Skip to Main Content.

This article was originally published on July 19, 2021 in Westlaw Today, an imprint of Thomson Reuters.

The federal Open Notes Rule (the “Rule”) implements a portion of the federal 21st Century Cures Act (Cures Act) related to “information blocking.” It specifies that clinical notes are among electronic health information (EHI) that must not be “blocked.” The notes must be available free of charge to patients and their representatives. Such access is through a patient portal or health applications on a smart device. The Rule significantly changes the way patient information will be shared and effectively mandates a Cloud for EHI.

The Rule, announced by the U.S. Department of Health & Human Services (DHHS) on March 9, 2020, gives patients “unprecedented safe, secure access to their health data” to make better health care decisions for themselves.

The Rule applies to health IT developers of certified health IT, health information exchanges and health information networks, and health care providers. It encompasses hospitals, long-term acute care hospitals, long-term care facilities, and nearly every other type of health care provider, including physicians and dentists and federally qualified health centers.

Two elements of the Open Notes Rule are triggered for health care providers on April 5, 2021. The first is the required data elements for EHI whenever it is accessed, exchanged, or used in a legally permissible manner. The second is compliance with the remainder of the information blocking requirements and exceptions, as discussed in the next section below.

The Rule “locks in,” for an 18-month period beginning on April 5, the EHI data elements contained in the U.S. Core Data for Interoperability (USCDI), Version 1. See 45 CFR §§ 170.213 and 170.299.
When responding to a request to access, use, or exchange EHI, a provider must respond at a minimum with the EHI identified by the data elements represented in the USCDI standard.

Psychotherapy notes are not included, as defined in 45 CFR 164.501. However, providers must still share other mental health records. Additionally, information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding is also excluded.

Information Blocking

Information blocking is defined as practices by an actor that likely interfere with, prevent, or materially discourage the access, exchange, or use of EHI, except as required by law or covered by an exception (45 CFR 171.103(a)).

A knowledge standard is also associated with the information blocking definition. Regarding a health care provider, information blocking occurs when the provider “knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of” EHI (45 CFR 171.103(a)(3)). For health IT developers of certified health IT and health information networks (HINs) or health information exchanges (HIEs), the standard is slightly broader in that the actor “knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information.

The information blocking requirements apply only to EHI and the electronic access to, and exchange of, patient data. This is different from HIPAA, which applies to “Covered Entities,” which covers patient health information in electronic form, and in paper form and verbal data.

The regulations also contain eight exceptions that will allow health care providers to engage in information blocking under certain circumstances. Five of these exceptions pertain to grounds that allow for a provider to not fulfill a request to access, exchange, or use EHI: preventing harm exception, privacy exception, security exception, infeasibility exception, and health IT performance exception. The remaining three exceptions pertain to procedures for fulfilling requests to access, exchange or use EHI: content and manner exception, fees exception, and licensing exception.

These exceptions are lengthy and may require compliance with specific conditions and, in some cases, sub-exceptions. Thus, an information blocking policy that includes replicating and implementing these exceptions will need to be adopted by all health care providers.


Compliance with the exceptions is voluntary and function as “safe harbors.” Compliant actions will not be treated as information blocking if the actor meets all applicable requirements and conditions of the exception at all relevant times (45 CFR 171.200). Actions that do not comply do not necessarily constitute information blocking. Instead, the facts and circumstances of each situation must be determined and analyzed as to whether the situation constituted information blocking.

Under Section 3022(b)(2)(B) of the Public Health Service Act, violations of the Rule’s requirements will result in a health care provider being “referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.” Such rulemaking has not yet occurred.

It is unclear whether there will be retroactive penalties for a health care provider that engages in information blocking before the promulgation of such disincentives. There is also nothing in the regulations indicating which is the “appropriate agency” for disciplining health care providers. It is likely a safe assumption that it will be an arm of the DHHS such as the Office of Civil Rights (OCR) or the Office of Inspector General (OIG).

Benefits of the Rule

The Rule aims to foster innovation in health care to better deliver information, more conveniently, to patients and their providers. It also promotes transparency through technology, providing opportunities for the public to gain visibility into the services, quality, and costs of health care.

In a Demonstration Study, 105 physicians at Beth Israel Deaconess Medical Center, Geisinger Health System and Harborview Medical Center in Seattle offered some 19,000 patients access to their notes. More than 80% of patients opted to read their notes and, after a year, 99% wished to continue to do so. Of those who read their notes, more than 85% said that the availability of open notes would influence their choice of providers in the future. “Inviting Patients to Read Their Doctor’s Notes: A Quasi-experimental Study and a Look Ahead,” 157 Annals of Internal Medicine 461, 461–70 (2012).

Malpractice and Limitations on Liability

The Rule could help prevent medical malpractice. Malpractice lawsuits often happen because of lack of information or communication breakdown between the patient and provider. The Rule seeks to engage patients and increase transparency by sharing clinician notes with patients. Sharing notes can empower patients to be more active participants in their care, making them more likely to follow through on treatment recommendations.

In 2015, the Controlled Risk Insurance Company (CRICO) Strategies analyzed national medical malpractice claims and found that 30% of all claims involve a communication failure (CRICO Strategies Report). These claims involve communication breakdowns where facts, figures, or findings got lost between the individuals who had that information and those who needed it — across the spectrum of health care services and settings.

The CRICO Strategies Report contains numerous examples where communication breakdown resulted in incorrect diagnoses and/or medical malpractice lawsuits. In at least one instance where a patient died, effective communication between providers and between the provider and patient could have prevented the outcome. “Malpractice Risks in Communication,” Candello Annual Benchmarking Report, 2015.


Whether face-to-face, by phone, or via the medical record, information exchange guides the patient’s diagnosis, treatment and, ultimately, their prognosis and outcome. Patients and providers rely on information being timely, accurate, and accessible. When communication is unreliable, then providers and patients dependent on being fully informed are left vulnerable to medical errors that can lead to serious harm. The Rule seeks to rectify this communication problem by requiring that patients and providers be able access a patient’s EHI on one platform.

While clinical notes must be shared by health providers starting April 5, the requirement to share information with a patient’s third-party app that may be downloaded to a smartphone or other device has a compliance effective date of Oct. 6, 2022. Health care providers and other actors covered by the Rule will need to develop and institute policies, procedures, and training to ensure full compliance with its detailed and technical requirements.