Information blocking and the Cures Act

The Cures Act took effect last month, limiting information blocking practices in healthcare settings. This Act is great news for patients who have been asking for faster and more open access to their own health records. Under this Act, patients have the right to timely access to the electronic health record (EHR) in their patient portal.  This includes treatment provider notes and laboratory and diagnostic results (treatment records).  

Healthcare chief compliance officers are particularly interested in Section 4004. Under that section, health care organizations will not be permitted to block or interfere with information in the patient’s EHR.

Definition of information blocking  

Information blocking is a practice that is likely to interfere with access, exchange, or use of electronic health information (EHI) by a health information technology (IT) developer. Essentially, that means that technology should not interfere with patients having access to information stored in their EHR.  (Read more from

It is important to develop policies and procedures that clearly outline both proper billing practices and information release policies. For instance, which information is available in the patient portal automatically and which information is held back until providers speak with the patient? Typically, all laboratory results automatically appear in the patient portal except for those indicating a sexually transmitted disease or high probability for cancer. This is because without further clinical explanation by the provider, these results may be unnecessarily distressing to the patient or may be taken out of context. 

Examples of information blocking 

The Act describes certain practices that constitute information blocking. This includes practices that restrict authorized access, exchange, or use of treatment records under applicable state or federal law. This may include implementing health IT processes or systems that:

  • Are likely to substantially increase the complexity or burden of accessing, exchanging, or using the EHI. This could be an EHR vendor charging exorbitant fees for a patient or provider to access information in the EHR.  
  • May restrict the access, exchange, or use of EHI with respect to exporting complete information sets. The office of record (usually Health Information Management or Medical Records) must be able to export complete records if required. This could be upon receipt of a valid subpoena or patient’s request for their medical record with a valid, signed authorization. 
  • In a broad sense may lead to fraud, waste, or abuse, including care delivery enabled by Health IT. This could happen when patients are unable to access their medical bills and the provider is charging for goods or services not received.

Fraud, waste, and abuse  

The words “fraud, waste, and abuse” are big red flags for compliance professionals. In this case, patients struggling to access medical bills could ultimately trigger an audit by a federal agency for noncompliant billing activity.  If the audit reveals billing overpayments, the funds will have to be paid back to the government. If the audit reveals fraud, the provider or organization can be excluded from federally funded insurance programs.   

Next steps 

Now that you’ve got some baseline knowledge of this new rule, you probably want to see if it applies to you and how to respond if it does. (The deadline may have passed, but you can still get caught up!) YouCompli customers can see if the new rules apply to them and find resources to help with implementation and tracking.  

Pretty quickly after you’ve determined that this rule applies to you, you’re going to want to help providers answer questions about portal access.

Many healthcare institutions have already provided the transparency and access this rule requires. If you need help understanding the regulation and implementing and tracking changes in your organization, please contact the YouCompli team to see how we can help. 

Denise Atwood, RN, JD, CPHRM 

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC 

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG. 

Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.  

