Information Blocking Is Now Illegal: Here's What That Means for Your Healthcare App
Date Published: Apr 21, 2026
Written by: Consolidate Health
Time to Read: 4 mins

Since April 2021, information blocking has been illegal under federal law. The Office of Inspector General can impose penalties. Healthcare organizations are on notice.
But most people in the industry, including many building healthcare applications, don't fully understand what information blocking actually means, how it's being enforced, or how recent regulatory changes expand its scope.
Here's what you need to know.
What Information Blocking Actually Means
Information blocking isn't just refusing to share data when asked. The definition is broader and more practical than most people realize.
Under the 21st Century Cures Act, information blocking includes any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.
That covers:
Technical barriers: Implementing APIs that technically exist but are so difficult to use that they effectively prevent access. Requiring proprietary formats when standards exist. Rate limiting so aggressively that practical use is impossible.
Business practices: Charging excessive fees for data access. Requiring contracts with unreasonable terms. Imposing delays that make timely access impractical.
Organizational policies: Requiring patients to request data in person when electronic options exist. Limiting the scope of data available through APIs without legitimate reason.
The law applies to healthcare providers, health IT developers (EHR vendors), and health information networks. If you're building healthcare applications, this means the organizations you're trying to get data from have legal obligations to cooperate.
Who Enforces It (And How)
Enforcement responsibility sits with the Office of Inspector General (OIG) at HHS. The OIG can impose civil monetary penalties:
Up to $1 million per violation for health IT developers and health information networks
Referral to appropriate agencies for healthcare providers (with potential impacts on Medicare participation)
Enforcement has been ramping up. In 2024 and 2025, HHS issued multiple warnings, published enforcement guidance, and began investigating complaints. The message is clear: this isn't just policy language - there are real consequences.
For healthcare builders, this creates leverage. When providers or EHR vendors create unreasonable barriers to patient-authorized data access, they're potentially violating federal law. You can, and should, push back.
The Exceptions (And Their Limits)
The information blocking rules include exceptions: situations where limiting data access is permissible. These include:
Privacy: Protecting information when required by state or federal privacy laws
Security: Implementing reasonable security measures
Infeasibility: When compliance isn't technically possible
Health IT performance: Reasonable system maintenance and downtime
But these exceptions have limits. The December 2025 HTI-5 proposed rule specifically addresses organizations using exceptions as loopholes:
"The proposed rule revises several information blocking exceptions to prevent those participating in health data exchanges from using technical or contractual loopholes to unfairly block data access."
Translation: regulators are watching for organizations that technically comply while practically obstructing. The spirit of the law matters, not just the letter.
HTI-5 Expands the Scope to AI
Here's where it gets interesting for healthcare AI companies.
The HTI-5 proposed rule updates the definitions of "access" and "use" to explicitly include autonomous AI systems. The rule aims to advance "AI-enabled interoperability solutions through modernized standards and certification."
What this means practically: when an AI application requests patient-authorized data, the same information blocking rules apply. Providers and EHR vendors can't treat AI-initiated requests differently from human-initiated requests.
This is significant. It signals regulatory intent to support AI healthcare applications that need programmatic data access. And it closes a potential loophole where organizations might have argued that information blocking rules only applied to human-readable access.
What This Means for Your Product
If you're building healthcare applications that need patient data, information blocking rules work in your favor. Here's how to use them:
Know your rights. When patients authorize your application to access their data, providers must comply. This isn't optional or negotiable; it's federal law.
Document barriers. If you encounter unreasonable fees, technical obstacles, or delays, document them. These may constitute information blocking.
Escalate when necessary. You can file complaints with ONC about potential information blocking. The complaint process is available at healthit.gov.
Reference the law. When negotiating with healthcare organizations or EHR vendors, you can reference information blocking rules. Many organizations will cooperate more readily when they understand the legal landscape.
The Infrastructure Advantage
Of course, knowing your rights and exercising them are different things. Fighting information blocking complaints while trying to ship product features isn't a great use of your time.
This is one reason infrastructure partners like Consolidate Health exist. We've already navigated the relationships with major EHR vendors. We've worked through the technical and business barriers. We've built compliant integrations.
When you use our API, you're accessing patient-authorized data through pathways that are already established and legally clear. The information blocking fights have already been fought.
You can go direct and assert your rights under the Cures Act. Or you can integrate with infrastructure that's already done that work.
Either way, understand the law. It's on your side.

