In a September 3 Press Release, the U.S. Department of Health and Human Services (HHS) announced that it is increasing efforts to curb information blocking. This was quickly followed by a September 4 Enforcement Alert issued jointly by the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) and the HHS Office of Inspector General (OIG). Both developments come against the backdrop of CMS’s newly announced voluntary interoperability framework initiative, launched earlier this year, which seeks to accelerate open, standards-based health data exchange for a patient-centered digital health ecosystem. These developments signal HHS’s focus on empowering patients and healthcare providers with what HHS is calling “friction-free information.” 

Information Blocking Background

In 2016, the 21st Century Cures Act (Cures Act) sought to encourage and incentivize the free flow of patient information among the patient’s providers and improve coordination of care and patient outcomes. To that end, the Cures Act prohibits “information blocking” practices that interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI) unless a regulatory exception applies. The Cures Act assigned enforcement authority for the information blocking provisions to ASTP/ONC and OIG.  

On June 27, 2023, HHS published a final rule, covered in Akerman’s Health Law Rx blog, implementing information blocking penalties for health IT developers, health information networks (HINs), and health information exchanges (HIEs). One year later, HHS revisited its enforcement mechanisms as they relate to providers in a final rule providing for “disincentives” that can be levied against non-compliant Medicare providers. These “appropriate disincentives” can result in lower payments to hospitals and critical access hospitals participating in the Medicare Promoting Interoperability Program, lower scores and therefore lower payment to clinicians and group practices participating in the Merit-based Incentive Payment System, and ineligibility determinations for ACO participants and providers/suppliers participating in a Medicare Shared Savings Program Accountable Care Organization (ACO). 

Enforcement Statistics and Priorities

HHS has not released information about its enforcement of the information blocking penalties since the rule became effective in September 2023. However, we do know that between April 5, 2021, and August 31, 2025, ASTP/ONC received 1,420 information blocking complaints via its online portal, with nearly 800 of those complaints coming from patients and just under 200 coming from healthcare providers. More than 1,000 of these complaints were against healthcare providers. Though we do not have enforcement statistics, OIG does provide a window into its enforcement priorities on its website, and it has previously signaled that its priority is to investigate cases that:

• could harm patients, patient populations, the community, or the public;
• significantly impact a provider’s ability to care for patients;
• occur over an extended period of time;
• cause financial loss to federal healthcare programs or other government or private entities; or
• are performed with actual knowledge of non-compliance.

The September 4 Enforcement Alert emphasizes that separate consequences may apply in addition to civil monetary penalties of up to $1 million per violation. For example, ASTP/ONC may ban a health IT developer from the ONC Health IT Certification Program and may also terminate the certification of the health IT involved in information blocking. The September 3 Press Release and September 4 Enforcement Alert also encourage individuals and organizations to report suspected information blocking practices via ASTP/ONC’s Information Blocking Portal.

Next Steps

Healthcare providers, certified health IT developers, and HIN/HIEs should consider reviewing their policies, procedures, and conduct and consider updates, changes, and refinements to the extent needed for compliance. Additional measures to consider also include:

• Engaging counsel in advance of an OIG investigation to ensure compliance with the information blocking provisions and preparedness in the face of an enforcement action.

• Documenting the applicability and use of information blocking exceptions, including a determination of the exception’s reasonableness as applied to the conduct.

• For those developing or offering certified health IT and HIN/HIEs, assessing whether they may be subject to the ONC Information Blocking Rule. 

• Calibrating compliance programs to ensure that the program evidences a subjective intent to comply with the new information blocking rules and review certifications to ensure that they fairly and accurately reflect current business practices.

Akerman’s Health Law Rx blog will continue to monitor developments related to enforcement of information blocking provisions, and our team of healthcare attorneys is prepared to help you navigate these and other complicated regulatory and compliance questions.