
Many healthcare organizations still treat data sharing like a privilege they grant when conditions are right. Under the information blocking rule, it's the opposite: you share by default, and you need a documented exception to decline.
That shift trips up even organizations with strong HIPAA programs, because the information blocking rule reaches well beyond privacy. Charging fees above cost recovery, delaying responses without a valid reason, and restricting API access without a qualifying exception are all examples of information blocking that can trigger enforcement.
This blog walks through what the rule actually requires, how it interacts with HIPAA, and what compliance looks like when someone requests your EHI.
TLDR:
The 21st Century Cures Act formally defined information blocking as conduct that is likely to impede the sharing of EHI, and the rule took full effect in 2022.
The stakes are real. When patients cannot access their own records, or when providers cannot receive data needed for care decisions, outcomes suffer. The rule pushes the entire healthcare system toward genuine interoperability instead of compliance theater. It sits alongside HIPAA but is enforced separately.
The information blocking rule applies to three categories of actors defined under the 21st Century Cures Act. Health IT developers of certified health IT, health information networks (HINs), and health information exchanges (HIEs) fall under one category. The second covers healthcare providers, a group that spans hospitals, physician practices, labs, pharmacies, and any other entity that furnishes health services and bills for them. The third covers health information networks and exchanges more broadly.
If your organization touches electronic health information in any of these roles, the rule applies to you. Non-compliance carries enforcement consequences for all three actor types: developers and networks face civil monetary penalties, while providers face separate disincentive-based enforcement through federal program participation.

EHI refers to electronic protected health information (ePHI) as defined under HIPAA, but with a broader scope. The rule covers all ePHI that an actor has the ability to make available, which includes clinical notes, lab results, diagnoses, medications, imaging, and more.
Starting in October 2022, the scope expanded to cover all EHI instead of the limited data set tied to the USCDI v1. Health systems, clinics, and health IT developers must now make the full range of patient health data accessible when requested, beyond a narrow subset.
Key categories of EHI covered include:
HIPAA and the information blocking rule solve different problems. HIPAA is a privacy law built around permission: it defines when disclosure is allowed, not when it's required. Organizations raised on HIPAA compliance often default to caution, treating any data request as something to review carefully before acting.
The information blocking rule reverses that posture. Withholding or delaying EHI access is presumed problematic unless a recognized exception applies or sharing is expressly prohibited by law. The question changes from "are we allowed to share?" to "do we have a valid reason not to?"
Full HIPAA compliance offers no protection against an information blocking finding. Fee structures, technical barriers, and restrictive contract terms can all constitute blocking even when every HIPAA requirement is met.
Violations often look like routine policy decisions until measured against the rule. Common patterns include:
The rule recognizes that some restrictions on EHI sharing serve legitimate purposes. Ten exceptions exist as compliant pathways, and each comes with specific conditions that must actually be met to qualify. The original eight were expanded by the HTI-1 final rule in December 2023, which added the TEFCA Manner Exception, and again in December 2024 with the Protecting Care Access Exception.
| Exception | Core Purpose |
|---|---|
| Preventing Harm | Withhold or limit access when sharing creates a substantial risk of harm to a patient or third party |
| Privacy | Cover privacy concerns that go beyond standard HIPAA requirements in specific circumstances |
| Security | Respond to documented, legitimate security risks tied to a particular request or access method |
| Infeasibility | Cover situations where legal, technical, or practical barriers genuinely prevent timely compliance |
| Health IT Performance | Allow temporary unavailability during maintenance or activities needed to preserve system integrity |
| Manner | Provide flexibility to respond using different formats or methods when the requested format is not supported |
| Licensing | Permit actors to negotiate reasonable terms for accessing EHI through interfaces built on proprietary tech |
| Fees | Permit actors to charge reasonable fees for accessing or exchanging EHI, provided the fees are based on objective, verifiable criteria and do not exceed the cost of providing access |
| TEFCA Manner | Permit actors to fulfill EHI requests through TEFCA when the requestor is connected through TEFCA for the information they seek |
| Protecting Care Access | Permit actors to restrict access, exchange, or use of EHI containing reproductive health information when the actor has a good faith belief that sharing could expose a patient, provider, or facilitator of lawful reproductive healthcare to legal action |
The Office of the National Coordinator for Health IT (ONC) and the HHS Office of Inspector General (OIG) share enforcement authority. OIG can levy civil monetary penalties up to $1 million per violation against actors found to be blocking information. ONC handles disincentives for healthcare providers, which under 2024 rulemaking can include exclusion from Medicare and Medicaid programs. Repeat or egregious violations carry steeper consequences. Because complaints can be filed by any affected party, including patients, the exposure is broad. As of early 2026, enforcement is actively underway: ASTP has begun issuing notices of investigation to health IT developers, and regulators are working through a backlog of nearly 1,600 complaints filed since 2021. Compliance gaps that went unaddressed before 2024 are now being reviewed in formal investigations.
Staying compliant with the information blocking rule requires more than a written policy. It calls for consistent day-to-day practices across the organization.
A few areas deserve particular attention:
Organizations should also assign clear ownership of information blocking compliance internally, whether that sits with a compliance officer, privacy officer, or a designated team, so accountability does not fall through the cracks.
Staying compliant with information blocking rules requires more than policy updates. Health systems, clinics, and vendors need reliable infrastructure to actually share data when patients and providers request it. APIs built on HL7 FHIR standards are now the primary mechanism for meeting these obligations, letting organizations exchange structured clinical data across EHRs, apps, and care networks without manual workarounds. Providers that lack interoperability infrastructure face real exposure: ONC can investigate complaints and refer violations to the HHS Office of Inspector General for civil monetary penalties.
Information blocking compliance comes down to your day-to-day operations and written policies alike. Every delay, every fee structure, and every vendor contract can become a violation if it restricts access without a valid exception. Train your staff on what the rule actually prohibits, and keep records of why you invoked any exception. The regulators are watching, and complaints can come from anyone.
Information blocking is a separate rule from HIPAA that prohibits practices interfering with the access, exchange, or use of electronic health information. While both laws apply to healthcare organizations, information blocking focuses on removing barriers to data sharing, whereas HIPAA governs when disclosure is permitted, and full HIPAA compliance does not protect against information blocking violations.
Yes. The information blocking rule assumes withholding or delaying EHI access is problematic unless a recognized exception applies, regardless of HIPAA compliance status. Fee structures, technical barriers, and restrictive contract terms can all constitute blocking even when every HIPAA privacy requirement is met.
Common violations include charging fees beyond what regulations permit, requiring patients to submit requests through unnecessarily complex processes, delaying responses without documented reasons, configuring EHR systems to withhold data from third-party apps without valid exceptions, and refusing to share data by citing vague security concerns that don't meet any recognized exception criteria.
Information blocking penalties reach up to $1 million per violation for health IT developers and networks, enforced by the HHS Office of Inspector General. Healthcare providers face disincentives including potential exclusion from Medicare and Medicaid programs under 2024 rulemaking. HIPAA violations carry separate penalties ranging from $100 to $50,000 per violation depending on the level of culpability.
Invoke one of the ten recognized exceptions only when specific conditions are genuinely met and you can document the justification. Each exception (from preventing harm to protecting care access) requires meeting particular criteria, and ONC or OCR may request evidence that you applied it correctly during investigations or audits.