After several years of education, guidance, and rulemaking, federal enforcement of the information blocking provisions of the 21st Century Cures Act may finally be entering into a new—and more active—phase. Civil monetary penalties (CMPs) for nonprovider actors have been in effect since September 2023, Medicare payment disincentives for providers have been live since mid-2024, and in September 2025 the Department of Health and Human Services (HHS) publicly announced that information blocking enforcement is now a priority.
Most recently, on February 11, 2026, the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) announced that it has begun issuing letters of nonconformity to certain electronic health record (EHR) developers based on potential information blocking and API-related noncompliance, marking the clearest indication yet that enforcement is shifting from theoretical to reality.
What Is “Information Blocking”?
The 21st Century Cures Act defines information blocking as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI), unless the practice is required by law or meets a regulatory exception.
The regulations apply to three categories of “actors”:
- Health care providers.
- Developers of certified health information technology (IT).
- Health information exchanges and networks (HIE/HINs).
The intent standard differs by actor type. Providers must know a practice is unreasonable and likely to interfere with EHI access, while developers and HIEs/HINs are liable if they know or should know the practice is likely to interfere.
Since October 6, 2022, the scope of EHI subject to the rule includes all electronic protected health information (PHI) that would be part of a Health Insurance Portability and Accountability Act (HIPAA)“designated record set.” So essentially all PHI that is held in electronic form and used to make decisions about the patient is subject to the information blocking prohibition.
Policy Rationale
Congress enacted the information blocking provisions to address persistent barriers to interoperability that remained even after widespread EHR adoption. Federal policymakers concluded that contractual restrictions, proprietary APIs, excessive fees, and strategic delays in data sharing undermined patient access, care coordination, competition, and the return on federal health IT investments.
HHS has repeatedly emphasized that information blocking can harm patients, distort markets, and increase costs through duplicative testing and inefficient care delivery.
Enforcement Framework: Penalties and Disincentives
Civil monetary penalties for developers, HIEs, and HINs
In July 2023, the HHS Office of Inspector General (OIG) finalized regulations authorizing civil monetary penalties of up to $1 million per violation for information blocking by health IT developers of certified health IT, HIEs, and HINs. Enforcement authority became effective September 1, 2023, with no retroactive application.
OIG has stated that enforcement will prioritize practices that result in patient harm, significantly impair care delivery, persist over time, or cause financial losses to federal health care programs.
Medicare disincentives for providers
For health care providers, Congress directed HHS to establish “appropriate disincentives” rather than CMPs. Those disincentives were finalized in July 2024 and are now in effect.
Key consequences include:
- Hospitals and critical access hospitals. Loss of “meaningful EHR user” status under the Medicare Promoting Interoperability Program, resulting in reduced Medicare payment updates.
- Clinicians. A zero score in the Promoting Interoperability category under the Merit-based Incentive Payment System (MIPS) for the relevant performance period.
- Accountable Care Organizations (ACOs) and Medicare Shared Savings Program (MSSP) participants. Ineligibility to participate in the MSSP for at least one year.
The rule also requires public posting of actors determined to have committed information blocking, significantly increasing reputational and litigation risk.
Information Blocking Exceptions
ONC’s regulations establish a set of voluntary exceptions that, if fully satisfied, protect an actor from information blocking liability. These include exceptions for:
- Preventing harm.
- Privacy.
- Security.
- Infeasibility.
- Health IT performance.
- Protecting care access (related to reproductive health care).
- Manner.
- Fees.
- Licensing.
- Trusted Exchange Framework and Common Agreement (TEFCA)-related practices (although this has been proposed to be removed in the recent HTI-5 proposed rule).
Importantly, failure to meet an exception does not automatically establish a violation; OIG evaluates conduct based on the totality of the circumstances.
Recent Regulatory Developments
HTI-1 and expanded exceptions
In January 2024, ONC finalized the HTI-1 rule, which revised information blocking definitions, narrowed the scope of who is considered to “offer health IT,” and added a new exception for certain exchanges conducted through TEFCA.
HTI-1 also modified the infeasibility exception, including new conditions addressing third-party modification requests and alternative interoperable manners of exchange.
Late-2024 and 2025 updates
Subsequent HTI-2 and HTI-3 rules finalized federal governance for TEFCA and added or refined information blocking exceptions related to reproductive health data and TEFCA participation.
In December 2025, ASTP/ONC issued new FAQs clarifying that:
- Conditioning EHI access on revenue-sharing or royalty arrangements generally does not satisfy the Fees Exception.
- Actors must carefully evaluate delays or restrictions affecting automated access to EHI.
- The “manner” exception requires timely fulfillment in alternative formats when the requested manner is not feasible.
On December 29, 2025, ASTP/ONC also published its HTI-5 proposed rule, which among other things, proposes refining several definitions, narrowing some of the exceptions, and eliminating the TEFCA manner exception. Comments are due on February 27, 2026.
February 11, 2026: letters of nonconformity signal active oversight
On February 11, 2026, ASTP/ONC announced that it has begun issuing letters of nonconformity to certain certified EHR developers, citing concerns related to API performance, interoperability, and potential information blocking practices. The announcement coincided with data showing that nearly 500 million records have now been exchanged through TEFCA, underscoring the government’s expectation that certified health IT operate in a manner consistent with nationwide data liquidity.
Although letters of nonconformity are not themselves CMPs, they are a formal compliance mechanism under the ONC Health IT Certification Program and may lead to corrective action plans, certification suspension or termination, or referral to OIG for enforcement. For developers, the announcement represents the strongest signal yet that federal agencies are actively scrutinizing real-world interoperability behavior—not just policy frameworks.
Enforcement Trends to Watch in 2026
Based on recent agency statements and regulatory activity, we expect:
- Increased enforcement coordination among ASTP/ONC, OIG, CMS, OCR, and potentially DOJ, particularly where information blocking intersects with payment, privacy, or competition issues.
- Public enforcement actions to establish precedents, especially involving developers and networks whose practices affect large patient populations.
- Narrower reliance on exceptions, particularly the Fees and Manner exceptions, as ONC guidance and proposed HTI-5 changes constrain aggressive interpretations.
- Greater pressure on providers, as CMS disincentives and public posting increase the financial and reputational stakes of noncompliance.
- Increased civil litigation using information blocking as a basis for unfair competition and similar claims under state law.
Conclusion
The federal information blocking regime has moved decisively into an enforcement-driven phase. The February 11, 2026 ASTP/ONC announcement confirms that regulators are no longer waiting for complaints to accumulate—they are actively testing compliance against real-world interoperability performance.
Health care providers, health IT developers, and data-exchange organizations should expect continued scrutiny in 2026 and should proactively align policies, contracts, and technical workflows with the evolving expectations of ONC, OIG, and CMS.
AlstonHealth State Law Hub
Alston & Bird’s Health Care team highlights state legislation and regulatory actions with direct implications for operations, reimbursement, privacy, and enforcement risk. Designed for in-house counsel, the tracker supports legal teams in proactively managing risk and aligning business strategy with a rapidly evolving state regulatory environment.
Learn more on the AlstonHealth State Law Hub.
If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.