Information blocking rules and patient access rights in practice for clinicians
The message that nudged me into writing this wasn’t dramatic. A patient asked through the portal, “Can you send me everything related to last month’s visit, including the imaging and the doctor-to-doctor messages?” I paused. Everything? What sits in “everything” under HIPAA, what counts as “electronic health information” under the Cures Act, and what crosses a privacy line if I hold it back? I realized my comfort with these rules had grown in pieces—policy memos, hallway advice, and the occasional frantic Google search at 5 p.m. I wanted to pull it together here, in one practical place, the way I wish someone had explained it to me when portals first changed our days.
The moment this became real for me
It was a simple lab result that auto-released at midnight. By morning, the patient had read it, messaged three times, and was calling the clinic. My first instinct years ago would’ve been to slow the release “so patients don’t worry,” but that’s precisely the kind of generalized friction the information blocking rule forbids. The rule doesn’t say “share recklessly.” It says don’t knowingly interfere with access, exchange, or use of electronic health information (EHI) unless a specific exception applies. The exceptions are meant to be narrow and documented—think individualized risk of harm, a bona fide security safeguard, or a situation where it’s truly infeasible to provide the information in the requested way. For a quick, plain-English overview of the exceptions, I bookmarked the ONC fact sheet and keep it within reach here.
- High-value takeaway: Treat “access by default” as the baseline, and use exceptions sparingly and with documentation.
- When unsure whether a request falls under HIPAA’s right of access or ONC’s information blocking rule, remember that for patients, both point toward timely, reasonable access. The OCR’s plain-language guidance lives here.
- When you must say no or not yet, anchor it in the appropriate exception and explain the path forward (what information you can share now, what you’re reviewing, and by when).
What actually counts as electronic health information
For a while, I thought “EHI = whatever’s in the USCDI data set.” That was true early on, but since October 6, 2022, the scope expanded to the full set of electronic information in the “designated record set” (DRS)—not just a handful of data elements. The ONC page spells out this shift and the definition details here. In plain language: if the information is kept electronically and is used to make decisions about a person (think medical records, billing records, care management files), it very likely sits inside the DRS. Psychotherapy notes and information prepared for legal proceedings remain outside access rights under HIPAA; you can cross-check the regulatory text if you like reading the source itself here.
- Clinical examples of EHI: progress notes, lab reports, imaging, care plans, medication lists, allergies, problem lists, operative reports, and billing records.
- Commonly excluded: psychotherapy notes; data compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- Gray zones worth pausing on: quality-improvement worksheets, internal peer review, and certain risk-management documents—these often sit outside the DRS, but check your organization’s definitions and state law.
The eight exceptions in clinician language
I keep a one-liner for each. If my reason doesn’t fit one of these, I assume I should share and sort the workflow around it. The official list is summarized by ONC here with the full regulation at 45 CFR Part 171 here.
- Preventing Harm: You reasonably believe releasing the info is likely to cause substantial harm (not just worry). Must be individualized and documented.
- Privacy: You’re honoring the patient’s preferences, meeting consent requirements, or following other privacy laws (e.g., adolescent confidentiality where state law protects it).
- Security: You’re applying objective, consistently enforced safeguards to protect EHI (e.g., throttling bulk queries during an active attack).
- Infeasibility: You truly cannot fulfill the request due to uncontrollable events, segmentation limits, or unreasonable burden after trying alternatives.
- Health IT Performance: Temporary unavailability to maintain or improve the system, with transparent policies.
- Content and Manner: If you can’t provide the exact format requested, you offer an alternative manner that still enables access/use without undue delay.
- Fees: Any fees must be reasonable and cost-based, never anti-competitive or access-discouraging.
- Licensing: If licensing of interoperability elements is needed, terms must be reasonable and non-discriminatory.
That “reasonable, cost-based” idea also runs through HIPAA’s right of access. OCR clarifies which costs are allowed (copying labor, supplies, postage) and which are not (search/retrieval fees) in its guidance here.
Timelines and enforcement that shape real behavior
Two clocks matter in my day-to-day.
- HIPAA right of access timeline: act on a request within 30 calendar days (with one 30-day extension if you give a written reason). OCR’s step-by-step is here.
- Information blocking enforcement: OIG finalized civil monetary penalties (CMPs) for developers and HIE/HINs—up to $1 million per violation—with ongoing updates posted here. For health care providers, HHS finalized “disincentives” (for Medicare-enrolled providers) rather than CMPs; see the Federal Register final rule here and ONC’s short overview slide deck here.
In practical terms, those disincentives can affect program participation and payment adjustments (for example, Promoting Interoperability status). I’ve never met a clinician motivated by penalty math alone—but program eligibility and reputation certainly focus attention.
How I turned the rules into a sane clinic workflow
I used to keep my own scratchpad. Now it’s a shared one-pager the team tweaks monthly. It’s boring, and it works.
- Standard intake script: When a patient asks for “everything,” staff confirm whether they want a specific date range, a type of record (e.g., imaging and radiology report), or the whole chart. We explain they can ask for a format (portal, PDF, CD for imaging) and we’ll offer the closest alternative if their first choice isn’t feasible (that’s the Content and Manner exception in action).
- Time stamps and tickets: Every access request gets a date/time stamp and a tracking number. The “due date” auto-populates at 30 days, with a reminder at day 20 to avoid last-minute scrambles. The HIPAA access rule text lives here if we need to confirm the clock.
- Exception log: If we withhold or delay EHI, we record: which exception, who decided, why the criteria fit, what we offered instead, and when we will re-check. This prevents “because it felt safer” from becoming policy.
- Release timing norms: We default to same-day portal release where technically feasible. For results likely to distress, we add anticipatory guidance (“This test can look scary before your clinician explains it; we’ll message you today”) rather than delay by default.
- Fee guardrails: Our access fee schedule lists only permitted cost-based items (copying labor, media, postage). We never include retrieval fees, per OCR guidance here.
Notes I keep by my desk for tricky situations
These are the rough edges where I still find myself double-checking the rules and leaning on colleagues.
- Adolescent confidentiality: If state law grants minors confidentiality for certain services, the Privacy exception may allow segmentation or delay for those items. We align with our pediatric and adolescent medicine leads rather than wing it.
- Third-party apps that feel risky: I sometimes worry about apps the patient chooses. The Security exception protects our systems; it does not let us refuse a patient’s app purely because we dislike their privacy policy. I document the risk conversation and honor the patient’s direction if technically feasible.
- “Don’t share my note with my family” requests: If the patient is the legal decision-maker, that preference falls under Privacy. If an alternate decision-maker is involved, or there’s a guardianship or proxy, we verify authority and keep the record of that verification.
- Abnormal results that feel dangerous to release now: I ask, “Is there individualized, likely risk of substantial harm?” If yes, Preventing Harm may apply—but only with documentation and a plan for re-check. If it’s just worry, we release with context.
- We simply can’t produce it that way: When a request demands a format our system can’t output, we offer the nearest technically feasible option without undue delay, as the Content and Manner exception allows (see ONC fact sheet here).
A pocket translation of the rules for busy days
Here’s the short version I tell myself between rooms: default to yes, fast, and in a usable format. If I’m saying “no” or “not yet,” I make sure the reason fits one of the eight exceptions and that I’ve offered an alternative. And I keep the enforcement picture in mind—not to scare myself, but to stay realistic. The OIG page is where I check the latest on penalties and case priorities here. The Federal Register entry on provider disincentives reminds me this isn’t just theory; it can affect how our organization is measured and paid here.
My “share by default” checklist
- Confirm identity and authority: patient, personal representative, or app designated by the patient.
- Clarify scope: specific items vs. entire chart; date ranges; imaging plus reports.
- Clarify format: portal download, secure email, API to an app, CD/DVD for imaging.
- Offer an alternative if needed: that’s Content and Manner—don’t let format disagreements stall access.
- Set expectations on timing: we aim for days, not weeks; HIPAA’s outer limit is 30 days, details here.
- Check exceptions only if truly needed: Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Content and Manner, Fees, Licensing—outline which applies and why.
- Document the decision and communicate it: what we shared, what we didn’t, the reason, and when we’ll revisit.
Small habits that made a big difference
I started writing my notes a bit more like letters. Not flowery—just aware they will often be read the same day. I add a line on “what this means” and a line on “what happens next,” and my inbox quieted. When a result is likely to scare, I pre-write the portal message before the lab posts. I also keep a reusable snippet for the cost-based fees language and link to our patient-facing page, which draws on OCR’s fee guidance here.
- Template A, results day: “You may see your result before I do. If something looks worrisome, I will message you today with context.”
- Template B, format compromise: “We can’t produce [format] directly, but we can provide [alternative] today or [second alternative] by [date].”
- Template C, privacy-sensitive items: “I’m honoring your preference to keep [item] restricted. If that changes, tell us and we’ll update your sharing settings.”
Signals that tell me to slow down and double-check
Most requests are straightforward. A few deserve a pause—and a teammate.
- Escalating safety concerns: information could realistically trigger interpersonal violence or self-harm; consult your risk team and consider the Preventing Harm exception with careful documentation.
- Complex legal authority: guardianship transitions, contested proxies, or partial authority; verify before releasing.
- Bulk or automated third-party pulls: ensure your rate-limiting or verification steps are justified under the Security exception and applied consistently.
- State-law overlays: reproductive health, substance use, HIV, genetic data—state privacy protections may shape how you meet access and sharing obligations.
What I’m keeping and what I’m letting go
I’m keeping a bias toward sunlight. Patients read sooner; we answer cleaner. I’m keeping a tight exception log and the humility to ask for a second opinion when an edge case pops up. I’m letting go of “we’ve always done it this way” and the reflex to delay “just in case.” When I do need to limit access, I want my future self to look at the note and say, “Yes—that fits the rule, the exception, and the patient’s needs.”
FAQ
1) Can I delay releasing scary results until I talk to the patient?
Answer: Not by default. You need an individualized, likely risk of substantial harm to use the Preventing Harm exception. Otherwise, release and add context. See ONC’s exception summary here.
2) How fast do I have to send records if a patient asks?
Answer: HIPAA says act within 30 days (one 30-day extension with written reason). Many organizations aim for much faster. OCR’s guidance is here.
3) Can we charge a “retrieval fee” for old charts?
Answer: No. Fees must be reasonable and cost-based for copying, media, and postage—not retrieval. OCR details permitted fees here.
4) What happens if our organization is found to have “blocked” information?
Answer: Developers and HIE/HINs can face up to $1 million per violation; providers face programmatic disincentives if Medicare-enrolled. OIG posts updates here; the Federal Register rule for provider disincentives is here.
5) Are clinical notes always part of the records patients can access?
Answer: Generally yes, when they are in the designated record set. Psychotherapy notes and info prepared for legal proceedings are excluded. The regulatory text is here.
Sources & References
- HHS OCR Right of Access (2025)
- eCFR 45 CFR 164.524
- ONC Information Blocking Exceptions (2024)
- HHS OIG Information Blocking Penalties
- Federal Register Provider Disincentives (2024)
This blog is a personal journal and for general information only. It is not a substitute for professional medical advice, diagnosis, or treatment, and it does not create a doctor–patient relationship. Always seek the advice of a licensed clinician for questions about your health. If you may be experiencing an emergency, call your local emergency number immediately (e.g., 911 [US], 119).