When HHS Secretary Robert F. Kennedy, Jr. announced on September 3, 2025, that the Department would launch an aggressive crackdown on information blocking, it signaled a turning point in federal health IT policy. For years, patients, innovators, and providers alike have complained that electronic health information (EHI) was locked behind unnecessary barriers, whether technical, contractual, or bureaucratic. The promise of interoperability, despite billions invested since HITECH, often remained elusive.

The new directive has the potential to change the enforcement landscape dramatically. Secretary Kennedy has instructed the Office of Inspector General (OIG) and the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) to devote substantial resources to curbing the practice. The consequences are no longer hypothetical: HIEs, HINs, developers of certified health IT, and health care providers who engage in blocking risk million-dollar civil monetary penalties, termination from ONC’s certification program, and CMS disincentives under federal payment programs. In short, the “warning period” is over.

The Legal Framework

Information blocking as a concept originated in the 21st Century Cures Act, which made it unlawful for certain “Actors” to engage in practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. Three categories of Actors are covered: health care providers, developers of certified health IT, and health information networks or exchanges.

ONC’s Cures Act Final Rule in 2020 gave practical shape to the prohibition, defining what constitutes “blocking,” creating eight narrow exceptions, and clarifying who qualifies as an HIE or HIN. The exceptions, ranging from privacy and security to infeasibility, licensing, fees, and health IT performance, were meant to balance access to EHI with legitimate concerns. But the burden is squarely on the Actor to demonstrate that one of these exceptions applies, and to do so with documentation.

HIEs and HINs fall within the regulatory net whenever they determine or control the policies and technology that enable EHI exchange among more than two unaffiliated entities for treatment, payment, or healthcare operations. That captures most operational exchanges in the country. The Final Rule also made clear that while HIPAA establishes a floor for privacy protections, voluntary policies that go beyond HIPAA cannot be used to justify withholding information in ways that discriminate or create unnecessary barriers.

Until recently, the enforcement mechanism remained largely theoretical. The OIG had authority to investigate and impose civil monetary penalties up to $1 million per violation, ONC could terminate certification, and CMS could penalize providers under its payment programs. But without political priority, enforcement languished. That changed with this Administration’s announcement.

The Crackdown & Its Implications

The September 3 Press Release from HHS could not have been clearer:

Unblocking the flow of health information is critical to unleashing health IT innovation and transforming our healthcare ecosystem.

Deputy Secretary Jim O’Neill emphasized that patients, caregivers, providers, and innovators alike are harmed when health data is restricted, and Acting Inspector General Juliet Hodgkins committed to deploying “all available authorities” against violators. ONC’s Tom Keane noted that certified developers are already under review and that technical assistance is being provided to OIG to support investigations.

The very next day, on September 4, OIG and ONC issued a joint Enforcement Alert on Information Blocking reiterating their shared priorities. Information blocking, they noted, undermines patient care, jeopardizes taxpayer investments in health IT, and weakens trust in the system. Enforcement will prioritize cases where patients are harmed, where providers’ ability to deliver care is materially impaired, where practices are systemic or of long duration, or where financial loss to federal programs is evident.

The Alert also underscored that voluntary compliance now can prevent catastrophic consequences later. In other words, HIEs, HINs, providers, and developers that are currently engaging in questionable practices should move swiftly to bring them into alignment with the law, because enforcement is no longer speculative.

What the Data Tells Us

ASTP/ONC’s Information Blocking Portal has been collecting submissions since April 2021, and as of August 2025 it had logged 1,420 reports, of which 1,336 were deemed possible claims of information blocking. Patients have been the most active reporters, but claims have also come from providers, attorneys, and even developers themselves. The alleged blockers span all categories: providers, developers, HIEs/HINs, and others.

It is critical to note that these are merely allegations; logging a claim does not mean ONC or OIG has made a determination. But these reports create a pipeline of potential enforcement cases. With HHS now elevating information blocking to a top enforcement priority, many of these claims are likely to move into active investigation.

The data also confirms that patients are the most frequent complainants, often alleging difficulty in getting access to their records, or facing obstacles in using apps of their choice. This reinforces the central theme of the Administration’s announcement:

Patients must have unfettered access to their own health information, and providers and networks who interfere do so at their peril.

The Compliance Dilemma for HIEs and Providers

While the crackdown applies to all Actors, HIEs and HINs may find themselves in the most precarious position. In a previous 2020 blog post, I described this as being caught “between a block and a hard place.” That dilemma has only grown sharper under active enforcement.

Here’s the problem: both providers and HIEs are Actors under the law. Providers often want to apply conservative interpretations of privacy rules, sometimes requiring patient consent even when HIPAA would permit disclosure without it. Historically, HIPAA allowed this. A provider could “go above the floor” and voluntarily adopt stricter policies. But under the Cures Act, these voluntary restrictions may now look like information blocking.

When an HIE is the provider’s business associate, it may be contractually bound through a Business Associate Agreement (BAA) to follow the provider’s stricter policy. Yet if doing so interferes with the lawful exchange of information, the HIE risks a million-dollar civil penalty. If it disregards the provider’s restriction, it may breach the BAA and the provider relationship. Either way, the HIE is exposed.

Consider a provider who insists on patient consent for every disclosure, including treatment disclosures permitted under HIPAA. Another provider requests data through the HIE, but the HIE denies the request because no consent is on file. From the provider’s perspective, this protects privacy. From OIG’s perspective, it may look like information blocking. The HIE is stuck in the middle.

HIPAA requires that the BAA between a covered entity (i.e., health care provider) and a business associate (i.e., an HIE/HIN) establish the permitted and required uses and disclosures of protected health information by the business associate (see 45 CFR 164.504(e)(2)(i)). Therefore, if a use or disclosure would be required under the ONC final rule on information blocking, it should be established in the HIPAA BAA. Additionally, in many instances, covered entity health care providers have purposefully drafted in restrictions on how an HIE/HIN may share their PHI, even when such sharing would otherwise be permitted under HIPAA. Such restrictions may now need to be revisited even if ONC has not specifically required HIPAA BAAs to be revised to align with its final rule on information blocking.

In the Preamble to the final rule, ONC states:

While the information blocking provision does not require actors to violate these agreements, a BAA or its associated service level agreements must not be used in a discriminatory manner by an actor to forbid or limit disclosures that otherwise would be permitted by the Privacy Rule.

Therefore, by getting a head start on reviewing the uses and disclosures of PHI established in their HIPAA BAAs and current information sharing practices, health care providers and their HIEs/HINs can potentially be better prepared for situations in the future where one party (i.e., the health care provider) believes that an IBR Exception applies (e.g., Privacy or Security) but the other party (i.e., the HIE/HIN) disagrees.

Enforcement Priorities and Practical Risks

The enforcement priorities laid out by this Administration should guide compliance strategies. Practices that cause patient harm, whether by delaying critical records during a care transition or by impeding chronic disease management, are at the top of the list.

Systemic practices, such as imposing high fees for data exchange or using proprietary interfaces to lock out competitors, are equally high-risk. And because financial stewardship of federal programs is always a focus, any blocking that leads to cost overruns, delayed claims, or undermined value-based care initiatives will draw scrutiny.

For HIEs, the risk is not abstract. A single systemic policy, say, refusing to transmit EHI without a consent form across the board, could generate multiple violations, each carrying a $1 million penalty. For developers, certification termination could mean exclusion from the market. For providers, CMS disincentives could reduce reimbursement streams in an era when margins are already thin.

On July 1, 2024, HHS finalized a Final Rule establishing monetary disincentives for certain providers that commit information blocking as determined by OIG. These disincentives tie directly into CMS programs:

  • hospitals may lose credit in the Medicare Promoting Interoperability Program,
  • clinicians may see reduced scores in MIPS, and
  • accountable care organizations risk exclusion or penalties in the Medicare Shared Savings Program.

Notably, not every provider type is currently covered, but for those that are, the financial consequences are significant. The rule reflects HHS’s intent to ensure that the prohibition against blocking carries weight not just for developers and exchanges, but also for providers themselves.

Charting a Path Forward

The crackdown demands a comprehensive response. For HIEs and HINs, the first step is a thorough review of governance frameworks, BAAs, participation agreements, and privacy policies. Over-restrictive clauses that once seemed prudent may now constitute a risk. Alignment with ONC’s definitions and exceptions is essential.

Operational readiness is equally important. Organizations should establish clear workflows for invoking exceptions such as privacy or security, ensuring documentation of decision-making. Training must be provided to staff and participants so they understand when withholding EHI is permitted and when it is not. Internal reporting systems should be in place to capture potential blocking issues before they escalate to external complaints.

On the technology side, exchanges and providers should verify that patient access is friction-free, cost-free, and consistent with the ONC rule. APIs and apps of the patient’s choice must be supported without unnecessary hurdles. Audit trails should be maintained to defend against allegations, demonstrating that decisions were made in compliance with the law.

Perhaps most importantly, this is a cultural shift. For decades, health care institutions have operated from a position of controlling information. The Cures Act, and now its active enforcement, demands the opposite: enabling information to flow wherever and whenever it is needed. Those who embrace this shift will reduce compliance risk and unlock new opportunities in innovation, patient engagement, and value-based care.

Conclusion

The implications of the September 3rd announcement are clear: HIEs, HINs, developers, and providers should carefully review their agreements, governance structures, and operational practices in light of heightened enforcement expectations. While the risks of inaction are significant (financial penalties, certification risks, and reduced reimbursement), the transition also presents an opportunity to align policies with evolving federal standards and strengthen trust in interoperability. The period of largely voluntary compliance is giving way to one of closer oversight and accountability, and organizations that prepare now will be better positioned to navigate this new environment.