top of page
Search

Information Blocking Enforcement is Finally Here – What “Actors” Should Know

  • Writer: Dennis Sapien-Pangindian
    Dennis Sapien-Pangindian
  • Sep 9
  • 4 min read
Information Blocking
After years of regulatory developments, enforcement is finally on the horizon for information blocking.

On September 3, 2025, the U.S. Department of Health and Human Services (HHS) announced that Secretary Robert F. Kennedy, Jr. directed HHS to increase resources dedicated to curbing the harmful practice of information blocking. The 21st Century Cures Act of 2016 authorized the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) and HHS Office of Inspector General (OIG) to take enforcement actions to hold those who block patient information accountable and to prevent future violations.


As a result, ASTP/ONC, the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology, and OIG, the primary investigative division of HHS, will play leading roles in this initiative. While the information blocking regulatory scheme has been in place for years now, and OIG’s enforcement authorities in effect since September 1, 2023, there has not been an ostensibly significant effort to begin such enforcement until now.


What is Information Blocking?

The 21st Century Cures Act defines information blocking as practices that are likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI), except where required by law or covered by an allowable exception. In plain terms, it’s when providers, developers, or health information networks make it harder than it should be for patients, clinicians, or payors to get the information they need.


Examples include:

  • A hospital refusing to share patient records with an unaffiliated physician treating the patient.

  • An electronic health record (EHR) vendor charging excessive fees to export patient data.

  • A health IT developer delaying implementation of interoperability features that would allow data sharing.


ASTP/ONC has issued regulations addressing information blocking, including identifying limited exceptions—such as to protect privacy or ensure security—where an entity will not be considered to have committed information blocking if its actions meet the conditions of the exceptions (45 CFR Part 171).


The Cures Act created clear expectations: patients must have access to their health data, and information should flow freely to support care coordination and innovation.


What are the Penalties for Information Blocking?

OIG has the authority to investigate claims of information blocking and impose civil monetary penalties (CMPs) against individuals and entities that commit information blocking (42 U.S.C. 300jj-52). Specifically, OIG the Cures Act built upon OIG’s already-existing investigative and enforcement authorities such that it may impose CMPs of up to $1 million per violation against:

•       Health IT developers of certified health IT,

•       Entities offering certified health IT,

•       Health information exchanges (HIEs), and

•       Health information networks (HINs).


OIG stated that it will prioritize enforcement where practices cause patient harm, significantly impact or impair a provider’s ability to deliver patient care, are of long duration, or cause financial loss to Federal health care programs or other Government or private entities.

 

Furthermore, ASTP/ONC can ban a developer of certified health IT that information blocks from the ONC Health IT Certification Program and may also terminate the certification of health IT involved in information blocking. ASTP/ONC has stated that it intends to investigate and take swift action where warranted.

 

Why HCPs Should Also Care About Information Blocking

Just because healthcare providers may not be subject to CMPs, it does not mean they are off the hook completely. Under the Cures Act, OIG may investigate and refer providers that engage in information blocking to HHS, which may impose appropriate disincentives. CMS has established specific disincentives that it may apply to the following providers:


•       Eligible hospitals and critical access hospitals participating in the Medicare Promoting Interoperability Program;

•       Merit-based Incentive Payment System eligible clinicians (including a group practice); and

•       A Medicare Shared Savings Program accountable care organization (ACO), ACO participants, and ACO providers/suppliers.


Additionally, HCPs should be wary of the fact that the regulations defining the terms “Health IT developers of certified health IT”, “HIEs,” and “HINs” are functional definitions. Therefore, if an entity that considers itself a healthcare provider, but nonetheless acts in a way that is consistent with these definitions, they may indeed be subject to CMPs. Therefore, it is important for HCPs to take stock of their functions as they relate to HER interoperability such that they do not unwittingly make themselves eligible for CMPs.


How Should Actors Prepare for Information Blocking Enforcement?

“Actors” under the Cures Act include health IT developers, health information networks, and healthcare providers. To prepare:

  • Review Policies and Contracts: Ensure that data sharing agreements and EHR contracts don’t create unnecessary barriers to access.

  • Implement Compliance Programs: Designate a compliance officer and train staff on information blocking rules just as they should with any other regulatory risk.

  • Leverage ONC Exceptions: Understand the nine regulatory exceptions where limiting data exchange is permitted (e.g., privacy, security, preventing harm).

  • Audit Systems: Test whether patients and outside providers can actually access the information as required.

  • Document Decision-Making: If you rely on an exception, maintain detailed documentation to justify your actions.


Final Thoughts

Information blocking enforcement has officially arrived. What was once an abstract compliance requirement is now an area of active investigation and penalties. “We have already begun reviewing reports of information blocking against developers of certified health IT under the ONC Health IT Certification Program and are providing technical assistance to our colleagues at OIG for investigations,” said Tom Keane, MD, Assistant Secretary for Technology Policy and National Coordinator for Health Information Technology. For healthcare innovators, startups, and providers alike, the message is clear: ensure your systems and policies comply with Federal and State interoperability requirements—or risk significant consequences.


By taking proactive steps today, you can not only avoid enforcement but also improve patient trust and strengthen your position in a healthcare ecosystem that increasingly values transparency and interoperability.


This blog is for informational purposes only and not legal advice. For specific guidance on information blocking compliance, consult with experienced counsel or compliance experts.

bottom of page