Information blocking occurs when individuals or organizations intentionally interfere with the sharing or use of electronic health information (EHI), placing unnecessary obstacles in the way of timely access. This practice inhibits the ability of healthcare providers to deliver the best care and prevents patients from being fully engaged in their own treatment decisions. As Adler-Milstein and Pfeifer note in a study published in The Milbank Quarterly, “information blocking practices would privately benefit vendors and providers but limit the societal quality and efficiency benefits from EHR adoption.”
The responsibility for handling information blocking in the United States rests firmly with the Department of Health and Human Services (HHS) because it oversees national health policy, including health information technology (IT). Specifically, it is the Office of the National Coordinator for Health IT (ONC) within HHS that designs and enforces policies around health IT interoperability, which includes cracking down on information blocking practices.
The rationale for HHS oversight is its unique position to coordinate among the myriad players in the healthcare ecosystem, hospitals, clinicians, electronic health record (EHR) vendors, health information exchanges, and patients, and to establish uniform regulations that protect public health interests.
Also, “Because information blocking is largely legal today, the most effective policy response likely involves a combination of direct enforcement and the altering of market conditions that promote information blocking.” Without a centralized, authoritative body like HHS, the fragmented U.S. healthcare system would struggle to tackle the challenges posed by information blocking.
As defined by the ONC, information blocking occurs when an actor knowingly and unreasonably inhibits information flow without a valid reason, such as protecting patient privacy or safety. The regulation of information blocking emerged out of longstanding challenges in healthcare interoperability. As noted by the Public Health Reports journal article ‘The US 21st Century Cures Act: Interoperability, Information Blocking, and Implications for Hospitals,’ “interoperability across electronic health record systems has remained elusive, with persistent barriers to widespread electronic information exchange.”
This occurs where fragmented, siloed health data systems prevent providers and patients from accessing complete, timely health information needed for effective care delivery and coordination. Before regulatory intervention, the lack of clear prohibitions and penalties allowed private interests to restrict data sharing, adversely impacting care quality, patient outcomes, and innovation in health IT. The authors note that “there is evidence that some hospitals and vendors may engage in practices that unreasonably limit data exchange, such as charging high fees for interfacing or refusing to exchange information with competitors.”
The 21st Century Cures Act established the legal framework explicitly prohibiting information blocking and requiring enforcement mechanisms. The Act defines information blocking broadly to include any practice that is likely to interfere with, prevent, or materially discourage authorized access, exchange, or use of EHI, raising the standard for health IT vendors and providers to facilitate interoperability. The journal article states, “The Cures Act defines information blocking expansively and grants the HHS Office of Inspector General (OIG) enforcement authority to investigate and penalize actors found to be engaged in information blocking.”
The investigation process typically begins when OIG receives a complaint alleging information blocking. Recognizing that resource constraints exist, the OIG prioritizes cases using a set of criteria to allocate enforcement efforts efficiently. Priority is given to allegations that have resulted in or could result in patient harm, affected a provider’s ability to deliver care, persisted over long durations, caused financial losses to federal healthcare programs or other entities, or were carried out with actual knowledge of wrongdoing.
As stated in the final rule, “OIG will prioritize investigations of conduct that resulted in, is causing, or had the potential to cause patient harm; significantly impacted a provider’s ability to care for patients; was of long duration; caused financial loss to Federal health care programs, or other government or private entities; or was performed with actual knowledge.” This triage approach ensures that the most serious and impactful cases are addressed first.
Once a complaint is selected for further scrutiny, the OIG opens an official investigation. This involves collecting evidence through document requests, interviews, and data analysis, often in collaboration with the ONC, which provides expertise on technical standards and regulatory compliance related to information blocking. The investigatory phase evaluates whether the alleged conduct meets the legal definition of information blocking, acts that knowingly and unreasonably interfere with the access, exchange, or use of EHI without applicable exceptions. If initially the OIG finds no violation, the case is closed.
If a violation is identified, the OIG provides the entity under investigation an opportunity to discuss the findings and respond to concerns before final determinations are made. Should the OIG ultimately conclude that information blocking occurred, it issues a demand letter outlining the violation and potential penalties. Entities can then appeal the decision administratively, ensuring due process. As clarified in the rule, “OIG may impose a civil monetary penalty (CMP) of up to $1,000,000 per violation” and will consider “the nature and extent of the information blocking and the harm resulting from it” when determining penalties.
Information blocking can take the form of technical barriers or policy restrictions placed on email systems. Healthcare organizations might limit what health information can be shared via email due to concerns over HIPAA compliance and security risks. As a study published in the Journal of General Internal Medicine explains, “Communication via e-mail can be intercepted, altered, or forwarded without authorization, raising concerns regarding the privacy and security of personal health information”. For example, the lack of standardized and interoperable email platforms compatible with different EHR systems causes information to become siloed or lost in transit. The study notes that “the absence of universally accepted standards for secure communication between systems remains a major barrier to effective exchange of information.”
When laboratories, specialists, or primary care providers cannot seamlessly share test results, referral details, or treatment updates by email, care coordination suffers. Missed or delayed communications can contribute to diagnostic errors, duplicated tests, or fragmented care plans, all of which undermine patient outcomes. As authors caution, “incomplete or delayed transmission of critical patient information may result in errors, duplication of diagnostic testing, or inappropriate treatment.”
In an antitrust case reported in Reuters, Epic Systems, controlling medical records for up to 94% of Americans, faces allegations that it attempted to stifle competition by obstructing access to its health data ecosystem and discouraging clients from using a rival’s platform. As Particle Health’s lawsuit asserts, Epic allegedly tried to steer customers away from its competitor by erecting barriers to new business, concerns substantial enough to move forward in court.
In another telling example, a federal judge ruled that the removal of crimedical and public health webpages, ordered by Trump-era officials under controversial gender ideology directives, undermined clinicians' ability to provide timely care. The judge described the sudden content deletions as detrimental to public health, noting they were implemented without any public rationale or recourse, and ordered their immediate restoration.
Related: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Patients gain improved access to their own health information without delay and at no cost, fostering transparency, engagement, and better health outcomes through easier data sharing.
EHI generally includes ePHI that is part of a designated record set as defined under HIPAA, including clinical notes, test results, imaging data, and billing records, with certain exceptions such as psychotherapy notes.
Yes, HHS has defined multiple exceptions where withholding information is reasonable and allowed, including protecting patient privacy, preventing harm, security concerns, and technical infeasibility. These exceptions must be documented and justified.