What is Information Blocking Compliance in Healthcare and Why is it Prevalent?

“I think the regulators are trying to strike a balance here…of not hindering access because that’s important: patients need access to their data, [and] their providers need access to their data, but also realizing that these healthcare IT developers need to support the privacy and security of this electronic health information because they want to ensure that there’s public confidence in these technologies.”

Stephanie Gomes-Ganhão, JD, Associate at Day Pitney Law Firm

The digital revolution in the health sector has long promised a future of a smoother, faster healthcare system: a new reality where hospitals’ clinical workflow will be streamlined, where interactions with insurance companies will be automated, and spreadsheets and fax machines will become relics of the past.

The idea of an integrated digital system not only appeals to healthcare centers and hospitals, which would save big on time and operational costs, but also to patients, who would be able to seek and receive healthcare more quickly, have centralized access to their own health data, and enjoy a simplified experience interacting with the healthcare system overall.

While aspects of these ideas have been brought to fruition, the dream of a more unified, digitized healthcare system is still out of reach.

Why? One of the most crucial aspects of bringing this hypothetical system into reality is creating a secure channel for electronic health information (EHI) to flow through. Although the technology has long been available, implementation seems to be at a standstill.

The phenomenon of healthcare IT companies preventing or discouraging access or exchange of EHI has come to be known as information blocking.

Read on to learn more about what information blocking is, why it happens, and what is being done to integrate our fragmented healthcare system.

Meet the Experts

Harman Dhawan

Harman Dhawan is the CEO and founder of Bikham Healthcare, an IT solutions company that offers digital solutions for revenue cycle management, credentialing and enrollments, patient reports, and billing and compliance.

Bikham Healthcare’s clientele includes a mix of healthcare institutions, hospitals, physician groups, laboratories, durable medical equipment companies, and standalone physicians.


Stephanie Gomes-Ganhão

Stephanie Gomes-Ganhão is an associate at Day Pitney law firm in Connecticut. She advises corporations and organizations across diverse industries on data privacy, cybersecurity, and technology matters and has particular experience handling data breach matters, having counseled clients on dozens of ransomware, phishing, and other cybersecurity incidents.

Building upon a healthcare and insurer privacy background, she regularly counsels manufacturers, software companies, technology companies and financial institutions.

The Origins of Information Blocking

It’s difficult to name an industry that hasn’t undergone some form of digitization over the last decade, and healthcare is no exception. In fact, as one of the most data-driven and data-reliant industries, it stood to undergo one of the most significant transformations.

In the 2000s and 2010s, countless electronic health record (EHR) vendors saw the potential to claim their market share, each debuting software with the goal of becoming the leading comprehensive data management system in the sector.

However, the lack of regulations in the new digital space meant that there was no incentive for industry players to design software products that were compatible with one another.

So, unless all the third parties—insurers, hospitals, providers, and patients—were customers of the same EHR service, there were often bottlenecks blocking the flow of data.

Information blocking can be intentional or unintentional. In some cases, it could occur due to an oversight in the software’s design. However, vendors had a clear motive to create barriers to accessing data: to corner their customers and their affiliates into using their product exclusively.

According to Harman Dhawan, CEO of Bikham, an IT solutions company in the revenue cycle management space, intentional information blocking became standard practice in the healthcare sector: “It’s closed doors, different ecosystems. They are [designed to be] disparate and siloed, not willing to talk to each other,” he says.

“So let’s say for example, it’s a big software company that has built their own database [with its] own subscribers. They want to hold onto that information. They don’t want [third parties] to tie in.”

Some software companies may charge excessive fees, use tactics to delay a practice’s switch from one vendor to another, or even create barriers for customers to report data accessibility issues. All of these practices are examples of information blocking.

“It’s backward thinking,” Dhawan says. “You have to be open, you have to succeed based on your performance, the value you actually bring.”

Information blocking has a negative impact on providers, who may be affected when trying to access patient records held by other hospitals, syncing electronic health records (EHRs), or moving data from one EHR to another.

But in the end, the true victims of these practices are patients. When data exchange is delayed or incomplete due to slow-moving or missing data, doctors and other hospital staff members can come to incorrect medical conclusions leading to misdiagnosis, improper prescriptions, and other potentially health-compromising mistakes.

A Legislative Maze for EHR Vendors

The government’s fragmented and late handling of information blocking has, somewhat ironically, contributed to the prominence of the practice.

In the late 1990s, when the digitization of the healthcare sector was in its infancy, new rules were needed to ensure patients’ privacy. The Health Insurance Portability and Accountability Act (HIPAA) was established, in large part, for that purpose.

While HIPAA provided a solid and lasting foundation to protect patients’ data from nefarious actors, it also created a major barrier to healthcare interoperability (i.e., the ability to exchange and interpret patient health data electronically).

“It started from a good place, but now what’s happened is HIPAA created more fear [among IT companies],” Dhawan says.

While startups were premiering healthcare software solutions in the 2010s that digitized EHRs, the Office for Civil Rights was stepping up HIPAA compliance enforcement.

“Patients need access to their data, their providers need access to their data, [but] the public’s going to be concerned about how their information is being exchanged,” explains Stephanie Gomes-Ganhão, associate attorney at the law firm Day Pitney.

Violating HIPAA regulations became such a concern for healthcare IT companies that new consultancy ventures emerged—some strictly dedicated to advising on HIPAA compliance.

“There’s a whole industry around it,” Dhawan says.

In essence, ensuring data privacy and promoting software interoperability had become (and remains) a balancing act for players in healthcare digitization, hampering innovation and progress in the field.

In 2016, the Centers for Medicare and Medicaid Services (CMS) denied the assertion that HIPAA was in contradiction with data interoperability, according to a statement it released to Medical Economics. However, it was clear that legislation was needed to better enable patients and providers to access health records while still keeping patient data privacy protected.

The Office of the National Coordinator for Health Information Technology (ONC)’s 2015 Report on Health Information Blocking acknowledged the need to “enable an interoperable learning health system—one in which [electronic health information] is available and can be securely and efficiently shared, when and where it is needed, to support patient-centered care.”

The 21st Century Cures Act

In 2016, the landmark 21st Century Cures Act (Cures Act) was signed into law, creating a legal framework to advance the goal of an integrated, digitized health record system.

The Cures Act defined information blocking as practices that prevent or discourage the access, exchange, or use of electronic health information when an actor knows or “should know” that these practices are likely to interfere with access, exchange, or use of health information.

One of the key impacts of the Act was putting the onus on vendors to ensure interoperability.

“I think the regulators are trying to strike a balance here…of not hindering access because that’s important: patients need access to their data, [and] their providers need access to their data,” Gomes-Ganhão says, “but also realizing that these healthcare IT developers need to support the privacy and security of this electronic health information because they want to ensure that there’s public confidence in these technologies.”

It wasn’t until 2019 that the ONC issued a proposed rule for the Cures Act. During the following months, concerned parties were given time to rectify any practices that constituted information blocking. In 2020, it released its final rule, which established statutory penalties of up to $1 million per violation.

Penalties began to be issued on September 1, 2023, for information blocking conduct that occurred on or after that date. However, it’s still unclear how strictly or loosely the Office of the Inspector General (OIG) will enforce the law and mete out penalties.

“The rule is very, very broad. Interoperability, electronic health information, all these definitions [mentioned in the rule] are incredibly broad,” Gomes-Ganhão says. This ambiguity could make it difficult for industry players to comply or even know when they are acting in noncompliance.

Additionally, the exceptions in the Cures Act—defined as “reasonable and necessary” activities that are not information blocking—also add confusion and leave room for interpretation.

“There are eight exceptions in the rule that have various conditions that must be satisfied in order for an individual or entity subject to the rule to fall within that exception,” Gomes-Ganhão notes.

“These penalties, these enforcement decisions that we’ll see in the future, I think will be telling in terms of … where to draw the line, truly,” Gomes-Ganhão says. “Because right now you can take a very conservative approach and say, ‘That is likely to interfere with access to electronic health information,’…but again, it’s a very facts and circumstances issue.”

To make matters more confusing for industry players, additional information blocking legislation was introduced by the CMS in 2020, following a late-to-the-game Right of Access initiative, which was added to HIPAA in 2019. However, these are all necessary to protect patients and promote safe innovation.

After years of the government playing catch-up with the fast-changing IT sector, the dream of a point-and-click healthcare system is still a way down the road. However, enforcing the Cures Act is a sign that a more integrated system is on the horizon.

“Then hopefully, we can come up with an ecosystem that…forces the big players to have an open-ended integration strategy,” Dhawan says. “That’s how innovation happens.”

Nina Chamlou, Writer

Nina Chamlou is an avid freelance writer from Portland, OR. She writes about economic trends, business, technology, digitization, supply chain, healthcare, education, aviation, and travel. You can find her floating around the Pacific Northwest in diners and coffee shops, or traveling abroad, studying the locale from behind her MacBook. Visit her website at www.ninachamlou.com.