View all articles | Read the next article | Take the CCB CEU quiz

 

In September 2025, U.S. Department of Health and Human Services (HHS) Secretary Robert F. Kennedy Jr. issued a news release announcing increased federal resources dedicated to reducing information blocking.1 Shortly thereafter, HHS Office of Inspector General (OIG) and Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology published a joint enforcement alert addressing compliance with the Information Blocking Rule. These actions signal heightened federal scrutiny on information blocking, underscoring the need for regulated actors to review potential risks and assess their current policies and practices to ensure compliance.

 

Background

The Information Blocking Rule, was promulgated under the 21st Century Cures Act of 2016. The rule prohibits actors from engaging in any practice except as required by law or covered by an exception that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI).2 Interestingly, by including the word “likely” in the definition of information blocking, a violation can occur even if the practice does not actually block, hinder, or discourage the access, exchange, or use of EHI.

There are three types of actors regulated by the Information Blocking Rule: healthcare providers, health information exchanges and networks (HIE/HIN), and developers of certified health IT. The requisite level of knowledge differs by actor type. For HIE/HIN and certified health IT developers, a violation may occur if the actor “knows” or “should know” the practice was unreasonable and likely to interfere with the access, exchange, or use of EHI.3 Healthcare providers, in contrast, are held to a

30 Compliance Today | March 2026

more narrow knowledge standard, as they must know that a “practice is unreasonable and is likely to interfere with,” prevent, or materially discourage the “access, exchange, or use of” EHI.4

It is important to note that the Information Blocking Rule applies to all individuals and organizations meeting the regulatory definition of actor; this would include those who do not meet the definition of covered entity under HIPAA. For HIPAA covered entities, the Information Blocking Rule works hand in hand with the Right of Access provisions under HIPAA.5,6 Overarchingly, the Information Blocking Rule aims to promote the availability and flow of EHI. By reducing barriers to information sharing, the rule works to enhance coordination of care, improve clinical decision-making, and give patients more agency and control over their personal health information.

Enforcement action/disincentives

Enforcement actions and disincentives for information blocking violations vary by actor type. In July 2023, OIG issued the final rule establishing civil monetary penalties up to $1 million per violation by HIE/HINs and certified health IT developers.7, 8 A violation is defined as a practice that constitutes information blocking.9 Determining whether a practice is a violation requires a review of the case-specific facts and circumstances.

To illustrate when a practice would be considered a violation, and to provide understanding of the violation analysis, OIG provided hypotheticals in the preamble of the 2023 final rule. In one example, OIG explained that if an actor adopts a system change that automatically blocks all requests for EHI submitted through a specific technology platform, this would be a single violation because it was a solitary system change. In such cases, the duration of the practice and the number of patients affected would be considered when determining the penalty amount imposed.

In contrast, OIG described another scenario in which an actor received multiple separate requests for EHI and denied each request individually. As each denial represents a separate decision, each denial would be a separate violation. In this scenario, the penalty could exceed more than $1 million, as each violation can incur separate penalties with consideration for the number of impacted patients. Additionally, health IT developers face an added risk of potentially losing their certification from the Office of the National Coordinator for Health Information Technology (ONC). Decertification can disrupt market participation and provider operations, making it a particularly costly enforcement option.

Conversely, healthcare providers are subject to disincentives tied to Medicare participation. Those disincentives were published in the Federal Register on July 3, 2024.10 For hospitals and critical access hospitals (CAH) participating in the Medicare Promoting Interoperability Program, an information blocking violation results in the facility not being deemed a meaningful electronic health record (EHR) user for the calendar year of the EHR reporting period in which OIG refers its determination of violation to the Centers for Medicare & Medicaid Services (CMS). For hospitals, this would be a 75% loss of the annual market basket increase. At the same time, a CAH will have its payment reduced to 100% instead of 101%.11 If CMS has already determined whether the hospital or CAH is not a meaningful EHR user for the reporting period, there is no additional impact. Moreover, each OIG referral of a violation only affects the meaningful EHR user status in a single reporting period — even if multiple violations occurred within the same period.12

Determining if a practice is a violation requires a review of the case-specific facts and circumstances.

For Merit-based Incentive Payment System (MIPS) eligible clinicians, a violation results in the clinician not being considered a meaningful EHR user and not receiving a score in the Promoting Interoperability performance category for the corresponding performance calendar year. Providers who participate in the Medicare Shared Savings Program (MSSP) as an Accountable Care Organization (ACO) or a participant in an ACO, a violation could bar participation in the savings program for one year. Such a determination could also result in the healthcare provider being removed from their ACO or being prevented from joining an ACO. Notably, HHS has not yet proposed disincentives for healthcare providers that do not participate in the Medicare Promoting Interoperability Program, MIPS, or MSSP, leaving a gap in potential enforcement activities.

Although the information blocking enforcement provisions have been in effect for more than one year, to date of writing, OIG has yet to publicly announce an enforcement action. OIG has identified its “enforcement priorities as conduct that:

“(1) resulted in, is causing,or had the potential to cause patient harm;

“(2) significantly impacted a provider’s ability to care for patients;

“(3) was of long duration;

“(4) caused financial loss to Federal health care programs, or other government or private entities; or

“(5) was performed with actual knowledge.”13

ONC has published data on submissions to the Information Blocking Portal. From April 5, 2021, through August 31, 2025, the ONC received 1,420 submissions.14 One thousand three hundred thirty-six of those represent claims of information blocking. Over 700 of the submissions were reported by patients. Healthcare providers were the subject of roughly five times as many claims as the next most frequent actor type: health IT developers. These data points should be a warning sign to organizations that have not taken action to address the Information Blocking Rule, particularly where multiple complaints could focus on the same actor.

What actions should a healthcare provider consider?

For organizations starting from ground zero, a good starting point is to determine where your EHI is stored. From there, organizations can shift their focus to establishing policies and procedures to monitor compliance with the Information Blocking Rule and related laws such as HIPAA.

◆ Policy: Document your organization’s commitment to sharing EHI and complying with the Information Blocking Rule. Consider starting by outlining the general concept of information blocking, enumerating the exceptions, and delineating the internal review process for EHI requests. Organizations may choose to use a group policy approach to address the rule, in which they have separate policies on the general rule, the exceptions and potentially a third policy to outline their review process for when a request for EHI is received. Others may determine that the Information Blocking Rule is best integrated into their policy on Right of Access under HIPAA.

  • Procedure: Identify the pathways through which individuals and entities may request EHI. Develop a process for reviewing and evaluating requests for EHI. Determine who will respond to the requests for EHI. Establish a standardized process for addressing information blocking complaints and determine who will respond to said complaints. 
  • Assessment: Consider forming a multidisciplinary task group with individuals from your health information management and EHR teams to evaluate current practices and identify opportunities to improve access to EHI. If your organization has a patient portal, involve the EHR team to review the settings surrounding immediate release of information to the patient portal. As a general rule, EHI should be immediately released to the patient portal unless an exception or another law applies. 
  • Monitoring: Partner with your EHR reporting and analytics teams to build reports to review information that may be restricted from release to the patient portal or through the release-of-information process. 

This information may include notes, imaging results, test results, and labs. Some EHRs may contain default or “hidden” build settings that automatically restrict specific note types from release to the patient portal. Once identified, these settings should be reviewed for compliance and adjusted as needed. Regular reporting on EHI restricted from release allows organizations to assess current practices, monitor for compliance, and pinpoint areas for improvement, including educating workforce members.

◆ Education: Ensure workforce members are aware of the Information Blocking Rule and the organization’s policies and procedures. Train individuals who negotiate or manage contracts with third-party vendors to ensure they understand pathways for access, use, and exchange of EHI, preventing inadvertent barriers or unintentional roadblocks. Provide training on the HIPAA Right of Access and the various information blocking exceptions.

Conclusion

With the federal government signaling its commitment to prioritize the Information Blocking Rule and using all available authorities to hold actors accountable, enforcement actions appear to be looming

Endnotes

on the horizon. Developing a robust compliance framework along with regularly reviewing internal policies and practices can help reduce the risk of violations and may serve as a mitigating factor in any enforcement action.

1. U.S. Department of Health and Human Services, “HHS Announces Crackdown on Health Data Blocking,” news release, September 3, 2025, https://www.hhs.gov/press-room/hhs-crackdown-health-data-blocking.html.

2. 45 C.F.R. Part 171, https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171.

3. 45 C.F.R. § 171.103(b)(1), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-A/section

171.103#p-171.103(b)(1). 4. 45 C.F.R. § 171.103(b)(2), https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-D/part-171/subpart-A/section171.103#p-171.103(b)(2).

5. Rachel Nelson and Kathryn Marchesini, “Information Blocking Regulations Work in Concert with HIPAA Rules and Other Privacy Laws to Support Health Information Privacy,” Assistant Secretary for Technology Policy, April 12, 2023, https://healthit.gov/blog/insights-updates/information-blocking-regulations-work-in-concert-with-hipaa-rules-and other-privacy-laws-to-support-health-information-privacy/ . 

6. A. Michi McClure, “Is the Violation Right of Access or Information Blocking? Part 1 of 2,” March 14, 2023, American Institute of Healthcare Compliance, https://aihc-assn.org/is-the-violation-right-of-access-or-information-blocking-part 1-of-2/ . 

7. Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 ( July 3, 2024), https://www.govinfo.gov/content/pkg/FR-2023-07-03/ pdf/2023-13851.pdf . 

8. 42 U.S.C. § 300jj-52(b)(2)(A), https://uscode.house.gov/view.xhtml?req=42+U.S.C.+%EF%BF%BD+300jj-52%28b%29 %282%29%28A%29&f=treesort&fq=true&num=2&hl=true&edition=prelim&granuleId=USC-prelim-title42-section3 00jj-52 .

9. 42 C.F.R. § 1003.1410, https://www.ecfr.gov/current/title-42/chapter-V/subchapter-B/part-1003/subpart-N/ section-1003.1410 .

10. Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,830 ( July 3, 2023), https://www.govinfo.gov/content/pkg/FR-2023-07-03/ pdf/2023-13851.pdf . 

11. 21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking, 89 Fed. Reg. 54,662 ( July 1, 2024), https://www.govinfo.gov/content/pkg/FR-2024-07-01/pdf/2024-13793. pdf . 

12. 21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking, 89 Fed. Reg. at 54,691. 

13. Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. at 42,822. 

14. Assistant Secretary for Technology Policy, “Information Blocking Claims: By the Numbers,” accessed January 8, 2026, https://www.healthit.gov/data/quickstats/information-blocking-claims-numbers . 

Takeaways

  • The U.S. Department of Health and Human Services Office of Inspector General and the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology recently announced the federal government’s increased focus on enforcement of the Information Blocking Rule. 
  • To date, no enforcement actions for information blocking have been published, leading actors to rely on the hypotheticals published in the rulemaking process. 
  • No enforcement action or disincentive has been proposed for healthcare providers that do not participate in certain Medicare programs. 
  • Actors should implement a framework to mitigate risk by ensuring practices comply with the rule or are tailored to meet an exception. 
  • Ensure workforce members are aware of the Information Blocking Rule and receive education on the organization’s policies and procedures associated with the rule. 

March 2026 | Compliance Today 33

View all articles          Read the next article

 

Copyright © 2025 Health Care Compliance Association (HCCA). All rights reserved. All information provided through this site, including without limitation all information such as the "look and feel" of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms of Use and Privacy Statement.