I N F O R M AT I O N B L O C K I N G

CURES ACT FINAL RULE

Information Blocking Exceptions
Section 4004 of the 21st Century Cures Act (Cures Act) defines practices that constitute information
blocking and authorizes the Secretary of Health and Human Services (HHS) to identify reasonable
and necessary activities that do not constitute information blocking (referred to as “exceptions”).

Exceptions that involve not fulfilling

On behalf of HHS, ONC has defined eight exceptions that offer actors (i.e., requests to access, exchange, or use EHI
health care providers, health IT developers, health information networks (HINs) Preventing Harm Exception
and health information exchanges (HIEs)) certainty that, when their practices
with respect to accessing, exchanging, or using electronic health information Privacy Exception
(EHI) meet the conditions of one or more exceptions, such practices will not be
Security Exception
considered information blocking.
Infeasibility Exception
An actor’s practice that does not meet the conditions of an exception will not
automatically constitute information blocking. Instead such practices will be Health IT Performance Exception
evaluated on a case-by-case basis to determine whether information blocking
has occurred. Exceptions that involve procedures
for fulfilling requests to access,
exchange, or use EHI
We have finalized eight exceptions that are divided into two categories:
• Exceptions that involve not fulfilling requests to access, exchange, or use EHI; and
Content and Manner Exception

• Exceptions that involve procedures for fulfilling requests to access, exchange, Fees Exception
or use EHI.
Licensing Exception

Exceptions that involve not fulfilling requests to access, exchange, or use EHI
Preventing Harm Exception
It will not be information blocking for an actor to engage in practices that are reasonable and necessary to prevent
harm to a patient or another person, provided certain conditions are met.

Objective of the Exception: Key Conditions of the Exception

This exception recognizes that
the public interest in protecting
• The actor must hold a reasonable belief that the practice will substantially
reduce a risk of harm;
patients and other persons
against unreasonable risks • The actor’s practice must be no broader than necessary;
of harm can justify practices
that are likely to interfere with
• The actor’s practice must satisfy at least one condition from each of the
following categories: type of risk, type of harm, and implementation basis; and
access, exchange, or use of EHI.
• The practice must satisfy the condition concerning a patient right to request
review of an individualized determination of risk of harm.

@ONC_HealthIT HealthIT.gov/CuresRule
Page 1 of 5
 Information Blocking Exceptions

Privacy Exception
It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect
an individual’s privacy, provided certain conditions are met.
Objective of the Exception: Key Conditions of the Exception
This exception recognizes that if To satisfy this exception, an actor’s privacy-protective practice must meet at least one of
an actor is permitted to provide the four sub-exceptions:
access, exchange, or use of EHI 1. Precondition not satisfied: If an actor is required by a state or federal law to satisfy
under a privacy law, then the
a precondition (such as a patient consent or authorization) prior to providing
actor should provide that access,
access, exchange, or use of EHI, the actor may choose not to provide access,
exchange, or use. However, an
exchange, or use of such EHI if the precondition has not been satisfied under
actor should not be required
certain circumstances.
to use or disclose EHI in a way
that is prohibited under state or 2. Health IT developer of certified health IT not covered by HIPAA: If an actor is a
federal privacy laws. health IT developer of certified health IT that is not required to comply with the
HIPAA Privacy Rule, the actor may choose to interfere with the access, exchange,
or use of EHI for a privacy-protective purpose if certain conditions are met.
3. Denial of an individual’s request for their EHI consistent with 45 CFR 164.524(a)
(1) and (2): An actor that is a covered entity or business associate may deny an
individual’s request for access to his or her EHI in the circumstances provided
under 45 CFR 164.524(a)(1) and (2) of the HIPAA Privacy Rule.
4. Respecting an individual’s request not to share information: An actor may
choose not to provide access, exchange, or use of an individual’s EHI if doing so
fulfills the wishes of the individual, provided certain conditions are met.

Security Exception
It will not be information blocking for an actor to interfere with the access, exchange, or use of EHI in order to protect the
security of EHI, provided certain conditions are met.
Objective of the Exception: Key Conditions of the Exception
This exception is intended to
cover all legitimate security
• The practice must be:
1. Directly related to safeguarding the confidentiality, integrity, and
practices by actors, but does
not prescribe a maximum availability of EHI;
level of security or dictate a 2. Tailored to specific security risks; and
one-size-fits-all approach. 3. Implemented in a consistent and non-discriminatory manner.

• The practice must either implement a qualifying organizational security policy

or implement a qualifying security determination.

@ONC_HealthIT HealthIT.gov/CuresRule
Page 2 of 5
 Information Blocking Exceptions

Infeasibility Exception
It will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI due to the
infeasibility of the request, provided certain conditions are met.
Objective of the Exception: Key Conditions of the Exception
This exception recognizes that
legitimate practical challenges may
• The practice must meet one of the following conditions:
» Uncontrollable events: The actor cannot fulfill the request for access,
limit an actor’s ability to comply
exchange, or use of electronic health information due to a natural or
with requests for access, exchange,
human-made disaster, public health emergency, public safety incident,
or use of EHI. An actor may not
war, terrorist attack, civil insurrection, strike or other labor unrest,
have—and may be unable to
telecommunication or internet service interruption, or act of military,
obtain—the requisite technological
civil or regulatory authority.
capabilities, legal rights, or other
means necessary to enable access, » Segmentation: The actor cannot fulfill the request for access, exchange,
exchange, or use. or use of EHI because the actor cannot unambiguously segment the
requested EHI.
» Infeasibility under the circumstances: The actor demonstrates through a
contemporaneous written record or other documentation its consistent
and non-discriminatory consideration of certain factors that led to its
determination that complying with the request would be infeasible
under the circumstances.

• The actor must provide a written response to the requestor within 10 business
days of receipt of the request with the reason(s) why the request is infeasible.

Health IT Performance Exception

It will not be information blocking for an actor to take reasonable and necessary measures to make health IT temporarily
unavailable or to degrade the health IT's performance for the benefit of the overall performance of the health IT,
provided certain conditions are met.

Objective of the Exception: Key Conditions of the Exception

This exception recognizes that for
health IT to perform properly and
• The practice must:
1. Be implemented for a period of time no longer than necessary to achieve the
efficiently, it must be maintained,
and in some instances improved, maintenance or improvements for which the health IT was made unavailable
which may require that health or the health IT’s performance degraded;
IT be taken offline temporarily. 2. Be implemented in a consistent and non-discriminatory manner; and
Actors should not be deterred 3. Meet certain requirements if the unavailability or degradation is initiated by a
from taking reasonable and health IT developer of certified health IT, HIE, or HIN.
necessary measures to make
health IT temporarily unavailable • An actor may take action against a third-party app that is negatively impacting
or to degrade the health IT’s the health IT’s performance, provided that the practice is:
performance for the benefit of the 1. For a period of time no longer than necessary to resolve any negative impacts;
overall performance of health IT. 2. Implemented in a consistent and non-discriminatory manner; and
3. Consistent with existing service level agreements, where applicable.

• If the unavailability is in response to a risk of harm or security risk, the actor must
only comply with the Preventing Harm or Security Exception, as applicable.

@ONC_HealthIT HealthIT.gov/CuresRule
Page 3 of 5
 Information Blocking Exceptions

Exceptions that involve procedures for fulfilling requests to access, exchange,

or use EHI
Content and Manner Exception
It will not be information blocking for an actor to limit the content of its response to a request to access, exchange, or use
EHI or the manner in which it fulfills a request to access, exchange, or use EHI, provided certain conditions are met.
Objective of the Exception: Key Conditions of the Exception
This exception provides
clarity and flexibility to actors
• Content Condition: Establishes the content an actor must provide in response to a
request to access, exchange, or use EHI in order to satisfy the exception.
concerning the required 1. Up to 24 months after the publication date of the Cures Act final rule, an actor
content (i.e., scope of EHI)
must respond to a request to access, exchange, or use EHI with, at a minimum, the
of an actor’s response to a
EHI identified by the data elements represented in the United States Core Data for
request to access, exchange,
Interoperability (USCDI) standard.
or use EHI and the manner
in which the actor may fulfill 2. On and after 24 months after the publication date of the Cures Act final rule, an
the request. This exception actor must respond to a request to access, exchange, or use EHI with EHI as defined
supports innovation and in § 171.102.
competition by allowing • Manner Condition: Establishes the manner in which an actor must fulfill a request to
actors to first attempt to access, exchange, or use EHI in order to satisfy this exception.
reach and maintain market » An actor may need to fulfill a request in an alternative manner when
negotiated terms for the the actor is:
access, exchange, and, use − Technically unable to fulfill the request in any manner requested; or
of EHI.
− Cannot reach agreeable terms with the requestor to fulfill the request.
» If an actor fulfills a request in an alternative manner, such fulfillment must
comply with the order of priority described in the manner condition and must
satisfy the Fees Exception and Licensing Exception, as applicable.

Fees Exception
It will not be information blocking for an actor to charge fees, including fees that result in a reasonable profit margin, for
accessing, exchanging, or using EHI, provided certain conditions are met.

Objective of the Exception: Key Conditions of the Exception

This exception enables actors The practice must:
to charge fees related to the
development of technologies
• Meet the basis for fees condition.
» For instance, the fees an actor charges must:
and provision of services that
enhance interoperability, − Be based on objective and verifiable criteria that are uniformly applied for all
similarly situated classes of persons or entities and requests.
while not protecting rent-
seeking, opportunistic fees, − Be reasonably related to the actor’s costs of providing the type of access,
exchange, or use of EHI.
and exclusionary practices
that interfere with access,
− Not be based on whether the requestor or other person is a competitor,
potential competitor, or will be using the EHI in a way that facilitates
exchange, or use of EHI. competition with the actor.
• Not be specifically excluded.
» For instance, the exception does not apply to:
− A fee based in any part on the electronic access by an individual, their personal
representative, or another person or entity designated by the individual to access
the individual’s EHI.
− A fee to perform an export of electronic health information via the capability of
health IT certified to § 170.315(b)(10).
• Comply with Conditions of Certification in § 170.402(a)(4) (Assurances – certification to
“EHI Export” criterion) or § 170.404 (API).

@ONC_HealthIT HealthIT.gov/CuresRule
Page 4 of 5
 Information Blocking Exceptions

Licensing Exception
It will not be information blocking for an actor to license interoperability elements for EHI to be accessed, exchanged, or
used, provided certain conditions are met.
Objective of the Exception: Key Conditions of the Exception
This exception allows actors The practice must meet:
to protect the value of their
innovations and charge
• The negotiating a license conditions: An actor must begin license negotiations with the
requestor within 10 business days from receipt of the request and negotiate a license
reasonable royalties in within 30 business days from receipt of the request.
order to earn returns on the
investments they have made • The licensing conditions:
to develop, maintain, and » Scope of rights
update those innovations. » Reasonable royalty
» Non-discriminatory terms
» Collateral terms
» Non-disclosure agreement
• Additional conditions relating to the provision of interoperability elements.

@ONC_HealthIT HealthIT.gov/CuresRule
Page 5 of 5