ONC Information Blocking Rule and Clinical AI: What Health Systems and EHR Vendors Must Document
The ONC 21st Century Cures Act Final Rule (45 CFR Part 171) prohibits information blocking — practices that interfere with access to electronic health information (EHI). Clinical AI outputs incorporated into patient records are EHI and are subject to FHIR patient access API requirements within 1 business day of documentation. Restricting access to AI-generated clinical data requires an applicable ONC exception, with documentation. The ONC HTI-1 Final Rule adds Predictive DSI transparency requirements for certified health IT developers offering clinical AI.
Information Blocking and Clinical AI Outputs
Under 45 CFR §171.103, information blocking is any practice that an actor knows or should know is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. AI-generated risk scores, diagnostic recommendations, treatment suggestions, and clinical notes documented in the EHR are EHI. Patients who request their complete record under HIPAA and ONC rules have a right to AI-generated clinical content incorporated into that record. Four clinical AI practices create information blocking risk: AI output not surfaced to patients via FHIR API, vendor contract terms restricting data portability, AI middleware that degrades FHIR API performance, and selective disclosure of AI reasoning while withholding inputs.
ONC Exceptions Relevant to Clinical AI
ONC has established eight exceptions to information blocking; four are most relevant to clinical AI. Privacy Exception (§171.202): restricting access to comply with HIPAA, state law, or 42 CFR Part 2 — requires a written policy with a legal basis, applied consistently rather than selectively. Security Exception (§171.203): restricting access for a documented security risk based on a reasonable assessment, not a speculative concern — the same consistency requirement applies. Infeasibility Exception (§171.204): technical infeasibility of responding to an access request — requires a written response within 10 business days, and a cure period once feasibility is established. Content/Manner Exception (§171.301): responding in a different format when the requested format is not possible, subject to good-faith negotiation.
ONC HTI-1 Predictive DSI Transparency Requirements
ONC's Health Data Technology and Interoperability (HTI-1) Final Rule (effective June 2024) requires certified health IT developers offering Predictive DSI — clinical AI generating risk scores or recommendations — to publish specific information: intervention type and intended use population, training data sources and demographic composition, and performance metrics with demographic breakdowns. This transparency requirement is materially similar to EU AI Act Annex IV technical documentation and FDA's transparency requirements for Software as a Medical Device. Health IT developers seeking or maintaining ONC certification must comply. Providers are not directly subject to HTI-1 certification requirements, but their EHR vendors' compliance affects available certified tools.
FHIR API Requirements for AI-Generated Clinical Data
USCDI v3 defines minimum EHI data elements accessible via FHIR R4 APIs. AI-generated clinical data within USCDI data class definitions — clinical notes, assessments, observations, care plans — must be accessible through the patient access API (§170.315(g)(10)) within 1 business day of incorporation into the record. Clinical AI vendors building middleware must ensure AI outputs flow to the EHR documentation function within this window. AI outputs stored in proprietary systems separate from the certified EHR are not directly subject to the 1-business-day FHIR requirement, but non-incorporation may raise information blocking questions if the proprietary data would otherwise be accessible as part of the patient record.
FDA SaMD, HIPAA, and ONC: Coordinated Clinical AI Compliance
Clinical AI systems sit at the intersection of three frameworks. FDA SaMD regulation covers safety and effectiveness for clinical AI used in diagnosis or treatment — requiring 510(k) or De Novo clearance for high-risk CDS and real-world performance monitoring. The HIPAA Security Rule covers protection of ePHI — audit controls (§164.312(b)) for AI systems touching ePHI and a BAA with each AI vendor. ONC information blocking covers access, exchange, and use of EHI, including AI-generated clinical data — FHIR API compliance, Predictive DSI transparency, and exception documentation when access is restricted. A clinical AI implementation must satisfy all three simultaneously. A unified documentation approach — per-decision records with inputs/outputs, audit trails, performance monitoring, and transparency documentation — satisfies core requirements across all three frameworks.
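As an added example (not from the original page), the following Python check ties the 1-business-day patient access API window from the FHIR section to the per-decision records described just above: it matches each documented AI output to the FHIR R4 Observation the patient access API actually served and flags outputs that were surfaced late or never surfaced at all. The record layout, the Bundle contents, and the Mon-Fri business-day rule (holidays ignored) are assumptions; all sample data is constructed.

```python
from datetime import datetime, timedelta
# Constructed per-decision AI records: inputs, output, when the output was
# incorporated into the chart, and the FHIR resource it became.
AI_DECISION_LOG = [
    {"decision_id": "ai-001", "inputs": {"lactate": 2.9}, "output": {"risk": 0.81},
     "documented_at": "2024-06-03T15:30:00Z", "fhir_ref": "Observation/obs-ai-001"},
    {"decision_id": "ai-002", "inputs": {"lactate": 1.1}, "output": {"risk": 0.12},
     "documented_at": "2024-06-07T17:00:00Z", "fhir_ref": "Observation/obs-ai-002"},  # Friday
    {"decision_id": "ai-003", "inputs": {"age": 71}, "output": {"risk": 0.44},
     "documented_at": "2024-06-05T09:00:00Z", "fhir_ref": "Observation/obs-ai-003"},
]
# Constructed FHIR R4 searchset Bundle as served by the patient access API;
# `issued` is when each Observation became available through the API.
PATIENT_API_BUNDLE = {
    "resourceType": "Bundle", "type": "searchset", "entry": [
        {"resource": {"resourceType": "Observation", "id": "obs-ai-001", "status": "final",
                      "issued": "2024-06-05T10:00:00Z"}},  # surfaced a day after the deadline
        {"resource": {"resourceType": "Observation", "id": "obs-ai-002", "status": "final",
                      "issued": "2024-06-10T12:00:00Z"}},  # Monday: within 1 business day of Friday
        # obs-ai-003 is deliberately absent: that AI output never reached the API
    ],
}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def add_business_days(start, days):
    """Advance by Mon-Fri business days; holidays are ignored (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def check_patient_api_availability(log, bundle, now):
    """Map each decision_id to 'ok', 'late', 'missing' or 'pending'."""
    issued_by_ref = {}
    for e in bundle.get("entry", []):
        r = e["resource"]
        issued_by_ref[f"{r['resourceType']}/{r['id']}"] = parse_ts(r["issued"])
    result = {}
    for rec in log:
        deadline = add_business_days(parse_ts(rec["documented_at"]), 1)
        issued = issued_by_ref.get(rec["fhir_ref"])
        if issued is None:  # not exposed at all: blocking risk once the deadline passes
            result[rec["decision_id"]] = "missing" if now > deadline else "pending"
        else:
            result[rec["decision_id"]] = "ok" if issued <= deadline else "late"
    return result
```

A 'late' or 'missing' result is the point at which an applicable ONC exception and its documentation should exist, or the gap is an information blocking finding waiting to happen.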