February 13, 2026

The Wait Is Over: Information Blocking Enforcement Is Officially Here

Holland & Knight Alert
Beth Neal Pitman | Miranda A. Franco

Highlights

  • The U.S. Department of Health and Human Services is moving from policy to enforcement under the 21st Century Cures Act, with investigations into potential information blocking now underway and penalties in effect for applicable actors.
  • Health information technology (IT) developers, entities offering certified health IT and health information exchanges face substantial civil monetary penalties and potential loss of health IT certification, and healthcare providers face reimbursement impacts under Centers for Medicare & Medicaid Services programs.
  • Organizations should reassess actor status, update policies and documentation processes, integrate privacy compliance, and strengthen training, monitoring and technology coordination to mitigate enforcement risk.

We were told it would arrive, heard it was on the brink, and now it is here. In the opening session of the U.S. Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) 2026 Annual Meeting, HHS Assistant Secretary Thomas Keane announced that ASTP is in the process of issuing notices of investigation of potential nonconformity to one category of information blocking actors, health IT developers.

What Does This Mean?

Information Blocking Enforcement Is Active

The 21st Century Cures Act (Cures Act), enacted in 2016, established provisions to promote interoperability and patient access to electronic health information (EHI). A critical component of the Cures Act is the prohibition of information blocking, which refers to practices that interfere with the access, exchange or use of EHI. Effective April 5, 2021, and amended beginning in December 2023 through the Health Data, Technology and Interoperability (HTI) Rules, the Office of the National Coordinator for Health Information Technology (ONC) issued regulations defining information blocking and establishing permissible exceptions.

An enforcement structure for health IT developers and health information exchanges was finalized June 27, 2023, with enforcement against these information blocking actors underway since September 1, 2023. Penalties for healthcare providers were effective July 1, 2024. The Office of Inspector General (OIG) is authorized to investigate information blocking claims and, in September 2025, HHS Secretary Robert F. Kennedy Jr. directed HHS resources toward active enforcement. 

Information Blocking Complaints Will Continue to Increase

Since 2021, there has been no enforcement; however, the Information Blocking Complaint Portal has been open and actively used, with nearly 1,600 complaints submitted as of February 2026.

Penalties Are Likely

Information blocking actors can be assured of potential penalties. Health IT developers, entities "offering certified health IT" and health information exchanges or networks are facing potential fines of up to $1 million per violation, with potential for stacking of violations. Health IT developers face potential loss of ONC Health IT certification and being banned from the ONC program. This can have a significant economic impact on health IT developers and potential for indirect negative impact on their customers who rely on the certification for Centers for Medicare & Medicaid Services (CMS) payment program reporting.

Healthcare providers reporting to CMS under the Merit-Based Incentive Payment System and Promoting Interoperability, as well as those participating in accountable care organizations (ACOs), may experience loss of reimbursement and savings revenue. In addition, healthcare providers should be cognizant of the potential for related False Claims Act enforcement activity.

How to Prepare

  • Incorporate Information Sharing and Privacy and Security in Health IT Design and Development: Although this is currently prioritized through the Health Information Technology for Economic and Clinical Health (HITECH)/Cures Act Certification regulations and process, the HTI-5 Rule proposes the removal of 34 of 60 certification criteria and revision of seven others, altering nearly 70 percent of existing requirements. In addition, as seen in prior whistleblower actions against health IT developers, claims of certification failures may still arise.
  • Assess Actor Status: Although an organization may not be a health IT developer, the organization may meet the definition of an entity "offering certified health IT" or of a health information exchange or network. The modified definition of "offering certified health IT" may apply to healthcare providers and support organizations that do not satisfy one of the definition exceptions, increasing their exposure to civil money penalties.
  • Review and Update Policies and Processes: Steps to take include ensuring that organizational policies and procedures align with information blocking regulations and promote seamless EHI exchange and confirming that implemented processes align with policy statements and do not contribute to practices of information blocking.
  • Establish a Formal Documentation Process for Exceptions: Meeting an exception may provide relief from enforcement. Documentation and supporting records should be created and maintained. HTI-5 proposes removal of the prior Trusted Exchange Framework and Common Agreement (TEFCA) exception adopted in HTI-3, and this removal, if finalized, may create the need to expand documentation when transmission has been through TEFCA.
  • Privacy Compliance Integration: Monitor changes in privacy laws and integrate compliance with privacy laws, such as Part 2 Substance Use Disorder privacy law and the various state medical record laws, with processes to mitigate and prevent information blocking while continuing to meet required privacy restrictions. Establishing a process for prompt response to patient requests for electronic access outside of the patient portal and implementing requirements for release of information (ROI) vendors are imperative. State law privacy requirements, particularly in California, complicate the interaction between information sharing and privacy requirements.
  • Training: Provide comprehensive training to staff members on information blocking, including the definition, exceptions and potential consequences of noncompliance. Particular attention to staff responsible for health IT, health information management and privacy is important.
  • Monitor Compliance: Implement mechanisms to monitor and audit information sharing practices to identify and address any potential issues proactively. Address specific processes for navigating privacy laws prohibiting or delaying disclosures.
  • Health IT Coordination and Contracting: Investigate technology processes that can enable compliance with the Cures Act and assist in flagging and restricting disclosure of sensitive information that is either prohibited from disclosure or requires additional consents or other actions prior to disclosure. Appropriate contract provisions may provide protections on all sides of the transaction.

If you have any questions about information blocking compliance or related enforcement risks, please contact the authors.


Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.

