Electronic Code of Federal Regulations

e-CFR data is current as of September 24, 2020

Title 45: Public Welfare


PART 171—INFORMATION BLOCKING


Contents

Subpart A—General Provisions

§171.100   Statutory basis and purpose.
§171.101   Applicability.
§171.102   Definitions.
§171.103   Information blocking.

Subpart B—Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information

§171.200   Availability and effect of exceptions.
§171.201   Preventing harm exception—when will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm not be considered information blocking?
§171.202   Privacy exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy not be considered information blocking?
§171.203   Security exception—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?
§171.204   Infeasibility exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request not be considered information blocking?
§171.205   Health IT performance exception—When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information not be considered information blocking?

Subpart C—Exceptions That Involve Procedures for Fulfilling Requests to Access, Exchange, or Use Electronic Health Information

§171.300   Availability and effect of exceptions.
§171.301   Content and manner exception—When will an actor's practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use electronic health information not be considered information blocking?
§171.302   Fees exception—When will an actor's practice of charging fees for accessing, exchanging, or using electronic health information not be considered information blocking?
§171.303   Licensing exception—When will an actor's practice to license interoperability elements in order for electronic health information to be accessed, exchanged, or used not be considered information blocking?

Authority: 42 U.S.C. 300jj-52; 5 U.S.C. 552.

Source: 85 FR 25955, May 1, 2020, unless otherwise noted.

Subpart A—General Provisions

§171.100   Statutory basis and purpose.

(a) Basis. This part implements section 3022 of the Public Health Service Act, 42 U.S.C. 300jj-52.

(b) Purpose. The purpose of this part is to establish exceptions for reasonable and necessary activities that do not constitute information blocking as defined by section 3022(a)(1) of the Public Health Service Act, 42 U.S.C. 300jj-52.

§171.101   Applicability.

(a) This part applies to health care providers, health IT developers of certified health IT, health information exchanges, and health information networks, as those terms are defined in §171.102.

(b) Health care providers, health IT developers of certified health IT, health information exchanges, and health information networks must comply with this part on and after November 2, 2020.

§171.102   Definitions.

For purposes of this part:

Access means the ability or means necessary to make electronic health information available for exchange or use.

Actor means a health care provider, health IT developer of certified health IT, health information network or health information exchange.

API Information Source is defined as it is in §170.404(c).

API User is defined as it is in §170.404(c).

Certified API Developer is defined as it is in §170.404(c).

Certified API technology is defined as it is in §170.404(c).

Electronic health information (EHI) means electronic protected health information as defined in 45 CFR 160.103 to the extent that it would be included in a designated record set as defined in 45 CFR 164.501, regardless of whether the group of records are used or maintained by or for a covered entity as defined in 45 CFR 160.103, but EHI shall not include:

(1) Psychotherapy notes as defined in 45 CFR 164.501; or

(2) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.

Exchange means the ability for electronic health information to be transmitted between and among different technologies, systems, platforms, or networks.

Fee means any present or future obligation to pay money or provide any other thing of value.

Health care provider has the same meaning as “health care provider” in 42 U.S.C. 300jj.

Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:

(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and

(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501 regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.

Health IT developer of certified health IT means an individual or entity, other than a health care provider that self-develops health IT for its own use, that develops or offers health information technology (as that term is defined in 42 U.S.C. 300jj(5)) and which has, at the time it engages in a practice that is the subject of an information blocking claim, one or more Health IT Modules certified under a program for the voluntary certification of health information technology that is kept or recognized by the National Coordinator pursuant to 42 U.S.C. 300jj-11(c)(5) (ONC Health IT Certification Program).

Information blocking is defined as it is in §171.103.

Interfere with or interference means to prevent, materially discourage, or otherwise inhibit.

Interoperability element means hardware, software, integrated technologies or related licenses, technical information, privileges, rights, intellectual property, upgrades, or services that:

(1) May be necessary to access, exchange, or use electronic health information; and

(2) Is/Are controlled by the actor, which includes the ability to confer all rights and authorizations necessary to use the element to enable the access, exchange, or use of electronic health information.

Permissible purpose means a purpose for which a person is authorized, permitted, or required to access, exchange, or use electronic health information under applicable law.

Person is defined as it is in 45 CFR 160.103.

Practice means an act or omission by an actor.

Use means the ability for electronic health information, once accessed or exchanged, to be understood and acted upon.

§171.103   Information blocking.

(a) Information blocking means a practice that—

(1) Except as required by law or covered by an exception set forth in subpart B or subpart C of this part, is likely to interfere with access, exchange, or use of electronic health information; and

(2) If conducted by a health information technology developer, health information network or health information exchange, such developer, network or exchange knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information; or

(3) If conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

(b) Until May 2, 2022, electronic health information for purposes of paragraph (a) of this section is limited to the electronic health information identified by the data elements represented in the USCDI standard adopted in §170.213.

Subpart B—Exceptions That Involve Not Fulfilling Requests to Access, Exchange, or Use Electronic Health Information

§171.200   Availability and effect of exceptions.

A practice shall not be treated as information blocking if the actor satisfies an exception to the information blocking provision as set forth in this subpart B by meeting all applicable requirements and conditions of the exception at all relevant times.

§171.201   Preventing harm exception—when will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm not be considered information blocking?

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to prevent harm will not be considered information blocking when the practice meets the conditions in paragraphs (a) and (b) of this section, satisfies at least one condition from each of paragraphs (c), (d), and (f) of this section, and also meets the condition in paragraph (e) of this section when applicable.

(a) Reasonable belief. The actor engaging in the practice must hold a reasonable belief that the practice will substantially reduce a risk of harm to a patient or another natural person that would otherwise arise from the access, exchange, or use of electronic health information affected by the practice. For purposes of this section, “patient” means a natural person who is the subject of the electronic health information affected by the practice.

(b) Practice breadth. The practice must be no broader than necessary to substantially reduce the risk of harm that the practice is implemented to reduce.

(c) Type of risk. The risk of harm must:

(1) Be determined on an individualized basis in the exercise of professional judgment by a licensed health care professional who has a current or prior clinician-patient relationship with the patient whose electronic health information is affected by the determination; or

(2) Arise from data that is known or reasonably suspected to be misidentified or mismatched, corrupt due to technical failure, or erroneous for another reason.

(d) Type of harm. The type of harm must be one that could serve as grounds for a covered entity (as defined in §160.103 of this title) to deny access (as the term “access” is used in part 164 of this title) to an individual's protected health information under:

(1) Section 164.524(a)(3)(iii) of this title where the practice is likely to, or in fact does, interfere with access, exchange, or use (as these terms are defined in §171.102) of the patient's electronic health information by their legal representative (including but not limited to personal representatives recognized pursuant to 45 CFR 164.502) and the practice is implemented pursuant to an individualized determination of risk of harm consistent with paragraph (c)(1) of this section;

(2) Section 164.524(a)(3)(ii) of this title where the practice is likely to, or in fact does, interfere with the patient's or their legal representative's access to, use or exchange (as these terms are defined in §171.102) of information that references another natural person and the practice is implemented pursuant to an individualized determination of risk of harm consistent with paragraph (c)(1) of this section;

(3) Section 164.524(a)(3)(i) of this title where the practice is likely to, or in fact does, interfere with the patient's access, exchange, or use (as these terms are defined in §171.102) of their own electronic health information, regardless of whether the risk of harm that the practice is implemented to substantially reduce is consistent with paragraph (c)(1) or (2) of this section; or

(4) Section 164.524(a)(3)(i) of this title where the practice is likely to, or in fact does, interfere with a legally permissible access, exchange, or use (as these terms are defined in §171.102) of electronic health information not described in paragraph (d)(1), (2), or (3) of this section, and regardless of whether the risk of harm the practice is implemented to substantially reduce is consistent with paragraph (c)(1) or (2) of this section.

(e) Patient right to request review of individualized determination of risk of harm. Where the risk of harm is consistent with paragraph (c)(1) of this section, the actor must implement the practice in a manner consistent with any rights the individual patient whose electronic health information is affected may have under §164.524(a)(4) of this title, or any Federal, State, or tribal law, to have the determination reviewed and potentially reversed.

(f) Practice implemented based on an organizational policy or a determination specific to the facts and circumstances. The practice must be consistent with an organizational policy that meets paragraph (f)(1) of this section or, in the absence of an organizational policy applicable to the practice or to its use in particular circumstances, the practice must be based on a determination that meets paragraph (f)(2) of this section.

(1) An organizational policy must:

(i) Be in writing;

(ii) Be based on relevant clinical, technical, and other appropriate expertise;

(iii) Be implemented in a consistent and non-discriminatory manner; and

(iv) Conform each practice to the conditions in paragraphs (a) and (b) of this section, as well as the conditions in paragraphs (c) through (e) of this section that are applicable to the practice and its use.

(2) A determination must:

(i) Be based on facts and circumstances known or reasonably believed by the actor at the time the determination was made and while the practice remains in use; and

(ii) Be based on expertise relevant to implementing the practice consistent with the conditions in paragraphs (a) and (b) of this section, as well as the conditions in paragraphs (c) through (e) of this section that are applicable to the practice and its use in particular circumstances.

§171.202   Privacy exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy not be considered information blocking?

An actor's practice of not fulfilling a request to access, exchange, or use electronic health information in order to protect an individual's privacy will not be considered information blocking when the practice meets all of the requirements of at least one of the sub-exceptions in paragraphs (b) through (e) of this section.

(a) Definitions in this section. (1) The term HIPAA Privacy Rule as used in this section means 45 CFR parts 160 and 164.

(2) The term individual as used in this section means one or more of the following—

(i) An individual as defined by 45 CFR 160.103.

(ii) Any other natural person who is the subject of the electronic health information being accessed, exchanged, or used.

(iii) A person who legally acts on behalf of a person described in paragraph (a)(1) or (2) of this section in making decisions related to health care as a personal representative, in accordance with 45 CFR 164.502(g).

(iv) A person who is a legal representative of and can make health care decisions on behalf of any person described in paragraph (a)(1) or (2) of this section.

(v) An executor, administrator, or other person having authority to act on behalf of a deceased person described in paragraph (a)(1) or (2) of this section or the individual's estate under State or other law.

(b) Sub-exception—precondition not satisfied. To qualify for the exception on the basis that State or Federal law requires one or more preconditions for providing access, exchange, or use of electronic health information that have not been satisfied, the following requirements must be met—

(1) The actor's practice is tailored to the applicable precondition not satisfied, is implemented in a consistent and non-discriminatory manner, and either:

(i) Conforms to the actor's organizational policies and procedures that:

(A) Are in writing;

(B) Specify the criteria to be used by the actor to determine when the precondition would be satisfied and, as applicable, the steps that the actor will take to satisfy the precondition; and

(C) Are implemented by the actor, including by providing training on the policies and procedures; or

(ii) Are documented by the actor, on a case-by-case basis, identifying the criteria used by the actor to determine when the precondition would be satisfied, any criteria that were not met, and the reason why the criteria were not met.

(2) If the precondition relies on the provision of a consent or authorization from an individual and the actor has received a version of such a consent or authorization that does not satisfy all elements of the precondition required under applicable law, the actor must:

(i) Use reasonable efforts within its control to provide the individual with a consent or authorization form that satisfies all required elements of the precondition or provide other reasonable assistance to the individual to satisfy all required elements of the precondition; and

(ii) Not improperly encourage or induce the individual to withhold the consent or authorization.

(3) For purposes of determining whether the actor's privacy policies and procedures and actions satisfy the requirements of paragraphs (b)(1)(i) and (b)(2) above when the actor's operations are subject to multiple laws which have inconsistent preconditions, they shall be deemed to satisfy the requirements of the paragraphs if the actor has adopted uniform privacy policies and procedures to address the more restrictive preconditions.

(c) Sub-exception—health IT developer of certified health IT not covered by HIPAA. If the actor is a health IT developer of certified health IT that is not required to comply with the HIPAA Privacy Rule, when engaging in a practice that promotes the privacy interests of an individual, the actor's organizational privacy policies must have been disclosed to the individuals and entities that use the actor's product or service before they agreed to use them, and must implement the practice according to a process described in the organizational privacy policies. The actor's organizational privacy policies must:

(1) Comply with State and Federal laws, as applicable;

(2) Be tailored to the specific privacy risk or interest being addressed; and

(3) Be implemented in a consistent and non-discriminatory manner.

(d) Sub-exception—denial of an individual's request for their electronic health information consistent with 45 CFR 164.524(a)(1) and (2). If an individual requests electronic health information under the right of access provision under 45 CFR 164.524(a)(1) from an actor that must comply with 45 CFR 164.524(a)(1), the actor's practice must be consistent with 45 CFR 164.524(a)(2).

(e) Sub-exception—respecting an individual's request not to share information. Unless otherwise required by law, an actor may elect not to provide access, exchange, or use of an individual's electronic health information if the following requirements are met—

(1) The individual requests that the actor not provide such access, exchange, or use of electronic health information without any improper encouragement or inducement of the request by the actor;

(2) The actor documents the request within a reasonable time period;

(3) The actor's practice is implemented in a consistent and non-discriminatory manner; and

(4) An actor may terminate an individual's request for a restriction to not provide such access, exchange, or use of the individual's electronic health information only if:

(i) The individual agrees to the termination in writing or requests the termination in writing;

(ii) The individual orally agrees to the termination and the oral agreement is documented by the actor; or

(iii) The actor informs the individual that it is terminating its agreement to not provide such access, exchange, or use of the individual's electronic health information except that such termination is:

(A) Not effective to the extent prohibited by applicable Federal or State law; and

(B) Only applicable to electronic health information created or received after the actor has so informed the individual of the termination.

§171.203   Security exception—When will an actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information not be considered information blocking?

An actor's practice that is likely to interfere with the access, exchange, or use of electronic health information in order to protect the security of electronic health information will not be considered information blocking when the practice meets the conditions in paragraphs (a), (b), and (c) of this section, and in addition meets either the condition in paragraph (d) of this section or the condition in paragraph (e) of this section.

(a) The practice must be directly related to safeguarding the confidentiality, integrity, and availability of electronic health information.

(b) The practice must be tailored to the specific security risk being addressed.

(c) The practice must be implemented in a consistent and non-discriminatory manner.

(d) If the practice implements an organizational security policy, the policy must—

(1) Be in writing;

(2) Have been prepared on the basis of, and be directly responsive to, security risks identified and assessed by or on behalf of the actor;

(3) Align with one or more applicable consensus-based standards or best practice guidance; and

(4) Provide objective timeframes and other parameters for identifying, responding to, and addressing security incidents.

(e) If the practice does not implement an organizational security policy, the actor must have made a determination in each case, based on the particularized facts and circumstances, that:

(1) The practice is necessary to mitigate the security risk to electronic health information; and

(2) There are no reasonable and appropriate alternatives to the practice that address the security risk that are less likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information.

§171.204   Infeasibility exception—When will an actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request not be considered information blocking?

An actor's practice of not fulfilling a request to access, exchange, or use electronic health information due to the infeasibility of the request will not be considered information blocking when the practice meets one of the conditions in paragraph (a) of this section and meets the requirements in paragraph (b) of this section.

(a) Conditions—(1) Uncontrollable events. The actor cannot fulfill the request for access, exchange, or use of electronic health information due to a natural or human-made disaster, public health emergency, public safety incident, war, terrorist attack, civil insurrection, strike or other labor unrest, telecommunication or internet service interruption, or act of military, civil or regulatory authority.

(2) Segmentation. The actor cannot fulfill the request for access, exchange, or use of electronic health information because the actor cannot unambiguously segment the requested electronic health information from electronic health information that:

(i) Cannot be made available due to an individual's preference or because the electronic health information cannot be made available by law; or

(ii) May be withheld in accordance with §171.201.

(3) Infeasible under the circumstances. (i) The actor demonstrates, prior to responding to the request pursuant to paragraph (b) of this section, through a contemporaneous written record or other documentation its consistent and non-discriminatory consideration of the following factors that led to its determination that complying with the request would be infeasible under the circumstances:

(A) The type of electronic health information and the purposes for which it may be needed;

(B) The cost to the actor of complying with the request in the manner requested;

(C) The financial and technical resources available to the actor;

(D) Whether the actor's practice is non-discriminatory and the actor provides the same access, exchange, or use of electronic health information to its companies or to its customers, suppliers, partners, and other persons with whom it has a business relationship;

(E) Whether the actor owns or has control over a predominant technology, platform, health information exchange, or health information network through which electronic health information is accessed or exchanged; and

(F) Why the actor was unable to provide access, exchange, or use of electronic health information consistent with the exception in §171.301.

(ii) In determining whether the circumstances were infeasible under paragraph (a)(3)(i) of this section, it shall not be considered whether the manner requested would have:

(A) Facilitated competition with the actor.

(B) Prevented the actor from charging a fee or resulted in a reduced fee.

(b) Responding to requests. If an actor does not fulfill a request for access, exchange, or use of electronic health information for any of the reasons provided in paragraph (a) of this section, the actor must, within ten business days of receipt of the request, provide to the requestor in writing the reason(s) why the request is infeasible.

§171.205   Health IT performance exception—When will an actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information not be considered information blocking?

An actor's practice that is implemented to maintain or improve health IT performance and that is likely to interfere with the access, exchange, or use of electronic health information will not be considered information blocking when the practice meets a condition in paragraph (a), (b), (c), or (d) of this section, as applicable to the particular practice and the reason for its implementation.

(a) Maintenance and improvements to health IT. When an actor implements a practice that makes health IT under that actor's control temporarily unavailable, or temporarily degrades the performance of health IT, in order to perform maintenance or improvements to the health IT, the actor's practice must be—

(1) Implemented for a period of time no longer than necessary to complete the maintenance or improvements for which the health IT was made unavailable or the health IT's performance degraded;

(2) Implemented in a consistent and non-discriminatory manner; and

(3) If the unavailability or degradation is initiated by a health IT developer of certified health IT, health information exchange, or health information network:

(i) Planned. Consistent with existing service level agreements between the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT; or

(ii) Unplanned. Consistent with existing service level agreements between the individual or entity; or agreed to by the individual or entity to whom the health IT developer of certified health IT, health information exchange, or health information network supplied the health IT.

(b) Assured level of performance. An actor may take action against a third-party application that is negatively impacting the health IT's performance, provided that the practice is—

(1) For a period of time no longer than necessary to resolve any negative impacts;

(2) Implemented in a consistent and non-discriminatory manner; and

(3) Consistent with existing service level agreements, where applicable.

(c) Practices that prevent harm. If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a risk of harm to a patient or another person, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of §171.201 at all relevant times to qualify for an exception.

(d) Security-related practices. If the unavailability of health IT for maintenance or improvements is initiated by an actor in response to a security risk to electronic health information, the actor does not need to satisfy the requirements of this section, but must comply with all requirements of §171.203 at all relevant times to qualify for an exception.

Subpart C—Exceptions That Involve Procedures for Fulfilling Requests to Access, Exchange, or Use Electronic Health Information

§171.300   Availability and effect of exceptions.

A practice shall not be treated as information blocking if the actor satisfies an exception to the information blocking provision as set forth in this subpart C by meeting all applicable requirements and conditions of the exception at all relevant times.

§171.301   Content and manner exception—When will an actor's practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use electronic health information not be considered information blocking?

An actor's practice of limiting the content of its response to or the manner in which it fulfills a request to access, exchange, or use electronic health information will not be considered information blocking when the practice meets all of the following conditions.

(a) Content condition—electronic health information. An actor must respond to a request to access, exchange, or use electronic health information with—

(1) USCDI. For up to May 2, 2022, at a minimum, the electronic health information identified by the data elements represented in the USCDI standard adopted in §170.213.

(2) All electronic health information. On and after May 2, 2022, electronic health information as defined in §171.102.

(b) Manner condition—(1) Manner requested. (i) An actor must fulfill a request described in paragraph (a) of this section in any manner requested, unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request.

(ii) If an actor fulfills a request described in paragraph (a) of this section in any manner requested:

(A) Any fees charged by the actor in relation to fulfilling the response are not required to satisfy the exception in §171.302; and

(B) Any license of interoperability elements granted by the actor in relation to fulfilling the request is not required to satisfy the exception in §171.303.

(2) Alternative manner. If an actor does not fulfill a request described in paragraph (a) of this section in any manner requested because it is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request, the actor must fulfill the request in an alternative manner, as follows:

(i) The actor must fulfill the request without unnecessary delay in the following order of priority, starting with paragraph (b)(2)(i)(A) of this section and only proceeding to the next consecutive paragraph if the actor is technically unable to fulfill the request in the manner identified in a paragraph.

(A) Using technology certified to standard(s) adopted in part 170 that is specified by the requestor.

(B) Using content and transport standards specified by the requestor and published by:

(1) The Federal Government; or

(2) A standards developing organization accredited by the American National Standards Institute.

(C) Using an alternative machine-readable format, including the means to interpret the electronic health information, agreed upon with the requestor.

(ii) Any fees charged by the actor in relation to fulfilling the request are required to satisfy the exception in §171.302.

(iii) Any license of interoperability elements granted by the actor in relation to fulfilling the request is required to satisfy the exception in §171.303.

§171.302   Fees exception—When will an actor's practice of charging fees for accessing, exchanging, or using electronic health information not be considered information blocking?

An actor's practice of charging fees, including fees that result in a reasonable profit margin, for accessing, exchanging, or using electronic health information will not be considered information blocking when the practice meets the conditions in paragraph (a) of this section, does not include any of the excluded fees in paragraph (b) of this section, and, as applicable, meets the condition in paragraph (c) of this section.

(a) Basis for fees condition. (1) The fees an actor charges must be—

(i) Based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons or entities and requests;

(ii) Reasonably related to the actor's costs of providing the type of access, exchange, or use of electronic health information to, or at the request of, the person or entity to whom the fee is charged;

(iii) Reasonably allocated among all similarly situated persons or entities to whom the technology or service is supplied, or for whom the technology is supported; and

(iv) Based on costs not otherwise recovered for the same instance of service to a provider and third party.

(2) The fees an actor charges must not be based on—

(i) Whether the requestor or other person is a competitor, potential competitor, or will be using the electronic health information in a way that facilitates competition with the actor;

(ii) Sales, profit, revenue, or other value that the requestor or other persons derive or may derive from the access, exchange, or use of the electronic health information;

(iii) Costs the actor incurred due to the health IT being designed or implemented in a non-standard way, unless the requestor agreed to the fee associated with the non-standard design or implementation to access, exchange, or use the electronic health information;

(iv) Costs associated with intangible assets other than the actual development or acquisition costs of such assets;

(v) Opportunity costs unrelated to the access, exchange, or use of electronic health information; or

(vi) Any costs that led to the creation of intellectual property, if the actor charged a royalty for that intellectual property pursuant to §171.303 and that royalty included the development costs for the creation of the intellectual property.

(b) Excluded fees condition. This exception does not apply to—

(1) A fee prohibited by 45 CFR 164.524(c)(4);

(2) A fee based in any part on the electronic access of an individual's EHI by the individual, their personal representative, or another person or entity designated by the individual;

(3) A fee to perform an export of electronic health information via the capability of health IT certified to §170.315(b)(10) of this subchapter for the purposes of switching health IT or to provide patients their electronic health information; and

(4) A fee to export or convert data from an EHR technology that was not agreed to in writing at the time the technology was acquired.

(c) Compliance with the Conditions of Certification condition. Notwithstanding any other provision of this exception, if the actor is a health IT developer subject to the Conditions of Certification in §170.402(a)(4), §170.404, or both of this subchapter, the actor must comply with all requirements of such conditions for all practices and at all relevant times.

(d) Definition of Electronic access. The following definition applies to this section:

Electronic access means an internet-based method that makes electronic health information available at the time the electronic health information is requested and where no manual effort is required to fulfill the request.

§171.303   Licensing exception—When will an actor's practice to license interoperability elements in order for electronic health information to be accessed, exchanged, or used not be considered information blocking?

An actor's practice to license interoperability elements for electronic health information to be accessed, exchanged, or used will not be considered information blocking when the practice meets all of the following conditions.

(a) Negotiating a license conditions. Upon receiving a request to license an interoperability element for the access, exchange, or use of electronic health information, the actor must—

(1) Begin license negotiations with the requestor within 10 business days from receipt of the request; and

(2) Negotiate a license with the requestor, subject to the licensing conditions in paragraph (b) of this section, within 30 business days from receipt of the request.

(b) Licensing conditions. The license provided for the interoperability element(s) needed to access, exchange, or use electronic health information must meet the following conditions:

(1) Scope of rights. The license must provide all rights necessary to:

(i) Enable the access, exchange, or use of electronic health information; and

(ii) Achieve the intended access, exchange, or use of electronic health information via the interoperability element(s).

(2) Reasonable royalty. If the actor charges a royalty for the use of the interoperability elements described in paragraph (a) of this section, the royalty must be reasonable and comply with the following requirements:

(i) The royalty must be non-discriminatory, consistent with paragraph (c)(3) of this section.

(ii) The royalty must be based solely on the independent value of the actor's technology to the licensee's products, not on any strategic value stemming from the actor's control over essential means of accessing, exchanging, or using electronic health information.

(iii) If the actor has licensed the interoperability element through a standards developing organization in accordance with such organization's policies regarding the licensing of standards-essential technologies on terms consistent with those in this exception, the actor may charge a royalty that is consistent with such policies.

(iv) An actor may not charge a royalty for intellectual property if the actor recovered any development costs pursuant to §171.302 that led to the creation of the intellectual property.

(3) Non-discriminatory terms. The terms (including royalty terms) on which the actor licenses and otherwise provides the interoperability elements must be non-discriminatory and comply with the following requirements:

(i) The terms must be based on objective and verifiable criteria that are uniformly applied for all similarly situated classes of persons and requests.

(ii) The terms must not be based in any part on—

(A) Whether the requestor or other person is a competitor, potential competitor, or will be using electronic health information obtained via the interoperability elements in a way that facilitates competition with the actor; or

(B) The revenue or other value the requestor may derive from access, exchange, or use of electronic health information obtained via the interoperability elements.

(4) Collateral terms. The actor must not require the licensee or its agents or contractors to do, or to agree to do, any of the following—

(i) Not compete with the actor in any product, service, or market.

(ii) Deal exclusively with the actor in any product, service, or market.

(iii) Obtain additional licenses, products, or services that are not related to or can be unbundled from the requested interoperability elements.

(iv) License, grant, assign, or transfer to the actor any intellectual property of the licensee.

(v) Pay a fee of any kind whatsoever, except as described in paragraph (b)(2) of this section, unless the practice meets the requirements of the exception in §171.302.

(5) Non-disclosure agreement. The actor may require a reasonable non-disclosure agreement that is no broader than necessary to prevent unauthorized disclosure of the actor's trade secrets, provided—

(i) The agreement states with particularity all information the actor claims as trade secrets; and

(ii) Such information meets the definition of a trade secret under applicable law.

(c) Additional conditions relating to the provision of interoperability elements. The actor must not engage in any practice that has any of the following purposes or effects.

(1) Impeding the efficient use of the interoperability elements to access, exchange, or use electronic health information for any permissible purpose.

(2) Impeding the efficient development, distribution, deployment, or use of an interoperable product or service for which there is actual or potential demand.

(3) Degrading the performance or interoperability of the licensee's products or services, unless necessary to improve the actor's technology and after affording the licensee a reasonable opportunity to update its technology to maintain interoperability.
