Introduction
The 21st Century Cures Act information blocking provisions went into full effect in October 2022. OIG enforcement began in 2024. For health IT teams, the practical implication is clear: systems that restrict or impede the flow of electronic health information — even through technical friction, not just explicit blocking — are now subject to civil monetary penalties. The architecture requirements that follow from the Act are specific: [[[[FHIR](/terms/FHIR)](/terms/FHIR)](/terms/FHIR)](/terms/FHIR) R4 APIs, bulk data export, and patient-facing data access flows that cannot be gatekept.
This guide translates the Cures Act's information blocking provisions and ONC's implementing regulations into concrete data architecture requirements.
What the Cures Act Prohibits
The information blocking provisions prohibit actors (health IT developers, health information networks, health care providers) from practices that are likely to interfere with access, exchange, or use of electronic health information (EHI), unless the practice qualifies for one of eight defined exceptions.
The eight exceptions (practices that are NOT information blocking):
- Preventing harm
- Privacy (HIPAA/state privacy law compliance)
- Security
- Infeasibility
- Health IT performance
- Content and manner (format restrictions)
- Fees
- Licensing
The key architectural implication: if your system technically enables information access but imposes unreasonable friction (slow APIs, complex authentication, expensive licensing fees), ONC can determine that the friction itself constitutes information blocking.
ONC Certified Health IT Requirements
ONC's 21st Century Cures Act Final Rule (ONC-Cures) requires EHR developers to achieve certification against the ONC Health IT Certification Program. For certified health IT, the following technical capabilities are mandatory:
Standardized API for Patient and Population Services
Certified EHRs must implement the ONC FHIR API certification criteria, which requires:
- FHIR R4 server supporting the US Core Implementation Guide
- SMART on FHIR authorization (both patient-facing and system scopes)
- Bulk Data Access (FHIR Bulk Data IG) for population-level queries
- Support for all required US Core resources
Required US Core resources (abridged):
Patient, AllergyIntolerance, CarePlan, CareTeam,
Condition (Problems and Health Concerns), Coverage,
Device (Implantable), DiagnosticReport (Lab, Cardiology, Radiology),
DocumentReference, Encounter, ExplanationOfBenefit,
Goal, Immunization, Location, Medication, MedicationDispense,
MedicationRequest, Observation (Lab, Vital Signs, Smoking Status),
Organization, Practitioner, PractitionerRole, Procedure,
Provenance, QuestionnaireResponse, RelatedPerson, ServiceRequest, Specimen
Bulk Data Export Architecture
The Cures Act requires population-level data access via FHIR Bulk Data. For health systems, this means implementing the $export operation at the Group or Patient level.
Bulk Export Pipeline Design
# FHIR Bulk Export operation handler (simplified)
async def handle_bulk_export_request(
group_id: str,
resource_types: list[str],
since: str,
requester_id: str,
purpose: str # TREATMENT, PAYMENT, OPERATIONS, INDIVIDUAL_ACCESS
):
# 1. Authorize the request (SMART backend services or patient SMART flow)
if not await authorize_bulk_request(requester_id, purpose, group_id):
raise UnauthorizedError("Requester not authorized for this bulk export")
# 2. Log the export request (information blocking audit)
export_id = await log_export_request(requester_id, group_id, resource_types, purpose)
# 3. Queue async export job (bulk exports take time)
await queue_export_job(export_id, group_id, resource_types, since)
# 4. Return 202 Accepted with Content-Location for polling
return {
"status": 202,
"content_location": f"/$export-status/{export_id}"
}
The bulk export must produce NDJSON files (newline-delimited JSON) in FHIR R4 format, organized by resource type.
Information Blocking Audit Logging
Every API request that involves EHI access should be logged for information blocking compliance. The log must be able to demonstrate that access was provided (not blocked) to authorized requesters.
CREATE TABLE governance.ehi_access_log (
access_id BIGINT GENERATED ALWAYS AS IDENTITY,
access_ts TIMESTAMP NOT NULL,
requester_id VARCHAR(100) NOT NULL,
requester_type VARCHAR(30), -- PATIENT, PROVIDER, PAYER, HIE
access_purpose VARCHAR(50), -- TPO, INDIVIDUAL_ACCESS, PUBLIC_HEALTH
fhir_operation VARCHAR(50), -- read, search-type, $export, etc.
resources_requested VARCHAR(500), -- comma-separated resource types
access_granted BOOLEAN NOT NULL,
denial_exception VARCHAR(50), -- if denied: which exception applies
denial_reason_detail VARCHAR(500),
response_time_ms INT, -- for performance friction detection
ehi_record_count INT, -- how many EHI records accessed
PRIMARY KEY (access_id)
);
Track response_time_ms — consistently slow API responses for specific requesters could be construed as information blocking by technical impediment.
Patient-Facing Data Access
The Cures Act explicitly protects patient rights to access their own EHI. Your patient access architecture must:
- Allow patients to designate third-party apps to access their data on their behalf
- Not restrict which third-party apps can connect (subject to security review exceptions)
- Not charge patients for accessing their own data through API
The patient-facing SMART on FHIR flow:
[Patient] → [Third-Party App] → [Authorization Server (SMART)] → [FHIR Server]
↓
[Patient authenticates]
[Grants scopes: patient/*.read]
↓
[Access token issued]
↓
[App queries FHIR Server with token]
[Patient data returned]
Common Cures Act Architecture Gaps
-
FHIR server with incomplete US Core coverage: Missing resources (DiagnosticReport, DocumentReference, Provenance) creates an information blocking risk for those data types.
-
Bulk export not implemented: Organizations that offer patient-level FHIR but not bulk export are not meeting the population-level access requirement.
-
Slow API responses for third-party apps: If your API responds in 200ms for internal consumers but 5 seconds for third-party app consumers, that performance disparity is an information blocking red flag.
-
Authentication friction for third-party apps: Requiring manual review and multi-week approval for third-party app registration — without a security-based justification — can constitute information blocking.
Key Takeaways
- Information blocking is not just about explicit restriction — unreasonable technical friction (slow APIs, complex authentication, high fees) can constitute blocking.
- US Core compliance is the FHIR baseline for Cures Act compliance. Gaps in US Core resource coverage create direct compliance risk.
- Bulk Data Export is mandatory, not optional. Population-level FHIR access must be supported alongside patient-level access.
- Log every EHI access event, including response time. Audit logs are your primary evidence that access was provided, not blocked.
- Use the [Schema Diff](/tools/schema-diff) to track changes to your FHIR-backing data models — a schema change that removes a mapped US Core resource creates an immediate Cures Act compliance gap.
mdatool Team
The mdatool team builds free engineering tools for healthcare data architects, analysts, and engineers working across payer, provider, and life sciences data.
Related Guides
Key Terms in This Article
More in Data Governance
Healthcare Data Governance: Building a Data Dictionary for Your Health Plan or PBM
Most health plans have a data governance policy. What they often lack is the artifact governance committees produce: a working data dictionary engineers actually use. Here is how to build one — and make it stick across teams.
Read moreWhy Health Plans Need a Healthcare Data Dictionary in 2026
Three engineers at the same health plan. Same patient database. Three different column names for date of birth. This is the hidden cost of inconsistent data naming — and it is almost never a line item in the budget. Here is the ROI case for healthcare data dictionaries.
Read moreHealthcare Data Dictionary: Complete Guide for Data Engineers in 2026
Every healthcare data warehouse eventually fails a HIPAA audit, produces a wrong HCC score, or generates a failed HEDIS submission — and traces the problem back to a missing or inconsistent data dictionary. Here is how to build one that actually gets used.
Read moreFree Tools
Ready to improve your data architecture?
Free tools for DDL conversion, SQL analysis, naming standards, and more.
Get weekly healthcare data engineering tips
Practical guides on data modeling, SQL standards, and healthcare domain conventions — straight to your inbox.
No spam. Unsubscribe any time.