Listen to this post

This post is part of our The Top 2025 Privacy and Security Issues Still Shaping Healthcare series, in which our team of attorneys provides essential strategies and insights for healthcare privacy and security.

HHS Ramps Up Enforcement Against Information Blocking

2025 marks a significant turning point in federal enforcement against “information blocking” in healthcare. In a series of announcements this September, the U.S. Department of Health and Human Services (“HHS”) signaled a major crackdown on healthcare entities—especially health IT developers, health information networks, and certain providers—that restrict patient access to their electronic health information (“EHI”).

Under the direction of Secretary Robert F. Kennedy, Jr., HHS has dedicated increased resources and issued clear warnings that enforcement of information blocking rules is now a top priority. This includes the threat of substantial civil monetary penalties (“CMPs”)—up to $1 million per violation—for certain actors, as well as program-specific disincentives for providers who participate in Medicare and other federal programs. 

What Is Information Blocking and Who Is at Risk?

The concept of “information blocking” was established by the 21st Century Cures Act of 2016 and clarified in subsequent regulations (45 CFR Part 171). Information blocking refers to practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI—unless required by law or justified under a regulatory exception. 

Entities subject to these rules include: 

  • Health IT developers of certified health IT, 
  • Entities offering certified health IT, 
  • Health information exchanges and networks, 
  • Healthcare providers that participate in certain federal programs. 

Notably, while regulations have been in effect for more than a year, to date HHS-OIG has not publicly released information about any investigation or enforcement action under such authorities. 

Fines and Penalties: What’s Changed? 

The stakes are higher than ever. HHS has made enforcement a clear priority, with public alerts and coordination between the Office of Inspector General (OIG) and the Office of the Assistant Secretary for Technology Policy/National Coordinator for Health IT (ASTP/ONC). 

Under the final Information Blocking Penalties Rule (42 CFR Parts 1003 and 1005), OIG can impose CMPs of up to $1 million per violation against health IT developers, health information networks, and health information exchanges. These penalties may be assessed for each act of information blocking, and the rule clarifies that “willful neglect” or repeat violations will be treated especially harshly. 

For providers, the Centers for Medicare & Medicaid Services (CMS) has established program-specific disincentives that could mean losing eligibility for incentive payments or even exclusion from value-based purchasing programs. The July 2024 final rule (42 CFR Parts 414, 425, and 495) details how providers found to have engaged in information blocking may face significant financial consequences. 

Why This Matters: Risks and Implications for Healthcare Entities 

  • Enforcement Is No Longer Theoretical: After years of limited action, HHS is now actively investigating and encouraging reports of information blocking. Compliance is no longer optional. The September 2025 enforcement alert from HHS-OIG and ASTP/ONC makes clear that enforcement is now active, coordinated, and resourced. HHS is encouraging patients, providers, and innovators to report suspected information blocking—and has established dedicated portals and hotlines to facilitate tips and complaints. 
  • Penalties Are Substantial—and Growing: Civil and criminal penalties for HIPAA violations were recently updated to reflect inflation, and the same trend is evident for information blocking. The risk of $1 million penalties per violation, loss of certification, or exclusion from federal programs creates a powerful incentive for organizations to prioritize compliance. At the same time, with HIPAA enforcement in 2025, we have seen settlements up to $600,000 for failures to conduct proper risk assessments and implement adequate protections for EHI—foreshadowing similar outcomes for information blocking. (Resolution Agreements, HIPAA Compliance and Enforcement). 
  • Compliance Requires Proactive Review and Documentation: Healthcare organizations, health IT developers, and networks must proactively review their data sharing practices, update policies and procedures, and ensure that any denials of access to EHI are well-documented and justified under an exception. Technical barriers, excessive fees, or slow responses to requests could trigger enforcement.

 Why This Development Is Interesting and Relevant

  • Digital Health Momentum: As digital health tools proliferate and patients demand more seamless access to their data, the government’s stance signals a broader push for interoperability and transparency. 
  • Compliance Complexity: The layering of federal requirements (information blocking and HIPAA) with state-level privacy laws means compliance is more complex than ever. Entities operating across jurisdictions must harmonize their practices to avoid enforcement risk. 
  • Competitive Advantage: Organizations that can demonstrate robust, patient-friendly data sharing practices may gain a competitive edge, building trust and avoiding costly enforcement actions. Conversely, those that fall behind in these areas face reputational and financial harm. 
  • Enforcement Watch: Although no public enforcement actions have been announced as of December 2025, the coordinated alert from HHS-OIG and ASTP/ONC is a clear warning: enforcement is imminent, and the first high-profile penalties are likely to set the tone for years to come. 

With active enforcement, higher penalties, and a clear call to action for patients and innovators to report violations, healthcare entities must act now to review and strengthen their information sharing practices. Those who fail to adapt risk enforcement actions as well as significant financial, legal, and reputational consequences in the new era of health IT regulation.

Contact us

For further details or additional information, please contact Noreen Vergara or another member of the Husch Blackwell Healthcare Privacy and Security Work Group.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Taylor Crossley Taylor Crossley

Taylor focuses on healthcare regulatory matters. At Husch Blackwell, she focuses on matters such as healthcare privacy, confidentiality, and mental health law (including 42 C.F.R. Part 2, the Mental Health Parity and Addiction Equity Act, the SUPPORT for Patients & Communities Act, and

Taylor focuses on healthcare regulatory matters. At Husch Blackwell, she focuses on matters such as healthcare privacy, confidentiality, and mental health law (including 42 C.F.R. Part 2, the Mental Health Parity and Addiction Equity Act, the SUPPORT for Patients & Communities Act, and emerging therapy). She also assists with issues relating to healthcare quality, including adverse event reporting, licensure and certification questions, and the Health Care Quality Improvement Act.

Read more about Taylor Crossley
Show more Show less
Photo of Noreen Vergara Noreen Vergara

As a Healthcare Regulatory Attorney and former executive, Noreen is a transparent communicator and innovative problem solver with a deep background in operations and risk management.

Noreen’s career in healthcare operations, healthcare compliance and executive leadership began as a behavioral health admissions representative

As a Healthcare Regulatory Attorney and former executive, Noreen is a transparent communicator and innovative problem solver with a deep background in operations and risk management.

Noreen’s career in healthcare operations, healthcare compliance and executive leadership began as a behavioral health admissions representative – she understands the day-to-day regulatory hurdles facing healthcare clients. Most recently, Noreen served as Acting CEO, General Counsel and Chief Human Resources Executive for a national managed behavioral health venture with employees across 50 states. In this position, Noreen leveraged her experience in strategic planning, corporate governance, complex contracts, employment law and compliance. Noreen navigated tough decisions including guiding 500 percent growth over 6 years, moving online quickly during COVID-19 and helping secure the largest contract in company history. Earlier in her career, Noreen collaborated in-house at the National Association of Insurance Commissioners (NAIC), where oversight, peer review, best practices and standards are established by state regulators.

Read more about Noreen VergaraNoreen's Linkedin Profile
Show more Show less
Related Posts
 CMS Expands PPEO and EPR to Georgia and Ohio
January 8, 2026
Laboratory Testing
OIG Announces 2025 Work Plan Review: What Clinical Laboratories Need to Know About Medicare Payments for Diagnostic Lab Tests
July 18, 2025
 Georgia Physician Awaits $27+ Million Judgment Following False Claims Act Trial Loss
June 22, 2023