By Matt Fisher, Healthcare Attorney
LinkedIn: Matthew Fisher
X: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
Access to data and the enablement of data flow are significant issues and concerns within healthcare. In particular, individuals often have a hard time getting to their own data. Those difficulties exist even with different regulations in place designed to promote and require access to data.
The playing field on that front may start to change. It is often said that compliance is encouraged when enforcement occurs. Absent enforcement, there can be a perception that there is no stick to drive adherence to regulatory requirements perceived as burdensome or not aligned with business needs. A new announcement from the Office of the Inspector General of the Department of Health and Human Services (OIG) could shift the discourse for data access in healthcare.
What Enables Access?
Before getting to the announced intended actions from OIG, it is helpful to set the table by identifying the regulations that call for access. The starting point is with the individual right of access under the HIPAA Privacy Rule. While the HIPAA right of access is not mentioned in the OIG announcement, it has existed for a longer period of time and arguably should be more baked into compliance programs. The HIPAA right of access lets an individual request a copy of their designated record set held by a covered entity. While “designated record set” is a term of art under HIPAA, the quick summary is that it pretty much covers any information that a covered entity has about an individual used in decision making about the individual. That means it could be more expansive than just the records in an electronic medical record system.
While the right of access sounds simple, it has caused any number of headaches across the industry. Those headaches include failure to honor access requests and many hoops thrown up before the request will even be considered. Those measures do not necessarily align with the text of the regulation, which is where the frustration comes in. The difficulties have resulted in a number of settlements imposed by the HHS Office for Civil Rights, though it is not really clear if those settlements have driven meaningful, widespread changes.
The regulation that is really the focus of the OIG is the information blocking regulation introduced by the 21st Century Cures Act. The information blocking regulation added requirements for access to data that went beyond those contained in HIPAA. The information blocking regulation was designed to enable the freer flow of data by letting individuals request that data be sent to different applications of their choosing, and overall it is intended to support the seamless and secure access, exchange, and use of healthcare data in electronic form.
The goals sound great, but are ambitious. The fully open exchange of data comes with certain risks and also asks participants in healthcare to fundamentally change some of their operations. The risks to data are real because data could now go to holders not subject to regulation in the traditional healthcare industry. That exposure could lead to unintended consequences to data, but arguably those are not liabilities or concerns of the healthcare entity sending data at an individual’s request.
Changing business practices is a different ball of wax. Obfuscating data and throwing up barriers to access create friction with patients and could be seen as disconnected from the current environment. The business practice issue is also where compliance comes into play, along with raising questions about the intentions behind actions. This is likely where the government will turn its focus.
Getting back to the information blocking rule, the rule also includes certain identified and explained exceptions for practices that do not constitute improper blocking activities. Two of the more important exceptions are compliance with existing privacy and security regulations, which really means the HIPAA Privacy and Security Rules. There are other exceptions, some of which are technical in nature. A full explanation is not needed now, but there are resources that can be found pretty quickly providing as shallow or deep a dive as may be wanted.
The key concern for the moment is that the information blocking rule exists, it has been in place for a couple of years, and there has been no activity to monitor or mandate compliance.
The New Position
The lack of attention to industry adherence to the information blocking rule may change. According to an announcement from the OIG on September 4, 2025, attention is turning to compliance and utilization of the tools provided under relevant regulations to penalize entities viewed as not doing what they should.
The tools available to the OIG include:
- Imposing civil monetary penalties of up to $1 million per violation;
- Coordinating with the HHS Assistant Secretary for Technology Policy to ban a developer or terminate certification of an approved product; and
- Coordinating with the Centers for Medicare and Medicaid Services to impose financial disincentives against hospitals or clinicians.
The types of penalties that could be pursued depend on the nature of the entity or individual allegedly violating the information blocking rules, but all of the outcomes could materially impact operations.
The intended goal of actually using enforcement tools should result in compliance increasing. If there is a real threat of facing a penalty, then the cost of investing in compliance becomes a bit more justifiable. While it is certainly idealistic to hope that doing the right thing and complying with the law would just occur, that is certainly not always the case.
However, there will still be question marks as to the seriousness of the enforcement intentions. Resources and capabilities in the OIG and across HHS generally are stretched thin, and only a small fraction of issues can be meaningfully addressed. It can also take years for an investigation and resulting penalty to be finalized. That reality may still delay compliance if entities feel that they can skate by without repercussion. The speed and scope of any OIG action will be important to watch in that regard, and organizations will likely watch the same thing to inform what they should do.
A cynical view also cannot be discounted. The cynical view is that depending on the entity, it may be willing to pay a penalty and deal with that consequence because it is cheaper than altering its practices. Will any organization follow that approach? Time will tell.
What to do Now
For now, the hopeful approach to be taken is just complying with stated regulatory requirements. If the regulations call for opening up access to and exchange of data, then it should be done. Why willfully avoid that requirement if it can carry a number of benefits? While the answer to that question is clear from some perspectives, the need for enforcement also shows that relying on good graces is not enough. Hopefully, the threat of looming enforcement will begin to shift that narrative.
This article was originally published on The Pulse blog and is republished here with permission.