What the rule prohibits
The information-blocking regulations (45 CFR Part 171), adopted under the 21st Century Cures Act, prohibit a covered actor from engaging in a practice that is likely to interfere with the access, exchange, or use of electronic health information (EHI), unless the practice is required by law or fits a defined exception. They apply to three kinds of actors: health care providers, developers of certified health IT, and health information networks and exchanges (HINs/HIEs).
EHI is electronic protected health information to the extent it would be included in the designated record set — and it excludes psychotherapy notes and information compiled for use in litigation.
The eight exceptions
An actor can decline or condition a request only by meeting the conditions of a regulatory exception. There are eight, in two groups.
Exceptions that involve not fulfilling a request:
- Preventing harm (§ 171.201)
- Privacy (§ 171.202)
- Security (§ 171.203)
- Infeasibility (§ 171.204)
- Health IT performance (§ 171.205)
Exceptions about the manner of fulfilling a request:
- Content and manner (§ 171.301)
- Fees (§ 171.302)
- Licensing (§ 171.303)
Enforcement has teeth
Developers of certified health IT and HINs/HIEs face civil monetary penalties from the HHS Office of Inspector General of up to $1,000,000 per violation. Health care providers are handled separately: under the disincentives final rule (effective 2024–2025), a provider that the OIG determines committed information blocking can lose “meaningful EHR user” status and Medicare Shared Savings Program eligibility. The practical effect is that audit data is more likely to exist, be retained, and be retrievable than a “we don't really keep that” objection suggests.
How it strengthens your position
The access right itself belongs to the patient (or their representative) under HIPAA and HITECH, and audit trails are obtained in discovery. The Cures Act sits alongside both: it gives you a federal obstruction framework when a provider or vendor interferes with an electronic production, supports preservation demands, and feeds a completeness or spoliation argument. Once the electronic record and audit trail are in hand, independent audit-trail analysis establishes what the documentation actually shows.
Frequently asked questions
Does the information-blocking rule force a hospital to hand over the audit trail?
No — it is not a discovery mechanism. Part 171 prohibits actors from interfering with the access, exchange, or use of electronic health information; it does not, by itself, compel production of a system's audit log. Audit trails are still obtained in discovery. What the rule does is undercut stalling, gatekeeping, and stripping of electronic records, which strengthens a completeness and preservation argument.
Who can actually be penalized for information blocking?
Two tracks. Developers of certified health IT and health information networks/exchanges face civil monetary penalties from the HHS Office of Inspector General of up to $1,000,000 per violation. Health care providers are not subject to those CMPs; instead they face 'disincentives' applied through Medicare programs (for example, losing 'meaningful EHR user' status or Shared Savings Program eligibility).
What counts as electronic health information (EHI)?
EHI is electronic protected health information to the extent it would be in the designated record set (45 CFR 164.501). It does not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative proceeding.
What exceptions can a provider claim to justify not sharing?
There are eight exceptions in two groups. Five involve not fulfilling a request: preventing harm, privacy, security, infeasibility, and health IT performance. Three set conditions for how a request is fulfilled: content and manner, fees, and licensing. An exception is not automatic — the actor must meet its specific conditions.
How does this help a plaintiff firm before suit?
When a provider or its EHR vendor slow-walks an electronic records request, insists on paper, or produces a stripped-down chart, the information-blocking rules give you a federal framework to push back — and a narrative of obstruction that supports preservation demands and a later completeness or spoliation argument. It pairs with the patient-authorized HITECH access request as pre-suit leverage.
Is the rule still in effect given recent regulatory activity?
The core information-blocking framework in 45 CFR Part 171 and the provider-disincentive rule remain in effect. The regulatory landscape is active — a related interoperability proposed rule was withdrawn in late 2025 — so confirm the current status of any specific enforcement provision with counsel before relying on it.
This page is educational information, not legal advice. EMR Check provides consulting and analysis services, not legal representation, and using this site does not create an attorney–client relationship. Regulations and enforcement in this area change; citations are current as of mid-2026 and should be verified against the current rule before you rely on them.