Information Blocking Complaints and Enforcement Playbook (2026)
Information blocking moved from policy debate to active enforcement. If you lead a large provider group, your risk is usually operational: unclear release rules, inconsistent exception decisions, and weak request tracking. This playbook is built to fix that.
What Changed: Concrete Enforcement Dates
On June 27, 2023, HHS OIG posted its final rule implementing civil monetary penalties (CMPs) for information blocking actors within the scope of OIG's CMP authority, with penalties of up to $1 million per violation. OIG states that enforcement of those penalties began on September 1, 2023.
On July 1, 2024, HHS published the final rule establishing information blocking disincentives for certain health care providers under Cures Act authority. In parallel, ASTP/ONC and OIG issued an enforcement alert on September 4, 2025, signaling intensified enforcement and additional resources.
How Complaints Move Through the System
- A complaint is submitted through the ASTP/ONC Information Blocking Portal.
- ASTP/ONC shares claims with OIG and may follow up for additional detail.
- OIG triages and investigates based on enforcement priorities.
- If a violation is established, applicable penalties/disincentives are triggered through existing authority.
The practical implication: provider groups should assume complainants, regulators, and auditors will expect objective documentation for every denial, delay, or limitation in EHI sharing.
Top Complaint Patterns in Provider Operations
- Portal access process that is technically available but operationally obstructive.
- Manual delays for routine records where no valid exception is documented.
- Blanket policies that over-apply privacy/security rationale without case-by-case analysis.
- Vendor contract terms or workflow constraints that create de facto access barriers.
- No auditable tracking for intake, triage, exception review, and final response.
Operational Controls That Reduce Risk Fast
1. Centralize EHI request management
Route requests through one intake queue with timestamping, request type, requester category, and due-date SLA.
2. Exception decision template
For every denied or constrained request, require documented rationale, exception criteria, reviewer, date, and next-review trigger.
3. Weekly exception review board
Use clinical, compliance, legal, security, and IT reviewers for high-risk cases. This keeps decisions consistent and defensible.
4. Contract and vendor governance
Include interoperability SLAs, API availability obligations, and escalation terms in contracts. Many access problems are contractual, not technical.
5. Leadership dashboard
Track open requests, aged requests, denied requests by reason, and median response time by request type.
90-Day Remediation Plan for Large Provider Groups
- Days 1-15: inventory all request channels and standardize intake.
- Days 16-30: implement the exception documentation template and assign reviewers.
- Days 31-60: run weekly exception board and publish first KPI dashboard.
- Days 61-90: update vendor contracts/workflows where barriers persist.
Frequently Asked Questions
Who investigates information blocking complaints?
ASTP/ONC receives portal claims and shares them with OIG; OIG investigates potential violations. ONC also reviews certain developer certification non-conformity issues.
Can provider groups be penalized for information blocking?
Yes. Provider disincentives were finalized by HHS in 2024 under Cures Act authority.
What is the fastest way to reduce information blocking risk?
Standardize intake, enforce exception documentation, and track response-time performance with executive oversight.
Primary Sources
- HHS OIG Information Blocking Final Rule and Enforcement Details
- ASTP/ONC and OIG Enforcement Alert (September 4, 2025)
- ASTP/ONC Information Blocking Portal Process and Guidance
- 2024 Final Rule on Provider Disincentives (Federal Register posting)