Information blocking enforcement is no longer theoretical. The HHS Office of Inspector General is actively investigating complaints, imposing civil monetary penalties, and publishing enforcement actions. For health IT developers, health information networks, and healthcare providers, understanding what constitutes information blocking — and what doesn’t — is now an operational necessity, not just a compliance checkbox.
Our experts are ready to understand your business goals.
Under the 21st Century Cures Act, information blocking is a practice by a health IT developer of certified health IT, a health information network/exchange, or a healthcare provider that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI) — except as required by law or covered by a regulatory exception.
The definition is deliberately broad. It covers not just outright refusal to share data, but any practice that creates unreasonable barriers — technical restrictions, excessive fees, unnecessary delays, restrictive licensing terms, or organizational policies that limit data access without meeting an exception’s requirements.
Who it applies to:
Not every restriction on data access is information blocking. ONC defined eight exceptions that, when their conditions are fully met, protect actors from information blocking liability:
Allows restricting access when there is a reasonable belief that sharing would endanger a patient’s life or physical safety. Requires individualized assessment — blanket policies restricting access to entire data categories (like behavioral health notes) don’t qualify. Must use a consistent, organizational harm determination process.
Allows restricting access to comply with federal or state privacy laws — HIPAA, 42 CFR Part 2, state health data privacy laws. Also allows respecting an individual’s privacy preferences not to share data. The restriction must be narrowly tailored — don’t block more data than the privacy law requires.
Allows restricting access to protect the security of EHI — encryption requirements, authentication controls, network security measures. Security practices must be tailored, directly related to protecting EHI, and consistent with applicable security standards. Using “security” as a blanket justification for restricting API access without specific, documented security rationale doesn’t qualify.
Allows declining to fulfill a request when it is technically infeasible — the data doesn’t exist, the system can’t produce the requested format, or the request would require developing entirely new functionality. Cannot be used to avoid building capabilities you’re required to have under ONC certification.
Allows temporary restrictions during maintenance windows, system upgrades, and performance degradation events. Must be for a limited time, applied consistently, and not used as a pretext for ongoing access restrictions.
Allows charging reasonable fees for data access — but fees must be based on actual costs, non-discriminatory, and transparent. Fees that are designed to discourage access rather than recover costs may constitute information blocking.
Allows applying reasonable licensing terms to interoperability elements (APIs, data formats, interfaces). Licensing terms must be non-discriminatory, reasonable, and based on objective criteria. Licensing designed to restrict competition or lock in customers may constitute information blocking.
ONC investigates complaints and refers substantiated violations to the HHS OIG. The OIG can impose civil monetary penalties of up to $1,000,000 per violation. Each discrete practice that constitutes information blocking can be treated as a separate violation. The OIG considers the nature and extent of the blocking, the harm caused, the history of prior violations, and the actor’s financial condition when determining penalties.
Provider enforcement follows a different path — through existing CMS authorities. Non-compliance may affect conditions of participation in Medicare/Medicaid, result in referral to appropriate federal agencies, and impact participation in CMS quality programs. Civil monetary penalties for providers may be established through future rulemaking.
Anyone can file an information blocking complaint with ONC — patients, providers, developers, or other stakeholders. ONC reviews complaints, investigates, and determines whether the practice constitutes information blocking. Substantiated complaints against developers/HINs/HIEs are referred to OIG for penalty determination.
Audit your data access practices. Review every point where your organization restricts, limits, or conditions access to EHI — API rate limits, app onboarding processes, data export limitations, fee structures, licensing terms, and organizational policies. For each restriction, map it to a specific exception and document how the exception’s conditions are met.
Ensure FHIR API completeness. Incomplete FHIR implementations — missing resource types, unsupported search parameters, limited data scope — can constitute information blocking if they prevent access to EHI. Verify your API exposes all USCDI data classes and handles standard FHIR interactions correctly.
EHI export must be comprehensive. The EHI export capability must include all electronic health information your system maintains — not just USCDI data classes. Custom fields, proprietary data types, and non-standard data that constitutes EHI must be exportable.
App onboarding must be reasonable. If third-party SMART on FHIR apps experience unreasonable delays, excessive documentation requirements, or opaque approval criteria when attempting to connect to your system, this may constitute information blocking. Document your app onboarding process, set reasonable timelines, and apply criteria consistently.
API documentation must be public. Service base URLs, developer documentation, app registration instructions, and API gateway policies must be publicly accessible without requiring NDAs or sign-ups.
Train your organization. Information blocking isn’t just a technology issue — it’s an organizational practice issue. Clinical staff who refuse to share records, administrative policies that restrict data release beyond what HIPAA requires, and IT practices that limit API access without documented justification all create liability. Train staff across departments.
Policy and governance:
At Taction, our team helps health IT developers, HIEs, and healthcare organizations build information blocking compliance into their technology and operational practices.
What we do:
Your email address will not be published. Required fields are marked *
Our expert reaches out shortly after receiving your request and analyzing your requirements.
If needed, we sign an NDA to protect your privacy.
We request additional information to better understand and analyze your project.
We schedule a call to discuss your project, goals. and priorities, and provide preliminary feedback.
If you're satisfied, we finalize the agreement and start your project.