Everything you need to know about information blocking

Information blocking in healthcare is a practice by healthcare providers, health IT developers, or health information networks that knowingly and unreasonably interferes with the access, exchange, or use of electronic health information (EHI). Despite regulatory efforts under the 21st Century Cures Act and ongoing enforcement by the Department of Health and Human Services (HHS) and the Office of Inspector General (OIG), information blocking persists.

According to a Journal of American Medical Informatics Association study, ‘Experiences with information blocking in the United States: a national survey of hospitals’, 42% of hospitals reported observing behaviors perceived as information blocking, with 36% perceiving healthcare providers as engaging in such practices, and 17% and 19% perceiving health IT developers and health information exchanges, respectively, as blockers.

Healthcare organizations should understand that information blocking can delay health information sharing, leading to increased medical errors, duplicated testing, and fragmented care. It can also expose them to penalties, including fines up to $1 million per violation for developers and networks, and financial disincentives for providers through programs like Medicare’s Promoting Interoperability, Merit-based Incentive Payment System (MIPS), and Accountable Care Organizations (ACOs). 

Exceptions to information blocking exist, but organizations must carefully navigate these to maintain compliance. Recent regulatory updates have also introduced new exceptions, like the Protecting Care Access exception, and expanded the scope of EHI to include all electronic medical information. 

 

What exactly is information blocking?

The Public Health Reports study ‘Health Information Blocking: Responses Under the 21st Century Cures Act’ provides an overview of information blocking as we know it, noting, “The 21st Century Cures Act... defines information blocking as a practice that ‘is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information’ and expressly prohibits it.”

According to the Office of the National Coordinator for Health IT (ONC), information blocking requires three elements: identifiable interference with EHI exchange, knowledge or reason to know that the conduct will interfere, and the absence of a reasonable justification for such interference, balancing public health interests with privacy, security, and innovation incentives.

Examples include policies or technical barriers that prevent sharing EHI across providers or networks, encrypting data to make it inaccessible, refusing to connect with other providers, or charging excessive fees for data access. 

The function of information blocking, though often unintentional or driven by competitive or economic motives, effectively restricts interoperability and patient access, impeding clinical decision-making, causing delays in care, increasing duplicative testing, and reducing care coordination. It also limits patients’ ability to switch providers and undermines competition, while hindering biomedical research and public health efforts that rely on comprehensive data exchange.

 

The actors in information blocking

The primary actors subject to information blocking regulations include healthcare providers, health IT developers (such as electronic health record [EHR] vendors), and health information networks or exchanges (HIEs/HIOs). As The Milbank Quarterly investigation on information blocking notes, “EHR vendors can improve their bottom-line by charging high fees for HIE and may also benefit if they make cross-vendor connectivity difficult.”

Healthcare providers encompass hospitals, clinicians, and other care entities responsible for delivering patient care, while health IT developers create and maintain the software and systems that enable health data interoperability. Health information exchanges serve as intermediaries facilitating data sharing across organizations. 

The 21st Century Cures Act and ONC’s Information Blocking Final Rule explicitly identify these actors and prohibit their engagement in practices that knowingly and unreasonably interfere with EHI exchange unless justified by specific exceptions like patient safety or technical infeasibility. 

 

The distinction between electronic health information and ePHI

A Cureus study exploring health record databases and security concerns notes, “Health information databases contain sensitive patient information, including their names and addresses, tests, diagnoses, treatment, and medical history. This information should be secured and protected from manipulation and fraudulent use by third parties.”

EHI broadly refers to any electronically stored or transmitted health information about an individual that is maintained or used by healthcare organizations, typically found in EHRs. EHI includes all electronic protected health information that would be part of a designated record set (DRS), which is the group of records used by or for a covered entity to make decisions about individuals’ care.

This definition of EHI is expansive and includes data covered under HIPAA and electronic health information held by entities not subject to HIPAA, reflecting the broad scope necessary for interoperability and information blocking regulations. Electronic protected health information (ePHI) is a subset of EHI defined specifically by HIPAA as any PHI that is created, stored, transmitted, or received in electronic form by a covered entity or its business associates. ePHI is the subset of EHI that is protected under HIPAA’s Privacy and Security Rules due to its identifiable nature and electronic form.

 

Impact on patient care and healthcare systems

The above-mentioned JAMIA survey revealed that 42% of hospitals reported observing practices they perceived as information blocking, most frequently attributed to other healthcare providers. This indicates that data sharing among care teams is often hindered by competitive and organizational dynamics, which can lead to delays in care and fragmented treatment plans.

Information blocking can prevent clinicians from accessing patient data when needed, increasing the risk of medical errors, redundant testing, and misdiagnoses, all of which contribute to poorer health outcomes and higher healthcare costs. Patients suffer when their ability to access their own health information is limited, as it restricts their capacity to engage actively in their care, understand their diagnoses, and adhere to treatment plans, which are all components of patient-centered care. 

 

The regulatory framework governing information blocking

The 21st Century Cures Act 

The 21st Century Cures Act governs information blocking by establishing a clear legal framework that prohibits practices by healthcare providers, health IT developers, and health information networks that knowingly and unreasonably interfere with the access, exchange, or use of EHI. Signed into law in December 2016, the Act incorporates definitions of interoperability and information blocking into Title IV of the Public Health Service Act. 

The Act also requires that patients have timely, free access to their electronic health information, requiring providers to share data without unnecessary delays, thereby promoting transparency and patient empowerment. The Act’s enforcement provisions enable the HHS and the OIG to investigate alleged violations, assess penalties, and refer cases to appropriate agencies, creating a mechanism to hold actors accountable and deter information blocking behaviors. 

 

The ONC Final Rule  

The journal article ‘The 21st Century Cures Act Information Blocking Rule in Post-Acute Long-Term Care’ noted the nature of the Act, “Included as part of the Act, the information-blocking rule entered the first compliance phase in April 2021…Under the blocking rule, health systems now must promptly respond to requests from patients and their delegates for access, exchange, or use of the digital components in their health records that meet the organization’s HIPAA-defined designated record set.”

For health IT developers and networks, the standard for information blocking is whether they know or should know that a practice is likely to interfere with EHI access, exchange, or use; for healthcare providers, the standard is higher, requiring that the provider knows the practice is unreasonable and likely to interfere. 

The Final Rule also establishes a phased approach to the scope of EHI covered, initially focusing on data elements defined in the United States Core Data for Interoperability (USCDI) version 1, with plans to expand to all EHI by October 2022, thereby progressively broadening the data subject to sharing requirements. 

The rule codifies a series of exceptions to information blocking, recognizing legitimate reasons to limit data sharing, including protecting patient safety (Preventing Harm Exception), safeguarding privacy and security (Privacy and Security Exceptions), addressing technical infeasibility (Infeasibility Exception), and maintaining health IT performance (Health IT Performance Exception), among others. 

 

The exceptions to information blocking 

HealthIT’s Cures Act Final Rule information sheet notes, “On behalf of HHS, ONC has defined eight exceptions that offer actors (i.e., health care providers, health IT developers, health information networks (HINs) and health information exchanges (HIEs)) certainty that, when their practices with respect to accessing, exchanging, or using electronic health information (EHI) meet the conditions of one or more exceptions, such practices will not be considered information blocking.” These eight include:

  • An actor may withhold or delay EHI if disclosing it is reasonably likely to cause harm to a patient or another person, such as in cases of imminent threat to safety or abuse situations, provided certain conditions are met to justify the action.
  • An actor may limit access to EHI to protect an individual’s privacy rights, consistent with HIPAA and other applicable privacy laws. This includes respecting patient requests to restrict sharing but prohibits improper inducement or coercion to block information.
  • Practices that protect the security of EHI, such as preventing unauthorized access or cyberattacks, are exempt. This covers reasonable measures to safeguard data integrity and confidentiality.
  • When fulfilling a request to access, exchange, or use EHI is not feasible due to technical limitations, unavailability of data, or other legitimate barriers, actors are exempt from information blocking claims.
  • Temporary delays or restrictions on EHI access, exchange, or use are allowed when necessary to maintain or restore health IT system performance, such as during maintenance or unexpected outages.
  • Actors may limit the content or manner of EHI sharing if it is reasonable and necessary to protect the integrity of the data, prevent misinterpretation, or comply with legal or regulatory requirements, including formatting or timing restrictions.
  • Charging fees that are reasonable, non-discriminatory, and cost-based for accessing, exchanging, or using EHI is permitted. Excessive or discriminatory fees, however, may constitute information blocking.
  • Reasonable and non-discriminatory licensing terms for health IT interoperability elements, such as APIs or software, are allowed, provided they do not unreasonably limit access or use of EHI.

The present-day challenges that come with information blocking

A 2024 survey of nearly 200 U.S. healthcare executives revealed that many organizations are unprepared to meet the 21st Century Cures Act requirements, with 59% reporting inability to comply with information blocking rules and 57% lacking key capabilities in patient data management and interoperability. These gaps threaten care quality and patient safety, as data mismatches and poor interoperability can lead to errors and fragmented care. 

Despite regulatory progress, healthcare providers and health IT vendors report operational difficulties implementing the rules. Industry reports from 2024 reveal that many organizations feel overwhelmed by the scope and complexity of information blocking regulations and seek further clarifications from regulators. The need to redesign workflows, upgrade IT infrastructure, and manage increased patient data access requests poses resource and training challenges. 

 

FAQs

How can individuals report suspected information blocking?

Individuals who believe they have experienced information blocking can report it through the ONC Information Blocking Portal. Reports are assigned tracking numbers, and depending on the details, ONC may contact the submitter for more information. ONC shares claims with OIG for investigation. Confidentiality protections apply to reporters under the Cures Act.

 

Are penalties for information blocking currently being enforced?

While the regulations are in effect, penalties and disincentives for actors engaging in information blocking have not been fully finalized or broadly enforced yet. The OIG is responsible for investigating claims and may impose civil monetary penalties up to $1 million per violation for health IT developers and networks. For healthcare providers, enforcement involves referrals for appropriate disincentives, but typically OIG does not pursue penalties for innocent mistakes or accidental conduct. 

 

What are the requirements regarding the use of certified health IT in relation to information blocking?

Actors are required to have or use certified health IT or upgrade existing certified health IT to meet interoperability standards. However, the regulations do not mandate any specific standard or functionality.
