Under new rules being proposed by HHS, health care providers and others would have to cease practices the government is calling “information blocking,” under threat of fines (for some types of businesses) or possible restriction from participation in government health programs.

The draft rules come as HHS works to implement provisions in the 21st Century Cures Act written to ease sharing of patient information throughout the health care system, including with patients themselves. When finalized, the rules are likely to mean hospitals and other providers also will have to adopt new—or better—systems to allow patients to “electronically access all of their electronic health information,” or EHI. That new acronym is ubiquitous in the 687-plus-page proposed rule issued by the HHS Office of the National Coordinator for Health Information Technology (ONC).

The information blocking provisions in the proposed rule are likely of most interest to HIPAA covered entities (CEs) and business associates (BAs). ONC officials said they “consulted extensively” with the HHS Office for Civil Rights (OCR) to craft these provisions with the “shared goals of preventing information blocking for nefarious or self-interested purposes while maintaining and upholding existing privacy rights and protections for individuals.”

In tandem with ONC’s proposed rule, the Centers for Medicare & Medicaid Services issued its own, clocking in at 251 pages, that would require “Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and qualified health plans in the federally-facilitated exchanges [to] provide enrollees with immediate electronic access to medical claims and other health information electronically by 2020.”

Both rules were published in the March 4 Federal Register, with a comment deadline of May 3. They were initially announced at the HIMSS conference in mid-February and posted on the Public Inspection, or advance version of the Federal Register, on Feb. 22.

The ONC draft regulation establishes seven exceptions for when such blocking is allowed by entities, referred to as “actors,” covered by the law. One such proposed exception is for “promoting the privacy of electronic health information.”

The proposed rule also details the process for investigations and sanctions, including civil penalties, by HHS Office of Inspector General (OIG) for actors—provider organizations, health IT developers, exchanges and others—that engage in information blocking. As far as specific penalties, however, these are not spelled out, and ONC is seeking more information to help identify them.