By December 31, 2022, all Certified Health Information Technology (i.e., EHR vendors) must have the new HL7 FHIR API capability and make information in USCDI Version 1 available to their customers. Century Cures Act, certified electronic medical record systems are now required to provide open FHIR API endpoints to their customers and patients. FHIR is a HL7 standard that defines data primitives in healthcare and allows medical systems to communicate using these data primitives. In short, FHIR defines a standardized way for external programs to communicate with these health systems to access patient data.

Starting on October 6, 2022, the definition of electronic health information (EHI) in the 21st Century Cures Act will expand beyond the United States Core Data for Interoperability (USCDI) Version 1 to all electronic Protected Health Information (ePHI) that a patient has the right to access under the Health Insurance Portability and Accountability Act (HIPAA).

Background: In the HIPAA Privacy Rule, protected health information (PHI) is considered any identifiable health information used, maintained, stored, or transmitted by a covered entity.

A covered entity health care provider is one that bills an insurance company for services provided to any patient. Covered entities include health plans and healthcare clearinghouses. Note: The Information Blocking Rule also applies to some organizations that are NOT covered entities; however, it is not applicable to all covered entities

Starting on October 6, 2022, instead of being limited to the USCDI Version 1, the definition of EHI will now include all information in a Designated Record Set, as defined under HIPAA.

In other words, EHI will not be limited to the specific data classes listed in the USCDI and will also consist of medical and payment records about a patient and any information of a type that may be used to make decisions about individuals, including patients. For actors covered by the information blocking rules, all ePHI in a Designated Record Set is considered to be EHI and subject to those rules.

EHI could include:

  • Medical records and billing records about individuals maintained by or for a covered healthcare provider;
  • Enrollment, payment, claims adjudication, and case or medical management record systems; or
  • Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals.

Understanding the scope of Electronic Health Information (EHI) for the Purposes of the Information Blocking Definition

Understanding the scope of Electronic Health Information (EHI) for the Purposes of the Information Blocking Definition

More information about about EHI and ePHI can be found at, and downloaded as PDFs:

Note types that must be shared between April 2021-October 2022

The eight (8) types of clinical notes that must be shared are outlined in the United States Core Data for Interoperability (USCDI), and include:

  • consultation notes
  • discharge summary notes
  • history & physical
  • imaging narratives
  • laboratory report narratives
  • pathology report narratives
  • procedure notes
  • progress notes

View the full USCDI.

While the Cures Act specifies penalties for health IT developers, HINs and HIEs, Congress left it up to the Department of Health and Human Services (HHS) to issue regulations on “disincentives” and enforcement policies for physicians. At this time, HHS has not yet released information on physician penalties.

Information blocking practices can be an Actor’s acts or omissions—essentially anything that interferes with the access, exchange or use of EHI. However, just because an action interferes with the access, exchange or use of EHI does not mean the practice is automatically considered an information blocking violation—facts and circumstances unique to each action should be considered. For instance, physician Actors must have the required knowledge and intent to interfere with access, exchange or use of EHI. Information blocking practices may include but are not limited to:

  • Limiting or restricting the interoperability of health IT;
  • Implementing health IT in ways that are likely to restrict the access, exchange or use of EHI;
  • Acts that lead to fraud, waste or abuse or impede care delivery enabled by health IT (for example, modifying EHR data reported to federal payment programs such as MIPS) and
  • Having the capability to provide same-day access to EHI in a form and format requested by a patient or a patient’s health care provider but taking several days to respond.

Physicians may implicate the information blocking rule if they knowingly take actions that interfere with exchange, access and use of EHI, even if no harm materializes.

If a patient requests that you share information
through an app, you are required to do so under
HIPAA if you have the technology to do so. Your EHR’s
API should allow the app to connect and receive
information securely. You are not responsible for
whether the app is a “good one,” including whether
it has appropriate privacy and security in place. If the
patient’s information is breached once stored within
the app, you are not responsible.

Publication of “FHIR service base URLs” (sometimes also referred to as “FHIR endpoints”) - A FHIR service base URL cannot be withheld by an actor as it (just like many other technical interfaces) is necessary to enable the access, exchange, and use of EHI

Information Blocking Claims: By the Numbers

ONC has greatly simplified the process of submitting an Information Blocking Claim. Information blocking claims can be submitted online through ONC’s Report Information Blocking Portal. The HHS OIG has the authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.

The Information Blocking claims and information received by ONC in connection with a claim or suggestion of possible information blocking are generally protected from disclosure as specified by the Cures Act. Claims can be submitted anonymously as well.

ONC is tracking Information Blocking Claims starting from April 5, 2021 and now publishing the results monthly. There has been about a 20% increase in the number of validated Claims submitted from the end of 2021 to August 31, 2022.






  • About a 20% increase in the number of claims has been recorded from the end of 2021 to August 31, 2022.

  • The number of patients submitting Information Blocking Claims increased by 20% from the end of 2021 to August of 2022.

  • More than 75% of the Information Blocking Claims are filed on providers.

  • The number of Claims against providers went up about 35% from the end of 2021 to August of 2022.