The HTI-1 Final Rule, published in the Federal Register on January 9, 2024 (89 Fed. Reg. 1496), was initially set to take effect on February 8, 2024, but ONC later extended the effective date to March 11, 2025. That date has now arrived, marking an important milestone in the evolution of the federal interoperability framework. HTI-1 updates both the ONC Health IT Certification Program and the Information Blocking Regulations under 45 C.F.R. Part 171. Among its most consequential provisions is the creation of a new TEFCA Manner Exception, designed to bring the information blocking framework into closer alignment with the nationwide Trusted Exchange Framework and Common Agreement (TEFCA).
Why the TEFCA Exception Matters
The new TEFCA Manner Exception has significant implications for health information networks (HINs) and health information exchanges (HIEs). These entities are explicitly defined as “Actors” under the Information Blocking Rule and are subject to the stricter “knows or should know” knowledge standard. To understand the stakes, the exception must be viewed in the broader statutory context and its effect compared across TEFCA participants and non-participants.
The Information Blocking Rule, established by the 21st Century Cures Act and codified at 45 C.F.R. § 171.103, prohibits practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI), unless they fall within one of the enumerated exceptions. Before HTI-1, those exceptions included Preventing Harm, Privacy, Security, Infeasibility, Content and Manner, Fees, Licensing, and Health IT Performance. HTI-1 adds the TEFCA Manner Exception at § 171.403, which allows an actor to fulfill requests for EHI exclusively through TEFCA, so long as the conditions are met.
How the Exception Works
The structure is simple: if both the actor and the requestor are TEFCA participants or subparticipants, and the exchange occurs in accordance with TEFCA’s governance and technical requirements, then limiting fulfillment to TEFCA transactions is not considered information blocking. The exception is conditioned on compliance with related rules, including the Fees (§ 171.302) and Licensing (§ 171.303) exceptions, to ensure TEFCA participation is not misused to impose impermissible costs or contractual restrictions.
In effect, the federal government has elevated TEFCA as the preferred national framework for exchange and provided a safe harbor for actors that route transactions through it.
Different Standards, Different Risks
For HIEs and HINs, this exception is potentially transformative. Unlike health care providers, who are held to the lower “actual knowledge” standard under § 171.103(a)(3), HIEs and HINs are liable if they “know, or should know,” that their policies and practices are likely to “interfere with” EHI exchange. This exposes them to greater compliance risk when implementing governance or security measures that go beyond HIPAA. TEFCA participation offers a shield: by aligning with TEFCA’s framework, networks can adopt a TEFCA-only exchange model with reduced risk of being accused of information blocking.
For those outside TEFCA, the picture is more complicated. Without access to the TEFCA exception, any restrictive policies must be justified under other exceptions, most often Security or Privacy. The Security Exception (§ 171.203) permits practices necessary to protect the confidentiality, integrity, and availability of EHI, but requires that they be reasonable, tailored, consistently applied, and supported by documented risk assessments. Broad “business preference” policies, for example, blanket requirements that all patient-facing apps meet NIST IAL2 identity proofing, may not qualify if they are not necessary to address a concrete security risk. The Privacy Exception (§ 171.202) is narrower still. It only permits restrictions that are required by law, such as a statute mandating patient authorization before disclosure. Policies rooted solely in business risk management or internal liability concerns do not qualify.
A Compliance Pathway for Some, a Minefield for Others
These constraints illustrate why the TEFCA exception is so significant. It provides a straightforward compliance pathway for networks that align with TEFCA, while non-participants are left navigating exceptions that are both narrow and demanding. Every restrictive measure outside TEFCA must be carefully documented and justified, often with little margin for error.
It is equally important to note that the TEFCA exception is not dispositive. Falling within it does not immunize an actor from all scrutiny. Even TEFCA participants must ensure their practices are reasonable and consistent with Part 171 as a whole. Still, the exception offers a substantial compliance advantage by aligning policies with a governance model that ONC itself has endorsed as sufficient for safe harbor treatment.
A Push Towards TEFCA
The message is clear. Congress, ONC, and OIG are steadily pushing the industry toward TEFCA. By establishing a dedicated exception, regulators are making the compliance trade-offs explicit: join TEFCA and reduce your information blocking exposure or remain outside and face the burden of fitting every restrictive measure into one of the narrower exceptions. With civil monetary penalties of up to $1 million per violation for HIEs, HINs, and developers, this is not a trivial calculation.
For providers, who face programmatic disincentives rather than financial penalties, the calculus may be different. But for HIEs and HINs, entities structurally similar to TEFCA itself, the incentive to participate is profound. TEFCA not only facilitates national-scale interoperability but also provides a critical compliance shield against the growing risk of information blocking enforcement.
The effective date of HTI-1 is far more than a technical compliance deadline. It represents a turning point in federal interoperability policy. From today forward, HIEs and HINs must decide whether to navigate the strict confines of the Security and Privacy exceptions on their own, or to embrace TEFCA and secure the protection of a safe harbor designed with them in mind. Either path carries significant operational and legal consequences, but the direction of federal policy is clear: TEFCA is being positioned as the default national framework for EHI exchange, and the information blocking rules are evolving to make that vision a reality.