Regulation of Medicine


The 21st Century Cures Act and Information Blocking

Executive Summary 

The 21st Century Cures Act indicates a significant shift in how electronic health information is approached. The act requires healthcare professionals to make major adjustments quickly as non-compliance could lead to costly fines. Healthcare organizations must understand their obligations to ensure they can mitigate any risk of liability.  

Recommended Actions 
  • Ensure that your healthcare practice has a policy and procedure in place for how to respond to a patient’s data request. 
  • Ensure that all physicians and staff are appropriately trained regarding this policy and understand the importance of appropriately responding to patient requests. 
  • Monitor updates regarding the requirements under the Cures Act exceptions to ensure continuous compliance.

The 21st Century Cures Act, or the Cures Act, is a large piece of legislation signed into law in 2016. Healthcare IT changes — specifically, improving the sharing of electronic health records (EHR) and authorizing penalties for interference with lawful sharing of EHR — are an integral part of the Cures Act that will impact healthcare providers. Although the Cures Act covers a wide array of topics, one of the main objectives is to increase patient access to medical records. 

On March 9, 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule further implementing the Cures Act. The ONC rule prohibits “information blocking,” a practice that, except as required by law or specified by HHS as a “reasonable and necessary activity,” is “likely to interfere with access, exchange, or use of electronic health information (EHI).” The final rule also includes a provision requiring that patients be able to electronically access all of their EHI, structured and/or unstructured, at no cost. Even if a healthcare organization does not use any certified health IT (for example, it uses paper charts), the healthcare organization is still subject to the information blocking rule. 

There are a few reasons why this rule is going into effect. First, the rule was passed because patients and providers have been requesting expanded and timelier access to medical records. Second, digital capabilities have evolved such that these requests can be met more efficiently. And finally, the rule creates a common set of standards for sharing electronic information.      

What This Means for Healthcare Organizations 

The information blocking part of the final rule was scheduled to take effect on November 2, 2020, but because of COVID-19, the ONC issued an interim final rule extending the compliance deadline for information blocking to April 5, 2021. Currently, the Office of the Inspector General (OIG) has not yet announced financial penalties for information blocking noncompliance. For healthcare organizations, HHS also must engage in future rulemaking to establish appropriate disincentives for noncompliance.  

Although healthcare organizations are responsible for compliance with the new rule, most of the responsibilities initially lie with the EHR vendor. Under the final rule, healthcare organizations must give a patient electronic access to their EHI upon request or make EHI available for patients to access at their convenience. Of note, EHI does not include psychotherapy notes. The rule requires providers to make the following data set (known as the U.S. Core Data for Interoperability or “USCDI”) available to patients electronically starting on April 5, 2021: 

  • Allergies 
  • Vitals 
  • Care team 
  • Clinical notes 
  • Immunizations 
  • Labs 
  • Medication 
  • Demographics 
  • Health concerns 
  • Goals 
  • Problems 
  • Procedures 
  • Provenance 
  • Smoking status  
  • Unique Device Identifier implants  
  • Assessment and plan of treatment  

With most EHR vendors, results will be shared with patients immediately in their EHR once the status is marked “final” by the provider. Preliminary results will not be shared, but all clinic notes (except for psychotherapy notes) authored by Advanced Practice Providers and above will be shared immediately upon the closing of an ambulatory encounter or provider electronic signature of an inpatient note. Notes requiring co-signature will not be released until co-signed, and emergency department notes will not appear for patient viewing until the patient is discharged from the emergency department or admitted to the hospital.  

As the provider, you will be responsible for ensuring that clinicians and staff are not participating in information blocking. We recommend you contact your EHR vendor to ensure that they will provide you the capabilities to comply with the final rule requirements. We also recommend you follow the updated practices of the health system you work most closely with. 


There are eight exceptions (and key conditions required to meet those exceptions) to the final rule that can be found here. These actions do not constitute information blocking because the ONC rule views the activities as reasonable and necessary. An actor’s practice that does not meet the conditions of an exception will not automatically constitute information blocking. Instead, such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. The exceptions are divided into the following two categories: (1) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (2) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI. The eight exceptions are: 

Preventing Harm Exception  

It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent harm to a patient or another person, provided certain conditions are met. Two examples that would likely fall under this exception are if a patient is suicidal or if a patient has made a credible threat of harm to another person and the practice reasonably believes its actions will substantially reduce the risk of these harms.  

Privacy Exception  

It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI to protect an individual's privacy, provided certain conditions are met. For instance, if a teenager does not want a note shared (e.g., there is evidence of an STI or pregnancy), the teenager can either revoke proxy access or the provider can withhold the note at the request of the teen, citing the “Privacy Exception.” 

Security Exception  

It will not be information blocking for an actor to interfere with the access, exchange or use of EHI to protect the security of EHI, provided certain conditions are met. 

Infeasibility Exception  

It will not be information blocking if an actor does not fulfill a request to access, exchange or use EHI due to the infeasibility of the request, provided certain conditions are met. Examples of situations that would fall under this exception are natural disasters, public safety incidents or a public health emergency. Another important qualifying requirement to this exception is that the practice must provide a written response to the requestor within 10 business days of receipt of the request with the reason(s) why the request is infeasible. 

Health IT Performance Exception  

It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT, provided certain conditions are met. An example is EHI being unavailable because the health IT system is being taken offline or because the IT vendor is performing maintenance. 

Content and Manner Exception  

It will not be information blocking for an actor to limit the content of its response to a request to access, exchange or use EHI or how it fulfills a request to access, exchange or use EHI, provided certain conditions are met. 

Fees Exception 

It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging or using EHI, provided certain conditions are met. 

Licensing Exception 

It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged or used, provided certain conditions are met. 

At this time, the exceptions are not very detailed, but it is anticipated that further guidance and details will be released in the future. 

Next Steps 

Attend a webinar regarding the Cures Act provided by an EHR vendor (such as Epic, Athena and Cerner). If your EHR vendor does not have a webinar, we have provided a link below to ONC’s recorded webinars under the “recommended resources” section. Cerner also released a podcast discussing the final rule, which can be found here. 

Attend a webinar hosted by the local health system you are most closely affiliated with to see if they have any additional guidance and how they will maintain compliance with the Cures Act. 

Physicians and staff should have protocols in place for what to do when they receive a data request. Ensure that your practice has a general understanding of the new changes and has implemented a default rule of sharing electronic records immediately with the patient. 

Additional Resources  

HHS – Extends Compliance Dates 

HHS – HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data – Information Blocking FAQs – Information Blocking – Fact Sheets 

ONC Overview of the Cures Act Final Rule 

What ONC's Cures Act Final Rule Means for Clinicians and Hospitals 

Recorded Webinars on the Cures Act Final Rule 

Holland & Knight – ONC Information Blocking Requirements: What You Need to Know 

ONC – Share Notes 

Lessons Learned  
  • Document all patient data requests and maintain copies of the requests in the patients’ medical records. 
  • Consider implementing a checklist for staff members to use when responding to any patient data requests for electronic information to ensure compliance every time.  
  • Monitor state or local laws regarding the requirements for making electronic health information available to patients as these rules could surpass the Cures Act requirements. 

Potential Damages 

Failure to comply with the Cures Act could mean costly fines for a healthcare organization. Non-compliance could lead to civil monetary penalties of up to $1 million per violation for engaging in information blocking. Although these are hefty fines, the frequency of such violations is relatively low, which could reflect the fact that the Cures Act recently went into effect.   


    1. There is generally a “preventing harm” exception to the Cures Act final rule.
    2. To qualify for the “infeasibility exception,” the healthcare practice must provide a written response to the requestor within six months of receipt of the request.
    3. If a patient requests access to their EHI, we must timely provide them with such access.



    The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.