New HHS 21st Century Cures Act IT Rule – Part 2

We discussed three of the information blocking exceptions to the ONC rule implementing the 21st Century Cures Act. These are two more of the non-fulfillment exceptions to the ONC rule. Another three fulfillment exceptions follow. The exceptions try to balance the ability of the developers and practitioners to provide technical and medical solutions with the patient’s desire for privacy and security of his/her medical records.

1. Infeasibility Exception.

“It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the infeasibility of the request, provided certain conditions are met.”

  • Objective of the Exception. The exception to the ONC rule recognizes that there may be technical, legal, and other reasons why the healthcare actor’s ability to comply with EHI use, exchange, or access requests is limited.
  • Key Conditions of the Exception. To qualify for this exception, the healthcare actor needs to meet one of the following conditions:
    • Uncontrollable events. Here, the actor can comply with the EHI use/access/exchange requirements due to certain uncontrollable events such as:
      • A natural or human-made disaster
      • A public health emergency
      • War
      • Terrorist attacks
      • A public safety incident
      • A strike or other labor unrest
      • A civil insurrection
      • Interruption of Internet or telecommunication services
      • A regulatory, civil or military act
    • Segmentation. This condition applies if the healthcare actor can’t meet the EHI request because the EHI that is requested “cannot unambiguously segment the requested EHI.”
    • Infeasibility under the circumstances. Here, “the actor demonstrates through a contemporaneous written record or other documentation its consistent and non-discriminatory consideration of certain factors that led to its determination that complying with the request would be infeasible under the circumstances.” The healthcare entity must give the requester a written response within 10 days – explain why the EHI request is not feasible.

2. Health IT Performance Exception.

“It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily unavailable or to degrade the health IT’s performance for the benefit of the overall performance of the health IT, provided certain conditions are met.”

  • Objective of the Exception. This exception recognizes that health IT requires maintenance and improvements. The system may need to be offline. Healthcare actors should be encouraged to improve the performance of the IT system if the interruptions aren’t severe.
  • Key Conditions of the Exception. The conduct/practice of the healthcare actor must:
    • Be implemented only for – as long as needed
    • Be “implemented in a consistent and non-discriminatory manner”
    • If the unavailability of the system is started “by a health IT developer of certified health IT, HIE, or HIN,” then the actor may work on a third-party app which is impacting the IT performance in a negative way, provided the work is:
      • Only for is as long as necessary to resolve the negativity issues
      • Is “implemented in a consistent and non-discriminatory manner”
      • Complies with current service legal agreements, where applicable.

If the unavailability is due to a harm risk or security risk – the actor must comply with those applicable exceptions too.

Fulfilling request exceptions

These exceptions to the ONC rule on information blocking are:

  • Content and Manner Exception.

“It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.”

    • Objective of the Exception. This exception helps clarify, and provides flexibility, for healthcare actors regarding the scope of the EHI on a request to access, use, or exchange the EHI and on the way the healthcare actor may fulfill the request. The aim of this exception is to encourage innovation and competition – by “allowing actors to first attempt to reach and maintain market negotiated terms for the access, exchange, and use of EHI.”
    • Key Conditions of the Exception.
      • Content Condition. This provision provides the content the actor must provide when someone requests to use/exchange/access EHI
        • Up to 24 months after the publication date of the Cures Act final rule, the healthcare entity – “must respond to a request to access, exchange, or use EHI with, at a minimum, the EHI identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard.”
        • On or after that 24 month deadline the healthcare actor “must respond to a request to access, exchange, or use EHI with EHI as defined in § 171.102.
      • Manner Condition. This provision provides the way in which the healthcare actor must fulfill an exchange/use/access of EHI request:
        • A healthcare actor may be able to fulfill an EHI request in an alternative way when the actor is:
          • Not able to technically fulfill the request in the manner requested
          • Can’t reach “agreeable terms with the requestor to fulfill the request.”
      • “If an actor fulfills a request in an alternative manner, such fulfillment must comply with the order of priority described in the manner condition and must satisfy the Fees Exception and Licensing Exception, as applicable.”
  • Fees Exception.

“It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using EHI, provided certain conditions are met.”

    • Objective of the Exception. This exception permits healthcare entities to charge fees for developing technologies to enhance interoperability – providing the fees aren’t for rent, opportunistic fees, and exclusionary practices which interfere with the use, access, or exchange of the electronic health information.
    • Key Conditions of the Exception. To qualify for the exception, the conduct/practice of the healthcare entity must:
      • Meet the “basis for fees condition.” For example, the fees must:
        • “Be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests.”
        • “Be reasonably related to the actor’s costs of providing the type of access, exchange, or use of EHI.”
        • “Not be based on whether the requestor or other person is a competitor, potential competitor, or will be using the EHI in a way that facilitates competition with the actor.”
      • Not be specifically excluded. For instance, this exception doesn’t apply to a fee that is:
        • “Based in any part on the electronic access by an individual, their personal representative, or another person or entity designated by the individual to access the individual’s EHI.”
        • “To perform an export of electronic health information via the capability of health IT certified to § 170.315(b)(10).”
      • “Comply with Conditions of Certification in § 170.402(a)(4) (Assurances – certification to “EHI Export” criterion) or § 170.404 (API).”
  • Licensing Exception

“It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or used, provided certain conditions are met.”

    • Objective of the Exception. This exception permits healthcare actors the right to protect their innovations and charge reasonable royalties so the developers can have a return on their investments to create innovative healthcare products.
    • Key Conditions of the Exception. To qualify for this exception, the practice of the healthcare entity must meet:
      • “The negotiating a license conditions: An actor must begin license negotiations with the requestor within 10 business days from receipt of the request and negotiate a license within 30 business days from receipt of the request.”
      • The licensing conditions. These include:
        • Scope of rights
        • Reasonable royalties
        • Non-discriminatory terms
        • Collateral terms
        • Non-disclosure agreements
    • Additional conditions relating to the provision of interoperability elements.



Clinical notes and the OCN rule

The United States Core Data for Interoperability (USCDI) is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.

According to, “the eight (8) types of clinical notes that must be shared are outlined in the United States Core Data for Interoperability (USCD). The 8 types include:

  • Consultation notes
  • Discharge summary notes
  • History & physical
  • Imaging narratives
  • Laboratory report narratives
  • Pathology report narratives
  • Procedure notes
  • Progress notes

The following clinical notes generally are not covered by the new OCN rule:

  • Psychotherapy notes recorded (in any manner) by a mental health professional – who is “documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.”
    • “Note: Clinicians and organizations are required to share medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.”
  • Information that was gathered to be used in a criminal, civil, or administrative proceeding.

Clinical notes must be shared with patients (on request) by health systems starting on April 5, 2021 – and with a patient’s third-party app (for example, downloaded to a smartphone) by October 6, 2022.

Generally clinical notes cannot be blocked unless one of the 8 exceptions to the Rule, as discussed above, apply.

A delay in the effective dates of the OCN rule due to COVID-19

The OCN announced in March 2020 that the ONC and CMS, working with the HHS, is allowing compliance flexibilities regarding the interoperability final rules due to COVID-19. To support the efforts to combat COVID-19, the “ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”

An interim final rule was announced in November 2020 that generally moves the date for compliance of the following matters to April 5, 2021. Exceptions may apply:

  • Information blocking compliance
  • Certification requirement compliance
  • API requirements

New HHS Rule Protects Patient Privacy Under HIPAA and HITECH

Much-anticipated regulation protects patient privacy under HIPAA and HITECH

Additional concerns about the ONC rule

There are some advantages to sharing patient information. The main one is improving the quality of care the patient receives. From a legal viewpoint sharing information is advantageous – if it reduces the risk of liability as compared to not sharing the patient data. For example, a doctor may need to see a critical diagnostic test. If the test result is on a different electronic health record system (one which doesn’t share clinical data with doctors who use a different HER system), the risk is that if the doctor doesn’t have the correct result, he/she might commit medical malpractice.

Not everyone is entitled to patient information, even with the OCN information-blocking law. The IT developer (and other healthcare entities) need to consider whether the sharing of the information:

  • Violates HIPAA
  • Violates any state laws on sharing patient information

IT developers and physicians need to understand the new ONC rule on implementation of the 21st Century Cures Act. This includes understanding the certification, interoperability, and information blocking requirements. An experienced healthcare lawyer works with developers and medical practices to help balance their business and medical goals with their compliance requirements. There can be heavy fines and other consequences for failing to comply with federal and state laws – specifically if the privacy and security of electronic health records is affected.

Medical practitioners and IT developers should contact Cohen Healthcare Law Group, PC for legal advice on 21st Century Cures Act and CMS compliance rules. Our experienced healthcare lawyers explain how new laws create new requirements for patient privacy and security and what exceptions apply.

Contact Us

Book your Legal Strategy Session now
Cohen Healthcare Law Logo

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.

Start typing and press Enter to search