
In what seems like almost a regular cadence now, the Office of the Inspector General and Assistant Secretary for Technology Policy (“ASTP”) have announced a crackdown on information blocking nearly nine years after the passage of the 21st Century Cures Act in 2016. I say this is like a cadence because, like I told my clients in the beginning, this statute won’t be enforced until the day it is. That day has come, and people will pay for non-compliance, just like they did with the requirements of the ASTP’s certification program and the meaningful use program. Tom Keane, the Assistant Secretary at ASTP, had this to say:
“We have already begun reviewing reports of information blocking against developers of certified health IT under the ONC Health IT Certification Program and are providing technical assistance to our colleagues at OIG for investigations[.]”
This is in response to what I understand is a large outstanding backlog of information blocking complaints. These will be overwhelmingly against providers, but he is signaling, almost surprisingly, that developers are the real target. When read in conjunction with the OIG’s statements, this means that they are going to prioritize complaints against developers that affect patient care and financial loss to federal programs. The OIG alert specifically states that:
“OIG will prioritize enforcement where practices cause patient harm, significantly impact or impair a provider’s ability to deliver patient care, are of long duration, or cause financial loss to Federal health care programs or other Government or private entities.”
In what I think is a mild understatement, the OIG states that “[v]oluntary compliance now can prevent serious consequences.” Those consequences, for a developer of health information technology, healthcare provider, or health information exchange, can amount to $1 million fines, actions under the federal False Claims Act, and de-certification by the ASTP. I will add that compliance is best achieved by a set of policies and procedures that help you not just achieve compliance, but document and prove it when the time inevitably comes.
This is not a drill, and it comes from the top. Secretary Kennedy himself put out a video to the general public explaining this effort on X. It is an HHS component of the President’s AI Action Plan. This is going to have the same effect as the initial wave of Anti-kickback Statute investigation in healthcare technology, and you should brace yourself.
Below are some posts to help you acquaint yourself with this law, if you haven’t already (and if you haven’t, you should also contact a lawyer).
- This post covers tortious interference and anti-competitive claims in the context of information blocking in a state court action: https://ehealthlawblog.com/2025/05/22/information-blocking-the-tortious-interference-edition/
- This post covers the proposition that information blocking can become the basis of a state claim under that state’s anti-competitive laws: https://ehealthlawblog.com/2025/03/14/a-private-right-to-action-for-information-blocking-not-quite-but-almost/
- This post, which will really hit home for providers, is about how information blocking can be leveraged against an organization in routine records requests: https://ehealthlawblog.com/2021/08/13/is-it-information-blocking-the-civil-discovery-edition/
- This post talks about who is covered as a developer under the statute: https://ehealthlawblog.com/2020/03/19/21st-century-cures-part-3-whos-a-health-it-developer/
- This post provides a general overview: https://ehealthlawblog.com/2020/03/09/21st-century-cures-part-1/
Be safe out there, and give people data when they ask for it and are entitled to it.