October 9, 2025

HHS-OIG and ASTP Jointly Issue Information Blocking Enforcement Alert

Signals Imminent Uptick in Federal Scrutiny of Compliance With the 21st Century Cures Act’s Information Access Rules

Advisory

On September 4, 2025, the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) and Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP) jointly issued an alert (the Enforcement Alert) signaling, after an extended period of inaction, the federal government’s intent to begin enforcing the information blocking regulations adopted under the 21st Century Cures Act (the Cures Act).

The Enforcement Alert followed an announcement the day before, via press release, by HHS Secretary Robert F. Kennedy, Jr. that information blocking enforcement is a priority for the Trump administration.1 Specifically, HHS described the September 3, 2025, press release as “a warning to actors still engaging in information blocking to come into compliance with the rules governing the flow of patient information” and encouraged stakeholders to report alleged information blocking to HHS-OIG’s hotline.2

Taken together, these developments show the close coordination between HHS-OIG, ASTP, and HHS leadership with respect to information blocking matters. While HHS may continue information blocking education, it will also leverage enforcement to maximize compliance. The information blocking enforcement announcement is part of a broader push for greater healthcare data sharing. This summer, the White House convened a meeting of technology leaders to encourage seamless data sharing for care coordination and create patient-centric digital health tools. The Office of Civil Rights affirmed an expansive definition of “treatment,” within the meaning of the Health Insurance Portability and Accountability Act (HIPAA), when opining that a healthcare provider may disclose protected information, without consent, to participants in value-based care arrangements. This new initiative should also be viewed in the broader context of continued interest by the U.S. Department of Justice (DOJ), HHS-OIG, and the relator’s bar on health information technology security.3

Accordingly, in the near term, regulated entities should consider prioritizing related risk assessments and mitigation efforts as part of their compliance program activities to keep abreast of the evolving landscape.

What Is Information Blocking?

The Cures Act, enacted in 2016, generally prohibits information blocking by healthcare providers, certified health information technology (IT) developers, and health information networks and exchanges (HIN/HIEs) (collectively, “regulated entities”) unless the conduct falls within a statutory exception. The Cures Act also granted HHS-OIG authority to pursue penalties against actors who engage in information blocking.

“Information blocking” refers to practices that are likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception, and that:

  • If conducted by a certified health IT developer or HIN/HIE, the developer or HIN/HIE knows, or should know, are likely to interfere with access, exchange, or use of EHI
  • If conducted by a healthcare provider, the provider knows are unreasonable and likely to interfere with access, exchange, or use of EHI

Why Now?

On July 3, 2023, HHS-OIG issued a final rule with an effective date of September 1, 2023 (the 2023 Final Rule) to implement its authority under the Cures Act to investigate claims of information blocking and assess civil monetary penalties of up to $1 million per information blocking violation (subject to inflation adjustments) by a certified health IT developer or an HIN/HIE. A “violation” is defined in the 2023 Final Rule as a practice (i.e., an act or omission) that constitutes information blocking.4 A determination regarding what constitutes a “practice” will be made by HHS-OIG on a case-by-case basis per the particular facts and circumstances.5

In an example provided in the preamble to the 2023 Final Rule, HHS-OIG indicated that the enactment of a policy that establishes an information blocking practice is one violation, and each instance of enforcing that policy would constitute a separate violation. In such situations, CMPs could potentially add up to much more than $1 million. HHS-OIG also indicated that it would consider factors such as the nature and extent of harm caused by the specific incident of information blocking, the number of patients and providers implicated and affected, and how long the information blocking lasted. Finally, developers with products certified by HHS’ Office of the National Coordinator could have their certifications terminated as a result of information blocking violations.6

On July 1, 2024, HHS issued a final rule (the 2024 Final Rule) to implement the Cures Act provision establishing penalties — referred to as “appropriate disincentives” — for certain healthcare providers determined by HHS-OIG to have committed information blocking. The disincentives for certain Medicare-participating hospitals and clinicians became effective July 31, 2024, while disincentives associated with the Medicare Shared Savings Program became effective January 1, 2025.

Though information blocking regulations enacted pursuant to the Cures Act have been in effect for more than a year, to date, HHS-OIG has not publicly released information about any investigation or enforcement action under such authorities. Indeed, the impetus for making information blocking a federal enforcement priority has not been clearly conveyed by the Trump administration. The increased scrutiny could, for example, be related to an increase in lawsuits against health technology companies.7 It could also simply be an attempt by the second Trump administration to differentiate its enforcement footprint from that of the prior administration. See, e.g., U.S. Department of Health and Human Services, Press Release, “HHS Announces Crackdown on Health Data Blocking,” Sept. 3, 2025 (stating “[i]nformation blocking was not a priority under the Biden Administration. That changed under President Trump and Secretary Kennedy. ‘Unblocking the flow of health information is critical to unleashing health IT innovation and transforming our healthcare ecosystem,’ said Deputy Secretary of Health and Human Services Jim O’Neill. ‘We will take appropriate action against any [healthcare] actors who are found to be blocking health data for patients, caregivers, providers, health innovators, and others.’”).

Compliance Is the First Line of Defense

The Enforcement Alert is intended to incentivize and enhance industry compliance, deter ongoing practices, address systemic barriers to data access, and ensure patients can freely access and share their health records. For regulated entities considering potential next steps, comprehensive compliance and cybersecurity risk assessments, including a review of current information sharing practices, can help identify areas of risk and inform remediation and mitigation efforts.

In connection with publication of the 2023 Final Rule, HHS-OIG made it clear that it lacks the resources to investigate the large volume of complaints it anticipates receiving. Instead, HHS-OIG intends to prioritize cases of alleged information blocking that:

  • Resulted in, are causing, or had the potential to cause patient harm
  • Significantly impacted a provider’s ability to care for patients
  • Were of long duration
  • Caused financial loss to federal healthcare programs or other government or private entities
  • Were performed with actual knowledge

HHS-OIG indicated that it expects these priority enforcement areas to continue to evolve as it conducts investigations, and there is certainly nothing prohibiting it from conducting investigations outside of these priority areas. HHS-OIG also indicated that it intends to provide more information to stakeholders on its website on an ongoing basis. For the time being, however, the above-listed priority enforcement areas can be instructive for regulated entities as they design and conduct internal compliance assessments.

With respect to particular action items, potential next steps for regulated entities could include, for example:

  • Review policies, procedures, and practices affecting access, exchange, or use of EHI to confirm that they are consistent with the information blocking regulations and related laws (e.g., HIPAA and, for developers, ASTP’s Health IT Certification Program requirements). This could include, for example, a review of compliance hotline logs for complaints regarding data access.
  • Train personnel responsible for negotiating and implementing collaborations, partnerships, and other arrangements with third parties (e.g., digital health companies and consumer-facing app developers) seeking access, exchange, or use of EHI, to identify and avoid conduct that may lead to information blocking claims.
  • Assess processes to create and retain records and other documents and information demonstrating the entity’s compliance with the information blocking regulations (including any relevant exceptions).
  • Interview and identify defense counsel to help navigate a potential OIG investigation so that the organization is prepared in the event of an actual investigation.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. HHS-OIG will pursue enforcement for information blocking complaints, and ASTP will scrutinize developers for practices that limit interoperability or impose hidden costs under its certification program.

  2. HHS-OIG’s Hotline Operations accepts tips and complaints from all sources about potential fraud, waste, abuse, and mismanagement in the U.S. Department of Health and Human Services’ programs. See generally U.S. Department of Health and Human Services, “Submit a Hotline Complaint.”

  3. For example, in July, Illumina, a device company that produces genetics testing, paid $9.8 million to resolve its False Claims Act liability related to cybersecurity failures. The federal government alleged that Illumina knew its software contained cybersecurity vulnerabilities yet failed to mitigate the risk. See U.S. Department of Justice, Office of Public Affairs, Press Release, “Illumina Inc. to Pay $9.8M to Resolve False Claims Act Allegations Arising from Cybersecurity Vulnerabilities in Genomic Sequencing Systems,” July 31, 2025.

  4. 88 Fed. Reg. at 42832.

  5. Id. at 42832-42833.

  6. Id. at 428323.

  7. For example, Epic Systems is currently facing two lawsuits — one from health data platform Particle Health and one from managed services provider CureIS Healthcare — accusing the company of impeding access to patient data for anticompetitive purposes. See Particle Health Inc. v. Epic Systems Corporation (Case No. 1:24-cv-07174) (S.D.N.Y.); CureIS Healthcare, Inc. v. Epic Systems Corporation (Case No. 3:25-cv-04108) (N.D. Cal.).