ChartRequest - Logo - Light
Schedule Demo

HHS Intensifies Information Blocking Enforcement: What Healthcare Leaders Need to Know

HHS Intensifies Information Blocking Enforcement

On September 3, 2025, the U.S. Department of Health and Human Services (HHS) issued a press release announcing nationwide information blocking enforcement. This announcement marks the most aggressive enforcement action since the 21st Century Cures Act became law.

The release confirmed that the Office of Inspector General (OIG) will investigate suspected violations and impose penalties, while the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC, referred to below as ONC) will expand certification audits. Health IT developers and networks face civil monetary penalties of up to one million dollars per violation. Providers risk reduced Medicare reimbursements, negative MIPS adjustments, and exclusion from shared savings programs.

For healthcare executives, the implications are immediate. Early cases are expected to be publicized, and organizations that are unprepared face both financial consequences and reputational harm among patients, partners, and payers.

ChartRequest helps providers address this moment directly. By automating the release of information, creating defensible audit trails, and reducing turnaround times with a 5-day guarantee, ChartRequest positions organizations to meet information blocking enforcement expectations and protect both margins and reputation.

Information blocking enforcement is here after the September 3 press release from HHS

HHS Announces Information Blocking Enforcement Crackdown 

The September 2025 press release did more than restate the law. It signaled that patient access to records is now a federal enforcement priority. OIG has been directed to pursue enforcement for information blocking complaints, and ASTP/ONC will scrutinize developers for practices that limit interoperability or impose hidden costs under the certification program.

HHS leadership framed the crackdown around patient rights. The message is that patients deserve timely and complete access to their records. The announcement reflects a cultural shift from education to accountability. HHS has committed to active information blocking enforcement with increased resources. Penalties and case outcomes will be visible.

HHS also described the announcement as a warning to actors still engaging in information blocking and encouraged stakeholders to report alleged information blocking for enforcement.

For executives, the key takeaway is urgency. Regulators intend to establish examples through early information blocking enforcement cases, particularly where organizations create systemic barriers to access. Boards should now treat information blocking enforcement as a financial risk that requires direct oversight and measurable action.

ChartRequest partners already avoid these risks with centralized request management, automated delivery, and built-in exception documentation.

What Is Information Blocking?

Information blocking occurs when a provider, health IT developer, or health information network interferes with the access, exchange, or use of electronic health information (EHI) without applying one of the nine recognized exceptions. The 21st Century Cures Act defines the practice broadly, which gives regulators the authority to investigate a wide range of behaviors and pursue information blocking enforcement across the industry.

Common Information Blocking Behaviors

While the September 2025 press release did not list specific examples, enforcement under the Cures Act and ONC rules targets practices such as:

  • Delays in record delivery beyond required timelines.
  • Excessive or discriminatory fees for API or third-party access.
  • Refusal of valid requests that meet all legal requirements.
  • Incomplete or partial records that prevent patients and clinicians from seeing the full picture of care.

These examples reflect how ONC certification reviews and OIG investigations evaluate real-world behavior under the Cures Act. These enforcement targets reflect the Cures Act framework and ONC’s certification oversight rather than a list from the September 3, 2025 announcement.

These behaviors were once dismissed as workflow inefficiencies. The September 2025 announcement reframed them as compliance failures that now fall under information blocking enforcement scrutiny and carry financial and reputational penalties.

Executives should ensure every department understands how the rules apply, when exceptions are legitimate, and how to produce defensible documentation. ChartRequest supports this work through dashboards, automated exception logging, and audit-ready reports that give leaders visibility into compliance performance across the enterprise.

Timeline: From the Cures Act to Enforcement

The crackdown is the result of nearly a decade of incremental policy development. Each milestone paved the way for September 2025 information blocking enforcement.

2016: The Cures Act

Congress passed the 21st Century Cures Act, outlawing information blocking and mandating enforcement for interoperability rules that elevate patient access.

2020: ONC Interoperability Rule

ONC finalized its interoperability rule, setting technical standards for APIs and certified health IT that enable secure, standardized exchange of EHI and support information blocking enforcement.

2021: Rules Take Effect

Information blocking enforcement rules began for health IT providers. HHS emphasized education and voluntary alignment during the initial period.

2024: Provider Disincentives Finalized and Effective

HHS issued the final rule establishing appropriate disincentives for certain providers on July 1, 2024. Information blocking enforcement disincentives took effect July 31, 2024 for hospitals and clinicians, and January 1, 2025 for the Medicare Shared Savings Program.

2025: Crackdown Announced

HHS declared enforcement an active priority. OIG and ONC now have clear directives and resources to pursue information blocking enforcement for data violations.

The press release is the endpoint of this timeline. It signals that grace periods are over and accountability has begun.

These information blocking exceptions are critical for understanding enforcement.

The Eight Information Blocking Exceptions

HHS recognizes eight information blocking exceptions that balance patient access with privacy, safety, and technical feasibility. The September 2025 announcement emphasized that these exceptions are narrow and central to information blocking enforcement. 

Every use must be justified with documentation that shows why it applied.

Preventing Harm

Providers may restrict access if releasing information could cause harm. For example, withholding psychiatric notes during an acute crisis may protect the patient. Preventing information blocking enforcement requires proof that the decision was clinically necessary and time-bound.

Privacy

Patients may request restrictions, and providers must comply with privacy laws. A patient might choose to block sensitive reproductive health data from portal access. Regulators will not accept vague claims of privacy concerns as reasons for delay.

Security

Access may be limited to protect against cybersecurity threats. Suspending connections during a ransomware attack is appropriate, and access should be restored promptly once risk subsides. Organizations should record the risk that prompted the restriction and the timing of restoration.

Infeasibility

This exception applies in rare cases where fulfilling a request is impossible, such as during a natural disaster that disrupts infrastructure. Outdated systems or staffing shortages do not qualify. Regulators will expect a resilience plan rather than recurring reliance on infeasibility.

Health IT Performance

Temporary downtime for maintenance or upgrades is permitted. Leaders should ensure outages are brief, communicated, and well documented. Extended or repeated downtime will attract scrutiny.

Content and Manner

If full compliance is technically impossible, data may be provided in an alternative format. Delivering PDFs instead of API access may be acceptable for a short period while the organization resolves a technical barrier. Routine reliance on less functional formats raises enforcement risk.

Fees

Organizations may charge reasonable, cost-based fees. Excessive or discriminatory charges for API access can be treated as blocking. Transparency in fee structure supports compliance.

Licensing

Developers may require licensing terms to protect intellectual property, but those terms must be fair and nondiscriminatory. Licensing that delays or restricts practical access risks enforcement.

For leaders, the message is clear. Exceptions are safeguards that protect patients and systems in specific conditions. Each requires evidence that the organization used the exception appropriately and restored access as soon as conditions allowed. ChartRequest’s automated documentation helps ensure consistent application and defensibility during audits.

Penalties and Disincentives in Information Blocking Enforcement

The September 2025 press release made information blocking enforcement a priority. ASTP/ONC and OIG were identified as the lead information blocking enforcement partners. Both developers and providers face financial and reputational consequences. 

According to ONC’s public enforcement guidance, OIG will prioritize cases involving patient harm, significant impact on a provider’s ability to deliver care, or patterns that broadly impede access.

Developers, HINs, and HIEs

  • OIG may impose civil monetary penalties of up to one million dollars per violation.
  • ONC can decertify noncompliant products, removing them from the certification program and market.
  • Vendors are expected to demonstrate compliance throughout the certification lifecycle, including between renewals.

Providers

  • Reduced Medicare reimbursements create an immediate financial impact.
  • Negative MIPS adjustments lower quality scores and affect payer negotiations.
  • Exclusion from the Medicare Shared Savings Program can eliminate revenue streams.

Early information blocking enforcement cases will likely be publicized to establish examples. Organizations that are unprepared may face lasting reputational harm in addition to financial penalties.

ChartRequest helps organizations reduce this risk by standardizing release processes, automating delivery, and maintaining complete audit trails. These capabilities demonstrate compliance and protect against the penalties regulators have prioritized.

Preview of a white paper about HIPAA compliance. Click to access the white paper.
Learn about the latest regulations and stay compliant during the release of information.

Industry Challenges and Pushback

Healthcare leaders acknowledge that compliance is difficult, yet regulators have stated these challenges do not excuse failures under information blocking enforcement.

Common Challenges

  • Legacy EHR systems that cannot easily support modern APIs.
  • Staffing and resource shortages, especially in smaller and rural organizations.
  • Complex privacy requirements across federal and state laws.
  • High implementation costs for upgrades and staff training.
  • Heavy administrative burden on compliance and HIM teams.

Why Challenges Will Not Delay Enforcement

The September 2025 press release emphasized active enforcement and centered patient rights. It did not enumerate operational barriers or create new allowances.

Analyses following the announcement highlight three practical implications for leaders:

  • Operational hurdles are not treated as valid reasons for blocking.
  • Providers and developers are expected to adopt solutions that enable timely access.
  • Enforcement will continue despite industry objections or resource constraints.

For leaders, the takeaway is direct. Acknowledge the burden, invest in fixes, and ensure teams can deliver timely access with defensible documentation to prepare for information blocking enforcement.

ChartRequest helps organizations move beyond these challenges by automating requests, streamlining processes, and producing audit-ready documentation. These capabilities allow leaders to demonstrate progress and reduce exposure.

How to Assess Your Risk for Information Blocking Enforcement

The crackdown makes risk assessment a high-priority responsibility. Leaders should evaluate where their organizations are most exposed and how to produce proof of compliance that can withstand information blocking enforcement scrutiny.

Exposure Areas

  • Record delivery timelines that regularly exceed required deadlines.
  • Exceptions applied inconsistently or without documentation.
  • Fee structures that appear inflated or lack transparency.
  • Manual workflows that create errors and bottlenecks.
  • Limited visibility into compliance performance across departments.

Actions for Executives

  • Order a cross-departmental compliance audit involving HIM, IT, and legal.
  • Review exception logs for consistency and evidence.
  • Test real-world performance by tracking a sample of requests from start to finish.
  • Benchmark turnaround times against federal deadlines and internal goals.
  • Engage external partners if internal fixes are insufficient or slow.

Proof for Regulators

Intent is not enough. Regulators expect evidence that compliance is happening in practice. ChartRequest provides:

  • Real-time dashboards to track request status and turnaround.
  • Automated exception documentation that creates a consistent and defensible record.
  • Audit-ready reports that can be shared directly with investigators.

The crackdown is designed to uncover weak points. Organizations that build visibility and proof into daily operations will be best positioned to prevent issues and information blocking enforcement.

Broader Implications of Information Blocking Enforcement

The crackdown is more than a compliance exercise. It signals a cultural and operational shift across healthcare.

Patients

  • Faster and more reliable access to their records.
  • Lower costs through reduced duplication of tests and procedures.
  • Confidence that their rights under the Cures Act are protected.

Providers

  • A direct opportunity to build trust by demonstrating transparency and responsiveness.
  • Competitive advantage through efficient and compliant operations.
  • Risk of information blocking enforcement penalties and reputational harm if outdated workflows persist.

Industry

  • Interoperability becomes a baseline expectation for care delivery.
  • Vendors and providers are measured by their ability to share information securely and efficiently.
  • Enforcement actions will set benchmarks that guide future practices.

ChartRequest partners see these benefits daily, reducing turnaround times and improving patient satisfaction while aligning with federal priorities.

Looking Ahead After the HHS Announcement

The September 2025 crackdown is the beginning of active enforcement, and further developments are likely over the next several years.

Expansion of Enforcement

OIG is expected to prioritize high-impact information blocking cases for enforcement first, especially those involving systemic barriers or broad patient impact. Once precedents are established, information blocking enforcement may broaden to include smaller organizations that demonstrate similar patterns.

Greater CMS Integration

CMS may expand information blocking enforcement disincentives beyond MIPS and the Shared Savings Program to additional reimbursement models. Future rulemaking could tie compliance more tightly to value-based care initiatives, which raises financial stakes across a wider set of programs.

State-Level Enforcement

States are monitoring federal actions closely. Some may introduce their own information blocking enforcement systems for obstructing access. Multi-state systems should plan for a patchwork of expectations and coordinate policies accordingly.

Rising Patient Expectations

Patients who see enforcement headlines will expect seamless access. Meeting the letter of the law will not satisfy those expectations. Providers that deliver a clear, quick, and convenient release process will stand out.

ChartRequest clients are preparing for this future now. With automation, interoperability, and defensible documentation, they are positioned to thrive as enforcement intensifies and patient expectations grow.

ChartRequest Simplifies Compliance

The September 2025 HHS crackdown ends any ambiguity around information blocking enforcement. OIG and ONC are enforcing patient access rights with seriousness and resources. For executives, the question is how prepared their organizations are when inquiries begin.

ChartRequest helps healthcare organizations align with information blocking enforcement priorities through automation, transparency, and audit-ready workflows. By reducing turnaround times, centralizing requests, and documenting exceptions, ChartRequest enables providers to simplify health information management while delivering a better patient experience.

Schedule a demo today to see how ChartRequest can help your organization reduce compliance risk, protect revenue, and stay ahead of information blocking enforcement.

Facebook
Twitter
LinkedIn
Stay Updated
Find out the latest news and tips in our newsletter.
100% Privacy. No spam guaranteed.
Recent Posts