Enforcement of information blocking has moved from concept to practice. On September 3, 2025, the U.S. Department of Health and Human Services (HHS) press release signaled an active enforcement posture and directed more resources to curb practices that interfere with the access, exchange, or use of electronic health information. The announcement clarifies the consequences for different stakeholders and invites more reporting from patients, providers, innovators, and others.

What is information blocking

Information blocking is a practice by an individual or entity that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI), unless required by law or covered by a regulatory exception. The Assistant Secretary for Technology Policy (ASTP) has issued regulations defining the scope and exceptions under 45 CFR Part 171. The final rule, which sought to improve health information access and health IT choice, maintains that:

• Patients should have easy electronic access to their EHI at no cost, including via applications (apps) of their choice; and that
• Health care providers should be able to choose the digital tools that allow them to provide the best care, without excessive costs or technical barriers. https://www.hhs.gov/press-room/hhs-crackdown-health-data-blocking.html?

Timeline at a glance

• December 2016: Congress enacted the 21st Century Cures Act, including Section 4004 on information blocking.
• May 2020: The federal final rule on Interoperability and Information Blocking was published, establishing core obligations and the certification framework. Compliance began in 2021 with staged dates.
• October 6, 2022: The “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” final rule expanded the definition of electronic health information beyond the United States Core Data for Interoperability (USCDI), increasing the practical scope of obligations.
• June 27, 2023: The HHS Office of Inspector General (OIG) finalized its Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General's Civil Money Penalty Rules with civil monetary penalties, effective September 1, 2023.
• June 24, 2024: HHS finalized provider disincentives under Medicare programs, with effective dates beginning July 31, 2024, and additional program timing in 2025.
• June 25, 2024: Chief Healthcare Executive published an article titled “Feds Announce Final Penalties for Information Blocking,” summarizing provider concerns and estimated financial impact. (Chief Healthcare Executive, June 25, 2024)
• December 17, 2024: HHS adopted targeted updates to information blocking exceptions in the Health Data, Technology, and Interoperability rule.
• September 3–4, 2025: HHS issued a press release and the OIG issued an Enforcement Alert outlining enforcement priorities, reporting pathways, and consequences.

Current enforcement and penalties

With enforcement rules finalized and reporting channels open, the focus now shifts to what happens if an organization is found in violation. The government has drawn clear lines around who can be penalized, what those penalties look like, and how providers will feel the impact through existing Medicare programs.

Civil monetary penalties

The OIG may impose fines up to $1 million per violation on technology developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs), and health information networks (HINs). 

Certification consequences

ASTP may ban a developer from the federal certification program and revoke certification of implicated products. 

Provider disincentives

Rather than civil penalties, healthcare providers face financial disincentives. According to the June 24, 2024, final rule:

• Hospitals and Critical Access Hospitals (CAHs) under the Medicare Promoting Interoperability Program risk losing meaningful user status—leading to a 75% reduction in the market basket increase (or payment to 100% of reasonable costs for CAHs).
• Clinicians under the Merit-based Incentive Payment System (MIPS) risk a zero in the Promoting Interoperability category—impacting incentive payments.
• Accountable Care Organizations (ACOs) may be barred from the Medicare Shared Savings Program for at least one year.

Details about these fines and disincentives are outlined in the Enforcement Alert.

Who can report and how to report

Anyone can report suspected information blocking. The preferred platform is the ASTP Information Blocking Portal, which accepts anonymous submissions. Complaints may also be filed via the HHS OIG Hotline or by calling 1-800-HHS-TIPS. The Enforcement Alert clarifies that identities are protected to the extent allowed by law.

What happens after a report is filed

OIG follows a structured process:

1. Complaint intake and triage using enforcement priorities (e.g., patient harm, care impact, duration, financial effect, knowledge level).
2. Case initiation if merited, including fact-finding with possible ASTP consultation.
3. Opportunity for the subject to respond.
4. Issuance of a demand letter proposing penalties.
5. Appeal options are available. See the OIG’s information blocking overview for more. (OIG enforcement priorities)

Real-world impacts by stakeholder

• Health IT developers, HIEs, HINs, and entities offering certified technology face civil monetary penalties and risk losing certification of systems/modules. Organizations should bolster logging, contract language, and exception tracking.
• Hospitals, CAHs, and clinicians risk financial loss through Medicare disincentives. Compliance programs should prioritize policies around patient record access, third-party app onboarding, and transparent exception handling.
• Accountable Care Organizations could lose shared savings revenue and disrupt coordinated care. ACOs should standardize information-sharing policies across members.
• Patients and innovators will experience increased reporting pressure, which may drive faster access improvement and heightened accountability.

Ripple effects and unintended consequences

• Competition-driven reporting. Rivals may report to each other during messy system migrations or contract negotiations.
• Upward trend in patient complaints. Delayed or confusing access could trigger increased reporting volume—potentially overloading intake systems.
• Slower innovation cycles. Vendors may delay new feature rollouts to ensure compliance with exception requirements.
• Administrative drag. Practices may need more staff and process documentation to prove compliance continuously.
• Equity challenges for smaller providers. Rural or under-resourced organizations might struggle to manage compliance and appeals effectively.

Bottom line

From the 21st Century Cures Act (2016) to rulemaking in 2020–2022, followed by enforcement rules in 2023–2024, we’ve reached a point of active enforcement in 2025. Expectations are now clear, and pathways to accountability are in place. Organizations must verify exception use, tighten response workflows, and track patient and app access times.

POCP can help you cut through the noise. Our Regulatory Resource Center team tracks every policy shift and enforcement update so your team doesn’t have to. We go beyond compliance checklists to help stakeholders understand the broader implications of the information blocking crackdown—how it may affect your business strategy, where it could reshape industry dynamics, and what it means for your roadmap and investment priorities. Whether you need clear guidance on the rules, analysis of the potential ripple effects, or support in aligning future projects with this evolving landscape, POCP brings the expertise and perspective to keep you ahead.