What Is Information Blocking in Healthcare? Definition, Examples, and Penalties

Definition of Information Blocking

Core concept

Information blocking in healthcare is a practice that is likely to interfere with the access, exchange, or use of electronic health information (EHI) when a patient or authorized party is legally allowed to obtain it. Under the Information Blocking Rule, an action is problematic when it is known to be unreasonable and is not protected by a regulatory exception.

Who is an “actor”?

The rule applies to three actor types: healthcare providers, health IT developers of certified health IT, and health information networks/exchanges. Each actor has obligations to support Health IT Interoperability and must avoid policies or behaviors that unreasonably impede data sharing.

What counts as Electronic Health Information (EHI)?

EHI generally aligns with the HIPAA “designated record set” and includes clinical notes, test results, medications, care plans, claims, and other data used to make decisions about an individual. Psychotherapy notes and information compiled for legal proceedings are excluded. You should assume EHI spans beyond the USCDI to what is maintained and needed to support care and patient rights.

Permitted exceptions under the Information Blocking Rule

The rule recognizes that not every request can or should be fulfilled. Eight targeted exceptions allow you to decline, limit, or delay data sharing when specific conditions are met:

• Preventing harm
• Privacy
• Security
• Infeasibility
• Health IT performance
• Content and manner
• Fees
• Licensing

To claim an exception, document the rationale and satisfy all criteria. The exception must be narrowly applied and not serve as a blanket restriction.

Examples of Information Blocking

Common provider practices

• Delaying release of lab results, imaging, or clinical notes to patient portals without a valid exception or patient request.
• Requiring patients to pick up records in person when electronic delivery is feasible and authorized.
• Refusing to share EHI with outside clinicians due to nonclinical concerns (for example, competitive reasons) despite appropriate patient authorization.
• Releasing only summaries when full EHI is requested and available in the designated record set.

Health IT developer behaviors

• Charging unreasonable fees for APIs, exports, or maintenance that effectively block routine exchange of EHI.
• Disabling standardized APIs (such as FHIR) for certain partners or apps without a security basis that meets an exception.
• Contract terms that prohibit customers from sharing data with third parties chosen by patients or providers.

Health information networks/exchanges (HIN/HIE) issues

• Blocking queries from qualified participants or imposing nontransparent criteria that selectively restrict access.
• Using proprietary formats when accepted standards are available, resulting in avoidable conversion barriers.

Neutral policies with negative effects

Even seemingly neutral policies—like overly narrow app whitelists, excessive identity-proofing beyond risk needs, or throttling data requests—can be information blocking if they unreasonably impede exchange and do not meet an exception.

Regulatory Framework and 21st Century Cures Act

Foundation of the rule

The 21st Century Cures Act directed the U.S. Department of Health and Human Services to curb practices that stifle Health IT Interoperability and patient access. The Office of the National Coordinator for Health IT (ONC) issued the Information Blocking Rule and certification updates that promote standardized exchange, including modern APIs.

Actors, standards, and exceptions

The framework defines actors, EHI, and eight exceptions that balance access with privacy, security, and feasibility. ONC’s certification criteria reinforce the use of interoperable formats and APIs so patients and authorized stakeholders can reliably access data.

Enforcement and program alignment

The HHS Office of Inspector General (OIG) investigates potential violations and pursues enforcement. CMS aligns incentives and disincentives through Medicare and Medicaid regulations to encourage 21st Century Cures Act Compliance by providers, including those in value-based arrangements and Accountable Care Organizations.

Penalties for Health IT Developers

Civil Monetary Penalties and corrective action

Health IT developers of certified health IT, as well as HINs/HIEs, can face civil monetary penalties for information blocking. Penalties can reach up to $1,000,000 per violation, alongside potential corrective action plans, reporting obligations, or impacts to certification status.

Enforcement considerations

OIG typically evaluates the nature and scope of the conduct, intent, harm to patients or competition, and the developer’s cooperation and remediation. Documented governance, transparent pricing, and consistent API availability can mitigate risk.

Penalties for Healthcare Providers

Appropriate disincentives

Unlike developers, healthcare providers generally face programmatic disincentives rather than civil monetary penalties. These may include negative effects on Medicare Promoting Interoperability status, Merit-based Incentive Payment System (MIPS) scoring, or eligibility for certain value-based programs.

Medicare and Medicaid Regulations

Information blocking can trigger consequences under Medicare and Medicaid regulations—such as payment adjustments, public reporting impacts, or loss of program credit—when a provider is determined to have committed information blocking. State laws, payer contracts, and malpractice exposure can compound these risks.

Accountable Care Organizations

In Accountable Care Organizations, withholding EHI undermines care coordination and quality metrics. Determinations of information blocking can jeopardize participation standing, shared savings opportunities, and partner trust across the ACO network.

Consequences for Patient Care

Clinical safety and outcomes

When EHI is delayed or withheld, clinicians may order duplicative tests, miss critical history, or make decisions with incomplete information. These gaps increase safety risks and degrade outcomes, especially during care transitions.

Experience, equity, and trust

Timely access to records strengthens patient engagement, supports caregivers, and advances health equity. Information blocking disproportionately harms patients who already face barriers to care, eroding trust in the healthcare system.

Cost and operational efficiency

Blocking practices raise administrative burden, slow referrals, and inflate costs across networks. For value-based programs and ACOs, they directly conflict with quality and cost containment goals.

Strategies to Prevent Information Blocking

Establish clear governance and policies

• Adopt an enterprise policy that affirms patient access to EHI and defines roles for intake, review, approval, and fulfillment of requests.
• Map each restriction you use to a specific Information Blocking Rule exception and keep evidence (risk analyses, logs, and decision trees).

Strengthen technical interoperability

• Enable standards-based APIs and ensure your FHIR endpoints, bulk data exports, and CCD/C-CDA exchange work as advertised.
• Maintain uptime and performance SLAs for data exchange; monitor latency and error rates, and resolve defects quickly.

Optimize information release workflows

• Default to real-time release of labs, imaging, and clinical notes unless a documented exception applies or patients opt to delay.
• Offer multiple delivery channels—patient portal, app of choice, secure direct messaging, and interoperable exchange—based on the requester’s authorized preference.

Align contracts and fees

• Review vendor and partner agreements for clauses that restrict sharing EHI with authorized recipients; remove noncompliant terms.
• Structure fees so they are reasonable, cost-based where required, and transparent; avoid charges that functionally deter exchange.

Educate teams and measure compliance

• Train clinicians, HIM staff, IT, and compliance officers on EHI scope, patient rights, and the eight exceptions using case-based examples.
• Track request turnaround times, denied requests, API usage, and complaints. Use dashboards to flag bottlenecks and demonstrate continuous improvement.

Coordinate across programs

• Align information-blocking compliance with HIPAA right-of-access processes, ONC certification capabilities, and CMS program requirements.
• For ACOs and other value-based arrangements, embed data-sharing expectations into care pathways and partner agreements.

Conclusion

Information blocking undermines patient rights, interoperability, and value-based care. By understanding EHI, applying exceptions correctly, and aligning technology, workflows, and contracts, you can achieve 21st Century Cures Act Compliance, avoid penalties, and improve outcomes.

FAQs.

What constitutes information blocking in healthcare?

Information blocking occurs when an actor’s practice is likely to interfere with access, exchange, or use of Electronic Health Information and the practice is not required by law or justified under a specific exception. Examples include unnecessary delays, restrictive contracts, nonstandard formats, unreasonable fees, or disabling interoperable APIs.

What penalties apply to information blocking violations?

Health IT developers and HINs/HIEs can face Civil Monetary Penalties of up to $1,000,000 per violation and may be required to implement corrective actions. Healthcare providers are generally subject to programmatic disincentives—such as impacts to Medicare and Medicaid program participation, payment adjustments, or public reporting—based on determinations of information blocking.

How does information blocking affect patient care?

Blocking practices create delays, duplicate tests, and care coordination failures. Patients lose timely visibility into results and treatment plans, clinicians make decisions with incomplete data, and organizations face higher costs and poorer outcomes—especially harmful in coordinated models like Accountable Care Organizations.

What measures can be taken to prevent information blocking?

Adopt clear policies mapped to the eight exceptions, enable standards-based APIs, release information promptly by default, remove restrictive contract terms, price reasonably, train staff, and monitor metrics. Align these steps with HIPAA processes, ONC certification capabilities, and CMS program requirements to support sustainable compliance.