What Is Information Blocking and How Is It Enforced in Healthcare?

Information blocking is a practice likely to interfere with the access, exchange, or use of electronic health information unless required by law or covered by an exception. It applies to healthcare providers, health IT developers of certified health IT, health information exchanges, and health information networks. In practice, it often shows up as an operations problem: exports that are harder than they should be, request workflows with no clear ownership, vendor terms that make portability painful, or release processes that force staff to reconstruct status from emails and phone calls.

HHS raised the stakes in its September 2025 crackdown on health data blocking. ASTP and OIG followed with an enforcement alert stating that enforcement is active and intensifying.

According to ASTP’s claims data, 1,631 portal submissions and 1,542 possible claims of information blocking were received from April 5, 2021, to March 31, 2026. This is no longer a theoretical compliance issue for future planning. It is part of the current operating environment.

Key Takeaways

• Information blocking is a practice likely to interfere with the access, exchange, or use of electronic health information unless a law requires it or an exception applies.
• Enforcement is active across ASTP, OIG, and CMS, with different consequence pathways depending on the actor involved.
• For healthcare IT leaders, information blocking risk often shows up in ordinary workflow design: export friction, weak status visibility, inconsistent intake, vendor lock-in, and poor auditability.

What Is Information Blocking in Healthcare?

According to ASTP’s information blocking overview, information blocking is a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information, except as required by law or specified in an exception. The law applies to healthcare providers, health IT developers of certified health IT, health information exchanges, and health information networks. That definition matters because many risky barriers do not start as explicit refusals. They start as ordinary workflow choices that pile up over time.

This topic belongs in day-to-day IT and HIM operations, not just in policy memos. Our healthcare interoperability guide explains the broader exchange problem, while interoperability benefits in release of information shows why status visibility, consistent intake, and cleaner fulfillment matter in the last mile of exchange. If legitimate access depends on inboxes, spreadsheets, or one-off follow-up, the organization may be creating avoidable friction even if no one intended to block data.

Who Enforces Information Blocking in Healthcare?

Enforcement is split across three agencies:

• ASTP administers the broader framework and maintains the information blocking rules and guidance
• OIG investigates claims of possible information blocking and can impose civil monetary penalties of up to $1 million per violation on health IT developers of certified health IT, entities offering certified health IT, health information exchanges, and health information networks
• CMS applies disincentives to certain Medicare-participating providers rather than imposing OIG civil monetary penalties directly.

Providers face a different consequence structure than a simple fine. The 2024 final rule established disincentives for certain Medicare-enrolled provider categories, including eligible hospitals and critical access hospitals in the Medicare Promoting Interoperability Program, MIPS eligible clinicians, and certain Medicare Shared Savings Program participants.

How Is Information Blocking Enforced in Practice?

According to ASTP’s claims data, 1,631 portal submissions and 1,542 possible claims of information blocking were received from April 5, 2021, to March 31, 2026. ASTP makes clear that a logged claim does not mean an investigation has begun or that a violation has been established. A complaint, an investigation, and an enforcement outcome are not the same thing.

What changed in 2025 and 2026 is the posture. The enforcement alert says the agencies are intensifying enforcement activity and prioritizing cases involving patient harm, significant impairment of a provider’s ability to deliver care, long duration, or financial loss to federal health care programs or other government or private entities.

That framing matters because it ties information blocking to operational consequences, not just legal definitions. A slow export process or a vendor-controlled bottleneck is easier to dismiss when it looks like an inconvenience. It becomes much harder to dismiss when it delays care, disrupts access, or creates measurable downstream costs.

That shift has practical consequences for day-to-day operations. Our information blocking enforcement coverage connects the federal posture to release and exchange workflows that healthcare teams manage every day. The strongest takeaway is simple: weak exchange processes now carry more visible compliance risk. If teams cannot show what happened to a request, who touched it, why it stalled, and what was ultimately sent, they are in a weaker position than they may realize.

Where Does Information Blocking Risk Show Up in Daily Operations?

Information blocking risk often arises from the gap between written policy and actual execution when practices rely on outdated systems like fax.

On paper, the organization supports exchange. In practice, intake is inconsistent, fulfillment occurs across disconnected systems, requestors call for updates because nobody can see the status, and staff piece together a request’s history from email threads, vendor portals, and notes.

That is not just inefficient. It is exactly the kind of friction that makes an exchange environment harder to defend.

Our analysis of medical records status update calls is useful here because it shows how poor visibility creates preventable follow-up work and pushes staff into reactive communication. In an information blocking discussion, that kind of visibility gap is often an early signal that the workflow is harder to operate, audit, and defend than it should be.

How Does TEFCA Relate to Information Blocking?

TEFCA is not the same thing as information blocking enforcement, and it is not mandatory for every organization. But it still matters because it is raising expectations for exchange maturity. As of March 2026, TEFCA’s map search shows more than 80,000 Participant and Subparticipant locations. That gives healthcare IT leaders a concrete signal that nationwide exchange expectations are becoming more operational, visible, and standardized.

As exchange becomes more standardized and more visible, it becomes harder to defend workflows that still depend on manual workarounds, fragmented tools, or proprietary bottlenecks. Our TEFCA explainer translates that framework into practical exchange-readiness questions for healthcare teams.

Why Do Auditability and Visibility Matter So Much?

When regulators, auditors, or executives ask whether a workflow created an unnecessary barrier, policy language is not enough. Organizations need proof. They need to show who handled the request, when it moved, what was released, what delay or exception was documented, and where the process stalled. That is why auditability is not a secondary issue here. It is central to defensibility.

The operational standard is straightforward: structured workflows, centralized tracking, and usable logs make it easier to prove that requests were handled consistently. Our HIPAA audit checklist guide and release of information operations page both support that point. Better visibility is not just good HIPAA hygiene. It is also the kind of evidence that matters when an organization needs to show that friction points were identified, documented, and remediated instead of ignored.

What Should Healthcare IT Directors Do Now?

Start with the real exchange environment, not the idealized one. Inventory every system and workflow that stores, transmits, exports, or fulfills electronic health information. Then map the points where legitimate access becomes slow, manual, opaque, or vendor-dependent. For many organizations, the weak spot is not the core EHR alone. It is the release and retrieval layer around it. That is where standardized intake, consistent routing, status visibility, and audit-ready fulfillment matter most.

Then review contracts with a compliance lens, not just a purchasing lens. Portability rights, implementation support, transition assistance, and access to request history matter more in an enforcement environment. Finally, treat status visibility as a control, not a convenience. When requestors and staff can see where work stands, organizations reduce follow-up, reduce improvisation, and make it easier to prove what happened.

How Does ChartRequest Reduce Information Blocking Risk?

The organizations best positioned in this enforcement environment are the ones that can show how data moves, where friction exists, and how avoidable barriers are being reduced over time. That requires a release and retrieval process built around structured intake, centralized tracking, real-time status visibility, and audit-ready fulfillment records.

ChartRequest is built for that. Our release of information platform delivers:

• 5-day average turnaround time guarantee for requests we fulfill, so requestors get records faster and staff spend less time fielding status calls
• Full lifecycle management from intake through delivery, with centralized tracking and real-time status visibility
• Request-level audit trails that show who handled each request, when it moved, and what was released
• SOC 2 Type II audited controls and a HIPAA-aligned security posture, so the compliance infrastructure behind the workflow is as defensible as the workflow itself

When a regulator or compliance team asks whether a workflow created unnecessary barriers to authorized access, ChartRequest gives your team something concrete to point to: consistent intake, documented exceptions, and a defensible record of every disclosure.

If your release environment still depends on fragmented, manual, or vendor-locked processes, ChartRequest closes that gap. Schedule a consultation to see how we can help your practice stay compliant with information blocking rules.

Frequently Asked Questions