HHS announces information blocking enforcement “crackdown” Skip to main content

HHS announces information blocking enforcement “crackdown”

Overview


The US Department of Health and Human Services (HHS) announced its intent to begin actively enforcing the information blocking regulations adopted under the 21st Century Cures Act, in a press release on September 3, 2025, and an enforcement alert issued jointly by the HHS Office of Inspector General (OIG) and Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) on September 4, 2025. Actors subject to the information blocking regulations should review their current information sharing practices to ensure compliance.

For more information on information blocking, visit McDermott Will & Schulte’s Information Blocking & Interoperability in Healthcare resources page. For more information about how to prepare for HHS enforcement of the information blocking regulations, view our webinar “Information Blocking: Defense of Cures Act Investigations and Enforcement.”

In Depth


The Cures Act prohibits information blocking by health care providers, certified health information technology (IT) developers, and health information networks and exchanges (HIN/HIEs). Information blocking refers to practices that are likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception, and that:

  • If conducted by a certified health IT developer or HIN/HIE, the developer or HIN/HIE knows, or should know, are likely to interfere with access, exchange, or use of EHI.
  • If conducted by a health care provider, the provider knows are unreasonable and likely to interfere with access, exchange, or use of EHI.

On July 3, 2023, OIG issued its final rule to implement OIG’s authority under the Cures Act to investigate claims of information blocking and assess civil monetary penalties of up to $1 million (subject to inflation adjustments) for information blocking violations by a certified health IT developer or an HIN/HIE. The effective date of the OIG final rule was September 1, 2023. For a discussion of the OIG final rule, see our Special Report. To date, OIG has not publicly released information about any investigation or enforcement action under the OIG final rule.

On July 1, 2024, HHS issued a final rule to implement the Cures Act provision establishing penalties (called “appropriate disincentives”) for certain health care providers determined by OIG to have committed information blocking. The disincentives for certain Medicare-participating hospitals and clinicians became effective July 31, 2024, while disincentives associated with the Medicare Shared Savings Program became effective January 1, 2025. For a discussion of the appropriate disincentives final rule, see our On the Subject. To date, there have been no public reports of any OIG investigation of health care providers or impositions of appropriate disincentives by HHS under this final rule.

In addition to these penalties, ASTP can terminate a certified health IT developer’s certifications under the Health IT Certification Program for information blocking in violation of ASTP’s health IT certification requirements.

HHS described the September 3, 2025, press release as “a warning to actors still engaging in information blocking to come into compliance with the rules governing the flow of patient information” and encouraged stakeholders to report alleged information blocking.

In the enforcement alert, ASTP and OIG committed “to using all available authorities to hold information blockers accountable,” and HHS stated that it will provide additional resources to enforce the information blocking prohibition. In conjunction with these public statements, ASTP held an in-person boot camp on September 4, 2025, for actors that interact with certified health IT, highlighting current capabilities to access, exchange, and use EHI as well as the complaint system process for allegations of information blocking. ASTP is planning additional outreach and engagement activities in the future.

Next steps

All regulated actors should consider the following next steps:

  • Review policies, procedures, and practices affecting access, exchange, or use of EHI to confirm that they are consistent with the information blocking regulations and related laws, such as HIPAA and, for developers, ASTP’s Health IT Certification Program requirements.
  • Review, update, or create documentation describing the organization’s commitment to health information sharing consistent with the information blocking regulations.
  • Train personnel responsible for negotiating and implementing collaborations, partnerships, and other arrangements with third parties (e.g., digital health companies and consumer-facing app developers) seeking access, exchange, or use of EHI, to avoid conduct that may lead to information blocking claims.
  • Refine processes to create and retain records and other documents demonstrating the organization’s compliance with the information blocking regulations, including relevant exceptions.
  • Interview and identify defense counsel to help navigate a potential OIG investigation so the organization is prepared in the event of an actual investigation.

Because ASTP has emphasized information sharing practices through certified application programming interface (API) technology in multiple guidance documents during the past 12 months, certified health IT developers should consider the following next steps:

  • Review deployments of certified API technology to confirm compliance with the Health IT Certification Program’s conditions and maintenance of certification requirements specific to certified APIs.
  • Review certified API practices, informed by the practices ASTP highlighted in its API guidance, to confirm compliance and identify potential information blocking exceptions that may apply to related practices.
  • Promptly evaluate and, if appropriate, address any complaints from certified API users alleging noncompliance with any certification requirements.

Health care providers should consider the following steps with respect to their certified API technology deployments:

  • Review the provider’s certified API practices, informed by the practices ASTP highlighted in its guidance, to confirm compliance and identify potential information blocking exceptions that may apply to related practices.
  • Promptly evaluate and, if appropriate, address any complaints from certified API users alleging noncompliance with any certification requirements.

For more information about ASTP’s API guidance, see our On the Subject about the ASTP fact sheet released October 29, 2024.

Please contact your regular McDermott Will & Schulte lawyer or any of the authors of this article if you have questions about compliance with the information blocking regulations or responding to OIG inquiries.