In the first week of September, the U.S. Department of Health and Human Services (HHS) announced a renewed enforcement focus on information blocking through a press release and joint enforcement alert issued by the Office of Inspector General (OIG) and the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC).

Information blocking is a practice that is likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange, or use of electronic health information or “EHI”, except those practices that are required by law or comply with one of the nine enumerated exceptions to the federal information blocking regulations (45 C.F.R. Part 171). Examples of information blocking include delaying patient access to electronic records or imposing unreasonable fees for data sharing.

HHS Secretary Robert F. Kennedy, Jr. has directed HHS to allocate additional resources and adopt an active enforcement posture to identify and address violations of the law by regulated actors, which include health care providers, health IT developers of ASTP/ONC-certified health IT, and health information networks and health information exchanges (HINs/HIEs).

This announcement marks a significant escalation in enforcement of the 21st Century Cures Act (Cures Act); a law that was originally enacted in 2016, during the Obama administration. While the Biden administration finalized key components of the regulatory regime, including OIG’s enforcement rule in 2023 and CMS’s enforcement rule in 2024, enforcement is now being escalated under the Trump administration, aligning with all three prior administrations’ focus on patient health data access.

Both OIG and ASTP/ONC will lead this initiative, prioritizing investigations, reviewing complaints, and pursuing enforcement actions against regulated actors found to be engaging in information blocking. Civil monetary penalties can reach $1 million per violation by certified health IT developers or HIN/HIEs. Health IT developers also risk decertification under ASTP/ONC’s Health IT Certification Program. Medicare-participating providers may face penalties under three Medicare payment programs: the Medicare Promoting Interoperability Program; the Quality Payment Program; and the Medicare Shared Savings Program. Information blocking penalties will vary based on the provider type and payment system.

According to ASTP/ONC, as of August 31, 2025, the agency has received approximately 1,300 claims of information blocking through its “Report Information Blocking Portal” since the information blocking regulations became effective in April 2021. Most claims are submitted by patients, and most claims include allegations made against health care providers.

HHS stated that enforcement will be prioritized in instances where practices are longstanding, result in patient harm, significantly impact a provider’s ability to deliver care, or cause financial loss to federal health care programs or private entities.

The announcement coincides with a recent Texas state law that requires a mandatory delay on electronic release of certain sensitive test results. Such state laws are intended to temper the information blocking regulations in instances where the state believes that delaying access to certain sensitive health information (e.g., pathology or radiology reports and genetic test results) is appropriate to afford health care providers an opportunity to communicate that information directly to the patient, as opposed to an auto-release through a web-based patient portal.

Practical Takeaways

With HHS escalating its enforcement, regulated actors must proactively reevaluate their compliance posture under the Cures Act and applicable state law to mitigate potential regulatory exposure. Key steps include:

• Review and update, as needed, relevant policies, procedures, and internal documentation processes to align with information blocking regulations and any applicable state law carve-outs.
• Maintain robust documentation demonstrating compliance with all applicable requirements.
• Conduct ongoing training for personnel on identifying, escalating, and mitigating information blocking risks.
• Assess current practices around EHI access, exchange, and use to identify and address compliance gaps.

Reed Smith will continue to monitor developments related to information blocking enforcement. If you have any questions about compliance with the Cures Act or potential exposure under the new enforcement regime, please contact the authors of this post or the health care lawyers at Reed Smith.