Information blocking is any practice that interferes with the access, exchange, or use of electronic health information, unless it falls under a recognized exception. The term comes from federal law, specifically the 21st Century Cures Act passed in 2016, which made information blocking illegal for certain organizations and individuals in healthcare. The goal is straightforward: your health data should flow freely between the providers, systems, and platforms that need it, and no one should be putting up unnecessary barriers.
Who the Rule Applies To
Three categories of “actors” are regulated under the Cures Act. The first and broadest category is healthcare providers, which covers hospitals, clinics, physicians, pharmacies, laboratories, nursing facilities, surgical centers, mental health centers, rural health clinics, and essentially every type of clinical entity you might encounter. If an organization delivers or supports healthcare, it almost certainly qualifies.
The second category is health information networks and health information exchanges. These are the organizations that serve as intermediaries, setting the rules and running the infrastructure that lets different healthcare entities share data electronically. Think of them as the highways connecting separate medical record systems.
The third category is health IT developers of certified technology. These are the companies that build and sell electronic health record systems and other certified health software. If a company has products certified under the federal health IT certification program, it’s subject to the information blocking rules. A provider that builds its own internal system solely for its own use does not fall into this category.
What Information Blocking Looks Like in Practice
The rule targets any practice “likely to interfere” with the access, exchange, or use of electronic health information. That language is intentionally broad, covering both deliberate obstruction and policies that have the effect of blocking data flow even if that wasn’t the intent.
Common examples include charging unreasonable fees to share patient records electronically, using technical designs that make it unnecessarily difficult for other systems to connect, requiring patients to pick up records in person when electronic delivery is feasible, restricting how data can be used after it’s been shared, and delaying responses to data requests without a legitimate reason. A hospital that refuses to send records to a competing health system, or an EHR vendor that locks patient data behind proprietary formats, could both be engaging in information blocking.
The scope of data covered has expanded over time. The federal standard for what counts as shareable health data is the United States Core Data for Interoperability (USCDI), a standardized set of data categories maintained by ONC. The USCDI has gone through multiple versions (currently up to version 6, with version 7 in draft), each adding new types of clinical data that systems are expected to support.
Eight Exceptions to the Rule
Not every restriction on data sharing counts as information blocking. The regulations include eight specific exceptions that protect legitimate reasons for limiting access. Five of these cover situations where an actor doesn’t fulfill a request at all:
- Preventing Harm: Withholding data when sharing it poses a substantial risk of physical harm to a patient or another person.
- Privacy: Respecting a patient’s privacy preferences or complying with state or federal privacy laws that restrict certain disclosures.
- Security: Protecting systems and data from cybersecurity threats, provided the security practices are tailored and not used as a blanket excuse.
- Infeasibility: Situations where fulfilling a request is genuinely not possible due to technical limitations, resource constraints, or factors outside the actor’s control.
- Health IT Performance: Temporarily limiting access to maintain or improve the performance of a health IT system, such as during scheduled maintenance.
The remaining three exceptions apply when an actor fulfills the request but places conditions on how:
- Content and Manner: Offering data in a specific format or through a specific channel, as long as reasonable alternatives are available.
- Fees: Charging fees for data access, provided the fees are reasonable, based on objective costs, and not structured to discourage sharing.
- Licensing: Requiring licenses for the use of interoperability elements like software interfaces, as long as the terms are reasonable and non-discriminatory.
Each exception has detailed conditions that must be met. Simply claiming “security” or “privacy” without meeting the specific criteria laid out in the regulation won’t protect an actor from an information blocking finding.
Penalties and Financial Consequences
Enforcement falls to two federal agencies, and the consequences differ depending on which type of actor is involved. The Office of Inspector General (OIG) at the Department of Health and Human Services investigates information blocking claims and can impose civil monetary penalties of up to $1 million per violation against health IT developers and health information networks or exchanges.
Healthcare providers face a different enforcement structure. Rather than direct fines, providers are subject to financial disincentives through existing Medicare programs. A final rule published in 2024 laid out exactly how these work across three programs:
For hospitals and critical access hospitals participating in the Medicare Promoting Interoperability Program, a finding of information blocking means the hospital loses its status as a meaningful EHR user. Eligible hospitals forfeit three-quarters of their annual market basket increase, and critical access hospitals see their reimbursement drop from 101 percent to 100 percent of reasonable costs.
For clinicians in the Merit-Based Incentive Payment System (MIPS), an information blocking determination results in a zero score on the Promoting Interoperability performance category. Since that category typically accounts for about a quarter of a clinician’s total MIPS score, the financial impact ripples through their overall Medicare payment adjustment.
For providers participating in Medicare’s Shared Savings Program through accountable care organizations, the consequences can be even more severe. An information blocking finding can result in being barred from the program for at least one year, or having an ACO’s participation agreement terminated entirely. CMS reviews each case individually, considering the specific facts before deciding which disincentive to apply.
How to Report Information Blocking
Anyone who believes they’ve encountered information blocking can file a report with the OIG. If you’ve been denied access to your own health records, told you’d need to pay excessive fees, or encountered a provider or system that seems to be deliberately restricting data exchange, the OIG accepts complaints through its reporting channels. The agency then evaluates whether the practice meets the legal definition and whether any exceptions apply before determining whether enforcement action is warranted.
The practical effect of these rules has been a gradual shift in how health data moves through the U.S. healthcare system. Patient portals now offer broader access to test results, clinical notes, and other records. EHR vendors have opened up their systems to allow more third-party connections. The barriers haven’t disappeared entirely, but the legal framework gives patients and providers a concrete standard to point to when data isn’t flowing the way it should.