Regulations last checked for updates: Nov 22, 2024

Title 45 - Public Welfare last revised: Nov 19, 2024
§ 171.100 - Statutory basis and purpose.

(a) Basis. This part implements section 3022 of the Public Health Service Act, 42 U.S.C. 300jj-52.

(b) Purpose. The purpose of this part is to establish exceptions for reasonable and necessary activities that do not constitute information blocking as defined by section 3022(a)(1) of the Public Health Service Act, 42 U.S.C. 300jj-52.

§ 171.101 - Applicability.

(a) This part applies to health care providers, health IT developers of certified health IT, health information exchanges, and health information networks, as those terms are defined in § 171.102.

(b) Health care providers, health IT developers of certified health IT, health information exchanges, and health information networks are subject to this part on and after April 5, 2021.

[85 FR 25955, May 1, 2020, as amended at 85 FR 70085, Nov. 4, 2020]
§ 171.102 - Definitions.

For purposes of this part:

Access means the ability or means necessary to make electronic health information available for exchange or use.

Actor means a health care provider, health IT developer of certified health IT, health information network or health information exchange.

API Information Source is defined as it is in § 170.404(c).

API User is defined as it is in § 170.404(c).

Appropriate agency means a government agency that has established disincentives for health care providers that the Office of Inspector General (OIG) determines have committed information blocking.

Business associate is defined as it is in 45 CFR 160.103.

Certified API Developer is defined as it is in § 170.404(c).

Certified API technology is defined as it is in § 170.404(c).

Disincentive means a condition specified in § 171.1001(a) that is imposed by an appropriate agency on a health care provider that OIG determines has committed information blocking for the purpose of deterring information blocking practices.

Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:

(1) Psychotherapy notes as defined in 45 CFR 164.501; or

(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Exchange means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.

Fee means any present or future obligation to pay money or provide any other thing of value.

Health care provider has the same meaning as “health care provider” in 42 U.S.C. 300jj.

Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT that is not offered to others, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)), and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).

Information blocking is defined as it is in § 171.103.

Interfere with or interference means to prevent, materially discourage, or otherwise inhibit.

Interoperability element means hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that:

(1) May be necessary to access, exchange, or use electronic health information; and

(2) Is/Are controlled by the actor, which includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange, or use of electronic health information.

Offer health information technology or offer health IT means to hold out for sale, resale, license, or relicense or to sell, resell, license, relicense, or otherwise provide or supply health information technology (as that term is defined in 42 U.S.C. 300jj(5) and where such health information technology includes one or more Health IT Modules certified under the ONC Health IT Certification Program) for deployment by or for other individual(s) or entity(ies) under any arrangement except an arrangement consistent with subparagraph (3)(iii), below. Activities and arrangements described in subparagraphs (1) through (3) are considered to be excluded from what it means to offer health IT.

(1) Donation and subsidized supply arrangements are not considered offerings when an individual or entity donates, gives, or otherwise makes available funding to subsidize or fully cover the costs of a health care provider's acquisition, augmentation, or upkeep of health IT, provided such individual or entity offers and makes such subsidy without condition(s) limiting the interoperability or use of the technology to access, exchange or use electronic health information for any lawful purpose.

(2) Implementation and use activities conducted by an individual or entity as follows:

(i) Issuing user accounts or login credentials to the individual's or entity's employees in the course of their employment or contractors within the scope of their contract in order for such employees or contractors to: use, operate, implement, configure, test, maintain, update or upgrade, or to give or receive training on, the individual's or entity's health IT system(s) or specific application(s) within such system(s).

(ii) Implementing, operating, or otherwise making available production instances of application programming interface (API) technology that supports access, exchange, and use of electronic health information that the individual or entity has in its possession, custody, control, or ability to query or transmit from or across a health information network or health information exchange.

(iii) Implementing, operating, and making available production instances of online portals for patients, clinicians or other health care providers, or public health entities to access, exchange, and use electronic health information that the individual or entity has in its possession, custody, control, or ability to query or transmit from or across a health information network or health information exchange.

(iv) Issuing login credentials or user accounts for the individual's or entity's production, development, or testing environments to public health authorities, or such authorities' employees or contractors, as a means of accomplishing or facilitating access, exchange, and use of electronic health information for public health purposes including but not limited to syndromic surveillance.

(v) Issuing login credentials or user accounts for independent healthcare professionals who furnish services in a healthcare facility to use the facility's electronic health record or other health IT system(s) in: furnishing, documenting, and accurately billing for care furnished in the facility; participating in clinical education or improvement activities conducted by or in the healthcare facility; or receiving training in use of the healthcare facility's health IT system(s).

(3) Consulting and legal services arrangements as follows:

(i) Legal services furnished by outside counsel—when furnishing legal services to a client in any matter or matters pertaining to the client's seeking, assessing, selecting, or resolving disputes over contracts or other arrangements by which the client obtains use of certified health IT. Outside counsel also does not offer health IT when facilitating limited access or use of a client's health IT by independent expert witnesses engaged by the outside counsel, opposing parties' counsel and experts, and special masters and court personnel, as appropriate to legal discovery.

(ii) Health IT consultant assistance with selection, implementation, and use of health IT —furnished to a health IT customer or user to help the customer do (or to do on behalf of a customer) any or all of the following with respect to any health IT product that the consultant does not sell or resell, license or relicense, or otherwise supply to the customer under any arrangement on a commercial basis or otherwise:

(A) Define the business needs of the customer or user or evaluate health IT product(s) against such business needs, or both;

(B) Negotiate for the purchase, lease, license, or other arrangement under which the health IT product(s) will be used; or

(C) Oversee or carry out configuration, implementation, or operation of health IT product(s).

(iii) Comprehensive and predominantly non-health IT administrative or operations management services—when an individual or entity furnishes a health care provider with administrative or operational management consultant services and the consultant acts as the agent of the provider or otherwise acts on behalf of the provider in dealings with one or more health IT developer(s) or vendor(s), or managing the day-to-day operations and administrative duties for the health IT, or both. To be consistent with this subparagraph, such services must be furnished as part of a comprehensive array of predominantly non-health IT administrative and operational functions that would otherwise be executed by the health care provider.

Permissible purpose means a purpose for which a person is authorized, permitted, or required to access, exchange, or use electronic health information under applicable law.

Person is defined as it is in 45 CFR 160.103.

Practice means an act or omission by an actor.

Use means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.

[85 FR 25955, May 1, 2020, as amended at 89 FR 1435, Jan. 9, 2024; 89 FR 54717, July 1, 2024]
§ 171.103 - Information blocking.

(a) Information blocking means a practice that except as required by law or covered by an exception set forth in subparts B, C, or D of this part, is likely to interfere with access, exchange, or use of electronic health information; and

(b) If conducted by:

(1) A health IT developer of certified health IT, health information network or health information exchange, such developer, network or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information; or

(2) A health care provider, such provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.

[89 FR 1436, Jan. 9, 2024]
source: 85 FR 25955, May 1, 2020, unless otherwise noted.
cite as: 45 CFR 171.101