HHS Cracks Down: $1M Penalties Enforced for Blocking Patient Health Data Access

The era of impunity for blocking patient access to electronic health records appears over. The US Department of Health and Human Services (HHS) has declared it will take an "active enforcement stance" against healthcare providers, health IT developers, and information networks that illegally restrict the sharing of electronic health information (EHI). This move, announced via a formal notice and accompanying PDF, activates long-awaited penalties under the 2016 21st Century Cures Act.

"Patients must have unfettered access to their health information as guaranteed by law," stated acting HHS Inspector General Juliet Hodgkins. "Providers and certain health IT entities have a legal duty to ensure that information flows where and when it's needed."

The Long Road to Enforcement

The 21st Century Cures Act, signed by President Obama, mandated easy, cost-free electronic access for patients to their health data via apps of their choice. It also required health IT systems to be accessible to providers without excessive fees or technical barriers. However, a critical gap persisted:

• Initial Penalty Scope: The original law only established clear civil monetary penalties for health IT developers, networks, and exchanges.
• Provider Penalty Void: Consequences for non-compliant healthcare providers (hospitals, clinics, doctors) were left undefined, requiring HHS rulemaking.
• Delayed Action: Draft disincentives for providers didn't emerge until late 2023 under the Biden administration, with final rules only published in July 2024. HHS officials attributed part of the delay to the prior administration's lack of prioritization.

Enforcement Mechanisms Take Effect

Despite the slow rollout, the penalties now carry significant weight:

1. Health IT Entities (Developers, Networks, Exchanges): Face civil monetary penalties up to $1 million per violation. Participants in the HHS Health IT Certification Program risk decertification and program exclusion.
2. Healthcare Providers: Subject to unspecified "disincentives" within the Medicare program, potentially impacting reimbursement rates or participation eligibility. Medicaid disincentives may also apply.

Context and Questions

HHS data reveals only 1,336 potential information blocking reports filed since the reporting portal launched in April 2021 – less than one per day. This low volume raises questions about whether information blocking is a systemic crisis or a series of isolated incidents. However, proponents argue:

• The threat of penalties acts as a crucial deterrent, potentially preventing more widespread issues.
• Low reporting figures might reflect a previous lack of faith in enforcement, which could now increase.
• Ensuring seamless data flow is foundational for modern healthcare innovation, patient agency, and coordinated care, making enforcement vital regardless of current complaint numbers.

HHS declined to provide further comment on specific enforcement procedures or the rationale behind the timing. The move signals a concrete step towards realizing the Cures Act's promise of patient data ownership and interoperability, placing tangible consequences on entities that build or uphold digital walls around health information. The true impact on healthcare data fluidity will unfold as enforcement actions begin.