2020 Cures Act Final Rule

August 19, 2020

On May 1, 2020, the Office of the National Coordinator for Health Information Technology (ONC) published the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule (Final Rule). ASCA's comments on the 2020 Cures Act proposed rule were submitted in May 2019. This rule may have implications for some ASCs.

UPDATE: On October 29, 2020, ONC released an Interim Final Rule with Comment Period (IFC) which extends the compliance start date for information blocking provisions from November 2, 2020 to April 5, 2021. Read the press release. Read the Interim Final Rule.


The Final Rule is the result of provisions included in the 21st Century Cures Act signed into law in 2016. The 21st Century Cures Act defined “information blocking” as practices “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” The act directed the Secretary of the US Department of Health & Human Services (HHS) to develop exceptions that would not constitute information blocking. Any practice that could not meet an exception would be subject to penalties.

Definitions: Who and What is Covered

Healthcare providers and health information technology (health IT) developers are subject to the regulations in the Final Rule.

ONC finalized a definition of “health care provider” as set forth in section 3000(3) of the Public Health Service Act (PHSA). This definition explicitly includes ASCs, meaning that ASCs could be subject to penalties if found to be engaging in practices deemed to be information blocking. ONC acknowledged comments such as ASCA’s that asked for exemptions for ASCs, but ultimately pointed to expanded compliance timelines and exceptions as mitigating the burden for providers with limited access to health IT.

Regarding the definition of “developer,” the information blocking provisions are limited to developers that offer a certified product. Developers that do not offer a certified product are not subject to potential penalties for information blocking under this rule. If you do offer a certified product, then you are accountable for information blocking for all electronic health information (EHI) that you store, access and exchange, not simply EHI that is interacting within your certified module. If you have a certified product that lapses, you are no longer accountable for information blocking regulations under this rule.

The last definition to note is the definition of “electronic health information.” In response to stakeholder comments, ONC finalized a narrower definition of EHI in order to align with electronic protected health information (ePHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to the extent that ePHI would be included in a designated record set. However, compliance with this definition of EHI will not go into effect until at least May 1, 2022.

What to Know for ASCs

As previously mentioned, the 21st Century Cures Act directed the HHS secretary to identify information blocking exceptions—reasonable and necessary activities that would guarantee a provider or developer protection from penalization. In the Final Rule, ONC delineates eight such scenarios that would absolve a provider or developer from penalties. The eight information blocking exceptions are:

  1. Preventing Harm Exception
  2. Privacy Exception
  3. Security Exception
  4. Infeasibility Exception
  5. Health IT Performance Exception
  6. Content and Manner Exception
  7. Fees Exception
  8. Licensing Exception

View ONC's Information Blocking Exceptions document for more information on each exception.

Let’s examine a couple of exceptions to illustrate how they work.

The Privacy Exception asserts that “it will not be information blocking if an actor does not fulfill a request to access, exchange, or use EHI in order to protect an individual’s privacy.” For instance, if an ASC does not fulfill a request to share EHI at the explicit request of an individual, then that ASC will NOT be found to have engaged in information blocking.

Another exception that may apply to ASCs is the Content and Manner Exception. This exception would allow an ASC flexibility in fulfilling a request for EHI if the ASC was unable to provide the EHI in the manner requested. For example, an ASC may encounter a situation where a health system or network requests EHI via a certified EHR module. If the ASC does not have a certified EHR module and therefore cannot fulfill the request, the facility will not automatically be found to have engaged in information blocking. ONC has delineated a stepwise approach for determining an alternative manner, such as transferring EHI via a nationally accredited data transfer standard, or, at the very least, an alternative machine-readable format.

It is important to note that not meeting the conditions of one of the eight exceptions does not automatically constitute information blocking. It only means that the case will be evaluated individually to determine whether penalties are appropriate.


Per the 21st Century Cures Act, health IT developers are liable for civil monetary penalties (CMPs) of up to $1 million per violation as determined by the HHS Office of Inspector General (OIG). Reminder: Only health IT developers who offer a certified product are subject to these penalties. OIG's proposed rule on civil monetary penalties for developers, published on April 24, 2020, outlines enforcement priorities, factors in determining penalty amounts and what may constitute a single “violation.”

The process for determining information blocking penalties for providers (such as ASCs) has yet to be determined. While OIG will have authority over determining whether information blocking occurred, it does not have the power to impose penalties. Instead, providers will “be referred to the appropriate agency to be subject to appropriate disincentives.” The secretary of HHS is supposed to define appropriate agencies and disincentives in future rulemaking, but it is unclear if that will occur before the compliance dates listed below.

Compliance Timelines

ONC finalized expanded timelines to ease compliance. The timelines started when the rule was published in the Federal Register on May 1, 2020.

Compliance with the information blocking provisions was slated to begin six months after publication of the final rule (November 2, 2020). However, due to the COVID-19 public health emergency (PHE), ONC has delayed the compliance start date to April 5, 2021.

For 18 months after the compliance effective date—April 5, 2021, to October 5, 2022—information blocking compliance is required. However, during this period the definition of EHI will be narrowed to only the data elements in the United States Core Data for Interoperability (USCDI), the new standard that is replacing the Common Clinical Data Set (CCDS) in the 2015 Edition certification criteria.

Full compliance with all information blocking provisions, including the complete EHI definition, will be required beginning 24 months after the compliance date, on October 6, 2022.

For questions regarding this rule, please contact Alex Taira.


ONC Cures Act Final Rule web page

ONC Cures Act Interim Final Rule with Comment Period (IFC) web page

Federal Register: 2020 Cures Act Final Rule

Definition of “health care provider”

Definition of “protected health information”

Definition of “designated record set”

ONC Cures Act Final Rule: Information Blocking Exceptions

ONC Cures Act Final Rule: Highlighted Regulatory Dates

ASC Focus: ONC Releases New Electronic Health Information Regulations

OIG proposed rule on civil monetary penalties for developers


While there is no substitute for receiving a legal opinion regarding the specific facts in a particular case from qualified counsel who practice in this specialized area of law, the Federal Regulations section of ASCA’s website provides a starting point for understanding the federal rules impacting ASCs. For questions or more information, contact Kara Newbury.
