HHS to crack down on providers blocking access to electronic medical records

The Department of Health and Human Services is getting serious about taking on medical providers and organizations engaged in information blocking practices that limit access to electronic health record data, according to a top official with the agency.

In a Tuesday blog post, Micky Tripathi — HHS assistant secretary for technology policy, national coordinator for health information technology and acting chief artificial intelligence officer — said the department is acutely aware that some bad actors are skirting information sharing requirements mandated by federal law. 

Tripathi wrote that HHS is “highly concerned about ongoing and recent reports that we have received about potential violations of both the letter and spirit of the various laws and regulations now in place to ensure information-sharing to improve our healthcare system and enhance the lives of all Americans.”

The 21st Century Cures Act, signed into law by President Barack Obama in December 2016, required, in part, that EHR systems be configured in such a way that patient information can be “accessed, exchanged and used without special effort through the use of application programming interfaces,” or APIs. There are eight specific exceptions to this requirement.

The law also prohibited information blocking, allowed patients to access their electronic health information and directed the HHS Office of the National Coordinator for Health Information Technology, or ONC, to create a process for the general public to report possible instances of information blocking.

The blog post came after HHS announced in July that it was reorganizing its internal offices and would be renaming ONC as the Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology. Tripathi was named the head of the joint office. 

Between April 5, 2021 and September 30, 2024, HHS reported that it received 1,095 information blocking claims through its submissions portal. The majority of these claims were filed by patients. 

Information blocking, however, has been a particular issue for clinicians trying to access records from other providers’ EHR systems. 

Tripathi said that, despite the 21st Century Cures Act’s specific wording that EHR and API technologies be accessible without “special effort,” some providers and organizations are still making it difficult for stored data to be interoperable or easily shareable across different systems. 

“What is abundantly clear is that it is behavior, rather than technology, that is far and away the biggest impediment to progress,” he wrote.

Some of the examples of information blocking reported to HHS included instances of API users —  typically physicians or healthcare providers — being prevented from connecting to EHR systems, API access being conditioned on fees and contractual terms prohibited by law, and providers or API developers “not providing written and timely responses to denials for access to electronic health information as required by regulation.”

The ONC created a voluntary Health IT Certification Program in 2010 to ensure that health information systems comply with HHS functionality, security and privacy standards. One of the program’s certification provisions includes promoting and supporting interoperability between systems. Tripathi noted in his blog post that over 96% of hospitals and approximately 78% of physician offices use EHR systems that have been certified through the program.

Tripathi said violating the conditions and maintenance of certification requirements by engaging in information blocking also violates the terms of the program. He added that HHS will continue a “direct review” of certified API developers and health IT systems to assess their compliance with the directive. 

“Certified health IT developers with identified non-conformities in their business practices or certified health IT could face suspension or termination of the affected certification(s),” he wrote. “Termination of certification of one or more of a developer’s health IT modules carries the added consequence of the developer being banned from the certification program.”

Moving forward, Tripathi said the department will also be upping its engagement with API users, working with certification bodies and “engaging” HHS’s Office of the Inspector General to address information blocking concerns. 

Beyond offering new educational resources and improvement feedback channels, Tripathi said his office will also expand its monitoring efforts. 

“[The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology] will strengthen oversight and enforcement by implementing a more rigorous review process for API documentation, both at the initial certification stage and throughout ongoing certification maintenance,” he wrote. 

In a Tuesday post on X, Tripathi linked to his blog post and warned “we can do this the easy way....or the hard way.”