On September 3, 2025, the US Department of Health and Human Services (HHS) announced that Secretary Robert F. Kennedy, Jr. has directed the agency to increase resources dedicated to curbing the practice of information blocking. HHS will take active enforcement against entities that interfere with patients’ access to, exchange of, or use of electronic health information (EHI).
The 21st Century Cures Act of 2016 authorized the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) and HHS Office of Inspector General (OIG) to take enforcement actions to hold those who block patient information accountable and to prevent future violations. ASTP/ONC, the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology, and the OIG, the primary investigative division of HHS, will play leading roles in this initiative.
Many patients rely on access to their health information, directly, through their providers or through the use of health apps, to monitor chronic conditions, follow treatment plans, identify potential errors in their health records, and to track their progress in wellness and disease management programs. The Health Insurance Portability and Accountability Act (HIPAA) provides important protections around patients’ rights to access their health information, which intersect with the requirements under the 21st Century Cures Act.
“Patients must have unfettered access to their health information as guaranteed by law. Providers and certain health IT entities have a legal duty to ensure that information flows where and when it’s needed,” said Acting Inspector General Juliet T. Hodgkins. “HHS-OIG will deploy all available authorities to investigate and hold violators accountable. We are committed to enforcing the law and protecting patients’ access to health information.”
The ONC Cures Act Final Rule, which sought to improve health information access and health IT choice, maintains that (1) patients should have easy electronic access to their EHI at no cost, including via apps of their choice; and that (2) healthcare providers should be able to choose the digital tools that allow them to provide the best care, without excessive costs or technical barriers.
The press release outlines possible consequences for entities found to have committed information blocking:
- Healthcare providers participating in certain Centers for Medicare & Medicaid Services (CMS) programs could be subject to disincentives under those programs.
- Health IT developers of certified health IT, health information networks, and health information exchanges may face civil monetary penalties of up to $1 million per violation.
- Developers with certified products under the ONC Health IT Certification Program could lose their certification and be excluded from the program.
More information can be found at healthit.gov/informationblocking and via ASTP/ONC’s X account, @HHS_TechPolicy.
The press release can be accessed here.
Compliance Perspective
Issue
HHS has announced increased enforcement against information blocking. Entities that interfere with the access, exchange, or use of EHI may now face disincentives or civil monetary penalties, depending on their role. These actions build on the 21st Century Cures Act and the ONC Cures Act Final Rule, which require that patients be provided no-cost, easy, and timely access to their EHI, including through apps of their choice. The rule also defines information blocking and includes regulatory exceptions that identify when limitations on access, exchange, or use of EHI may be permitted. Facilities must ensure that their practices align with these requirements, as federal oversight becomes more active.
Discussion Points
- Review and update policies and procedures to ensure compliance with the Cures Act requirements for secure access, exchange, and use of EHI. Consider working with a knowledgeable consultant to evaluate whether current practices align with regulatory expectations, including the appropriate use of permitted exceptions to information blocking.
- Provide training for staff responsible for responding to medical record requests, with a focus on the HIPAA right of access, the definition of information blocking, applicable exceptions, and the importance of timely and secure access to EHI. Med-Net Academy offers the course HIPAA Right of Access and the Cures Act, which covers the access rights under HIPAA, information blocking and its eight exceptions, verification of requester identity, allowable fees, denial criteria, and how to navigate state laws that may differ from HIPAA requirements.
- Conduct periodic audits to verify that staff are following internal policies related to access and disclosure of EHI. If needed, a consultant can assist in performing a focused or modified audit to assess specific compliance risks or address areas identified through QAPI. Audit findings should be reported to the facility’s QAPI/QAA Committee, and corrective actions documented as appropriate.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*