HHS Signals Heightened Information Blocking Enforcement

On September 3, the US Department of Health and Human Services (HHS) issued a press release announcing a “crackdown” on the “harmful practice” of information blocking.

The next day, HHS’ Office of Inspector General (OIG) and the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) published a joint enforcement alert, further emphasizing the federal government’s commitment to intensifying enforcement activity, dedicating additional resources, and taking decisive action to detect and stop information blocking.

Together, these announcements represent the strongest indication yet that federal regulators are prepared to deploy all available authorities — including civil monetary penalties (CMPs), certification bans, and payment disincentives — to ensure that electronic health information (EHI) flows freely and without unnecessary barriers. For regulated entities, the message is clear. The period of education and delayed compliance has ended. OIG investigations are underway, ONC certification reviews have begun, and the Centers for Medicare and Medicaid Services (CMS) stands ready to impose Medicare payment disincentives once an information blocking determination is referred. Organizations that create, exchange, or rely on EHI should treat these developments as a call to confirm that their policies, technical configurations, and business practices align with the requirements of the 21st Century Cures Act and its implementing regulations.

Information Blocking: The Statutory and Regulatory Framework

The statutory foundation for information blocking enforcement is Section 4004 of the 21st Century Cures Act (codified at 42 U.S.C. § 300jj-52). It broadly prohibits any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, unless an exception for permissible practices applies. The regulatory framework was established in 2020 when ONC finalized regulations at 45 C.F.R. Part 171. These rules define the actors subject to the prohibition — namely, health care providers, health information technology (IT) developers of certified health IT, health information exchanges (HIEs), and health information networks (HINs). The rules also describe the scope of EHI covered, and set forth eight exceptions, such as those designed to protect patient privacy or ensure security.

Congress allocated enforcement responsibilities among several HHS agencies.

OIG

Under 42 C.F.R. Part 1003, OIG may impose CMPs of up to $1 million per violation against health IT developers, HIEs, and HINs that knowingly engage in information blocking. OIG’s 2023 final rule, which we discussed in a prior alert, clarified investigative procedures, established a six-year look-back period, and outlined aggravating factors, with September 1, 2023, as the start of CMP enforcement.

ONC

For certified health IT, ONC (under 45 C.F.R. Part 170) may suspend or terminate certification or ban a developer from the Certification Program — actions that can remove products from the federal marketplace and trigger downstream contractual liabilities for developers, such as breach of contract claims from customers who rely on certified products.

CMS

CMS, pursuant to its 2024 final rule on “appropriate disincentives,” may sanction health care providers that commit information blocking by denying hospitals the annual market-basket increase under the Medicare Promoting Interoperability Program, assigning clinicians a zero score in the Promoting Interoperability category of the Merit-based Incentive Payment System, and removing accountable care organizations or participants from the Medicare Shared Savings Program. The rule authorizes CMS to impose disincentives for information blocking beginning July 31, 2024, except for Shared Savings Program disincentives, which CMS may impose after January 1.

What the Enforcement Announcements Add

HHS’ press release and the enforcement alert signal a coordinated and intensified federal approach to information blocking enforcement. The press release publicly announced HHS’ intent to take an active enforcement stance against health care entities that “restrict patients’ engagement in their care by blocking the access, exchange, and use of electronic health information.” It emphasized that stopping information blocking is a top priority for HHS and that additional resources will be dedicated to curbing these practices. The press release also served as a warning to regulated entities that enforcement is no longer theoretical — HHS is now actively investigating and will hold violators accountable using all available authorities.

Building on this, the enforcement alert provides further detail on how these enforcement efforts will be operationalized. The alert confirms that OIG investigations will prioritize cases where practices cause or risk patient harm, significantly impair a provider’s ability to deliver care, persist for a long duration, result in financial loss to federal health programs or private parties, or are undertaken with actual knowledge of their obstructive effect. HHS has committed to dedicating additional resources to information blocking enforcement, elevating staffing, budgeting, and inter-agency coordination. As a result, entities should anticipate more rapid investigative timelines and broader document requests.

Importantly, both the press release and the alert highlight the coordinated approach among OIG, ONC, and CMS. A single incident of information blocking may now trigger multiple parallel remedies, including CMPs, decertification of health IT products, and provider payment adjustments. For example, a developer found to have blocked EHI could face a CMP, lose certification, and be subject to customer complaints arising from provider payment consequences. This integrated enforcement strategy underscores the need for organizations to proactively assess and remediate any practices that could be construed as information blocking.

Intersection With the CMS Digital Health Ecosystem Initiative

The recent launch of CMS’ “Digital Health Ecosystem” initiative is closely intertwined with the enforcement of information blocking rules. This initiative aims to accelerate the adoption of interoperable health technologies, leverage application programming interfaces (APIs) for beneficiary-facing tools, and integrate real-time data across Medicare and Medicaid. Robust enforcement of information blocking is essential to achieving these goals, as the ecosystem relies on the frictionless movement of EHI among payers, health care providers, and third-party applications. Practices that impede data liquidity undermine API functionality and the patient-choice model that CMS seeks to expand.

By tying provider payment adjustments to information blocking determinations, CMS aligns financial incentives with the policy objectives of the Digital Health Ecosystem: rewarding entities that facilitate data sharing and penalizing those that obstruct it. Organizations that adapt their IT architecture to comply with the information blocking regulations at 45 C.F.R. Part 171, such as by implementing standardized Fast Healthcare Interoperability Resources based APIs, will be better positioned to meet future CMS data exchange requirements under value-based purchasing, prior authorization, and quality-reporting programs. Information blocking compliance should therefore be viewed not merely as a defensive measure, but as foundational to participating in the evolving digital health marketplace.

Key Takeaways

The enforcement alert and companion HHS press release mark a decisive transition from policy development to active, coordinated enforcement of information blocking rules. Health care providers, health IT developers of certified health IT, HIEs, and HINs should recognize that the federal government is committed to using its enforcement authorities to ensure the free flow of EHI. In this environment, proactive compliance and strategic planning are essential to mitigate risk and maintain eligibility for federal programs.

Stakeholders should consider the following as they calibrate their compliance efforts.

• Expect an increase in OIG investigations, ONC certification actions, and CMS disincentive referrals, with enforcement focused on practices that harm patients, impede care, or reflect knowing misconduct.

• Liability exposure is substantial and multifaceted. A single information blocking incident can result in CMPs of up to $1 million per violation, decertification of health IT products, and reductions in Medicare payments.

• Documentation is critical. Maintain thorough records of decision-making, security assessments, and interoperability efforts to demonstrate compliance or support the application of an exception.

• Self-disclosure of violations and prompt corrective action may reduce penalty exposure and demonstrate good faith to regulators.

• Aligning IT infrastructure and business practices with information blocking regulations and CMS digital health initiatives will position organizations to participate in emerging value-based and data-driven health care models.

Navigating the evolving landscape requires careful attention to overlapping regulatory regimes, exception criteria, and enforcement priorities. Experienced health care counsel can provide valuable guidance in assessing compliance, developing defensible policies, and responding to multiagency inquiries, helping organizations manage risk while enabling innovation and participation in the digital health ecosystem.