top of page
Search

Understanding the OIG’s Information Blocking Enforcement Alert

  • Writer: Jessica Zeff
    Jessica Zeff
  • Dec 5
  • 2 min read
Flat-style illustration showing OIG Information Blocking Enforcement. The left side displays a blocked data path from a teal database with a yellow zig-zag arrow hitting a red warning circle. The right side shows an open path with yellow checkmarks guiding EHI to a hospital icon. The design uses Simply Compliance colors to contrast information blocking versus compliant data flow.

The term “information blocking” has been part of our compliance vocabulary for a few years now, but for many organizations, it remained more of a concept than a reality. That changed earlier this month.


On September 4, 2025, the Office of Inspector General (OIG) released an Enforcement Alert clarifying how it will approach investigations and penalties under the 21st Century Cures Act’s information blocking provisions. The message isn’t meant to be alarming—but it is meant to signal that enforcement is here, and it’s focused.


Why This Alert Matters

At its core, the alert is about ensuring that electronic health information (EHI) flows where it needs to—securely, appropriately, and without unnecessary delays or restrictions. This is about supporting better care, better coordination, and better access for patients.


The OIG’s new guidance confirms that they are prioritizing enforcement where information blocking:


  • Results in patient harm

  • Interferes with care delivery

  • Involves repeated or prolonged practices

  • Leads to financial loss for patients, payers, or government programs


For developers of certified health IT, Health Information Exchanges (HIEs), and Health Information Networks (HINs), civil monetary penalties up to $1 million per violation may apply. For providers, the Alert reinforces that CMS disincentives are on the table if blocking is found.


What Compliance Teams Should Consider

For those of us supporting compliance and privacy programs, this alert is a helpful reminder to revisit a few key areas:


  • Workflow reviews – Are requests for records or data sharing being handled efficiently? Are there delays or manual steps that could be seen as burdensome?


  • Exception use – If we rely on an exception to deny or delay access to EHI, is our rationale clearly documented?


  • Vendor arrangements – Do any IT contracts limit our ability to share data in ways that might run afoul of the rules?


  • Education and culture – Do staff understand the difference between HIPAA protections and information blocking obligations? Are we building a culture that encourages appropriate data sharing?


The Alert isn’t just about compliance with a rule—it’s about aligning with a larger goal: ensuring that the right people have access to the right information at the right time.


A Moment to Reconnect Strategy with Mission

If we’ve learned anything from the evolution of the information blocking rule, it’s that compliance isn’t just about preventing problems—it’s about supporting the systems that make care work. When patients, providers, and partners can access the data they need, care becomes safer, more efficient, and more responsive.


This Alert is a good opportunity to bring compliance, IT, privacy, and operations back to the table together. Not to panic—but to align.


Have questions about how the enforcement alert might apply to your organization?

Simply Compliance works with healthcare organizations to evaluate workflows, support documentation practices, and align policies with the Cures Act and information blocking rules.


Get in touch with Jessica Zeff @ Simply Compliance.

Comments

bottom of page