It depends. The Manner Exception, in particular the last provision of the “alternative manner” (45 CFR 171.301(b)(1)(iii)), does not specify the particular file extensions or outputs that must be supported. Instead, as a last alternative to make electronic health information (EHI) accessible, exchangeable, or useable, this specific provision within the exception requires actors to produce EHI in a “machine-readable format, including the means to interpret the electronic health information, agreed upon with the requestor.” If it is necessary to produce a PDF for the purpose of meeting this provision, the PDF should be an interpretable, machine-readable output. While this may be possible for some PDFs, other PDFs, such as those that include EHI as images, generally might not be an interpretable, machine-readable output.  

One way a PDF could be a machine-readable format would be if it was structured so that the data it conveyed could be consumed by another software program using consistent processing logic, consistent with the National Institute of Standards and Technology’s definition of “machine-readable.” If a data output format is structured so that the EHI it conveys is machine readable, then that output format is a machine-readable format, regardless of the file extension.

Updated:

This FAQ has been updated pursuant to the HTI-1 Final Rule.

Generally, yes, but it may depend on the circumstances.

The scope of EHI^[1] for which the actor must fulfill a request for access, exchange, or use in order to satisfy the Manner Exception is determined by the scope of the request and thus by the requestor. This is true regardless of whether the actor seeks to fulfill the request consistent with the manner requested condition (see 45 CFR 171.301(a)), the alternative manner condition (45 CFR 171.301(b)), or a combination of the conditions.

If the requestor’s request is for access, exchange, or use of a subset of EHI that the actor can fulfill in the manner requested (45 CFR 171.301(a)), then the actor can satisfy the Manner Exception by providing access, exchange, or use of that subset of EHI in that requestor-specified manner so long as the actor’s practice in doing so is otherwise consistent with the Manner Exception (45 CFR 171.301).

By contrast, if the actor cannot reach an agreement with the requestor or is not technically capable of providing all of the requested EHI in a particular requestor-specified manner, then to satisfy the Manner Exception for the request the actor would need to use one or more additional alternative manners specified by the requestor (45 CFR 171.301(b)(1)(i) and (ii)) or agreed to by the requestor (45 CFR 171.301(b)(1)(iii)), working through manners in the priority order identified in the alternative manner condition, until the actor has made all requested EHI available to the requestor.

An actor might have the technical capability to satisfy the Manner Exception for only some of the EHI requested in the manner(s) the requestor specifies. In such instances, the actor may want to consider whether another exception may apply for the remaining EHI not fulfilled through the Manner Exception.

^[1] EHI is defined for purposes of the information blocking regulations in 45 CFR 171.102. On and after October 6, 2022, the scope of EHI for purposes of the information blocking definition (45 CFR 171.103) is EHI as defined in 45 CFR 171.102 (89 FR 1199, 85 FR 70069). 

When an actor believes they can fulfill a request for access, exchange, or use of electronic health information (EHI), they may seek to satisfy the Manner Exception (45 CFR 171.301) to be sure they are not committing information blocking. The Manner Exception states in principle that an actor “must fulfill a request for EHI in any manner requested, unless the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor to fulfill the request in the manner requested” (45 CFR 171.301(a)(1), 85 FR 25877). If an actor does not fulfill a request for EHI in any manner requested because the actor is technically unable to fulfill the request or cannot reach agreeable terms with the requestor, the Manner Exception then specifies that an actor must fulfill the request in an alternative manner (45 CFR 171.301(b)).

Under this alternative manner condition of the Manner Exception, the actor must fulfill the request for EHI without unnecessary delay in an alternative manner (45 CFR 171.301(b), 85 FR 25878). The actor must offer alternative manners in a strict priority order, starting with 45 CFR 171.301(b)(1)(i) and only proceeding to the next consecutive paragraph if the actor is technically unable to fulfill the request in the manner identified in the paragraph.

Importantly, a requestor must specify the technology or standards, respectively, of the alternative manners under paragraphs (b)(1)(i) and (ii) or agree to an alternative machine-readable format under paragraph (b)(1(iii). Simply put, if the requestor does not specify technology certified to a standard or standards adopted in part 170 ((b)(1)(i)), or content and transport standards published by certain publishers ((b)(1)(ii)), or agree to an alternative machine-readable format ((b)(1)(iii)), then the actor cannot meet the alternative manner condition of the Manner Exception. An actor is not permitted to presume or dictate the manner in which access, exchange, or use of EHI is fulfilled under the alternative manner condition of the Manner Exception.

If an actor is unable to meet the Manner Exception, the actor may want to consider whether the actor can meet the conditions of another exception. For example, the actor may be able to rely on the Infeasibility Exception. One factor of the infeasible under the circumstances condition of the Infeasibility Exception is “why the actor was unable to provide access, exchange, or use of electronic health information consistent with the Manner Exception.” (45 CFR 171.204(a)(5)(i)(F), 85 FR 25867).

No, it would not be information blocking if the actor’s practice of not fulfilling a request in such circumstances meets the Privacy Exception (45 CFR 171.202). All actors remain responsible for disclosing EHI only when the disclosure is allowed under all applicable federal laws. For example, actors who are HIPAA covered entities or business associates must comply with the HIPAA Privacy Rule and any other applicable federal laws that limit access, exchange, or use of EHI in particular circumstances. Adherence to such federal laws is not information blocking, if the other conditions of the Privacy Exception are also met.*

In particular, where federal law such as the HIPAA Privacy Rule does not permit EHI to be used or disclosed unless certain requirements (“preconditions”) are met, then an actor’s practice of not fulfilling a request to access, exchange, or use EHI when these preconditions are not met is not information blocking.*** The Precondition Not Satisfied (45 CFR 171.202(b)) sub-exception of the Privacy Exception outlines a framework for actors to follow so that the actors’ practices of not fulfilling requests to access, exchange, or use EHI would not constitute information blocking when a precondition of applicable law has not been satisfied.

One example that highlights the alignment between the HIPAA Privacy Rule and the information blocking regulations is when a law enforcement official requests records of abortions performed from a clinic. As explained in the “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care” guidance issued by the Office for Civil Rights, there are certain preconditions that must be met before this disclosure can be made: “If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.” In this example, federal law does not permit the disclosure of EHI unless certain requirements are met, and therefore, the actor’s practice not to disclose EHI would not be information blocking. We note that this is just one example of how the HIPAA Privacy Rule gives individuals confidence that their protected health information, including information relating to abortion and other sexual and reproductive health care, will be kept private. Please see the guidance from the Office for Civil Rights for additional information and examples.

A second example of the alignment between the HIPAA Privacy Rule and the information blocking regulations is in circumstances where the HIPAA Privacy Rule permits a covered entity to use or disclose EHI only following receipt of a valid HIPAA authorization from the individual (patient) or the individual’s personal representative. If an actor does not have a valid HIPAA authorization from the individual or their personal representative that permits the use or disclosure of EHI for the requested purpose, then a precondition for disclosure is not satisfied. Accordingly, the actor’s practice of not disclosing EHI would not be considered information blocking if it is consistent with the requirements of the Precondition Not Satisfied sub-exception.

To emphasize, wherever any federal law requires the authorization of the individual to disclose the EHI, an individual may always choose not to give such authorization, and an actor who does not disclose the EHI would not be information blocking if the actor meets all applicable requirements of the Privacy Exception.

No, if the actor’s conduct satisfies the requirements of the information blocking regulations, such as the Privacy Exception (45 CFR 171.202). For example, the sub-exception Respecting an Individual’s Request Not to Share Information permits an actor, unless the disclosure is required by law, to honor an individual’s request not to provide access, exchange, or use of the individual’s EHI, which aligns with the individual’s right to request a restriction on disclosures of their protected health information under the HIPAA Privacy Rule (45 CFR 164.522(a)(1)).

Separately, if an actor has privacy or security concerns about disclosing EHI to an app/app developer with which an individual may choose to share their EHI, an actor may educate the individual about such concerns consistent with the following FAQ: Will educating patients about the privacy and security risks posed by third-party apps that the patient chooses be considered interference?

Yes, if the actor satisfies the requirements of the information blocking regulations, such as the Precondition Not Satisfied sub-exception of the Privacy Exception (45 CFR 171.202(b)).** For purposes of the information blocking regulations, health care providers and other information blocking actors operating under multiple state laws, or state and tribal laws, with inconsistent legal requirements for EHI disclosures may choose to adopt uniform policies and procedures so that the actor only makes disclosures of EHI that meet the requirements of the state law providing the most protection to individuals’ privacy (45 CFR 171.202(b)).** Essentially, the Precondition Not Satisfied sub-exception establishes conditions under which an actor may adopt policies to satisfy state laws with more restrictive preconditions and apply those policies in all the jurisdictions in which they operate. 

To illustrate, consider a scenario in which an actor operates in two states, “State A” and “State B.” State A forbids disclosure of certain EHI, such as EHI specific to reproductive health care, to another health care provider, who is also currently treating the individual, without first obtaining written authorization from the individual. This scenario assumes State B’s law does not require authorization from the individual for disclosure of reproductive health care EHI for treatment purposes. In this scenario, an actor subject to the laws of both State A and State B can, consistent with the Privacy Exception (see 45 CFR 171.202(b)(3)), adopt uniform privacy policies and procedures that result in the actor disclosing EHI only when the individual has provided written authorization for a specific disclosure (consistent with the more privacy-protective requirements of State A’s law) of EHI about them for treatment purposes across the actor’s operations in both State A and State B. If the actor’s policies, procedures, and actions are consistent with the requirements of the Precondition Not Satisfied sub-exception (45 CFR 171.202(b)), the actor’s practices would not be considered information blocking – even though the actor’s uniform privacy policies and procedures may deny or delay access, exchange, or use of EHI in State B that (under laws in force in State B) would not require specific written authorization.

In a second, similar scenario, State A’s law sets more privacy protective or more “stringent”  requirements (“preconditions”) than both State B’s law and the HIPAA Privacy Rule for disclosures of EHI^[1] for particular purposes (such as disclosing information related to reproductive health care for law enforcement purposes^[2]). An actor operating in States A and B can meet the requirements of the Precondition Not Satisfied sub-exception (45 CFR 171.202(b)(1) through (3)) in order to have confidence that disclosing EHI only when the disclosure is consistent with the most privacy protective (most restrictive or most “stringent”) preconditions (in this example, State A’s) across all their operations in both State A and State B would not be considered information blocking.

^[1] “EHI” as defined in 45 CFR 171.102 is a subset of protected health information (PHI). See 45 CFR 160.103 (definition of “protected health information”). For more information on the HIPAA Privacy Rule and its conditions for disclosures of protected health information (PHI), please see resources of the Office for Civil Rights at HHS.gov/HIPAA.

^[2] For example, see “HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care,” which discusses the permissibility of disclosures for law enforcement purposes under the HIPAA Privacy Rule.