In this third post in Gravely Group’s series on the information blocking exceptions, we will walk through the requirements of the Privacy Exception. The Privacy Exception focuses on when an Actor’s Practice of not fulfilling a request for electronic health information (EHI) will, nonetheless, not be considered information blocking because the EHI is withheld in order to protect an individual’s privacy. However, per ONC, this exception is narrowly intended to “allow for the protection of patients and other particular persons against substantial risks of harm otherwise arising from the access, exchange, or use of EHI in defined circumstances.”[1]

You already know from our previous posts that an Actor who relies on an exception is required to meet every element of the exception. The Privacy Exception is uniquely structured in that it consists of four, discrete sub-exceptions. An Actor that relies on the Privacy Exception must meet all of the requirements under at least one of these four sub-exceptions.

 If you have not yet read Gravely Group’s overview of the information blocking exceptions, we suggest you check it out!

Privacy Sub-Exception 1: Precondition Not Satisfied

The first sub-exception applies if applicable law imposes a specific precondition that must be satisfied before information may be released, and that precondition has not been met. ONC has expressed concerned about this sub-exception being used as a “pretext” to deny access, exchange, or use of EHI and requires that the Practice be narrowly applied.

The requirements for Sub-exception 1 are:

  1. Organizational Policies & Procedures: The Practice must conform to the Actor’s written policies and procedures that specify the criteria the Actor uses to determine when the precondition is satisfied and, if applicable, specify what steps the Actor will take to satisfy the precondition. These policies and procedures must also be implemented by the Actor, including through the provision of training on such policies and procedures.
  2. Case-by-Case Determination: The Practice must be documented by the Actor on a case-by-case basis, with such documentation identifying the criteria the Actor uses to determine when the precondition is satisfied, the criterion/criteria that were not met in the instance being documented, and why the criterion/criteria were not met.

Privacy Sub-Exception 2: Health IT Developer of Certified Health IT Not Covered by HIPAA

This sub-exception only applies to those health IT developers that are not covered by the HIPAA Privacy Rule. Most health IT developers are Business Associates of their Covered Entity customers, so this sub-exception will not apply to them.

In order to satisfy sub-exception 2 of the Privacy Exception, the Actor must include the applicable Practice in the Actor’s organizational privacy policies. These policies must:

Privacy Sub-Exception 3: Denying an Individual’s Request for His/Her Own Information as Allowed Under 45 CFR 164.524(a)(1) and (2)

This sub-exception simply says that if an Actor withholds EHI on the basis of this HIPAA provision, it is not violating the Information Blocking rule. However, an Actor must be able to demonstrate that it fully complies with the HIPAA requirements before relying upon this sub-exception.

HIPAA allows a Covered Entity or a Business Associate to deny an individual access to his/her own PHI in limited situationsThe Privacy Rule identifies specific grounds on which a Covered Entity or their Business Associate may deny an individual access to their own PHI in very limited situations, which are:

Privacy Sub-Exception 4: Respecting an Individual’s Request to Not Share Information

If an individual requests that his/her information not be shared, and an Actor agrees to this request, then the Actor may withhold that information from others unless the Actor is otherwise required by law to provide access, exchange, or use of the EHI.

To satisfy sub-exception 4, the request must:


Gravely Group’s next post in this series on the information blocking exceptions will cover the Preventing Harm Exception. Stay tuned!

 In referring to an individual (singular), this post uses the pronouns “his/her.” This is not intended to be exclusionary, and Gravely Group believes in equality for individuals of all gender identities. What is your preferred inclusive, singular pronoun? Are we being too rigid by avoiding use of “they” as a traditionally plural pronoun?
Let us know your thoughts by hitting us up on Twitter 

[1] 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health Certification Program, 85 Fed. Reg. 25642, 25821 (May 1, 2020), available at: