You are using an unsupported browser
You are using an unsupported browser. This web site is designed for the current versions of Microsoft Edge, Google Chrome, Mozilla Firefox, or Safari.
Site Feedback
The Office of the Federal Register publishes documents on behalf of Federal agencies but does not have any authority over their programs. We recommend you directly contact the agency associated with the content in question.
If you have comments or suggestions on how to improve the www.ecfr.gov website or have questions about using www.ecfr.gov, please choose the 'Website Feedback' button below.
If you would like to comment on the current content, please use the 'Content Feedback' button below for instructions on contacting the issuing agency
Website Feedback
eCFR
The Electronic Code of Federal Regulations
Enhanced Content :: FR Reference
Enhanced content is provided to the user to provide additional context.
Enhanced Content :: FR Reference
Title 45
This content is from the eCFR and is authoritative but unofficial.
Navigate by entering citations or phrases (eg: 1 CFR 1.1 49 CFR 172.101 Organization and Purpose 1/1.1 Regulation Y FAR).
Choosing an item from citations and headings will bring you directly to the content. Choosing an item from full text search results will bring you to those results. Pressing enter in the search box will also bring you to search results.
Background and more details are available in the Search & Navigation guide.
- Table of Contents
Enhanced Content - Table of Contents
Enhanced Content - Table of Contents
- Details
Enhanced Content - Details
- URL
- https://www.ecfr.gov/current/title-45/part-171
- Citation
- 45 CFR Part 171
- Agency
- Department of Health and Human Services
Part 171Authority:
Source:
85 FR 25955, May 1, 2020, unless otherwise noted.
Enhanced Content - Details
- Print/PDF
Enhanced Content - Print
Generate PDF (approximately 25+ pages)
This content is from the eCFR and may include recent changes applied to the CFR. The official, published CFR, is updated annually and available below under "Published Edition". You can learn more about the process here.
Enhanced Content - Print
- Display Options
Enhanced Content - Display Options
Enhanced Content - Display Options
- Subscribe
Enhanced Content - Subscribe
Subscribe to: 45 CFR Part 171
Enhanced Content - Subscribe
- Timeline
Enhanced Content - Timeline
Enhanced Content - Timeline
- Go to Date
Enhanced Content - Go to Date
Enhanced Content - Go to Date
- Compare Dates
Enhanced Content - Compare Dates
Enhanced Content - Compare Dates
- Published Edition
Enhanced Content - Published Edition
View the most recent official publication:
These links go to the official, published CFR, which is updated annually. As a result, it may not include the most recent changes applied to the CFR. Learn more.
Enhanced Content - Published Edition
- Developer Tools
Enhanced Content - Developer Tools
Information and documentation can be found in our developer resources.
Enhanced Content - Developer Tools
eCFR Content
The Code of Federal Regulations (CFR) is the official legal print publication containing the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. The Electronic Code of Federal Regulations (eCFR) is a continuously updated online version of the CFR. It is not an official legal edition of the CFR.
Learn more about the eCFR, its status, and the editorial process.
Enhanced Content
PART 171—INFORMATION BLOCKING
Authority:
Source:
85 FR 25955, May 1, 2020, unless otherwise noted.
Subpart A—General Provisions
§ 171.100 Statutory basis and purpose.
(a) Basis. This part implements section 3022 of the Public Health Service Act, 42 U.S.C. 300jj-52.
(b) Purpose. The purpose of this part is to establish exceptions for reasonable and necessary activities that do not constitute information blocking as defined by section 3022(a)(1) of the Public Health Service Act, 42 U.S.C. 300jj-52.
§ 171.101 Applicability.
(a) This part applies to health care providers, health IT developers of certified health IT, health information exchanges, and health information networks, as those terms are defined in § 171.102.
(b) Health care providers, health IT developers of certified health IT, health information exchanges, and health information networks are subject to this part on and after April 5, 2021.
(c) If any provision of this part is held to be invalid or unenforceable facially, or as applied to any person, plaintiff, or circumstance, it shall be construed to give maximum effect to the provision permitted by law, unless such holding shall be one of utter invalidity or unenforceability, in which case the provision shall be severable from this part and shall not affect the remainder thereof or the application of the provision to other persons not similarly situated or to other dissimilar circumstances.
[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020; 89 FR 101810, Dec. 16, 2024]
§ 171.102 Definitions.
For purposes of this part:
Access means the ability or means necessary to make electronic health information available for exchange or use.
Actor means a health care provider, health IT developer of certified health IT, health information network or health information exchange.
API Information Source is defined as it is in § 170.404(c).
API User is defined as it is in § 170.404(c).
Appropriate agency means a government agency that has established disincentives for health care providers that the Office of Inspector General (OIG) determines have committed information blocking.
Business associate is defined as it is in 45 CFR 160.103.
Certified API Developer is defined as it is in § 170.404(c).
Certified API technology is defined as it is in § 170.404(c).
Disincentive means a condition specified in § 171.1001(a) that is imposed by an appropriate agency on a health care provider that OIG determines has committed information blocking for the purpose of deterring information blocking practices.
Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:
(1) Psychotherapy notes as defined in 45 CFR 164.501; or
(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
Exchange means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.
Fee means any present or future obligation to pay money or provide any other thing of value.
Health care provider has the same meaning as “health care provider” in 42 U.S.C. 300jj.
Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT that is not offered to others, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)), and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).
Information blocking is defined as it is in § 171.103.
Interfere with or interference means to prevent, materially discourage, or otherwise inhibit.
Interoperability element means hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that:
(1) May be necessary to access, exchange, or use electronic health information; and
(2) Is/Are controlled by the actor, which includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange, or use of electronic health information.
Offer health information technology or offer health IT means to hold out for sale, resale, license, or relicense or to sell, resell, license, relicense, or otherwise provide or supply health information technology (as that term is defined in 42 U.S.C. 300jj(5) and where such health information technology includes one or more Health IT Modules certified under the ONC Health IT Certification Program) for deployment by or for other individual(s) or entity(ies) under any arrangement except an arrangement consistent with subparagraph (3)(iii), below. Activities and arrangements described in subparagraphs (1) through (3) are considered to be excluded from what it means to offer health IT.
(1) Donation and subsidized supply arrangements are not considered offerings when an individual or entity donates, gives, or otherwise makes available funding to subsidize or fully cover the costs of a health care provider's acquisition, augmentation, or upkeep of health IT, provided such individual or entity offers and makes such subsidy without condition(s) limiting the interoperability or use of the technology to access, exchange or use electronic health information for any lawful purpose.
(2) Implementation and use activities conducted by an individual or entity as follows:
(i) Issuing user accounts or login credentials to the individual's or entity's employees in the course of their employment or contractors within the scope of their contract in order for such employees or contractors to: use, operate, implement, configure, test, maintain, update or upgrade, or to give or receive training on, the individual's or entity's health IT system(s) or specific application(s) within such system(s).
(ii) Implementing, operating, or otherwise making available production instances of application programming interface (API) technology that supports access, exchange, and use of electronic health information that the individual or entity has in its possession, custody, control, or ability to query or transmit from or across a health information network or health information exchange.
(iii) Implementing, operating, and making available production instances of online portals for patients, clinicians or other health care providers, or public health entities to access, exchange, and use electronic health information that the individual or entity has in its possession, custody, control, or ability to query or transmit from or across a health information network or health information exchange.
(iv) Issuing login credentials or user accounts for the individual's or entity's production, development, or testing environments to public health authorities, or such authorities' employees or contractors, as a means of accomplishing or facilitating access, exchange, and use of electronic health information for public health purposes including but not limited to syndromic surveillance.
(v) Issuing login credentials or user accounts for independent healthcare professionals who furnish services in a healthcare facility to use the facility's electronic health record or other health IT system(s) in: furnishing, documenting, and accurately billing for care furnished in the facility; participating in clinical education or improvement activities conducted by or in the healthcare facility; or receiving training in use of the healthcare facility's health IT system(s).
(3) Consulting and legal services arrangements as follows:
(i) Legal services furnished by outside counsel—when furnishing legal services to a client in any matter or matters pertaining to the client's seeking, assessing, selecting, or resolving disputes over contracts or other arrangements by which the client obtains use of certified health IT. Outside counsel also does not offer health IT when facilitating limited access or use of a client's health IT by independent expert witnesses engaged by the outside counsel, opposing parties' counsel and experts, and special masters and court personnel, as appropriate to legal discovery.
(ii) Health IT consultant assistance with selection, implementation, and use of health IT —furnished to a health IT customer or user to help the customer do (or to do on behalf of a customer) any or all of the following with respect to any health IT product that the consultant does not sell or resell, license or relicense, or otherwise supply to the customer under any arrangement on a commercial basis or otherwise:
(A) Define the business needs of the customer or user or evaluate health IT product(s) against such business needs, or both;
(B) Negotiate for the purchase, lease, license, or other arrangement under which the health IT product(s) will be used; or
(C) Oversee or carry out configuration, implementation, or operation of health IT product(s).
(iii) Comprehensive and predominantly non-health IT administrative or operations management services—when an individual or entity furnishes a health care provider with administrative or operational management consultant services and the consultant acts as the agent of the provider or otherwise acts on behalf of the provider in dealings with one or more health IT developer(s) or vendor(s), or managing the day-to-day operations and administrative duties for the health IT, or both. To be consistent with this subparagraph, such services must be furnished as part of a comprehensive array of predominantly non-health IT administrative and operational functions that would otherwise be executed by the health care provider.
Permissible purpose means a purpose for which a person is authorized, permitted, or required to access, exchange, or use electronic health information under applicable law.
Person is defined as it is in 45 CFR 160.103.
Practice means an act or omission by an actor.
Reproductive health care means health care, as defined in 45 CFR 160.103, that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes. This definition shall not be construed to set forth a standard of care for or regulate what constitutes clinically appropriate reproductive health care.
Use means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.
[85 FR 25955, May 1, 2020, as amended at 89 FR 1435, Jan. 9, 2024; 89 FR 54717, July 1, 2024; 89 FR 102564, Dec. 17, 2024]
§ 171.103 Information blocking.
(a) Information blocking means a practice that except as required by law or covered by an exception set forth in subparts B, C, or D of this part, is likely to interfere with access, exchange, or use of electronic health information; and
(b) If conducted by:
(1) A health IT developer of certified health IT, health information network or health information exchange, such developer, network or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information; or
(2) A health care provider, such provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.
[89 FR 1436, Jan. 9, 2024]
Subpart B—Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information
§ 171.200 Availability and effect of exceptions.
A practice shall not be treated as information blocking if the actor satisfies an exception to the information blocking provision as set forth in this subpart B by meeting all applicable requirements and conditions of the exception at all relevant times.
§ 171.201 Preventing harm exception—when will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm not be considered information blocking?
An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm will not be considered information blocking when the practice meets the conditions in paragraphs (a) and (b) of this section, satisfies at least one condition from each of paragraphs (c), (d), and (f) of this section, and also meets the condition in paragraph (e) of this section when applicable.
(a) Reasonable belief. The actor engaging in the practice must hold a reasonable belief that the practice will substantially reduce a risk of harm to a patient or another natural person that would otherwise arise from the access, exchange, or use of electronic health information affected by the practice. For purposes of this section, “patient” means a natural person who is the subject of the electronic health information affected by the practice.
(b) Practice breadth. The practice must be no broader than necessary to substantially reduce the risk of harm that the practice is implemented to reduce.
(c) Type of risk. The risk of harm must:
(1) Be determined on an individualized basis in the exercise of professional judgment by a licensed health care professional who has a current or prior clinician-patient relationship with the patient whose electronic health information is affected by the determination; or
(2) Arise from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.
(d) Type of harm. The type of harm must be one that could serve as grounds for a covered entity (as defined in § 160.103 of this title) to deny access (as the term “access” is used in part 164 of this title) to an individual's protected health information under:
(1) Section 164.524(a)(3)(iii) of this title where the practice is likely to, or in fact does, interfere with access, exchange, or use (as these terms are defined in § 171.102) of the patient's electronic health information by their legal representative (including but not limited to personal representatives recognized pursuant to 45 CFR 164.502) and the practice is implemented pursuant to an individualized determination of risk of harm consistent with paragraph (c)(1) of this section;
(2) Section 164.524(a)(3)(ii) of this title where the practice is likely to, or in fact does, interfere with the patient's or their legal representative's access to, use or exchange (as these terms are defined in § 171.102) of information that references another natural person and the practice is implemented pursuant to an individualized determination of risk of harm consistent with paragraph (c)(1) of this section;
(3) Section 164.524(a)(3)(i) of this title where the practice is likely to, or in fact does, interfere with the patient's access, exchange, or use (as these terms are defined in § 171.102) of their own electronic health information, regardless of whether the risk of harm that the practice is implemented to substantially reduce is consistent with paragraph (c)(1) or (2) of this section; or
(4) Section 164.524(a)(3)(i) of this title where the practice is likely to, or in fact does, interfere with a legally permissible access, exchange, or use (as these terms are defined in § 171.102) of electronic health information not described in paragraph (d)(1), (2), or (3) of this section, and regardless of whether the risk of harm the practice is implemented to substantially reduce is consistent with paragraph (c)(1) or (2) of this section.
(e) Patient right to request review of individualized determination of risk of harm. Where the risk of harm is consistent with paragraph (c)(1) of this section, the actor must implement the practice in a manner consistent with any rights the individual patient whose electronic health information is affected may have under § 164.524(a)(4) of this title, or any Federal, State, or tribal law, to have the determination reviewed and potentially reversed.
(f) Practice implemented based on an organizational policy or a determination specific to the facts and circumstances. The practice must be consistent with an organizational policy that meets paragraph (f)(1) of this section or, in the absence of an organizational policy applicable to the practice or to its use in particular circumstances, the practice must be based on a determination that meets paragraph (f)(2) of this section.
(1) An organizational policy must:
(i) Be in writing;
(ii) Be based on relevant clinical, technical, and other appropriate expertise;
(iii) Be implemented in a consistent and non-discriminatory manner; and
(iv) Conform each practice to the conditions in paragraphs (a) and (b) of this section, as well as the conditions in paragraphs (c) through (e) of this section that are applicable to the practice and its use.
(2) A determination must:
(i) Be based on facts and circumstances known or reasonably believed by the actor at the time the determination was made and while the practice remains in use; and
(ii) Be based on expertise relevant to implementing the practice consistent with the conditions in paragraphs (a) and (b) of this section, as well as the conditions in paragraphs (c) through (e) of this section that are applicable to the practice and its use in particular circumstances.
§ 171.202 Privacy exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy not be considered information blocking?
An actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy will not be considered information blocking when the practice meets all of the requirements of at least one of the sub-exceptions in paragraphs (b) through (e) of this section.
(a) Definitions in this section.
(1) The term HIPAA Privacy Rule as used in this section means 45 CFR parts 160 and 164.
(2) The term individual as used in this section means one or more of the following—
(i) An individual as defined by 45 CFR 160.103.
(ii) Any other natural person who is the subject of the electronic health information being accessed, exchanged, or used.
(iii) A person who legally acts on behalf of a person described in paragraph (a)(2)(i) of this section in making decisions related to health care as a personal representative, in accordance with 45 CFR 164.502(g).
(iv) A person who is a legal representative of and can make health care decisions on behalf of any person described in paragraph (a)(2)(i) or (ii) of this section.
(v) An executor, administrator, or other person having authority to act on behalf of a deceased person described in paragraph (a)(2)(i) or (ii) of this section or the individual's estate under State or other law.
(b) Sub-exception—precondition not satisfied. To qualify for the exception on the basis that State or Federal law requires one or more preconditions for providing access, exchange, or use of electronic health information that have not been satisfied, the following requirements must be met—
(1) The actor's practice is tailored to the applicable precondition not satisfied, is implemented in a consistent and non-discriminatory manner, and either:
(i) Conforms to the actor's organizational policies and procedures that:
(A) Are in writing;
(B) Specify the criteria to be used by the actor to determine when the precondition would be satisfied and, as applicable, the steps that the actor will take to satisfy the precondition; and
(C) Are implemented by the actor, including by providing training on the policies and procedures; or
(ii) Are documented by the actor, on a case-by-case basis, identifying the criteria used by the actor to determine when the precondition would be satisfied, any criteria that were not met, and the reason why the criteria were not met.
(2) If the precondition relies on the provision of a consent or authorization from an individual and the actor has received a version of such a consent or authorization that does not satisfy all elements of the precondition required under applicable law, the actor must:
(i) Use reasonable efforts within its control to provide the individual with a consent or authorization form that satisfies all required elements of the precondition or provide other reasonable assistance to the individual to satisfy all required elements of the precondition; and
(ii) Not improperly encourage or induce the individual to withhold the consent or authorization.
(3) For purposes of determining whether the actor's privacy policies and procedures and actions satisfy the requirements of paragraphs (b)(1)(i) and (b)(2) above when the actor's operations are subject to multiple laws which have inconsistent preconditions, they shall be deemed to satisfy the requirements of the paragraphs if the actor has adopted uniform privacy policies and procedures to address the more restrictive preconditions.
(c) Sub-exception—health IT developer of certified health IT not covered by HIPAA. If the actor is a health IT developer of certified health IT that is not required to comply with the HIPAA Privacy Rule, when engaging in a practice that promotes the privacy interests of an individual, the actor's organizational privacy policies must have been disclosed to the individuals and entities that use the actor's product or service before they agreed to use them, and must implement the practice according to a process described in the organizational privacy policies. The actor's organizational privacy policies must:
(1) Comply with State and Federal laws, as applicable;
(2) Be tailored to the specific privacy risk or interest being addressed; and
(3) Be implemented in a consistent and non-discriminatory manner.
(d) Sub-exception—denial of an individual's request for their electronic health information consistent with 45 CFR 164.524(a)(1) and (2). If an individual requests electronic health information under the right of access provision under 45 CFR 164.524(a)(1) from an actor that must comply with 45 CFR 164.524(a)(1), the actor's practice must be consistent with 45 CFR 164.524(a)(2).
(e) Sub-exception—individual's request not to share EHI. An actor may elect not to provide access, exchange, or use of an individual's electronic health information if the following requirements are met—
(1) The individual requests that the actor not provide such access, exchange, or use of electronic health information without any improper encouragement or inducement of the request by the actor;
(2) The actor documents the request within a reasonable time period;
(3) The actor's practice is implemented in a consistent and non-discriminatory manner; and
(4) An actor may terminate an individual's request for a restriction to not provide such access, exchange, or use of the individual's electronic health information only if:
(i) The individual agrees to the termination in writing or requests the termination in writing;
(ii) The individual orally agrees to the termination and the oral agreement is documented by the actor; or
(iii) The actor informs the individual that it is terminating its agreement to not provide such access, exchange, or use of the individual's electronic health information except that such termination is:
(A) Not effective to the extent prohibited by applicable Federal or State law; and
(B) Only applicable to electronic health information created or received after the actor has so informed the individual of the termination.
[85 FR 25955, May 1, 2020, as amended at 89 FR 102564, Dec. 17, 2024]
§ 171.203 Security exception—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?
An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information will not be considered information blocking when the practice meets the conditions in paragraphs (a), (b), and (c) of this section, and in addition meets either the condition in paragraph (d) of this section or the condition in paragraph (e) of this section.
(a) The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.
(b) The practice must be tailored to the specific security risk being addressed.
(c) The practice must be implemented in a consistent and non-discriminatory manner.
(d) If the practice implements an organizational security policy, the policy must—
(1) Be in writing;
(2) Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor;
(3) Align with one or more applicable consensus-based standards or best practice guidance; and
(4) Provide objective timeframes and other parameters for identifying, responding to, and addressing security incidents.
(e) If the practice does not implement an organizational security policy, the actor must have made a determination in each case, based on the particularized facts and circumstances, that:
(1) The practice is necessary to mitigate the security risk to electronic health information; and
(2) There are no reasonable and appropriate alternatives to the practice that address the security risk that are less likely to interfere with access, exchange or use of electronic health information.
[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020]
§ 171.204 Infeasibility exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request not be considered information blocking?
An actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request will not be considered information blocking when the practice meets one of the conditions in paragraph (a) of this section and meets the requirements in paragraph (b) of this section.
(a) Conditions —
(1) Uncontrollable events. The actor cannot fulfill the request for access, exchange, or use of electronic health information because of a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption, or act of military, civil or regulatory authority that in fact negatively impacts the actor's ability to fulfill the request.
(2) Segmentation. The actor cannot fulfill the request for access, exchange, or use of electronic health information because the actor cannot unambiguously segment the requested electronic health information from electronic health information that:
(i) Is not permitted by applicable law to be made available; or
(ii) May be withheld in accordance with 45 CFR 171.201, 171.202, or 171.206 of this part.
(3) Third party seeking modification use. The request is to enable use of EHI in order to modify EHI provided that the request for such use is not from a health care provider requesting such use from an actor that is its business associate.
(4) Manner exception exhausted. The actor is unable to fulfill a request for access, exchange, or use of electronic health information because paragraphs (a)(4)(i), (ii), and (iii) of this section are all true; and the actor complied with paragraph (a)(4)(iv) of this section.
(i) The actor could not reach agreement with a requestor in accordance with § 171.301(a) or was technically unable to fulfill a request for electronic health information in the manner requested.
(ii) The actor offered at least two alternative manners in accordance with § 171.301(b), one of which must use either technology certified to standard(s) adopted in part 170 (§ 171.301(b)(1)(i)) or published content and transport standards consistent with § 171.301(b)(1)(ii).
(iii) The actor does not provide the same access, exchange, or use of the requested electronic health information to a substantial number of individuals or entities that are similarly situated to the requester.
(iv) In determining whether a requestor is similarly situated under paragraph (a)(4)(iii), an actor shall not discriminate based on:
(A) Whether the requestor is an individual as defined in § 171.202(a)(2)
(B) The health care provider type and size; and
(C) Whether the requestor is a competitor of the actor or whether providing such access, exchange, or use, would facilitate competition with the actor.
(5) Infeasible under the circumstances.
(i) The actor demonstrates, prior to responding to the request pursuant to paragraph (b) of this section, through a contemporaneous written record or other documentation, its consistent and non-discriminatory consideration of the following factors that led to its determination that complying with the request would be infeasible under the circumstances:
(A) The type of electronic health information and the purposes for which it may be needed;
(B) The cost to the actor of complying with the request in the manner requested;
(C) The financial and technical resources available to the actor;
(D) Whether the actor's practice is non-discriminatory and the actor provides the same access, exchange, or use of electronic health information to its companies or to its customers, suppliers, partners, and other persons with whom it has a business relationship;
(E) Whether the actor owns or has control over a predominant technology, platform, health information exchange, or health information network through which electronic health information is accessed or exchanged; and
(F) Why the actor was unable to provide access, exchange, or use of electronic health information consistent with the exception in § 171.301.
(ii) In determining whether the circumstances were infeasible under paragraph (a)(3)(i) of this section, it shall not be considered whether the manner requested would have:
(A) Facilitated competition with the actor; or
(B) Prevented the actor from charging a fee or resulted in a reduced fee.
(b) Responding to requests. If an actor does not fulfill a request for access, exchange, or use of electronic health information for any of the reasons provided in paragraph (a) of this section, the actor must, within ten business days of receipt of the request, provide to the requestor in writing the reason(s) why the request is infeasible.
[85 FR 25955, May 1, 2020, as amended at 89 FR 1436, Jan. 9, 2024; 89 FR 102564, Dec. 17, 2024]
§ 171.205 Health IT performance exception—When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information not be considered information blocking?
An actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information will not be considered information blocking when the practice meets a condition in paragraph (a), (b), (c), or (d) of this section, as applicable to the particular practice and the reason for its implementation.
(a) Maintenance and improvements to health IT. When an actor implements a practice that makes health IT under that actor's control temporarily unavailable, or temporarily degrades the performance of health IT, in order to perform maintenance or improvements to the health IT, the actor's practice must be—
(1) Implemented for a period of time no longer than necessary to complete the maintenance or improvements for which the health IT was made unavailable or the health IT's performance degraded;
(2) Implemented in a consistent and non-discriminatory manner; and
(3) If the unavailability or degradation is initiated by a health IT developer of certified health IT, health information exchange, or health information network:
(i) Planned. Consistent with existing service level agreements between the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT; or
(ii) Unplanned. Consistent with existing service level agreements between the individual or entity; or agreed to by the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT.
(b) Assured level of performance. An actor may take action against a third-party application that is negatively impacting the health IT's performance, provided that the practice is—
(1) For a period of time no longer than necessary to resolve any negative impacts;
(2) Implemented in a consistent and non-discriminatory manner; and
(3) Consistent with existing service level agreements, where applicable.
(c) Practices that prevent harm. If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a risk of harm to a patient or another person, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of § 171.201 at all relevant times to qualify for an exception.
(d) Security-related practices. If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a security risk to electronic health information, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of § 171.203 at all relevant times to qualify for an exception.
§ 171.206 Protecting Care Access—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to reduce potential exposure to legal action not be considered information blocking?
An actor's practice that is implemented to reduce potential exposure to legal action will not be considered information blocking when the practice satisfies the condition in paragraph (a) of this section and also satisfies the requirements of at least one of the conditions in paragraphs (b) or (c) of this section.
(a) Threshold condition. To satisfy this condition, a practice must meet each of the following requirements:
(1) Belief. The practice is undertaken based on the actor's good faith belief that:
(i) Persons seeking, obtaining, providing, or facilitating reproductive health care are at risk of being potentially exposed to legal action that could arise as a consequence of particular access, exchange, or use of specific electronic health information; and
(ii) Specific practices likely to interfere with such access, exchange, or use of such electronic health information could reduce that risk.
(2) Tailoring. The practice is no broader than necessary to reduce the risk of potential exposure to legal action that the actor in good faith believes could arise from the particular access, exchange, or use of the specific electronic health information.
(3) Implementation. The practice is implemented either consistent with an organizational policy that meets paragraph (a)(3)(i) of this section or pursuant to a case-by-case determination that meets paragraph (a)(3)(ii) of this section.
(i) An organizational policy must:
(A) Be in writing;
(B) Be based on relevant clinical, technical, and other appropriate expertise;
(C) Identify the connection or relationship between the interference with particular access, exchange, or use of specific electronic health information and the risk of potential exposure to legal action that the actor believes the interference could reduce;
(D) Be implemented in a consistent and non-discriminatory manner; and
(E) Conform to the requirements in paragraphs (a)(1) and (2) of this section and to the requirements of at least one of the conditions in paragraphs (b) or (c) of this section that are applicable to the prohibition of the access, exchange, or use of the electronic health information.
(ii) A case-by-case determination:
(A) Is made by the actor in the absence of an organizational policy applicable to the particular situation;
(B) Is based on facts and circumstances known to, or believed in good faith by, the actor at the time of the determination;
(C) Conforms to the conditions in paragraphs (a)(1) and (2) of this section; and
(D) Is documented either before or contemporaneous with engaging in any practice based on the determination. Documentation of the determination must identify the connection or relationship between the interference with particular access, exchange, or use of specific electronic health information and the risk of potential exposure to legal action.
(4) Another actor's reliance on good faith belief. For purposes of this section, an actor who is a business associate of, or otherwise maintains EHI on behalf of, another actor may rely on the good faith belief consistent with paragraph (a)(1) of the section and organizational policy or case-by-case determinations consistent with paragraph (a)(3) of this section of the actor on whose behalf relevant EHI is maintained.
(b) Patient protection condition. When implemented for the purpose of reducing the patient's risk of potential exposure to legal action, the practice must:
(1) Affect only the access, exchange, or use of specific electronic health information the actor in good faith believes could expose the patient to legal action because the electronic health information shows, or would carry a substantial risk of supporting a reasonable inference, that the patient:
(i) Obtained reproductive health care;
(ii) Inquired about or expressed an interest in seeking reproductive health care; or
(iii) Has any health condition(s) or history for which reproductive health care is often sought, obtained, or medically indicated.
(2) Be subject to nullification by an explicit request or directive from the patient that the access, exchange, or use of the specific electronic health information occur despite the risk(s) to the patient that the actor has identified.
(3) For purposes of paragraph (b)(1) and (2) of this section, “patient” means the natural person who is the subject of the electronic health information or another natural person referenced in, or identifiable from, the EHI as a person who has sought or obtained reproductive health care.
(c) Care access condition. When implemented for the purpose of reducing the risk of potential exposure to legal action for one or more licensed health care professionals, other health care providers, or other persons involved in providing or facilitating reproductive health care that is lawful under the circumstances in which such health care is provided, the practice must affect only access, exchange, or use of specific electronic health information that the actor believes could expose a care provider(s) and facilitator(s) to legal action because the information shows, or would carry a substantial risk of supporting a reasonable inference, that they provide or facilitate, or have provided or have facilitated, reproductive health care.
(d) Presumption. For purposes of determining whether an actor's practice meets paragraph (b)(1)(i) or (c) of this section, care provided by someone other than the actor is presumed to have been lawful unless the actor has actual knowledge that the care was not lawful under the circumstances in which such care is provided.
(e) Definition of legal action. As used in this section, legal action means any one or more of the following—
(1) A criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
(2) A civil or criminal action brought in a court to impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
(3) An administrative action or proceeding against any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
[89 FR 102564, Dec. 17, 2024]
Subpart C—Exceptions That Involve Procedures for Fulfilling Requests to Access, Exchange, or Use Electronic Health Information
§ 171.300 Availability and effect of exceptions.
A practice shall not be treated as information blocking if the actor satisfies an exception to the information blocking provision as set forth in this subpart C by meeting all applicable requirements and conditions of the exception at all relevant times.
§ 171.301 Manner exception—When will an actor's practice of limiting the manner in which it fulfills a request to access, exchange, or use electronic health information not be considered information blocking?
An actor's practice of limiting the manner in which it fulfills a request to access, exchange, or use electronic health information will not be considered information blocking when the practice follows the conditions of this section.
(a) Manner requested.
(1) An actor must fulfill a request for electronic health information in any manner requested, unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested.
(2) If an actor fulfills a request for electronic health information in any manner requested:
(i) Any fees charged by the actor in relation to fulfilling the request are not required to satisfy the exception in § 171.302; and
(ii) Any license of interoperability elements granted by the actor in relation to fulfilling the request is not required to satisfy the exception in § 171.303.
(b) Alternative manner. If an actor does not fulfill a request for electronic health information in any manner requested because it is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested, the actor must fulfill the request in an alternative manner, as follows:
(1) The actor must fulfill the request without unnecessary delay in the following order of priority, starting with paragraph (b)(1)(i) of this section and only proceeding to the next consecutive paragraph if the actor is technically unable to fulfill the request in the manner identified in a paragraph.
(i) Using technology certified to standard(s) adopted in part 170 that is specified by the requestor.
(ii) Using content and transport standards specified by the requestor and published by:
(A) The Federal Government; or
(B) A standards developing organization accredited by the American National Standards Institute.
(iii) Using an alternative machine-readable format, including the means to interpret the electronic health information, agreed upon with the requestor.
(2) Any fees charged by the actor in relation to fulfilling the request are required to satisfy the exception in § 171.302.
(3) Any license of interoperability elements granted by the actor in relation to fulfilling the request is required to satisfy the exception in § 171.303.
[89 FR 1437, Jan. 9, 2024]
§ 171.302 Fees exception—When will an actor's practice of charging fees for accessing, exchanging, or using electronic health information not be considered information blocking?
An actor's practice of charging fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using electronic health information will not be considered information blocking when the practice meets the conditions in paragraph (a) of this section, does not include any of the excluded fees in paragraph (b) of this section, and, as applicable, meets the condition in paragraph (c) of this section.
(a) Basis for fees condition.
(1) The fees an actor charges must be—
(i) Based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests;
(ii) Reasonably related to the actor's costs of providing the type of access, exchange, or use of electronic health information to, or at the request of, the person or entity to whom the fee is charged;
(iii) Reasonably allocated among all similarly situated persons or entities to whom the technology or service is supplied, or for whom the technology is supported; and
(iv) Based on costs not otherwise recovered for the same instance of service to a provider and third party.
(2) The fees an actor charges must not be based on—
(i) Whether the requestor or other person is a competitor, potential competitor, or will be using the electronic health information in a way that facilitates competition with the actor;
(ii) Sales, profit, revenue, or other value that the requestor or other persons derive or may derive from the access, exchange, or use of the electronic health information;
(iii) Costs the actor incurred due to the health IT being designed or implemented in a non-standard way, unless the requestor agreed to the fee associated with the non-standard design or implementation to access, exchange, or use the electronic health information;
(iv) Costs associated with intangible assets other than the actual development or acquisition costs of such assets;
(v) Opportunity costs unrelated to the access, exchange, or use of electronic health information; or
(vi) Any costs that led to the creation of intellectual property, if the actor charged a royalty for that intellectual property pursuant to § 171.303 and that royalty included the development costs for the creation of the intellectual property.
(b) Excluded fees condition. This exception does not apply to—
(1) A fee prohibited by 45 CFR 164.524(c)(4);
(2) A fee based in any part on the electronic access of an individual's EHI by the individual, their personal representative, or another person or entity designated by the individual;
(3) A fee to perform an export of electronic health information via the capability of health IT certified to § 170.315(b)(10) of this subchapter for the purposes of switching health IT or to provide patients their electronic health information; and
(4) A fee to export or convert data from an EHR technology that was not agreed to in writing at the time the technology was acquired.
(c) Compliance with the Conditions of Certification condition. Notwithstanding any other provision of this exception, if the actor is a health IT developer subject to the Conditions of Certification in § 170.402(a)(4), § 170.404, or both of this subchapter, the actor must comply with all requirements of such conditions for all practices and at all relevant times.
(d) Definition of Electronic access. The following definition applies to this section:
Electronic access means an internet-based method that makes electronic health information available at the time the electronic health information is requested and where no manual effort is required to fulfill the request.
§ 171.303 Licensing exception—When will an actor's practice to license interoperability elements in order for electronic health information to be accessed, exchanged, or used not be considered information blocking?
An actor's practice to license interoperability elements for electronic health information to be accessed, exchanged, or used will not be considered information blocking when the practice meets all of the following conditions.
(a) Negotiating a license conditions. Upon receiving a request to license an interoperability element for the access, exchange, or use of electronic health information, the actor must—
(1) Begin license negotiations with the requestor within 10 business days from receipt of the request; and
(2) Negotiate a license with the requestor, subject to the licensing conditions in paragraph (b) of this section, within 30 business days from receipt of the request.
(b) Licensing conditions. The license provided for the interoperability element(s) needed to access, exchange, or use electronic health information must meet the following conditions:
(1) Scope of rights. The license must provide all rights necessary to:
(i) Enable the access, exchange, or use of electronic health information; and
(ii) Achieve the intended access, exchange, or use of electronic health information via the interoperability element(s).
(2) Reasonable royalty. If the actor charges a royalty for the use of the interoperability elements described in paragraph (a) of this section, the royalty must be reasonable and comply with the following requirements:
(i) The royalty must be nondiscriminatory, consistent with paragraph (b)(3) of this section.
(ii) The royalty must be based solely on the independent value of the actor's technology to the licensee's products, not on any strategic value stemming from the actor's control over essential means of accessing, exchanging, or using electronic health information.
(iii) If the actor has licensed the interoperability element through a standards developing organization in accordance with such organization's policies regarding the licensing of standards-essential technologies on terms consistent with those in this exception, the actor may charge a royalty that is consistent with such policies.
(iv) An actor may not charge a royalty for intellectual property if the actor recovered any development costs pursuant to § 171.302 that led to the creation of the intellectual property.
(3) Non-discriminatory terms. The terms (including royalty terms) on which the actor licenses and otherwise provides the interoperability elements must be non-discriminatory and comply with the following requirements:
(i) The terms must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons and requests.
(ii) The terms must not be based in any part on—
(A) Whether the requestor or other person is a competitor, potential competitor, or will be using electronic health information obtained via the interoperability elements in a way that facilitates competition with the actor; or
(B) The revenue or other value the requestor may derive from access, exchange, or use of electronic health information obtained via the interoperability elements.
(4) Collateral terms. The actor must not require the licensee or its agents or contractors to do, or to agree to do, any of the following—
(i) Not compete with the actor in any product, service, or market.
(ii) Deal exclusively with the actor in any product, service, or market.
(iii) Obtain additional licenses, products, or services that are not related to or can be unbundled from the requested interoperability elements.
(iv) License, grant, assign, or transfer to the actor any intellectual property of the licensee.
(v) Pay a fee of any kind whatsoever, except as described in paragraph (b)(2) of this section, unless the practice meets the requirements of the exception in § 171.302.
(5) Non-disclosure agreement. The actor may require a reasonable non-disclosure agreement that is no broader than necessary to prevent unauthorized disclosure of the actor's trade secrets, provided—
(i) The agreement states with particularity all information the actor claims as trade secrets; and
(ii) Such information meets the definition of a trade secret under applicable law.
(c) Additional conditions relating to the provision of interoperability elements. The actor must not engage in any practice that has any of the following purposes or effects.
(1) Impeding the efficient use of the interoperability elements to access, exchange, or use electronic health information for any permissible purpose.
(2) Impeding the efficient development, distribution, deployment, or use of an interoperable product or service for which there is actual or potential demand.
(3) Degrading the performance or interoperability of the licensee's products or services, unless necessary to improve the actor's technology and after affording the licensee a reasonable opportunity to update its technology to maintain interoperability.
[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020]
Subpart D—Exceptions That Involve Practices Related to Actors' Participation in The Trusted Exchange Framework and Common Agreement (TEFCASM)
Source:
89 FR 1437, Jan. 9, 2024, unless otherwise noted.
§ 171.400 Availability and effect of exceptions.
A practice shall not be treated as information blocking if the actor satisfies an exception to the information blocking provision as set forth in this subpart D by meeting all applicable requirements and conditions of the exception at all relevant times.
§ 171.401 Definitions.
Common Agreement has the meaning given to it in 45 CFR 172.102.
Framework Agreement has the meaning given to it in 45 CFR 172.102.
Participant has the meaning given to it in 45 CFR 172.102.
Qualified Health Information Network or QHIN has the meaning given to it in 45 CFR 172.102.
Subparticipant has the meaning given to it in 45 CFR 172.102.
[89 FR 101810, Dec. 16, 2024]
§ 171.402 [Reserved]
§ 171.403 TEFCA manner exception—When will an actor's practice of limiting the manner in which it fulfills a request to access, exchange, or use electronic health information to only via TEFCA not be considered information blocking?
An actor's practice of limiting the manner in which it fulfills a request for access, exchange, or use of electronic health information to only via TEFCA will not be considered information blocking when the practice follows the conditions specified in paragraphs (a) through (d) of this section.
(a) Mutually part of TEFCA. The actor and requestor are both part of TEFCA.
(b) Requestor capability. The requestor is capable of such access, exchange, or use of the requested electronic health information from the actor via TEFCA.
(c) Limitation. The request for access, exchange, or use of EHI is not via the standards adopted in 45 CFR 170.215, including version(s) of those standards approved pursuant to 45 CFR 170.405(b)(8).
(d) Fees and licensing.
(1) Any fees charged by the actor in relation to fulfilling the request are required to satisfy the exception in § 171.302; and
(2) Any license of interoperability elements granted by the actor in relation to fulfilling the request is required to satisfy the exception in § 171.303.
Subparts E-I [RESERVED]
Subpart J—Disincentives for Information Blocking by Health Care Providers
Source:
89 FR 54717, July 1, 2024, unless otherwise noted.
§ 171.1000 Scope.
This subpart sets forth disincentives that an appropriate agency may impose on a health care provider that OIG determines has committed information blocking, and certain procedures related to those disincentives.
§ 171.1001 Disincentives.
(a) Centers for Medicare & Medicaid Services may apply the following disincentives:
(1) An eligible hospital or critical access hospital (CAH) as defined in 42 CFR 495.4 is not a meaningful electronic health record (EHR) user as also defined in 42 CFR 495.4.
(2) A Merit-based Incentive Payment System (MIPS) eligible clinician as defined in 42 CFR 414.1305, who is also a health care provider as defined in § 171.102, is not a meaningful EHR user for MIPS as defined in 42 CFR 414.1305.
(3) Accountable care organizations (ACOs) who are health care providers as defined in § 171.102, ACO participants, and ACO providers/suppliers will be removed from, or denied approval to participate, in the Medicare Shared Savings Program as defined in 42 CFR part 425 for at least 1 year.
(b) [Reserved]
§ 171.1002 Notice of disincentive.
Following referral of a determination of information blocking by OIG, an appropriate agency that imposes a disincentive or disincentives specified in § 171.1001 shall send a notice to the health care provider subject to the disincentive or disincentives, via usual methods of communication for the program or payment system under which the disincentive is applied, that includes:
(a) A description of the practice or practices that formed the basis for the determination of information blocking referred by OIG;
(b) The basis for the application of the disincentive or disincentives being imposed;
(c) The effect of each disincentive; and
(d) Any other information necessary for a health care provider to understand how each disincentive will be implemented.
Subpart K—Transparency for Information Blocking Determinations, Disincentives, and Penalties
Authority:
Source:
89 FR 54718, July 1, 2024, unless otherwise noted.
§ 171.1100 Scope.
This subpart sets forth the information that will be posted on the Office of the National Coordinator for Health Information Technology's (ONC) public website about actors that have been determined by the HHS Office of Inspector General to have committed information blocking.
§ 171.1101 Posting of information for actors found to have committed information blocking.
(a) Health care providers.
(1) ONC will post on its public website the following information about health care providers that have been subject to a disincentive in § 171.1001(a) for information blocking:
(i) Health care provider name;
(ii) Business address;
(iii) The practice, as the term is defined in § 171.102 and referenced in § 171.103, found to have been information blocking, including when the practice occurred;
(iv) Disincentive(s) applied; and
(v) Where to find any additional information about the determination of information blocking that is publicly available via HHS or, where applicable, another part of the U.S. Government.
(2) The information specified in paragraph (a)(1) of this section will not be posted prior to a disincentive being imposed or the completion of any administrative appeals process pursued by the health care provider, and will not include information about a disincentive that has not been applied.
(3) Posting of the information specified in paragraph (a)(1) of this section will be conducted in accordance with existing rights to review information that may be associated with a disincentive specified in § 171.1001.
(b) Health IT developers of certified health IT and health information networks or health information exchanges.
(1) ONC will post on its public website the following information, to the extent applicable, about health information networks/health information exchanges and health IT developers of certified health IT (actors) that have been determined by the HHS Office of Inspector General to have committed information blocking:
(i) Type of actor;
(ii) Actor's legal name, including any alternative or additional trade name(s) under which the actor operates;
(iii) The practice, as the term is defined in § 171.102 and referenced in § 171.103, found to have been information blocking or alleged to be information blocking in the situation specified in paragraph (b)(2)(i) of this section, and including when the practice occurred; and
(iv) Where to find any additional information about the determination (or resolution of information blocking as specified in paragraph (b)(2)(i) of this section) of information blocking that is publicly available via HHS or, where applicable, another part of the U.S. Government.
(2) The information specified in paragraph (b)(1) of this section will not be posted until one of the following occurs:
(i) OIG enters into a resolution of civil money penalty (CMP) liability; or
(ii) A CMP imposed under subpart N of 42 CFR part 1003 has become final consistent with the procedures in subpart O of 42 CFR part 1003.