chevron-down Created with Sketch Beta.
June 01, 2021

The 21st Century Cures Act and Information Blocking: A Case Study of Implementation at an Academic Medical Center

By Tyler Cowart, JD, CHC and David Safani, MD, MBA, FAPA, UCI Health, Orange, CA


The 21st Century Cures Act (Act), which aims to put patients in the driver’s seat of their healthcare information, brought many changes to healthcare providers nationwide in 2021.1 The Act, passed by Congress in 2016, promotes the electronic access, exchange, and use of health information to enhance coordination of care and transparency with patients. By promoting the electronic access and exchange of health information, the Act encourages providers and patients to build better rapport; it also empowers the patient to comply with agreed-upon plans of care and allows for quicker amendments to incorrect or misleading information documented in a patient’s medical record. To emphasize this exchange of healthcare data, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) both published final rules on May 1, 2020 addressing interoperability and information blocking. These rules seek to work in tandem to accomplish the underlying goals of data sharing and patient access to electronic health records (EHRs). We highlight here key interoperability takeaways in CMS’ rule and then turn our focus to implementation of the ONC information blocking provisions in an academic health setting, looking to information technology (IT), clinical, legal, and compliance considerations.

The CMS Rule

Among various requirements, the CMS Interoperability and Patient Access Final Rule (CMS Final Rule) contains two provisions specific to interoperability. The first encourages healthcare payors (e.g., Medicare Advantage, Medicaid, and CHIP plans) to implement application programming interfaces (APIs), which allow for a more seamless exchange of information between systems, such as mobile apps, EHRs, or practice management systems.2

Another important takeaway from the CMS Final Rule is a new Medicare Condition of Participation (CoP) for healthcare providers effective May 1, 2021.3 This new CoP amends the “Medical Record Services” CoP at 42 C.F.R. § 482.24 to include “Electronic Notifications.” 4 The CoP now requires “hospitals to send electronic patient notifications of admission, discharge, and/or transfer to another health care facility or to another community provider or practitioner” – also known as an “ADT” notification.5 The ADT notification should at least include the patient’s name, treating practitioner name, and the sending institution name.6 Such notification should be made to the patient’s post-acute care providers, as well as to the patient’s primary care practitioner, primary care practice group or entity, or other practitioner or practitioner group as identified by the patient.7

The ONC Rule

While the CMS Final Rule is certainly important, this article focuses on the 21st Century Cures Act: Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (ONC Final Rule) as the ONC rule has a greater impact on providers by way of the information blocking provisions.8 The ONC Final Rule compliance date was originally set for November 2, 2020 — six months from the date the ONC Final Rule was published in the Federal Register. However, on October 29, 2020, The Department of Health and Human Services (HHS) extended the compliance date to April 5, 2021, considering the ongoing COVID-19 public health emergency.9

Information blocking is defined as a practice that is “likely to interfere with access, exchange, or use of electronic health information,” unless such blocking is required by law or specified by HHS as a reasonable and necessary activity.10 The information blocking provisions apply to “actors” – categorized as healthcare providers, health IT developers, health information exchanges, and health information networks.11

The ONC Final Rule applies information blocking provisions to electronic health information (EHI), which includes electronic protected health information as defined in the Health Insurance Portability and Accountability Act (HIPAA) to the extent that it would be included in a designated record, regardless of whether the records are maintained by a HIPAA covered entity.12 EHI includes, among other data elements, most clinical note types and most lab results from nearly all author types throughout the organization. The current scope of data is listed in the United States Core Data for Interoperability Version 1 (USCDI) published by ONC.13 EHI does not, however, include psychotherapy notes that are maintained separately from the medical record or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action.14 Actors should be aware that on and after October 6, 2022, the EHI definition is no longer limited to the data elements represented in the USCDI.

A critical component in complying with the information blocking provisions is understanding what actions are not considered information blocking. The ONC Final Rule provides eight exceptions when actors may legally “block” information, almost half of which deal with procedures for information sharing. The exceptions for information blocking are Preventing Harm, Privacy, Security, Infeasibility, and Health IT Performance.15 The exceptions that relate to procedures for information sharing are Content and Manner, Fees, and Licensing.16

For healthcare providers, the most common exceptions used will be Preventing Harm and Privacy. The Preventing Harm exception allows providers to withhold information if reasonable and necessary to prevent physical harm to a patient or another person.17 While the statute does not specify physical harm, the ONC FAQs clarify that the “type of harm” follows the HIPAA Privacy Rule standard for denying patients access to their records, which, in most cases, requires a risk of physical harm.18 The Privacy exception allows the withholding of information to protect an individual’s privacy, including a patient’s request to not share the information.19

IT Implementation Considerations

Our implementation of the ONC Final Rule required significant investment in time and resources. Forming a team of compliance and privacy representatives, IT analysts, and clinical informaticists and leaders is best practice. A clear understanding of the ONC Final Rule was vital to prevent the need for numerous alterations to the build. Initial steps included outlining note types and result data and parsing out which met criteria as an USCDI element and which met an exception outlined above. Grouping notes into distinct categories of meeting an exception or not became increasingly onerous when the same note type was utilized in disparate ways by different departments and staff.

We took a tiered approach in our implementation, sharing attending physicians’ notes in November 2020 and then all other clinical notes in April 2021. This approach allowed for troubleshooting and learning lessons as well as time to obtain further guidance from the compliance and legal offices before a larger medical center-wide rollout to all residents, nurses, social workers, and other clinical healthcare workers (clinicians). The outcomes obtained during the first phase were later used to allay concerns of the remaining clinicians during the second phase. On the flip side, we found that this tiered approach led to technical glitches in some dependent workflows, which required correction before the go-live date. Regardless of a full implementation or a tiered approach, significant testing of various workflows is vital. The inclusion of clinical informaticists in such roles can significantly help in finding errors given their knowledge of clinical workflows and understanding of the underlying technology.

While almost all notes should be set to release by default to the patient, clinicians need an option to prevent release if an exception is met. However, clinicians needed to understand how, when, and why to apply exceptions. Education in the form of electronic communication, virtual town halls, and a FAQs document was helpful, as many clinicians would not have accessed information regarding exceptions and blocking notes. Despite the best efforts to educate the masses, many would not have seen or read any of the media provided.  It is best practice to use in-line alerts within the EHR to educate clinicians. When attempting to block a note, clinicians should be required to select from a pre-approved list of options that match the exceptions in addition to an optional comment field. Collection of this information through audits will be helpful in determining next steps to prevent inappropriate blocking of information.

Nearly all healthcare providers will rely on patient portals integrated with the EHR to comply with the requirements surrounding the availability of EHI. Presentation of data elements within the patient portal is another caveat worthy of careful consideration. Information documented between visits may manifest as an additional visit in the portal view, leading to patient confusion and complaints. In some portals, patients are unable to filter their visits or documents, rendering it difficult to find sought-after information. There may be opportunities for customization of the portal. Working closely with the EHR vendor throughout the process is best practice. Given that EHR vendors are also subject to the regulations, they are motivated to work with health systems and healthcare providers to ensure a successful implementation.

The initial reaction to the impending implementation of the ONC Final Rule was mixed among clinicians. While the overwhelming majority of clinicians saw benefits for patients, some worried about the potential for unintended consequences. These worries ranged from notes causing the patient confusion, worry, or stress, to an increase in patient-generated electronic messages and time spent outside the visit or writing notes. Some in more sensitive and stigmatized fields such as psychiatry and psychology worried that notes would cause emotional stress to the patients and an exacerbation of their underlying mental illness. The implementation team attempted to allay these clinician concerns by sharing studies documenting the benefits of sharing notes with patients. One study discovered that sharing notes led to patients feeling more in control of their care and to improvements in medication and treatment plan adherence.20 They saw very low rates of patients who reported notes causing confusion, worry, or offense and only a small proportion of clinicians experienced longer visits, more time addressing questions outside of visits, or taking more time to write notes. Anywhere from three to 36 percent reported changing documentation content.21

While it is still too early to evaluate data from the full implementation, data from our November 2020 release of faculty notes demonstrated similar trends. We did not see a large increase in patient messages nor a significant number of patient complaints. Some clinicians found that requests for amendments were helpful when they may have misinterpreted or misheard the patient’s concerns or simply mistyped a word or phrase.  Clinicians would be wise to encourage patients to read their notes given the data exemplifying the positive benefits of doing so. To minimize amendment requests,  clinicians can show patients their note during the appointment, making the patient part of the process. Further, clinicians should be cautious when including future treatment considerations within their note given the possibility a patient may misconstrue the consideration as a recommendation.

For those in the mental health field, worries about mental illness exacerbation were shown to be largely exaggerated. Some patients experienced a sense of judgment from their physician which required intervention between visits and often during the next scheduled visit. For select patients, future notes would include less detail when describing more sensitive topics such as sexual history or relationships. In these cases, a clinician may generally speak to conflict within a relationship without providing specific details to describe it. In such cases, augmenting the standard clinical note shared with the patient with a psychotherapy note involving interpretations and theories on a patient’s relationships and psychological desires and conflicts proved fruitful in allowing the clinician to keep private information that may have been therapeutically inappropriate to share with the patient in the first place. In some instances, the sharing of the note led to a rich discussion of how the patient interpreted the clinician’s words, creating an unexpected opportunity for therapeutic progress.

The timing of the release of information is also an important clinical consideration when utilizing a patient portal. In some EHRs, different parts of a chart can be shared either immediately on selection (i.e., diagnoses) or after the encounter is signed. Given that information found within the chart need not be repeated within the note, releasing the note prior to updating all sections of the encounter may leave a patient with incomplete information. This is especially important in academic systems where students and residents write notes and update records and an attending physician must review and attest to their work and its accuracy. In our experience, it is advisable to release the information only when the encounter is completed by all authors and signed by their supervisor.

Compliance and Legal Considerations

Implementing the information blocking provisions brought compliance and legal teams together with IT, clinical leaders, and health information management for an endless maze of regulatory analysis. With such a heavy influence on the IT side, system settings at many steps of the way required partnership with stakeholders across the enterprise. As with many regulations encountered by health systems, the information blocking provisions contain quite a bit of ambiguity as related to implementation requirements. Keeping this in mind, many organizations, including ours, relied on ONC FAQs, guidance by professional organizations, and collaboration with colleagues to provide a smooth go-live for patients and the organization alike.22

Above all else, an early start was instrumental in ensuring a successful implementation of the information blocking rules. While many health systems were full steam ahead for implementation by November 2, 2020, the six-month delay to April 5, 2021 provided additional time to refine system settings, revise compliance policies and procedures, perform system testing, provide additional training and education, and create auditing and monitoring plans for organizations to ensure alignment with the seven elements of an effective compliance program.23

Addressing State Law

Like many states, California has unique regulations governing medical information that conflict with the information blocking provisions. One example of this state-specific nuance is dubbed “AB 2253 labs.”24 California Assembly Bill 2253 requires that healthcare providers in the state of California first discuss certain lab results (i.e., HIV, positive hepatitis, drug tests, and those tests showing a malignancy) with a patient prior to manually posting the results via electronic means, such as an EHR-based patient portal. Temporarily withholding this information from the patient portal, until the clinician has discussed the results with the patient, does not constitute information blocking and demonstrates one of many nuances that required organization-wide training and education. This example meets the information blocking Privacy exception since a precondition of state law (i.e., first discussing the certain lab results with the patient prior to posting the results) is not satisfied if the information is automatically posted.25

To address unique situations such as AB 2253 labs, as well as an end-to-end review of the new regulations, the UCI Health Compliance & Privacy and Informatics Offices drafted and circulated an FAQ document to all staff and providers. This document was based on a new organizational information blocking policy and served as a framework for a subsequent town hall session for staff and providers to raise questions and concerns with the subject matter experts. Compiling and housing one central FAQ document is a great best practice to deliver a single source of information and provide ongoing updates to all staff as additional questions are asked and answered.

Next Steps

Now several months out from the April 5, 2021 compliance date, health systems are likely still receiving questions from staff, providers, and patients, and possibly tweaking system settings based on user feedback. The shift to ongoing compliance necessitates auditing and monitoring plans. Key components of an information blocking auditing and monitoring plan include review of notes and results withheld from patients under one of the exceptions, as well as a random sampling of any other state-specific settings, such as the California AB 2253 labs mentioned above. An effective auditing and monitoring plan will include all relevant stakeholders involved in the process as well as documented corrective actions in response to the audit findings, regardless of whether the root cause is attributed to a person, process, or technology.

Moving forward, our sights are also set on “phase two” of the information blocking implementation. As noted above, effective October 6, 2022 the EHI scope is no longer limited to the data elements outlined in the USCDI. Compliance and legal departments should remain engaged with IT and clinical leaders to ensure compliance with the broader scope of data that will soon be available to patients. Health systems that can share the broader scope of EHI ahead of October 6, 2022 will be well ahead of the curve.


Implementation of the  Act and information blocking provisions was a journey for many stakeholders at many organizations. Early collaboration among IT, clinical teams, health information management, legal, and compliance proved successful for a smooth go live. All teams came together to assist on their respective duties — whether reviewing IT system build settings or drafting an FAQ to share with staff and clinicians across the organization. Health systems excel in complex regulatory ventures when armed with the tools of strong leadership and an ability to problem solve across matrixed teams. With a shifting focus to proactive compliance and continued communication, future efforts in this space will prove beneficial for both healthcare providers and patients. 


  1. H.R.34 - 114th Congress (2015-2016): 21st Century Cures Act | | Library of Congress.
  2.; 85 Fed. Reg. 25510, 25512.
  3. Healthcare organizations must comply with Medicare Conditions of Participation to begin and continue participating in the Medicare and Medicaid programs. See       
  4. 42 C.F.R. § 482.24(d).
  5. 85 Fed. Reg. 25586; § 482.24(d).
  6. 42 C.F.R.  § 482.24(d)(2).
  7. 42 C.F.R. § 482.24(d)(5).
  8.  Federal Register : 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program.
  9. 85 Fed. Reg. 70064.
  10. 45 C.F.R. § 171.103(a).
  11. Id.; a health information exchange (HIE) or health information network (HIN) is an individual or entity that enables the access, exchange, or use of electronic health information among two or more unaffiliated individuals or entities for treatment, payment, or healthcare operations purposes. 45 C.F.R. § 171.102.
  12. 45 C.F.R. § 160.103; § 164.501; § 171.102.
  13. “The USCDI is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange.” See United States Core Data for Interoperability Version 1.
  14. 45 C.F.R. § 164.501; § 171.102.
  15. 45 C.F.R.  § 171.201-205.
  16. 85 Fed. Reg. 25820; 45 § 171.301-303.
  17. 45 C.F.R. § 171.201.
  18. Information Blocking FAQs (; 45 C.F.R. § 164.524.
  19. 45 C.F.R. § 171.202.
  20.; Patients Managing Medications and Reading Their Visit Notes: A Survey of OpenNotes Participants | Annals of Internal Medicine ( (July 2, 2019).
  21.  Inviting Patients to Read Their Doctors' Notes: A Quasi-experimental Study and a Look Ahead | Annals of Internal Medicine ( (Oct. 2, 2012).
  22. Information Blocking FAQs (
  23. The Office of Inspector General (OIG) outlines the following seven elements of a healthcare organization’s effective compliance program: implementation policies and procedures, designating a compliance officer and compliance committee, conducting effective training and education, developing effective lines of communication, conducting internal monitoring and auditing, enforcing standards through well-publicized disciplinary guidelines, and responding promptly to detected offenses and undertaking appropriate corrective action. See
  24. Bill Text - AB-2253 Clinical laboratory test results: electronic conveyance.; Cal. H&SC § 123148(f).
  25. 45 C.F.R. § 171.202(b).
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Tyler Cowart

Orange County, CA

Tyler Cowart is the Compliance Privacy Officer for UCI Health and the UC Irvine School of Medicine in Irvine, CA. Prior to joining UCI, he worked in compliance at UC San Diego Health and UnitedHealthcare. He is currently Adjunct Professor of Healthcare Laws & Regulations at Mitchell Hamline School of Law in St. Paul, MN and serves as Vice Chair of Communications for the ABA Health Law Section Physician Issues Interest Group. Mr. Cowart earned his Juris Doctorate at Mitchell Hamline with an emphasis in health law and healthcare compliance. He is a licensed attorney in the state of Minnesota and Certified in Healthcare Compliance by the Health Care Compliance Association. He may be reached at [email protected].

David Safani, PhD

Orange County, CA

Dr. Safani earned his Doctor of Medicine degree at UC Irvine School of Medicine and his Masters in Business Administration at the UC Irvine Paul Merage School of Business. He is board certified in general psychiatry, child and adolescent psychiatry, and clinical informatics and is Epic-certified in Physician Builder and Analytics. After completing his psychiatry residency and child and adolescent psychiatry fellowship at UC Irvine, he continued on as faculty where he serves as the Medical Director of Ambulatory Clinical Operations for the Department of Psychiatry; a Clinical Informaticist for UCI Health; and an Assistant Professor of Clinical Psychiatry. He provides direct weekly supervision and teaching for students, residents and fellows.  He has provided numerous local, state-wide, and national presentations on a range of topics including pediatric ADHD; depression, anxiety, and suicide; compliance and coding; and career development and financial planning for early-career physicians. He has volunteered on several committees and organizations including President of the Orange County Psychiatric Society. In his free time, he enjoys gardening, completing home projects, playing the piano, and spending time with his family and dogs.  He may be reached at [email protected].