REGULATORY COMMENTARY · 21st Century Cures Act

The 21st Century Cures Act.
Information blocking, EHI sharing, and operationalized compliance.

A practitioner-grade walkthrough of the Cures Act information blocking rule (45 CFR Part 171). What the rule says, how OIG enforces it, the eight exceptions, the September 2023 enforcement go-live, and how CPS One operationalizes Cures Act compliance inside the privacy program rather than alongside it.

Key facts at a glance

Five things every healthcare compliance team should know.

Enacted

Dec 13, 2016

Public Law 114-255 signed by President Obama. The information blocking provisions live at 42 U.S.C. § 300jj-52.

ONC Final Rule

Apr 5, 2021

85 FR 25642 effective date. Initial EHI scope limited to USCDI v1. 45 CFR Part 171 codifies the rule.

Full EHI scope

Oct 6, 2022

Information blocking definition expanded to all EHI as defined in 45 CFR § 171.102 — not just USCDI v1.

OIG enforcement live

Sep 1, 2023

Civil money penalties up to $1M per violation for health IT developers, HINs, and HIEs. Provider disincentives under separate ONC/CMS rule.

Part 1 · What the rule says

Information blocking, defined.

The 21st Century Cures Act defines information blocking as a practice by a healthcare provider, health IT developer of certified health IT, health information network, or health information exchange that, except as required by law or covered by an exception, is likely to interfere with the access, exchange, or use of electronic health information.

The operative legal standard for healthcare providers is "knowingly": the provider knew that the practice was unreasonable and was likely to interfere with EHI access. For health IT developers and HINs/HIEs, the standard is constructive knowledge — they knew or should have known that the practice was likely to interfere.

The definition of Electronic Health Information (EHI) was expanded on October 6, 2022 from the initial USCDI v1 dataset to all electronic protected health information (ePHI) that would be considered part of the designated record set under HIPAA — effectively the universe of electronic clinical, administrative, and demographic data a healthcare actor holds.

Part 2 · The eight exceptions

When not sharing is allowed.

The ONC Final Rule defines eight exceptions in two categories. Category 1 covers practices that involve not fulfilling a request. Category 2 covers procedures for how requests get fulfilled. Each exception has specific conditions. Documentation burden is on the actor.

Category 1 — Exceptions for not fulfilling a request

Exception 1

Preventing Harm

A practice that interferes with EHI access in order to substantially reduce a risk of harm to a patient or another natural person. Requires a reasonable belief, with conditions that are specific to the type of risk.

Exception 2

Privacy

A practice that interferes with access for privacy reasons. Sub-conditions include: a precondition for disclosure not being satisfied; a health IT developer of certified health IT not being covered by HIPAA; denial of an individual's access request; and others.

Exception 3

Security

A practice that protects the security of EHI. Must be directly related to safeguarding confidentiality, integrity, or availability.

Exception 4

Infeasibility

A practice that interferes with access where it is infeasible to fulfill the request for specified reasons — uncontrollable events, segmentation impossibility, third-party encumbrance, or infeasibility under the circumstances.

Exception 5

Health IT Performance

A practice that takes health IT temporarily offline to maintain or improve performance, address security risks, or perform necessary updates. Must be no longer than necessary.

Category 2 — Exceptions involving procedures for fulfilling a request

Exception 6

Content and Manner

A practice that limits the content of an EHI response or the manner of fulfilling a request. Content limited to USCDI v1 (until Oct 2022), then full EHI; manner must follow the regulatory order of preference.

Exception 7

Fees

A practice that involves charging fees. Must be based on objective, verifiable criteria; uniformly applied; reasonable; and meet specific cost-permitted conditions. Cannot exceed reasonable cost recovery.

Exception 8

Licensing

A practice that involves licensing interoperability elements. License terms must be non-discriminatory, royalty-bearing only under specific conditions, and not impose collateral terms that interfere with use.

Part 3 · Enforcement

OIG civil money penalties — live since September 2023.

The HHS Office of Inspector General published the Final Rule on civil money penalties for information blocking on July 3, 2023 (88 FR 42820). For health IT developers of certified health IT, health information networks, and health information exchanges, civil money penalties can reach up to $1 million per violation. The enforcement effective date was September 1, 2023.

For healthcare providers, the regulatory mechanism is different: the Office of the National Coordinator and CMS jointly issue rules that establish "appropriate disincentives," which include reductions in Medicare reimbursement under MIPS, removal from the Promoting Interoperability program, and exclusion from certain CMS payment models. The provider disincentive rule was finalized in 2024.

Investigation begins when an information blocking complaint is filed through ONC’s online portal. ONC reviews, escalates to OIG (for developers/HINs/HIEs) or CMS (for providers), and the regulator decides whether to investigate further. The actor has the burden of producing evidence that an exception applied. Documentation is the difference between a defensible position and a CMP.

Part 4 · Operationalizing Cures Act compliance

How CPS One handles information blocking.

Cures Act compliance is documentation discipline. The eight exceptions all require the actor to prove they apply — with consistent procedures, timestamped evidence, and reviewer audit trails. CPS One operationalizes that discipline as part of the privacy program, on the same workflow substrate as HIPAA, OCR audit prep, and GDPR.

Module

Information blocking incident tracking

Every EHI request, denial, exception invocation, and partial fulfillment logged. Reviewer, timestamp, and rationale captured at every step. Linkable from any patient or third-party request workflow.

Module

Exception documentation templates

Pre-built templates for all eight exceptions, with mandatory-field validation specific to each exception's conditions. Privacy Officer review surfaces before submission. Versioned and audit-ready.

Module

EHI request workflow

Structured intake from patients (45 CFR § 164.524 individual access), third parties (45 CFR § 171.301 access requests), and other actors. Routing, fulfillment, and timeline tracking.

Module

Accounting of Disclosures

Every EHI disclosure logged with purpose, recipient, date, and basis (treatment, payment, operations, patient request, third-party request). Cross-referenced with the disclosure register required under 45 CFR § 164.528.

Module

Privacy Policy Template Library

Pre-built Cures Act-aligned policies for patient access procedures, third-party access procedures, fee schedules under Exception 7, and information blocking exception-invocation procedures.

Module

OCR audit preparation

Pre-mapped against OCR audit protocols and ONC information blocking complaint procedures. Documentation produced as a byproduct of doing the work — not assembled retroactively under audit pressure.

FAQ

Cures Act questions buyers ask.

What is the 21st Century Cures Act information blocking rule?

The 21st Century Cures Act (Public Law 114-255), signed December 13, 2016, established information blocking as a regulatory violation under 45 CFR Part 171. The ONC Final Rule (May 1, 2020; effective April 5, 2021) defines information blocking as practices by health IT developers, health information networks, health information exchanges, and healthcare providers that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. The rule applies to all EHI as of October 6, 2022.

Who is regulated under information blocking?

Three categories of actors: healthcare providers (hospitals, physician practices, ASCs, LTC facilities); health IT developers of certified health IT; and Health Information Networks/Exchanges. Each has slightly different enforcement mechanisms but the same core obligation: do not interfere with the access, exchange, or use of EHI without a valid exception.

What are the eight information blocking exceptions?

Eight exceptions in two categories. Category 1 (not fulfilling requests): Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance. Category 2 (procedures for fulfilling): Content and Manner, Fees, Licensing. Each exception has specific conditions an actor must meet to qualify. Documentation is critical — the burden is on the actor to prove an exception applies.

What is the OIG enforcement penalty?

OIG’s July 3, 2023 Final Rule establishes civil money penalties up to $1 million per violation for health IT developers, HINs, and HIEs. For healthcare providers, the appropriate disincentive is established under separate ONC/CMS rulemaking and includes mechanisms like reduction in Medicare reimbursement under MIPS and Promoting Interoperability. The enforcement landscape has been live since September 1, 2023.

How does CPS One support Cures Act compliance?

CPS One operationalizes Cures Act compliance through five workflows in the Privacy Operations modules: information blocking incident tracking, exception documentation templates, EHI request workflow, disclosure accounting, and Cures Act-aligned policy library. Built into the same audit ledger as HIPAA, GDPR, and OCR audit workflows.

Talk to the team

Build Cures Act compliance into the privacy program.

A 30–45 minute working session with the team that built CPS One. Bring an open information blocking complaint, a stalled EHI request workflow, or a Cures Act policy gap you’re trying to close.
