged to do so.  The updated FAQs are flagged with an asterisk (*) and one of two dates: 1/15/2021 and 3/19/2021. 

Among the updated FAQs is ONC's further guidance on how to fulfill a request with the EHI data elements represented in the USCDI standard.  Importantly, on and after April 5, 2021, providers must respond to a request to access, exchange, or use EHI with, at a minimum, all requested EHI identified by the data elements represented in the USCDI standard.  Providers can register for an account with ONC and submit comments on the USCDI standard, including suggestions for improving its clarity, functionality and applicability to the needs of providers in specific care settings.

Providers also can submit specific questions or feedback about compliance with the Information Blocking Rule by clicking on the box for ONC Cures Act Final Rule on the ONC’s HealthIT Feedback and Inquiry Portal.

Compliance Tips

Health care providers should review their contracts, policies and practices to ensure that they are not likely to interfere with access, exchange, or use of EHI.  Revisions to those provisions of a provider’s medical records policies dealing with access may be in order.  In addition, it’s advisable to have a separate policy dealing with information blocking compliance given the complexity of the eight exceptions and the specific requirements related to how to produce EHI in compliance with the USCDI standards. 

Additionally, providers should talk to their EHR vendor to confirm whether any automatic hold on test results is built into their system and, if so, to reconfigure it so that results are not delayed except where an information blocking exception applies.  Likewise, providers with patient portals should review how they respond to patient requests for information, and how they decide whether to connect to a patient's third-party app, to ensure that any delay that does not meet an information blocking exception is eliminated.

Any contract with a vendor that supplies software for or hosts EHI, including vendors hosting data from a legacy Electronic Health Record (EHR) system, should be reviewed and, where possible, updated so that neither the vendor's practices nor the contract itself creates an obstacle to the provider's compliance with the Information Blocking Rule.  Because the Rule is not part of HIPAA, a provider's standard HIPAA Business Associate Agreement (BAA) form may also need to be revised, when used with EHI vendors, to add a specific requirement to comply with the Information Blocking Rule.  Merely complying with HIPAA's right of access regulation will not satisfy the Information Blocking Rule.

If you need additional information, please contact:

Kathie McDonald-McClure, Partner

Phone: 502.562.7526 


Margaret Young Levi

Phone: 859.288.7469


HITECH Act Amendment: Using “Recognized Security Practices” May Lead to More Favorable HHS Review and Reduced Fines After Data Breach

by Margaret Young Levi and Kathie McDonald-McClure

Congress amended the Health Information Technology for Economic and Clinical Health Act (HITECH Act) on January 5, 2021.  This Amendment requires the U.S. Department of Health and Human Services (HHS) to favorably consider whether covered entities and business associates have implemented specific security measures when making decisions regarding penalties and audits under the Health Insurance Portability and Accountability Act (HIPAA). 

Specifically, the Amendment mandates HHS to “consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place” when HHS is making decisions to (1) decrease fines, (2) decrease the length and extent of an audit or terminate an audit, and (3) mitigate other remedies with respect to resolving potential violations of the HIPAA Security Rule. 

The HIPAA Security Rule already requires covered entities and business associates to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI), but it does not prescribe specific safeguards.  This Amendment recognizes certain safeguards and provides benefits to covered entities and business associates who have implemented them.  The Amendment defines "recognized security practices" to mean:

  • the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act,
  • the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and
  • other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.

Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security Rule. 

The Amendment does not permit HHS to fine a covered entity or business associate, nor to increase fines, merely due to choosing not to engage in “recognized security practices”. Likewise, the Amendment does not prevent HHS from imposing fines if the administrative, physical and technical safeguards implemented by the covered entity or business associate were lacking or not appropriate, or if there was a data breach due to a lack of appropriate safeguards.  On the other hand, a covered entity or business associate who has experienced a data breach resulting from a cyber attack could benefit from reduced fines if these recognized security measures were in place.

The Amendment is to be effective retroactively to December 13, 2016, the enactment date of the 21st Century Cures Act.

Federal Agencies Warn of Cyberattacks on U.S. Hospitals

By Margaret Young Levi and Kathie McDonald-McClure

On October 28, 2020,  the Federal Bureau of Investigation (FBI), the U.S. Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Cybersecurity Advisory warning hospitals and the health care community about coordinated ransomware attacks on hospitals designed to steal data and freeze hospital information systems for financial gain. 

Six U.S. hospitals fell victim to this attack on October 27th, and the FBI, HHS, and CISA reported credible information that more hospitals would be targeted.  The ransomware behind these attacks is known as Ryuk; the attackers gain their initial foothold with TrickBot and related malware and use that access to deploy Ryuk.  Before encrypting critical data files, the operators stealthily access, map and move laterally across the victim's network, and they delete connected backups so that the victim cannot simply restore.

Network Best Practices. The Joint Cybersecurity Advisory provides some practical precautions that health care providers can put in place to protect their networks from these threats:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts.
  • Do not reuse the same password for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Ensure that your remote access and application “block lists” and “allow lists” are up-to-date so that only those programs and individuals with permission can access your system.
  • Audit user accounts with administrative privileges and configure access controls with minimum necessary privileges in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and close or block any that are not needed. (A port identifies the service listening on a host; port numbers run from 0 to 65535 for each of TCP and UDP. Cybercriminals scan for exposed services such as RDP on TCP 3389 and SMB on TCP 445 to find a way into your network, and you should scan your own network first!)
  • Identify the critical data assets on your network and ensure that backups of these assets are not connected to the network 24-7 and the most recent backup is housed offline from the network.
  • Implement network segmentation to secure sensitive data.  For example, sensitive data files should not reside on the same server as email.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
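As an added illustration (not part of the Joint Cybersecurity Advisory or of the authors' text), the following Python script shows how several of the items above can be checked mechanically rather than by hand: it flags listening services that are not on a hypothetical allow list, rating RDP (TCP 3389) and SMB (TCP 445) as high risk, and it flags newly created accounts and additions to privileged local groups in a Windows Security log extract, escalating when an account is created and made an administrator within a short window, a common post-compromise pattern. The allow list, group names, sample `ss -tulnp` output and event records are all constructed for the example; the Windows event IDs used (4720, 4732, 4624) are the standard ones.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Hypothetical allow list for this host: (protocol, port) pairs that are
# expected to listen on a non-loopback interface. Anything else is flagged.
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443)}

# RDP (called out in the advisory) and SMB, which Ryuk operators use to move laterally.
HIGH_RISK_PORTS = {3389, 445}

# Local groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample of `ss -tulnp` output from a Linux host (not a real capture).
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      5      0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=1203,fd=11))
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1310,fd=33))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=540,fd=5))
"""

# Constructed Windows Security log extract as CSV: timestamp, event ID,
# target account, group (or "-"). 4720 = account created, 4732 = member added
# to a security-enabled local group, 4624 = successful logon.
WIN_EVENTS = """\
2020-10-27T02:14:03Z,4720,svc_backup,-
2020-10-27T02:14:09Z,4732,svc_backup,Administrators
2020-10-27T09:30:11Z,4732,jsmith,Remote Desktop Users
2020-10-27T10:02:45Z,4624,jsmith,-
"""


def parse_listeners(ss_output):
    """Yield (proto, address, port, process) for each listening socket."""
    for line in ss_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[1] not in ("LISTEN", "UNCONN"):
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")        # rpartition keeps IPv6 addresses intact
        match = re.search(r'\("([^"]+)"', line)      # process name inside users:(("name",...))
        yield proto, addr, int(port), (match.group(1) if match else "?")


def audit_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Flag non-loopback listeners that are not on the allow list."""
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_output):
        if addr in ("127.0.0.1", "::1", "[::1]"):
            continue                                  # loopback-only, not reachable from the network
        if (proto, port) not in allowed:
            sev = "HIGH" if port in HIGH_RISK_PORTS else "MEDIUM"
            findings.append((sev, f"{proto}/{port} ({proc}) listening on {addr} is not on the allow list"))
    return findings


def audit_account_events(event_csv, window=timedelta(minutes=15)):
    """Flag new accounts and privileged-group additions; escalate to HIGH when an
    account is created and made privileged within `window`."""
    created = {}
    findings = []
    for row in csv.reader(io.StringIO(event_csv)):
        if len(row) != 4:
            continue
        ts, event_id, account, group = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if event_id == "4720":
            created[account] = when
            findings.append(("MEDIUM", f"{ts} account {account!r} created; confirm it is legitimate"))
        elif event_id == "4732" and group in PRIVILEGED_GROUPS:
            sev = "MEDIUM"
            if account in created and when - created[account] <= window:
                sev = "HIGH"
            findings.append((sev, f"{ts} {account!r} added to {group}"))
    return findings


def run_audit(ss_output=SS_SAMPLE, event_csv=WIN_EVENTS):
    """Combine both checks, most severe first (sort is stable, so order is otherwise preserved)."""
    findings = audit_listeners(ss_output) + audit_account_events(event_csv)
    return sorted(findings, key=lambda f: 0 if f[0] == "HIGH" else 1)


if __name__ == "__main__":
    for severity, message in run_audit():
        print(f"[{severity}] {message}")
```

On a real host the two inputs would come from `ss -tulnp` (or `netstat`/`Get-NetTCPConnection` on Windows) and from an export of the Security event log; the point of keeping an explicit allow list is that anything not on it, not just RDP, is treated as a question to be answered rather than a default.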

End User Awareness and Training. As pointed out in the Joint Cybersecurity Advisory, user awareness and training is itself a best practice. Because end users are the most common targets, ensure employees and stakeholders are aware of ransomware and phishing scams and how they are delivered. So that you can mitigate the risk in a timely manner and deploy your data security incident response plan, ensure employees and stakeholders know whom to contact if they see suspicious activity or believe they are the victim of an attack.

Addressing the Ransom Demand. The Joint Cybersecurity Advisory also includes information on what to immediately do when a ransomware attack is discovered.  In particular, it advises not paying ransoms.  For more information about this read our article on the Wyatt HITECH Law blog discussing two new Treasury Department advisories issued on October 1, 2020 about the risks of paying ransoms and the potential for sanctions when doing so.

The Wyatt Data Incident Response Team has prepared “Six Tips” on responding to a cybersecurity incident within the first 24-48 hours. For more information on Wyatt’s Data Privacy & Security Incident Response Team see our Data Privacy & Incident Response Team brochure and visit the Data Incident Response Team tab on this blog.

New Treasury Department Ransomware Advisories Warn that Ransom Payment May be Sanctionable

by Margaret Young Levi and Kathie McDonald-McClure

Cyber attacks using ransomware have been on the rise during the COVID-19 pandemic.  Ransomware, whether it encrypts individual files or locks an entire drive, can block access to an organization's essential operating data unless the organization can obtain a decryption key.  Unless clean, disconnected backups are available, the decryption key is usually obtainable only by paying a ransom to the cybercriminal.

On October 1, 2020, the U.S. Department of the Treasury Office of Terrorism and Financial Intelligence announced the issuance of two advisories aimed at fighting ransomware scams and attacks.  In making the announcement, Deputy Secretary Justin G. Muzinich said:

Cybercriminals have deployed ransomware attacks against our schools, hospitals, and businesses of all sizes. Treasury will continue to use its powerful tools to counter these malicious cyber actors and their facilitators.

The advisories also warn that those who facilitate ransomware payments, including payments that reach sanctioned persons, may face penalties for violating Treasury sanctions laws and regulations. Treasury's effort to crack down on ransomware in this way, however, places its victims in the crossfire.  Ransomware victims may feel they have no choice but to pay the ransom if this is the only way to regain access to essential data, which is often the case when the most recent data back-up is also attacked and a decryption key is not available by other means.  Moreover, paying the ransom may be a matter of public safety.  For example, ransomware that locks health care providers out of patient electronic medical records, attacks computers that support life-saving medical devices, or shuts down computers connected to automobiles and other consumer devices could pose a risk of injury or even death.

Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory, entitled “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” (Treasury Advisory). The Treasury Advisory is intended to educate financial institutions and others involved in cyber incident response measures about ransomware trends and indicators of ransomware as well as related money laundering activities.  More specifically, the Treasury Advisory addresses the following areas of concern:


The EPCS Mandate: Kentucky Requires Electronic Prescribing Of Controlled Substances

by Lindsay K. Scott

In an ongoing effort to battle the opioid crisis, Kentucky House Bill 342 was signed into law on March 26, 2019.  This bill created a new statute, KRS 218A.182, to require that all prescriptions for controlled substances be submitted electronically, unless certain exceptions apply (the "EPCS Mandate").  Effective January 1, 2021, practitioners who prescribe controlled substances to be dispensed by a Kentucky pharmacy must issue the prescription electronically ("e-prescribe") directly to the pharmacy unless an exception applies.