Client Alert: US DHHS Issues “Information Blocking” Warning
CLIENT ALERT
September 4 Alert Signals Aggressive Intensification of Enforcement
By Attorney Andrew Eills
With the enactment of the 21st Century Cures Act in 2016, health care providers, along with health IT developers of “certified health IT” and health information exchanges/networks, became subject to penalties under the Cures Act’s “information blocking” provisions.
Parties subject or potentially subject to the information blocking prohibitions should take notice of the Department of Health and Human Services ‘ (HHS) latest Enforcement Alert.
In basic terms, “information blocking” is an illegal practice by a health care provider, a developer of health IT, or a health information network to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI). In short, the Cures Act’s aim is to unleash the full potential and power of shared and transferable electronic health information – between patients, providers, health IT developers, and health information exchanges – to buttress coordinated and safer care and to promote the sharing of medical data in a variety of areas.
Under the Cures Act, engaging in “information blocking” may result in significant civil monetary penalties (CMPs) of up to $1million per violation. In addition, HHS has enacted regulatory guidance to incentivize the exchange of EHI and to discourage “actors” from “blocking” EHI that otherwise could be employed to accomplish the Cures Act’s objectives.
In June 2024 HHS, through its agencies – the Office of Inspector General (OIG) and the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) – issued a formal “Disincentive Final Rule” that added additional tools to the enforcement toolbox. Specifically, violations by an otherwise eligible hospital may result in a reduction of .75 percent – a significant decrease – in the hospital’s CMS healthcare payment rates (also known as the “annual market basket update”). For their part, critical access hospitals in violation may see their payment reduced by a full percentage point.
The 2024 Disincentive Final Rule addresses, as well, clinicians participating in the Merit-based Incentive Payment System (MIPS). As part of the “disincentive” to engage in or overlook information blocking, clinicians found to have violated the Cures Act will not be considered “meaningful users “ of certified EHI technology. As a result, they receive a “zero score” under the MIPS program and thus can lose their eligibility for merit-based incentive payments. Finally, the Disincentive Final Rule targets Accountable Care Organizations, ACO participants, and ACO providers. A finding that an ACO participant has engaged in information blocking may result in exclusion from CMS’ Shared Savings Program, and thus the loss of significant revenue.
Despite, however, the CMPs set forth in the Cures Act, and notwithstanding the Disincentive Final Rule issued last year, complaints concerning information blocking and its perceived negative effects appear to have continued. In response, policy makers believe additional action is essential. Because a stated priority of the Secretary of HHS is to stimulate “friction-free” sharing of EHI, on September 4, 2025, he directed the OIG and ASTP/ONC to issue an Enforcement Alert to entities and individuals subject to the Cures Act and its information blocking rules. The Enforcement Alert reiterates both the enforcement mechanisms available to the OIG and the penalties it may impose. While HHS “Enforcement Alerts” are not unheard of, they are rare enough that parties subject to them should take notice. This Enforcement Alert is no exception and is a clear signal that the OIG will prioritize its regulatory oversight of activities that may be considered information blocking and aggressively enforce the information blocking rules.
As a result, health IT developers of certified health IT, health information networks, and health providers should evaluate their practices to ensure compliance. As the Enforcement Alert reminds us, the “statutory and regulatory framework is in place, and enforcement is active.”[1]
[1] https://www.healthit.gov/topic/information-blocking/enforcement-alert, last visited September 4, 2025.
Andrew Eills is a member of Sheehan Phinney’s Healthcare Practice Group where his practice encompasses contracts, mergers and acquisitions, and other transactional matters, federal and state regulatory issues, and corporate and non-profit governance.
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.