Join us in Nashville, TN for the joint Sequoia Project and Carequality 2025 Annual Meeting – Register Now
Member Login
Resource

Enforcement Process for Information Blocking Penalties

Last updated: November 6, 2025
Section 1

Understanding the Enforcement Process

Enforcement of Information Blocking (IB) Penalties

On July 3, 2023, the U.S. Department of Health and Human Services Office of Inspector General (HHS/OIG) finalized its rule implementing civil monetary penalties for information blocking (IB), as authorized by the 21st Century Cures Act. As of September 1, 2023, OIG may impose penalties of up to $1 million per violation on certain entities – specifically:

  • Health IT developers of certified health IT
  • Entities offering certified health IT
  • Health Information Exchanges (HIEs) / Health Information Networks (HINs)

Establishment of Disincentives for Health Care Providers

In a separate rule, HHS established disincentives, rather than monetary penalties, for certain healthcare providers who commit IB. These apply to specific Medicare and Medicaid program participants and can affect:

  • Participation status in CMS programs (e.g., Promoting Interoperability)
  • Scoring in value-based programs
  • Eligibility for incentive payments

Who enforces the rules?

Assistant Secretary for Technology Policy (ASTP)

ASTP receives and reviews complaints, and can also take enforcement action against Health IT Developers of Certified Health IT through the ASTP/ONC Health IT Certification Program (e.g., corrective action plans, suspension, or termination of certification).

Visit website

Office of Inspector General (OIG)

OIG investigates violations and enforces penalties on rule breaking entities.

Visit website

Centers for Medicare & Medicaid Services (CMS)

CMS applies disincentives to Medicare/Medicaid providers under its programs.

Visit website

View the Final Rules

Section 2

Complaints & Investigation

How is enforcement triggered?

Through complaints filed by individuals or entities

Where to file a complaint?

What happens after a complaint is filed?

  1. OIG reviews the complaint and consults with ASTP/ONC when appropriate.
  2. OIG investigates and determines whether enforcement is warranted.
  3. ASTP/ONC Complaint Trends: View Complaint Data
OIG Prioritization

To prioritize cases, OIG will focus on those that:

  • resulted in, is causing, or had the potential to cause patient harm;
  • significantly impacted a provider's ability to care for patients;
  • was of long duration;
  • caused financial loss to Federal health care programs, or other government or private entities; or
  • was performed with actual knowledge.1

[1] Information Blocking | Office of Inspector General | Government Oversight | U.S. Department of Health and Human Services

Source: OIG Website – https://oig.hhs.gov/reports/featured/information-blocking/

Section 3

Preparing for Enforcement

Legal Disclaimer:

This resource does not constitute legal advice. Please consult with your legal counsel to determine whether the IB Rules apply to you or your organization and what compliance and enforcement might mean for you or your organization.

Why preparation matters

While enforcement is complaint-driven, OIG prioritizes investigations based on patient harm, impact to care, or willful violations. Organizations that can demonstrate a proactive compliance posture are better positioned in the event of an investigation, or to prevent violations in the first place.

Start with a Compliance Program

Establish or update an (IB) Compliance Program that includes: 

  • Clear internal policies aligned with ASTP/ONC's IB regulations
  • Designated staff responsible for compliance
  • Defined procedures for handling electronic health information (EHI) access requests

Six Readiness Tips for all Organizations

Here are some tips to ensure your organization is ready in the event of an investigation. Note that The Sequoia Project has an array of resources available that provide much more detail on strategies for IB compliance. Information Sharing Workgroup Resources – The Sequoia Project.

  1. Review and centrally store your policies and procedures for information sharing, including your definition of the designated record set.
  2. Respond promptly to requests for information by creating workflows to address patient and third-party data requests
    1. Document information requests and your decisions, especially when denying or delaying access to EHI.
  3. Educate staff to ensure everyone understands IB basics and how to communicate with requestors and how to engage compliance when needed.
  4. Use certified health IT effectively to configure settings to support access and exchange
    1. Work with your vendor and implementation specialist to ensure access capabilities such as Application Programming Interfaces (APIs) are appropriately leveraged and maintained.
  5. Conduct internal audits to regularly check compliance and fix gaps
    1. Consider establishing an internal complaint line.
    2. Consider conducting tabletop exercises.
  6. Identify your investigation response team
    1. Who is on point to interact with OIG?
    2. Who is on the multi-disciplinary support team to answer questions and provide needed information (legal, compliance, privacy, health information management, information technology, etc.)?

Three tips for an active investigation

Gather information about the request that triggered the investigation and identify the scope of those requests (if possible)

Maintain a posture of cooperation with investigators, while documenting all interactions and an inventory of documents shared

Follow generally accepted practices for retention and maintenance of records

Tailored Readiness and Response

Not all actor types have the same capabilities for readiness and response. The following section provides more tailored tips by organization type and size.

Large Health System

Key Readiness Focus: Ensure enterprise-wide consistency in IB policies; centralize logging and audit capabilities.

Key Response Steps: 

  • Activate your investigation response team to review the IB complaint and any materials provided by OIG.
  • Determine a single point of contact for communication with OIG, with all other staff working through that individual or team.
  • Conduct analysis of request and response:
  • Assess organizational actions against internal policies and procedures and document findings, including whether the conditions of relevant exceptions to the IB rules were met.
  • Assess possible role of partner organizations, such as an HIE or vendor, and, as appropriate, review contract terms, service level agreements, and other ancillary documentation to understand each party’s responsibilities and any communications related to IB complaint.
  • After complaint process is complete, conduct a review to identify any needed changes to policies, procedures, and staff training.
Small Provider Practice

Key Readiness Focus: Use ASTP/ONC tip sheets and FAQs; assign a compliance lead even if part-time

Key Response Steps: 

  • Contact and inform legal counsel and/or individual responsible for compliance.
  • Identify and preserve all records related to the IB complaint.
  • Conduct analysis of request and response:
  • Assess practice actions against internal policies and procedures and document findings;
  • Assess possible role of partner organizations, such as an HIE or vendor, and, as appropriate, review contract terms, service level agreements, and other ancillary documentation to understand each party’s responsibilities and any communications related to the IB complaint.
  • After investigation is complete, review organizational policies procedures with staff to ensure IB compliance is maintained. Consider procuring external training, as needed, to fulfill compliance needs.
Health IT Developer of Certified Health IT

Key Readiness Focus: Align product documentation and customer agreements with IB requirements

Key Response Steps: 

  • Convene IB response team meeting to review complaint and materials provided by OIG.
  • Determine a single point of contact for communication with OIG, with all other staff working through that individual or team.
  • Engage appropriate resources at your company to review complaint, identify appropriate policies, documentation, and records related to the EHI request/complaint.
  • Once resources and records have been identified, review and perform an analysis to determine if the facts and circumstances indicate EHI was involved, if the activity/practice falls within the scope of the IB definition, and whether the conditions of relevant exceptions to the IB rules were met.
  • If complaint involves another entity or actor, review contract terms, service level agreements, and other ancillary documentation to understand each party’s responsibilities and any communications related to IB complaint.
  • After complaint process is complete, conduct a review to identify any needed changes to policies, procedures, and staff training.
Section 4

Resources

Disclaimer:

Links to federal websites may not be active during the Government Shutdown.

ASTP

OIG Landing Page

OIG General Compliance Program Guidance

Other OIG Compliance Guides

Inspection and Evaluation Organizations

Inspection and Evaluation Peer review

Guide
Schedule
Toolkit

Other Resources

Table of Contents
    Add a header to begin generating the table of contents