Information Blocking
One-sentence definition: Information blocking is a practice by a covered actor — a health IT developer, health information network, or healthcare provider — that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) without a valid regulatory exception.
Full Definition
Information blocking is defined in the 21st Century Cures Act (2016) and implemented through ONC regulations at 45 CFR Part 171. The definition is intentionally broad: it covers any practice that interferes with, prevents, or materially discourages patients, providers, or other authorized parties from accessing or using EHI, unless the actor can demonstrate that the practice falls within one of the eight defined exceptions.
The term describes a spectrum of behavior, from clearly intentional obstruction (charging excessive fees to release patient data) to less obvious practices (designing systems that make data sharing technically burdensome, or writing contracts that restrict interoperability). What matters is the likely effect, not the actor’s stated intent. If a practice is likely to interfere with EHI access, it is presumptively information blocking unless an exception applies.
EHI, for information blocking purposes, is defined as electronic protected health information that would be included in a Designated Record Set — a concept from HIPAA that encompasses records used to make care decisions about an individual. This is substantially broader than USCDI; it is not limited to a specific data class list.
For implementation context (how information blocking intersects with API requirements, what constitutes a valid claim under each exception, and how ONC and OIG enforce these rules), see the canonical reference: Information Blocking and ONC Rules.
Context and Usage
Where This Term Appears
Information blocking appears in:
- ONC health IT certification requirements — certified health IT must not engage in information blocking and must support standardized APIs to prevent it
- Vendor and provider contracts — information blocking provisions now appear in technology agreements, business associate agreements, and data use agreements
- OIG enforcement actions — the Department of Health and Human Services Office of Inspector General has authority to investigate provider and HIN violations
- Procurement checklists — health systems and payers increasingly require attestations of non-information-blocking compliance from vendors
- Patient access disputes — when a patient is denied access to their own health records, information blocking may be the applicable regulatory framework
Common Usage Examples
In conversation: “Our legal team flagged this data restriction clause — it could constitute information blocking if it prevents the patient from getting their own records.”
In documentation: “The certified EHR must not engage in practices that interfere with data export functionality, per the information blocking regulation at 45 CFR Part 171.”
In technical contexts: Charging a fee above the cost of labor for exporting a patient’s records as a bulk FHIR download, or deliberately throttling an API used by a competing application, may constitute information blocking.
Why Information Blocking Rules Exist
Before the Cures Act, patients and providers frequently encountered deliberate or structural barriers to accessing health data. EHR vendors wrote contracts restricting data portability, health systems charged prohibitive fees for record release, and technology designs made it difficult — but not impossible — to share data with competing systems.
The Cures Act’s information blocking prohibition was a Congressional response to documented patterns of anticompetitive behavior in health IT. The goal was to shift the default from “share only when legally required” to “share unless a specific exception applies.” ONC implemented the rule in 2020; enforcement began in phases from 2022 onward.
What Constitutes Information Blocking
Covered Actors
The information blocking prohibition applies to three categories of actors:
- Health IT developers of certified health IT — vendors of ONC-certified EHR and health IT products
- Health Information Exchanges and Networks (HIEs/HINs) — organizations that facilitate electronic health data exchange between parties
- Healthcare providers — hospitals, physician practices, long-term care facilities, and other healthcare entities
Patients are not covered actors — only organizations and vendors that control health IT systems or data flows.
Electronic Health Information (EHI)
EHI in this context means electronic protected health information to the extent it would be in a Designated Record Set under HIPAA. This is broader than USCDI: it includes any electronic information used, relied upon, or generated in the course of caring for a patient. Billing records, clinical notes, lab results, imaging, and care plans are all EHI.
Interference Practices
The regulation does not enumerate every prohibited practice. Instead, it defines information blocking by its likely effect. Examples that ONC has identified as potentially constituting information blocking:
- Charging unreasonably high fees for data access or export
- Delaying responses to data requests beyond reasonable timeframes
- Designing technology to make interoperability unnecessarily difficult
- Writing contracts that restrict interoperability or data portability
- Refusing to share data with health apps authorized by a patient
Exceptions to Information Blocking
Eight regulatory exceptions define when a potentially interfering practice is permitted. Satisfying an exception requires meeting all of the conditions specified for that exception — partial compliance is not sufficient.
- Preventing Harm: restricting access to protect patient or third-party safety
- Privacy: limiting sharing to comply with applicable privacy laws (beyond HIPAA minimums)
- Security: responding to genuine, documented security threats
- Infeasibility: technically or legally impossible to comply
- Health IT Performance: maintenance, updates, or downtime — defined windows only
- Content and Manner: responding to a request in a different content or format than requested, when the requested format is unavailable
- Fees: charging reasonable, cost-based fees for EHI access
- Licensing: conditions on licensing interfaces, technology, or data necessary for interoperability
Penalties and Enforcement
Penalties differ by actor type:
- Health IT developers — ONC can pursue civil monetary penalties up to $1 million per violation and can revoke product certification
- Healthcare providers and HIEs/HINs — OIG has authority to investigate and refer for civil monetary penalties (added by the Cures Act and regulations effective 2023); penalties up to $1 million per violation
OIG maintains a public disincentives process: provider information blocking findings can result in exclusion from federal healthcare programs and other reputational consequences, even without monetary penalty in every case.
Relationship to Other Terms
Related Terms
- 21st Century Cures Act — the federal legislation that created the information blocking prohibition
- ONC — the agency that wrote the implementing regulations and oversees health IT developer compliance
- USCDI — the data standard that defines a minimum set of health data elements; EHI for information blocking is broader than USCDI
- FHIR — the API standard required by ONC certification to prevent information blocking through technical barriers
Common Misconceptions
Misconception 1: Information Blocking Eliminates All Data Access Controls
- Incorrect belief: The information blocking rule means organizations must share all health data with anyone who asks, without restriction.
- Reality: Eight exceptions permit organizations to withhold or restrict EHI in defined circumstances — to protect patient safety, respond to genuine security threats, comply with other laws, or charge reasonable fees. The rule shifts the burden: the actor must demonstrate an exception applies, rather than the requesting party having to prove a right of access.
- Why it matters: Organizations designing data access policies can — and should — use the defined exceptions framework rather than treating information blocking as an absolute prohibition. Understanding which exceptions apply to each use case is essential compliance work.
Misconception 2: Only Vendors Can Commit Information Blocking
- Incorrect belief: Information blocking is only a concern for health IT developers (EHR vendors, software companies) — not for hospitals, physician practices, or HIEs.
- Reality: Healthcare providers and health information networks are explicitly covered actors. A hospital that charges excessive fees for record release, refuses to transmit records to a competing health system, or uses contract terms to prevent a patient from accessing their data through a third-party app may be engaging in information blocking.
- Why it matters: Compliance programs at healthcare organizations need to include information blocking alongside HIPAA — they are separate legal frameworks with different covered actors, obligations, and enforcement bodies.
Why Information Blocking Matters
Information blocking is the regulatory mechanism that operationalizes the Cures Act’s interoperability mandate. It shifts health data from a resource that organizations can strategically withhold to a resource that patients and their authorized agents can access. For health IT teams, it creates affirmative obligations: systems must support standardized API access, must not impose technical barriers to portability, and must operate within the exception framework when restricting access.
The practical effect is that any integration or data access decision — API throttling rates, export fees, contract restrictions on portability — now has a regulatory dimension that didn’t exist before 2020.
Cross-References
Related Glossary Terms
- 21st Century Cures Act — the legislation that created the information blocking prohibition
- ONC — the agency that implements and enforces the rule for health IT developers
- USCDI — the data standard closely associated with ONC’s interoperability framework, though EHI is broader
Last reviewed: January 12, 2026
Definition authority: ONC
Content status: Canonical reference