In August, the Office for Civil Rights (OCR) published guidance relating to individuals’ rights to access their protected health information (PHI) under HIPAA. As we covered in our earlier blog post about the August guidance, the new FAQs came amidst OCR’s continued enforcement focus on its Right of Access initiative, under which the OCR has brought over fifty enforcement actions to date.

On September 3, 2025, the U.S. Department of Health and Human Services (HHS) announced Secretary Robert F. Kennedy, Jr.’s crackdown on health data blocking, noting that HHS “will take an active enforcement stance against health care entities that restrict patients’ engagement in their care by blocking the access, exchange, and use of electronic health information.” This announcement signals the agency’s continued focus on patient access rights and healthcare interoperability.

HHS’s September 3rd press release references the 21st Century Cures Act, which was signed into law in 2016 and prohibits information blocking by requiring that patient information stored in electronic health record systems can be “accessed, exchanged, and used without special effort through the use of application programming interfaces.” This is a broad definition of information blocking and could include a provider’s refusal to share patient health records, unreasonable delays in providing requested records, or charging excessive fees for patient access.

The Cures Act imposes requirements on health ecosystem entities beyond providers, too. Health IT developers, for example, may engage in information blocking by executing restrictive contractual terms related to data sharing or disabling interoperability functions on their platforms. Health information exchanges and health information networks are also covered under the Cures Act, and could be found to engage in information blocking by imposing unfair fees to join an exchange or blocking certain organizations without valid justification.

Under the Cures Act, the Office of Inspector General (OIG) and the Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) are authorized to take enforcement action against information blocking in healthcare. In a September 4, 2025, Enforcement Alert following the HHS press release, ASTP warned that individuals found to have engaged in information blocking could face several types of enforcement actions, including civil monetary penalties of up to $1 million per violation against certain health IT developers, entities offering certified health IT, health information exchanges, and health information networks. CMS may also impose disincentives on providers if OIG refers information blocking cases to HHS. Notably, OIG has stated that it will prioritize enforcement where information blocking causes patient harm or significantly impairs a provider’s ability to deliver care.

Proponents of information blocking enforcement assert that these measures will increase patient access to information, promote interoperability, and enhance care coordination. On the other hand, critics note that broad data sharing raises security and privacy concerns. Greater access could increase the risk of breaches or misuse of sensitive health information. While there are exceptions to what constitutes information blocking, aggressive enforcement could pressure organizations into unnecessary disclosure, which runs counter to principles of data minimization and need-to-know sharing. Still, with HHS putting the healthcare ecosystem on alert, now is the time for providers, IT developers, and exchanges to take a look at their data practices. Organizations should not wait for an HHS inquiry to conduct internal audits, assess interoperability capabilities, and ensure any exceptions are well-documented. Overall, data sharing practices should balance appropriate information access with safeguards that prevent patient harm and minimize risk of information being misused. If your organization touches health information in any way, preparation for this increased regulatory focus now could prevent OCR scrutiny later.