Cures Act Final Rule

On May 1, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule (Final Rule). ASCA's comments on the 2020 Cures Act proposed rule were submitted in May 2019. This rule may have implications for some ASCs.

On October 29, 2020, ONC released an Interim Final Rule with Comment Period (IFC), which delayed the compliance start date for information blocking provisions from November 2, 2020 to April 5, 2021. Full compliance with Information Blocking provisions has been required from providers since October 6, 2022.


The Final Rule is the result of provisions included in the 21st Century Cures Act signed into law in 2016. The 21st Century Cures Act defined “information blocking” as practices “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” The act directed the Secretary of the US Department of Health & Human Services (HHS) to develop exceptions that would not constitute information blocking. Any practice that could not meet an exception would be subject to penalties.

Definitions: Who and What is Covered

Healthcare providers and health information technology (health IT) developers are subject to the regulations in the Final Rule.

ONC finalized a definition of “health care provider” as set forth in section 3000(3) of the Public Health Service Act (PHSA). This definition explicitly includes ASCs, meaning that ASCs could be subject to penalties if found to be engaging in practices deemed as information blocking. ONC acknowledged comments such as ASCA’s that asked for exemptions for ASCs, but ultimately pointed to expanded compliance timelines and exceptions as mitigating the burden for providers with limited access to health IT.

Regarding the definition of “developer,” the information blocking provisions are limited to developers that offer a certified product. Developers that do not offer a certified product are not subject to potential penalties for information blocking under this rule. If you do offer a certified product, then you are accountable for information blocking for all electronic health information (EHI) that you store, access and exchange, not simply EHI that is interacting within your certified module. If you have a certified product that lapses, you are no longer accountable for information blocking regulations under this rule.

The last definition to note is the definition of “electronic health information.” In response to stakeholder comments, ONC finalized a narrower definition of EHI in order to align with electronic protected health information (ePHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the extent that ePHI would be included in a designated record set. However, compliance with this definition of EHI will not go into effect until at least May 1, 2022.

What to Know for ASCs

As previously mentioned, the 21st Century Cures Act directed the HHS secretary to identify information blocking exceptions—reasonable and necessary activities that would guarantee a provider or developer protection from penalization. In the Final Rule, ONC delineates eight such scenarios that would absolve a provider or developer from penalties. The eight information blocking exceptions are:

    1. Preventing Harm Exception
    2. Privacy Exception
    3. Security Exception
    4. Infeasibility Exception
    5. Health IT Performance Exception
    6. Manner Exception
    7. Fees Exception
    8. Licensing Exception

View ONC's Information Blocking Exceptions document for more information on each exception.

Let’s examine a couple of exceptions to illustrate how they work.

The Privacy Exception asserts that “it will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy.” For instance, if an ASC does not fulfill a request to share EHI at the explicit request of an individual, then that ASC will NOT be found to have engaged in information blocking.

Another exception that may apply to ASCs is the Manner Exception. This exception would allow an ASC flexibility in fulfilling a request for EHI if the ASC was unable to provide the EHI in the manner requested. For example, an ASC may encounter a situation where a health system or network requests EHI via a certified EHR module. If the ASC does not have a certified EHR module and therefore cannot fulfill the request, the facility will not automatically be found to have engaged in information blocking. ONC has delineated a stepwise approach for determining an alternative manner, such as transferring EHI via a nationally accredited data transfer standard, or, at the very least, an alternative machine-readable format.

It is important to note that not meeting the conditions of one of the eight exceptions does not automatically constitute information blocking. It only means that the case will be evaluated individually to determine whether penalties are appropriate.


Per the 21st Century Cures Act, health IT developers are liable for civil monetary penalties (CMPs) of up to $1 million per violation as determined by the HHS Office of Inspector General (OIG). Reminder: Only health IT developers who offer a certified product are subject to these penalties. In April 2020, OIG published a proposed rule on CMPs for developers. The final rule was published on June 27, 2023 and outlines enforcement priorities, factors in determining penalty amounts and what may constitute a single “violation.”

The process for determining information blocking penalties for providers (such as ASCs) has yet to be determined. While OIG will have authority over determining whether information blocking occurred, it does not have the power to impose penalties. Instead, providers will “be referred to the appropriate agency to be subject to appropriate disincentives.” The secretary of HHS is supposed to define appropriate agencies and disincentives in future rulemaking.

Compliance Timelines

ONC finalized expanded timelines to ease compliance. The timelines started when the rule was published in the Federal Register on May 1, 2020.

Compliance with the information blocking provisions was slated to begin six months after publication of the final rule (November 2, 2020). However, due to the COVID-19 public health emergency (PHE), ONC delayed the compliance start date to April 5, 2021.

For 18 months after the compliance effective date (April 5, 2021, to October 5, 2022), information blocking compliance was required, but the definition of EHI was narrowed to only the data elements in the United States Core Data for Interoperability (USCDI). Full compliance with all information blocking provisions, including the complete EHI definition, has been required since October 6, 2022.

For questions regarding this rule, please contact