Info Blocking Explained: What It Is, Exceptions, Penalties, and How to Comply
Definition of Information Blocking
Information blocking is any practice by an “actor” that is likely to interfere with the access, exchange, or use of Electronic Health Information (EHI), unless the practice is required by law or fits a regulatory exception. Actors include healthcare providers, Health IT Certified Developers (developers of certified health IT), and Health Information Networks or exchanges.
The knowledge standard differs by actor. Health IT Certified Developers and Health Information Networks are liable if they know, or should know, a practice is likely to interfere with information sharing. Healthcare providers are liable when they know the practice is unreasonable and likely to interfere with EHI access, exchange, or use.
EHI generally means electronic protected health information in a HIPAA designated record set, such as clinical notes, test results, problem lists, medications, allergies, imaging reports, and billing records. The Office of the National Coordinator (ONC) oversees the policy framework and clarifies terms through rulemaking and guidance.
Information Blocking Exceptions
Exceptions define reasonable and necessary activities that, when all conditions are met, are not treated as information blocking. Document decisions carefully, apply them consistently, and keep evidence of how you satisfied the conditions.
Preventing Harm
Temporarily limiting EHI to avert a substantial risk of harm to a patient or another person, when the restriction is no broader or longer than necessary and decision-making is documented.
Privacy
Withholding EHI to protect an individual’s privacy when legal preconditions (like consent) are unmet, when an individual requests a restriction, or—if you are a developer not covered by HIPAA—when your disclosed, consistent privacy policies justify it.
Security
Practices that reasonably and directly protect the confidentiality, integrity, and availability of EHI (for example, temporarily blocking a suspicious app) if they are tailored to the risk and applied in a non-discriminatory way.
Infeasibility
Denying a request that truly cannot be met, including when: uncontrollable events prevent fulfillment; requested data cannot be segmented from restricted EHI; a third party seeks to modify EHI and lacks appropriate status; or you have exhausted the Manner Exception. When used, provide the requestor a written explanation within 10 business days.
Health IT Performance
Temporary, necessary downtime or throttling to maintain or improve system performance, implemented consistently and for no longer than needed.
Protecting Care Access
Narrow practices that reduce potential exposure to legal action while safeguarding access to lawful care (for example, certain reproductive health scenarios), when all conditions are met and applied consistently.
Manner (formerly “Content and Manner”)
Fulfilling a request in an alternative, feasible manner when the specific manner requested is not technically possible or agreeable. You must offer acceptable alternatives and avoid discriminatory terms. (The prior “Content” limitation ended on October 6, 2022.)
Fees
Charging reasonable, cost-based fees related to access, exchange, or use of EHI. Profit- or competition-protecting fees, or fees that discriminate among similarly situated requestors, do not qualify.
Licensing
Licensing interoperability elements (such as APIs or schemas) on reasonable and non-discriminatory terms, with transparent processes.
TEFCA Manner Exception
When both parties participate in the Trusted Exchange Framework and Common Agreement (TEFCA), fulfilling certain requests solely via TEFCA can qualify, subject to conditions (for example, not for standardized API requests).
Penalties for Health IT Developers
Health IT Certified Developers and Health Information Networks/exchanges face Civil Monetary Penalties of up to $1,000,000 per violation. Civil Monetary Penalties have been in effect for these actors since September 1, 2023.
Separately, under ONC’s Conditions and Maintenance of Certification, developers must not engage in information blocking. Violations can trigger certification actions, including corrective action plans, suspension, or termination, which can jeopardize market access and customer contracts.
ONC also publicly posts actors determined to have committed information blocking once penalties or resolutions are final, increasing reputational risk.
Penalties for Healthcare Providers
Healthcare providers are not subject to Civil Monetary Penalties for information blocking. Instead, disincentives—tied to Medicare Participation—apply when the HHS Office of Inspector General (OIG) determines a provider committed information blocking:
- Hospitals and CAHs: Not considered meaningful EHR users under the Medicare Promoting Interoperability Program for the applicable period. For IPPS hospitals, this can reduce the market basket update; for CAHs, payment can drop from 101% to 100% of reasonable costs for that year.
- MIPS Promoting Interoperability: A MIPS-eligible clinician receives zero points in the PI performance category for the affected performance period, potentially lowering the overall MIPS score and leading to a negative payment adjustment. If one clinician in a group is referred, the disincentive applies only to that individual.
- Medicare Shared Savings Program (ACOs): An ACO, ACO participant, or ACO provider/supplier can be ineligible to participate for at least one year, forfeiting potential shared-savings revenue during that period.
ONC publicly posts finalized disincentives and related determinations. Providers should also note that information blocking findings may affect other compliance exposure outside these disincentives.
Enforcement Timeline
- December 13, 2016: Congress enacts the 21st Century Cures Act, establishing the information blocking statute.
- May 1, 2020: ONC publishes the Cures Act Final Rule defining information blocking and the initial exceptions.
- April 5, 2021: Applicability date—prohibition takes effect for all actors. From April 5, 2021 through October 5, 2022, EHI for information blocking purposes is limited to the USCDI v1 data set.
- October 6, 2022: Scope expands—actors must make available all requested EHI in the designated record set (not just USCDI).
- September 1, 2023: OIG begins enforcing Civil Monetary Penalties (up to $1 million per violation) against Health IT Certified Developers and Health Information Networks/exchanges.
- January 9, 2024 (effective February 8, 2024): ONC’s HTI-1 Final Rule updates definitions and exceptions; “Content and Manner” becomes the Manner Exception; new TEFCA Manner and Infeasibility conditions are finalized.
- July 31, 2024: Provider disincentives rule becomes effective; OIG investigations and referrals of providers apply only to conduct on or after this date. The ACO disincentive applies beginning with program years on or after January 1, 2025.
- December 17, 2024: ONC finalizes the Protecting Care Access Exception to address certain lawful care contexts while preserving information sharing.
Reporting Information Blocking
Anyone may report suspected information blocking through the federal information blocking reporting portal. After you submit, you receive a confirmation and tracking number; the report is shared with OIG for potential investigation. You may report anonymously, and identities are protected to the extent permitted by law.
Provide dates, actors involved, what EHI was affected, the request method (portal, API, HIE, TEFCA), why access was denied or delayed, and any cited exception. Keep your own chronology, screenshots, messages, and contracts to support the claim. Urgent patient-safety issues should also follow your organization’s escalation policies.
Recommendations for Compliance
Build governance and accountability
- Appoint an information sharing lead and cross-functional team (compliance, legal, privacy, security, clinical, IT, revenue cycle).
- Train staff on actors, EHI scope, and the differing knowledge standards. Refresh at least annually.
Operationalize request handling
- Map all inbound/outbound EHI flows (portal, API, HIE, TEFCA, release-of-information). Standardize intake, tracking, and response SLAs.
- Publish how requestors can obtain EHI, including at least two feasible “Manner” alternatives. If you deny under Infeasibility, send a written rationale within 10 business days.
Use exceptions narrowly and document
- Adopt decision trees and checklists for Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Protecting Care Access, Fees, Licensing, and the Manner/TEFCA Manner Exceptions.
- Record who decided, what condition(s) were met, timeframe, and why the action was the minimum necessary to address the risk.
Modernize technology and contracts
- For Health IT Certified Developers: align product behavior and support processes to avoid throttling, gating, or discriminatory terms; maintain uptime SLAs consistent with the Health IT Performance Exception.
- For providers: ensure APIs are enabled consistent with certification; remove contract clauses that restrict data sharing; align BAAs and participation agreements with information sharing obligations.
Align with Medicare Participation programs
- Track MIPS Promoting Interoperability measures, Medicare Promoting Interoperability requirements, and ACO policies so information sharing workflows support attestation and audit.
- Monitor OIG and ONC updates and prepare for evolving requirements (for example, USCDI v3 baseline within ONC’s certification program beginning January 1, 2026).
Measure, monitor, and improve
- Audit release timeliness, denial reasons, API success rates, and patient portal availability. Address outliers quickly.
- Prepare playbooks for suspected information blocking issues, including rapid remediation and external reporting when appropriate.
Conclusion
Information blocking rules make the access, exchange, and use of EHI the default. Know who you are as an actor, apply exceptions precisely, and align operations with ONC’s framework. With clear governance, modernized workflows, and disciplined documentation, you can protect patients, maintain Medicare Participation standing, and avoid Civil Monetary Penalties or disincentives.
FAQs
What practices constitute information blocking?
Common examples include unjustified delays in releasing test results to patients; turning off or throttling APIs that enable app access; charging excessive or non-cost-based fees for interfaces; refusing to share EHI with other providers or Health Information Networks without meeting an exception; using non-standard formats when a reasonable standard is available; or contract clauses that prohibit necessary data sharing. Whether a practice is information blocking depends on facts, the actor’s knowledge standard, and whether an exception’s conditions are fully met.
What are the exceptions to information blocking?
The principal exceptions are Preventing Harm, Privacy, Security, Infeasibility, Health IT Performance, Protecting Care Access, Manner (formerly Content and Manner), Fees, and Licensing. A separate TEFCA Manner Exception allows fulfilling certain requests solely via TEFCA when conditions are met. Each exception is voluntary but requires satisfying all specified conditions, consistent application, and thorough documentation.
What penalties apply to health IT developers for information blocking?
Health IT Certified Developers and Health Information Networks/exchanges face Civil Monetary Penalties of up to $1,000,000 per violation. ONC may also take certification actions under its program, and finalized determinations can be publicly posted. These penalties have applied to developers and networks since September 1, 2023.
How can healthcare providers ensure compliance with information blocking rules?
Designate an information sharing lead; standardize EHI request intake, tracking, and responses; publish feasible “Manner” options; use exceptions sparingly with documented rationales; modernize APIs and contracts; align operations with MIPS Promoting Interoperability, Medicare Promoting Interoperability, and ACO rules; monitor metrics (timeliness, denial reasons, API success); and remediate quickly. This approach reduces risk of OIG referrals, protects Medicare Participation, and supports high-quality, coordinated care.