For years, the healthcare industry operated under a "data hoarding" mentality. Information was a proprietary asset, locked behind silos and protected by a convenient, albeit often incorrect, interpretation of HIPAA. Those days are officially over. The Department of Health and Human Services (HHS) and the Office of Inspector General (OIG) have moved past the education phase and into the enforcement era.
Recent data suggests a staggering 59% of healthcare executives admit their organizations are currently unable to comply with the 21st Century Cures Act’s information blocking rules. Furthermore, 57% lack the fundamental technical capabilities to manage patient data in an interoperable environment. This is not just a technical oversight; it is a massive legal and financial liability. With penalties reaching up to $1 million per violation for certain entities, the "wait and see" approach is no longer a viable strategy.
At US Healthcare Today, we believe in a direct, no-nonsense assessment of the regulatory landscape. We see the systemic failures occurring in hospital administrative offices and C-suites across the country. Below, we outline the seven most critical mistakes your organization is likely making regarding information blocking compliance, and how the HHS is positioned to find them.
1. The "Doctor Must See It First" Trap
The most common violation we observe involves delaying the release of test results to patients. Many providers still operate under the outdated belief that they have a right, or even an obligation, to review lab results or imaging before the patient sees them.
The "Preventing Harm" exception exists, but it is narrow. It requires a reasonable belief that withholding the information will substantially reduce a risk of harm to the patient or another person, and when a patient is being denied access to their own EHI, that belief must generally rest on an individualized determination about that patient, not on a department-wide policy. It does not cover the general "anxiety" a patient might feel seeing a result before a clinical explanation. If your EHR is configured to hold results for 24, 48, or 72 hours by default, you are likely in violation: ONC's position is that a practice that delays a patient's access to EHI, including test results, can be information blocking unless an exception applies to that specific delay. A blanket "review period" is a systemic failure, and it is an easy one to flag, because an audit of your system's latency logs will show every result of a given type being released after the same fixed delay.
2. Using HIPAA as a Shield, Not a Filter
For two decades, HIPAA was the ultimate "no" button. If a request for data felt uncomfortable or complex, "HIPAA" was the catch-all excuse to deny access. Today, that excuse has become a liability.
We see organizations withholding EHI because they are applying an "overly cautious" interpretation of privacy laws. Under the Cures Act, if HIPAA permits the disclosure, the Information Blocking Rule often requires it; the rule's own Privacy exception covers situations where a law such as HIPAA actually prohibits the disclosure or requires a precondition that has not been met, and nothing more. If you are still using HIPAA to justify restrictive data practices beyond that, you are misaligned with federal law. The OIG, which investigates information blocking complaints in coordination with ONC, is now looking specifically for entities that use privacy as a pretext for anti-competitive behavior or data blocking.

3. Unreasonable Contractual Barriers
Information blocking isn’t always about a "no." Often, it’s about making the "yes" so difficult or expensive that the requester gives up. We frequently see healthcare organizations imposing contractual terms that are "objectively unreasonable."
This includes demanding indemnity clauses that go far beyond standard business associate agreements or requiring third-party app developers to jump through non-standard security hoops that your own internal apps don't face. If your legal department is adding layers of contractual friction to data exchange, you are creating a paper trail that leads directly to an information blocking violation. You can read more about the intersection of policy and practice in our News Analysis section.
4. Charging the "Interoperability Tax"
Money remains one of the most significant barriers to data flow. While the Information Blocking Rule allows for certain "Fees" and "Licensing" exceptions, these are not a license to profit from a patient's right to their own data.
We see organizations charging excessive fees for API access or manual data exports that should be automated. If your fee structure is designed to recover more than the actual, reasonable costs incurred, or if it is intended to discourage competitors from accessing data, it will be viewed as a violation. The OIG is particularly sensitive to fee-based blocking, as it directly impacts Healthcare Economics and patient choice.
5. Technical Incompetence as a Defense
"Our system just doesn't do that" is no longer an acceptable answer. In 2024, the inability to provide EHI in a machine-readable format is viewed as a choice, not a technical limitation.
Many organizations are still operating on legacy systems that lack the FHIR (Fast Healthcare Interoperability Resources) API capabilities required by the ONC. Relying on outdated technology is a systemic failure of leadership. When the HHS investigates a complaint, they won't care that your vendor is behind on their roadmap; they will hold the provider responsible for failing to ensure their technology stack meets federal standards. For more on the future of compliant tech, visit our AI & Digital Health category.
6. Response Time Latency
The law doesn't just require that you provide the data; it requires that you provide it in a timely manner. We see a recurring mistake where organizations treat EHI requests like traditional medical record requests from the 1990s, taking 30 days to respond.
The expectation for electronic data is near-instantaneous access. If a patient or a competing provider requests data through a certified API, the response should be automated and immediate. If your process involves manual intervention, printing to PDF, or "reviewing" each request individually, you are creating an unnecessary impediment. HHS tracks these response times through patient complaints and can easily spot patterns of intentional delay.

7. Failing the Documentation Test
If you invoke an exception, such as "Infeasibility" or "Preventing Harm", you must document exactly why that exception applies to that specific request. We see many organizations claiming exceptions without a contemporaneous written record.
In an audit, if it isn't documented, it didn't happen. If you deny a request for EHI and cannot produce a detailed justification that maps to one of the regulatory exceptions ONC has defined, you are defenseless. The OIG's final rule, published in June 2023 with enforcement beginning September 1, 2023, makes clear that intent matters, but so does the evidence of a compliance-first culture.
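The three log-driven failures above (the blanket "review period" in section 1, the response latency in section 6, and the missing contemporaneous justification in section 7) can be checked from the same audit data. The script below is an added example written for this article, not code from any EHR vendor or from HHS; it runs over a constructed export of result-release records whose field names (`result_id`, `type`, `finalized`, `released`, `exception`) are assumptions you would map onto your own system's audit log. It separates a configured timer (every result of a type released after the same fixed delay) from individual clinical holds, and lists the holds that have no documented exception.

```python
"""Self-audit of result-release latency from a hypothetical EHR audit-log export.

Two findings per result type:
  * blanket_hold: every result was released after (nearly) the same delay at or
    beyond HOLD_THRESHOLD, which looks like a default timer, not case-by-case review;
  * undocumented_holds: results held past the threshold with no recorded exception.
Field names and the record layout are assumptions, not any vendor's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

HOLD_THRESHOLD = timedelta(hours=24)  # a release this late counts as a hold
TIMER_SPREAD = timedelta(hours=1)     # holds clustered this tightly look like a timer

# Constructed sample records (not real patient data).
# "finalized": result became final in the system; "released": visible to the patient.
SAMPLE_LOG = [
    {"result_id": "R1", "type": "lab", "finalized": "2024-03-01T08:00:00",
     "released": "2024-03-04T08:00:12", "exception": None},
    {"result_id": "R2", "type": "lab", "finalized": "2024-03-01T09:30:00",
     "released": "2024-03-04T09:30:40", "exception": None},
    {"result_id": "R3", "type": "lab", "finalized": "2024-03-02T14:15:00",
     "released": "2024-03-05T14:16:05", "exception": None},
    {"result_id": "R4", "type": "lab", "finalized": "2024-03-03T07:45:00",
     "released": "2024-03-06T07:45:20", "exception": None},
    {"result_id": "I1", "type": "imaging", "finalized": "2024-03-01T10:00:00",
     "released": "2024-03-01T10:03:00", "exception": None},
    {"result_id": "I2", "type": "imaging", "finalized": "2024-03-02T11:00:00",
     "released": "2024-03-02T11:05:00", "exception": None},
    {"result_id": "I3", "type": "imaging", "finalized": "2024-03-02T16:00:00",
     "released": "2024-03-03T22:00:00",
     "exception": "Preventing Harm: individualized determination by ordering clinician, note 2024-03-02"},
    {"result_id": "P1", "type": "pathology", "finalized": "2024-03-01T12:00:00",
     "released": "2024-03-03T12:00:00", "exception": None},
    {"result_id": "P2", "type": "pathology", "finalized": "2024-03-02T12:00:00",
     "released": "2024-03-02T12:02:00", "exception": None},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def release_delay(record: dict) -> timedelta:
    """Time between the result being final and the patient being able to see it."""
    return _ts(record["released"]) - _ts(record["finalized"])


def audit_release_latency(records, threshold=HOLD_THRESHOLD, spread=TIMER_SPREAD) -> dict:
    """Summarize release delays per result type and flag the two failure patterns."""
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec["type"]].append(rec)

    report = {}
    for rtype, recs in by_type.items():
        delays = [release_delay(r) for r in recs]
        held = [r for r, d in zip(recs, delays) if d >= threshold]
        # A hold is only defensible with a contemporaneous, documented exception.
        undocumented = sorted(r["result_id"] for r in held if not r.get("exception"))
        # All results held, and all by almost exactly the same amount: a configured timer.
        blanket = (len(recs) >= 2 and len(held) == len(recs)
                   and max(delays) - min(delays) <= spread)
        report[rtype] = {
            "count": len(recs),
            "median_hours": round(median(delays).total_seconds() / 3600, 1),
            "blanket_hold": blanket,
            "undocumented_holds": undocumented,
        }
    return report


if __name__ == "__main__":
    for rtype, summary in audit_release_latency(SAMPLE_LOG).items():
        print(f"{rtype}: {summary}")
```

On the constructed data, "lab" is flagged as a blanket 72-hour hold with four undocumented holds, "imaging" is clean because its one long delay carries a documented Preventing Harm determination, and "pathology" shows a single undocumented hold without a timer pattern. Run the same logic against the real export and treat any `blanket_hold` as a configuration defect to remove, and any `undocumented_holds` as a documentation gap to close before a complaint forces the question.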
How the HHS Will Find You
You might think your organization is too small or too remote to be on the federal radar. You are wrong. The HHS does not need to send a team of auditors to your front door to find a violation. They have three primary "tripwires":
1. The Public Reporting Portal
The ONC maintains a public "Report Information Blocking" portal. It is remarkably easy for a frustrated patient, a disgruntled former employee, or a competing health system to file a report. These complaints are the primary lead source for OIG investigations.
2. The "Wall of Shame" and Data Aggregators
Just as the OCR maintains a public portal for HIPAA breaches, the industry is moving toward greater transparency regarding data sharing. Developers of certified health IT are bound by ONC's Conditions of Certification, which include attesting that they do not engage in information blocking and reporting measures on how their customers use the certified technology. If your organization is consistently the "black hole" where data requests go to die, your vendors and partners have every incentive to report you to protect their own certifications.
3. CMS "Promoting Interoperability" Audits
For healthcare providers, the "teeth" of enforcement come through financial disincentives in CMS programs. HHS finalized those disincentives in 2024: a zero score in the MIPS Promoting Interoperability performance category, loss of "meaningful EHR user" status for hospitals under the Medicare Promoting Interoperability Program, and ineligibility for the Medicare Shared Savings Program for ACOs. During MIPS or ACO audits, CMS can verify whether you checked the "yes" box on information blocking attestations while your actual data logs show a pattern of blocking. A single audit can trigger a look-back period that puts years of incentive payments at risk.
The Bottom Line
Information blocking compliance is not a "check the box" exercise for your IT department. It is a fundamental shift in how healthcare organizations must treat data. The OIG's penalty of up to $1 million per violation for certified health IT developers, health information networks and exchanges, paired with the program disincentives for providers, is a clear signal: the federal government is serious about ending data silos.
We urge healthcare executives to move beyond the 59% who remain unready. Conduct a gap analysis of your EHR workflows, review your "standard" contractual terms, and ensure your clinicians understand that their desire to "review first" does not override federal law.
The HHS is already looking. The question is: what will they find when they look at you?
If you need to evaluate your current digital infrastructure or reach out for more information on regulatory shifts, please visit our Contact Forms page to connect with our team. We provide the critical analysis necessary to navigate this increasingly hostile regulatory environment.