By: Kathie McDonald-McClure
The 21st Century Cures Act of 2016 (Cures Act) was passed by Congress and signed into law by President Obama on December 13, 2016. The Cures Act seeks to ensure access, exchange, and use of electronic health information. The Act mandated the U.S. Department of Health and Human Services (HHS) to establish rules prohibiting “information blocking” by developers of certified electronic health information technology (CEHRT), healthcare providers, health information networks (HINs), and health information exchanges (HIEs).
HHS, during the first Trump Administration, proposed and finalized initial information blocking rules for CEHRT developers and healthcare providers. The rules were initially set to take effect in November 2020 but were delayed due to the COVID-19 pandemic. The Biden Administration HHS announced that there would be no further delays and those initial information blocking rules became effective on April 21, 2021. These rules are applicable to developers of CEHRT and healthcare providers as well as HINs and HIEs. See 45 C.F.R. Part 171—Information Blocking and see our April 6, 2021 article discussing these complex rules, “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?”
The next mandate under the Cures Act was to establish civil monetary penalties (CMPs) for CEHRT developers and “appropriate disincentives” for healthcare providers who violate the information blocking rules. The Biden Administration HHS Office of Inspector General (OIG) proposed and finalized the CMPs of not more than one million dollars per violation for CEHRT developers who commit information blocking. Those rules became effective September 1, 2023. See 42 C.F.R. Part 1003 Subpart N.
The Biden Administration HHS also proposed and finalized the disincentives for certain healthcare providers who run afoul of the information blocking rule. These disincentives became effective on July 31, 2024. See 45 C.F.R. 171.1000.
On September 3, 2025, HHS, under the direction of Secretary Robert F. Kennedy, Jr., announced a crackdown on information blocking violations. The announcement states that the Cures Act was “published” during the first Trump Administration despite being signed into law by President Obama. The announcement goes on to say that “[i]nformation blocking was not a priority under the Biden Administration” despite the implementation of penalties and disincentives for violations.
Nevertheless, it is important to note the intent of HHS under Secretary Kennedy to prioritize enforcement of the information blocking rules. The announcement summarizes the penalties and disincentives for information blocking violations. The disincentives for hospitals, critical access hospitals, and clinicians are not as straightforward as the CMPs for CEHRT developers because they are tied to Medicare payment formulas. Although not detailed in the HHS announcement, we discuss the disincentives in more depth in our July 3, 2024 article, “HHS Adds New Teeth to Information Blocking Law for Health Care Providers.”
Looking for assistance in navigating compliance and avoiding the pitfalls associated with the information blocking rules? We work with our clients regarding their policies and procedures related to compliance with information blocking, HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.
wyatthitechlaw.com 