Skip to Main Content
April 30, 2021

Ready? Set. Go! IBR Compliance Is Here

This Briefing is brought to you by AHLA's Health Information and Technology Practice Group.
  • April 30, 2021
  • Ammon Fillmore , Indiana Health Information Exchange
  • Josh Mast , Cerner
  • Melissa Soliz , Coppersmith Brockelman PLC

In 2016, Congress passed the 21st Century Cures Act (the Cures Act). Section 4004 of the Cures Act prohibits health care providers, health information networks/health information exchanges (HINs/HIEs), and health information technology (IT) developers (collectively referred to as “actors”) from information blocking—that is, improperly interfering with the access, exchange, or use of electronic health information (EHI), unless the interference is required by law or covered by a regulatory exception. Congress delegated to the Secretary of the U.S. Department of Health and Human Services (HHS) the authority to specify through rulemaking the reasonable and necessary activities that do not constitute information blocking. In 2020, the Office of the National Coordinator for Health Information Technology (ONC) within HHS finalized those regulations (45 C.F.R. Part 171). April 5, 2021 was the extended “applicability date” for compliance with Section 4004 of the Cures Act and its implementing regulations (collectively, the Information Blocking Rule or IBR). 

The IBR represents a significant milestone in the push for greater interoperability and easier patient access and control over EHI. Traditionally, health information has been governed by state and federal privacy and security laws like the Health Insurance Portability and Accountability Act (HIPAA), which restrict when organizations may use and disclose health information. In most instances, these laws permit, but do not require, organizations to use or disclose health information. The IBR, in contrast, effectively requires actors to make EHI available for access, exchange, or use in response to an EHI request or face regulatory enforcement, unless the actor lacked the necessary intent, the interference with the EHI request was required by law, or a regulatory exception applies. This Briefing provides a high-level summary of the IBR framework, suggestions on how to approach compliance, and various examples from the field.

You must be logged in to access this content.