Cures Act Information Blocking Rule: What You Need to Know

Beginning April 5, 2021, healthcare providers, health IT developers, and health information networks or health information exchanges (all known as “actors”) must comply with the new ONC 21st Century Cures Act Information Blocking Final Rule.

The Cures Act Final Rule requires all “actors” to prevent actions that “interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI),” with a few exceptions.

To help you navigate these complex rules, let’s examine frequently asked questions to explain the Cures Act and what you need to know about complying with the information blocking rule.

What is the 21st Century Cures Act?

The 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (Cures Act) was signed into law in December 2016. The Office of the National Coordinator (ONC) for Health Information Technology modified the Cures Act in May 2020 (Cures Act Final Rule), which became effective on April 5, 2021.

The Cures Act Final Rule prohibits actors from blocking the flow of EHI (information blocking) between health systems, apps, and devices, giving patients more control over their healthcare.

The ONC regulates three categories of “actors” under the information blocking section of the ONC Cures Act Final Rule: healthcare providers, health information networks or health information exchanges, and health IT developers of certified health IT (e.g., eye care EHR vendors).

[Figure: ONC information blocking rule regulatory compliance timeline. Graphic source: ONC-HIT]

For more information about the 21st Century Cures Act, refer to the Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule Overview.

What is the information blocking rule?

Information blocking (info blocking) is anything that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information (EHI). The information blocking policies apply to all electronic protected health information (ePHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA), to the extent that the ePHI would be included in a designated record set.

The ONC information blocking rule includes anything that prevents access, exchange, or use of EHI. ONC defines three information blocking categories:

  • Access: Ability or means necessary to make EHI available for exchange or use;
  • Exchange: Ability for EHI to be transmitted between and among different technologies, systems, platforms, or networks (does NOT include faxing); and
  • Use: Ability for EHI, once accessed or exchanged, to be understood and acted upon.

ONC defines EHI as individually identifiable health information that is transmitted by or maintained in electronic media, to the extent that it would be included in the designated record set.

What are the information blocking exceptions?

The information blocking rule is intentionally left open-ended and does not define exactly which actions constitute information blocking. Instead, it gives eight reasonable exceptions that are not considered information blocking and encourages each situation to be evaluated on a case-by-case basis.

Information blocking regulations are directive and require actors to provide access, exchange, and use of EHI for nearly all requests. There are two information blocking exception categories.

1. Not fulfilling requests to access, exchange, or use EHI:

  • Preventing harm
  • Privacy
  • Security
  • Infeasibility
  • Health IT performance

2. Procedures for fulfilling requests to access, exchange, or use EHI:

  • Content and manner
  • Fees
  • Licensing

How will eye care software comply with the information blocking rule?

As part of the 21st Century Cures Act Final Rule, EHR vendors, such as First Insight, need to ensure that they are not performing any actions that are likely to interfere with the access, exchange, or use of EHI. First Insight is compliant with the information blocking rule as we do not have any business, organization, or technical practices in place that prevent or discourage the access or exchange of EHI.

First Insight will maintain full compliance with our EHR certification, communications, maintain Application Program Interfaces (API) access, and ensure electronic health exchange complies with information blocking and assurances.

For specific information about eye care software certification and APIs, please visit First Insight’s EHR certification page. was the first-ever live tested Health IT Module for the 21st Century Cures Update Edition. is ONC Cures Update certified for (b)(1-2), (c)(3), (d)(2-3), (f)(5), (g)(6) and (g)(9).

How can you securely communicate electronically with patients via your ophthalmology and optometry software?

Provider compliance is based on “timely responses” to share EHI data when a patient asks for it. While can’t perform the necessary actions that eye care providers must do to be compliant, First Insight provides tools (such as Patient Portal or open APIs) you can use.

The integrated Patient Portal securely sends and receives Summary of Care (SoC) documents containing the United States Core Data for Interoperability (USCDI) data elements and EHI to patients and external providers via secure direct messaging and APIs. The USCDI is a standardized set of health classes and data elements for interoperable health information exchange.

API access is automatically enabled via the Patient Portal. Providers do not need to take any action on this except to ask the patient’s permission to send emails and click to sign patients up for

If you choose to use a third-party or open-source patient portal, First Insight can authorize your practice to access our API. However, if you use another patient portal there may be extra steps for the patient and provider, and the patient portal will not integrate with

How does cloud EHR software adhere to secure cloud data protection, backup, and disaster recovery?

Rest assured that First Insight monitors and adheres to secure cloud data protection, backup, and disaster recovery measures. We will continue to stay current with privacy and security measures to protect your data.

For instance, listed below are critical components of First Insight’s cloud data security protocols for, our new unified practice management and EHR eye care software.

  • Advanced antivirus endpoint detection and Microsoft® Azure security protection with anti-malware and Enterprise-grade firewall technologies detect and stop ransomware threats from encrypting files.
  • Data at rest and data backups are encrypted.
  • Multi-factor and module-level authentication logins.
  • Scheduled Windows® and security updates.
  • Automated responses to vulnerabilities and attacks.
  • Country-level blocking, IP whitelisting, and restricted ports.
  • Disaster recovery backup of the last 30 days within 2 to 8 hours.

Select a certified eye care software partner that focuses on interoperability, accessibility, and security

Look for a certified eye care EHR and practice management system that focuses on your future goals, not immediate needs. Managing the patient-provider relationship has never been simpler for optometry and ophthalmology practices.

Request a demo to see how and other practice management business tools offer the support you need to run an efficient eye care practice.

NOTE: If you are a current MaximEyes customer and need to add the Patient Portal module to your EHR system, email for more information.

This blog is meant as an educational resource and does NOT constitute legal information blocking compliance advice. Eye care providers are responsible for taking the necessary actions needed to comply with the information-blocking rule.