Cures Act Compliance: Navigating Information Blocking Rules and Enforcement
As of 2026, the landscape of healthcare data exchange has fundamentally shifted, with electronic health information (EHI) sharing now established as the "expected norm" in the United States. Under the 21st Century Cures Act, practices that interfere with the access, exchange, or use of this information are strictly prohibited—a concept known as information blocking.
What is Information Blocking?
Information blocking is defined as any practice by an "actor" that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. The law identifies three specific categories of actors who must comply:
- Health care providers (broadly defined).
- Health IT developers of certified health IT.
- Health Information Exchanges (HIEs) and Health Information Networks (HINs).
The standard for a violation depends on the actor. For developers and HIEs/HINs, the rule applies if they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For health care providers, the practice must be unreasonable, and the provider must know that it is likely to interfere with the access, exchange, or use of EHI.
Understanding the Scope of EHI
While initial regulations focused on a limited data set called the USCDI, the requirement has since expanded to include the entire electronic designated record set (DRS) as defined by HIPAA. This includes:
- Medical and billing records.
- Enrollment, payment, and claims records.
- Any records used to make decisions about individuals.
The rule specifically excludes psychotherapy notes and information compiled in reasonable anticipation of legal proceedings.
The Nine Regulatory Exceptions
HHS has defined specific "exceptions"—reasonable and necessary activities that do not constitute information blocking if all conditions are met. These are divided into two categories:
Exceptions for Not Fulfilling Requests:
- Preventing Harm: Withholding EHI to prevent a substantial risk of harm to a patient or another person.
- Privacy: Protecting an individual's privacy, such as when a legal precondition (like consent) is not met.
- Security: Practices tailored to specific security risks to protect the confidentiality and integrity of EHI.
- Infeasibility: When an actor cannot fulfill a request due to uncontrollable events (like natural disasters) or technical limitations.
- Health IT Performance: Taking health IT offline temporarily for necessary maintenance or improvements.
Exceptions for Procedures in Fulfilling Requests:
- Content and Manner: Allowing actors to fulfill requests in an alternative manner if they are technically unable to fulfill them as requested.
- Fees: Charging fees for EHI access that are based on objective, verifiable criteria and include a reasonable profit margin, provided they aren't "rent-seeking."
- Licensing: Licensing interoperability elements on reasonable and non-discriminatory terms.
- TEFCA Manner: Fulfilling certain requests via the Trusted Exchange Framework and Common Agreement (TEFCA) when both parties are participants.
The Cost of Non-Compliance: Active Enforcement
As of 2026, enforcement is officially active. The HHS Assistant Secretary for Technology Policy (ASTP) has begun issuing notices of investigation regarding potential nonconformity.
The penalties for information blocking are substantial:
- Health IT Developers and HIEs/HINs: Face civil monetary penalties of up to $1 million per violation, along with potential loss of health IT certification.
- Health Care Providers: Face "disincentives" through CMS programs, including:
  - Medicare Promoting Interoperability Program: Reduction in annual market basket updates for hospitals.
  - MIPS: A zero score in the Promoting Interoperability performance category.
  - Medicare Shared Savings Program: Ineligibility to participate in an ACO for at least one year.
5 Red Flags to Avoid
To mitigate risk, organizations should avoid these common practices that may be flagged as information blocking:
- Routine Delays: Withholding lab results until a provider can review them with the patient (this is only allowed in rare, individualized cases of potential harm).
- Slow Responses: Failing to provide "immediate" access to requested EHI; the HIPAA 30-day response window does not apply here.
- Restricted Portals: Failing to enable features that allow patients to transmit their EHI to third-party apps.
- Unnecessary Paperwork: Requiring written consent for treatment-related sharing with unaffiliated providers when not required by law.
- Reporting Failures: Failing to report mandatory conditions (like child abuse or infectious diseases) as required by state law.
Strategic Compliance Checklist
Organizations should take the following steps to ensure alignment with current regulations:
- Assess Actor Status: Determine if your organization qualifies as an entity "offering certified health IT," which increases exposure to $1 million fines.
- Define your DRS: Document exactly what constitutes your Designated Record Set so staff knows what must be shared.
- Update Policies: Ensure organizational policies promote seamless EHI exchange and align with the latest rules.
- Formalize Exception Documentation: Maintain contemporaneous records of why an exception was used (e.g., a written response within 10 days for the Infeasibility Exception).
- Train Staff: Provide comprehensive training for health IT, privacy, and health information management teams on the current 2026 enforcement landscape.
Note: This article is for informational purposes and does not constitute legal advice. Because laws vary by jurisdiction and are subject to change, organizations should consult with legal counsel regarding specific compliance needs.
