Patient portals once had limited information available to patients, however, providers are now using them to offer an array of information to patients including laboratory results, surgical reports, and physician notes to be compliant with the 21st Century Cures Act.
Because of this legislation, the Office of the National Coordinator for Health Information Technology (ONC) issued an extensive outline addressing the compliance mandates for information blocking. A complete copy of those guidelines can be found on the ONC website here.
Under the longstanding rules of HIPAA, providers are given 30 days to provide a patient with access to their medical records upon receipt of a written request. Under the information blocking regulations, providers will now need to provide free access “without delay” to an expansive range of electronic personal health information to remain compliant beginning on October 6, 2022.
While healthcare providers may think it is inappropriate to provide access to sensitive information or “bad news” before talking with a patient, the Cures Act includes a provision prohibiting something called “information blocking.”
Information blocking may sound straightforward, but in practice, it can include a wide range of behaviors—some intentional and some unintentional—that limit patient access to their health information. Under the 21st Century Cures Act, information blocking is defined as any practice that is likely to interfere with, prevent, or materially discourage access to electronic health information.
For example, information blocking may occur if:
• A provider delays releasing lab or imaging results until after an appointment, even if the patient could access them sooner.
• Patients are charged unnecessary fees to access or download their medical records.
• Health systems create technical barriers that make it difficult for other providers or patients to share or transfer records.
• Policies require patients to submit extra paperwork, despite the information being readily available in the electronic health record (EHR).
Even if these actions are well-intended, they can still be considered information blocking under the law. Because of this, healthcare providers must carefully review their workflows, patient portal settings and record-sharing practices to ensure they are not unintentionally creating obstacles.
For providers, the key takeaway here is that any delay, barrier, or added burden placed between a patient and their information could be interpreted as non-compliance. By proactively addressing these issues, organizations can avoid penalties while strengthening patient trust and transparency.
According to the American Journal of Medicine, clinicians’ concerns over providing access to open notes centers around three main issues: clinicians’ ability to communicate critical results before patient access, compliance with information blocking vs. privacy laws, and the task of uploading prior medical records contained.
Even so, according to the United States Core Data for Inoperability (USCDI), several types of clinical notes must be shared if the technology is in place. The current list of information to share includes:
• Consultation Notes
• Discharge Summary Notes
• History and Physical
• Imaging Narratives
• Laboratory Report Narratives
• Pathology Report Narratives
• Procedure Notes
• Progress Notes
In situations where a patient may learn of test results on a portal before the clinician has an opportunity to review those results and communicate with the patient, there are limited exceptions. Under the Cures Act Rule, it states that information can be blocked or hidden from patient access on online portals if they believe the patient may harm another person or themselves due to reading the information or if they need to protect the security of another person’s electronic health information.
Detailed information on these exceptions are outlined by the ONC. The Rule itself only applies to records that exist in electronic form. Providers are not under obligation to upload paper files to portals.
Complying with the 21st Century Cures Act requires more than just flipping a switch on your patient portal. Healthcare facilities and providers must take a proactive approach to ensure policies, technology, and staff practices align with the new requirements. Here are some key steps our team recommends:
Confirm that your electronic health record (EHR) platform supports the immediate release of clinical notes and test results. It may also be beneficial to work with your vendor(s) to identify and address any gaps in interoperability or access settings
Update policies around medical record release to reflect the “without delay” standard. You should also document clear guidelines for when exceptions may be applied to avoid confusion or misuse.
Provide training on writing clinical notes with patient access in mind, balancing clarity with clinical accuracy. You can also offer guidance on how to handle sensitive results or high-risk scenarios where exceptions may apply.
Create workflows for situations where results may be alarming or confusing if viewed without clinical context. This can ensure exceptions are used consistently and documented appropriately to reduce liability exposure.
Educate patients on how to use the portal, interpret their records and contact providers with follow-up questions. You can position open notes as a tool to empower patients rather than a replacement for direct provider communication.
By taking these steps, healthcare organizations can not only meet compliance requirements but also reduce risk exposure while strengthening their patient relationships. Facilities that plan ahead and involve both staff and patients in the process are better positioned to turn compliance into an opportunity for improved care delivery.
While compliance with the Cures Act can feel like a burden, the shift toward open notes has shown clear advantages for both patients and healthcare providers. Based on a survey conducted by JAMA Network, seventy-four percent (74%) of clinicians surveyed regarding open notes felt it will lead to better patient care, allowing for higher engagement and patient compliance.
For patients, the benefits are significant:
• Improved understanding of care plans: Patients can revisit instructions, test results, and treatment notes after appointments, reducing confusion and miscommunication.
• Higher engagement in their own health: Access to notes encourages patients to ask better questions and participate more actively in decision-making.
• Better compliance with treatment: Studies show patients are more likely to take medications as prescribed and follow through with recommendations when they can review their physician’s notes directly.
And for providers, the advantages are equally impactful:
• Enhanced communication: Sharing notes reinforces what was discussed during the visit and helps ensure patients remember key details.
• Fewer duplicate questions and calls: When patients can easily access their results, follow-up questions often decrease.
• Strengthened patient trust: Transparent access fosters confidence in the provider’s commitment to honesty and quality care.
Although concerns remain about how sensitive information is shared, the overall evidence shows that open notes can serve as a powerful tool to improve both quality and safety in healthcare delivery. What’s more, the ability to access private health information “without delay” will also address one of the most commonly reported complaints of patients according to NCBI—that they experience a significant delay in gaining access to complete information from providers.
Providers must review their concerns and be included in discussions on process changes and potential risk exposures evolve in the healthcare community. At LHA Trust Funds, we want to help discuss the concerns of the new requirements and advise on areas that can lead to potential liability risks.
Contact Jamie Lamb, Director of Claims Operations, at JamieLamb@LHATrustFunds.com or (225)368-3817 to schedule a Cures Act Presentation at your healthcare facility.
This article is for informational purposes only and is not official technical or legal advice. State laws around data release may not supersede the 21st Century Cures Act. The Cures Rule specifically states that information need not be released to patients if such release is prohibited by other laws. Healthcare providers should consult with their organization’s Health Information Management, compliance, legal, finance, and/or public relations experts and teams to find out how it applies to them.
Jamie Lamb
Director of Claims Operations, LHA Trust Funds
Jamie Lamb began her career in claims in 1997. Her experience includes handling multi-line claims in the areas of general liability, medical malpractice, automobile liability, commercial and personal property, excess and umbrella policies, and professional liability. Her experience comes as a former Manager and Litigation Specialist for the American National family of companies. She has been highly involved in the education and training of both internal and external customers her entire career. Ms. Lamb attended both Evangel University in Springfield, Missouri, and Loyola University in New Orleans.
09.30.2025
Article
Check out our latest blog to learn about the potential of ambient listening and the proper process for ensuring privacy i...
Learn More
01.13.2025
Article
An early response and investigation are key to handling events. We want our members to know that we are here to help ensu...
Learn More
07.11.2024
Article
Here's how implementing return-to-work programs benefits healthcare organizations.
Learn More