21st Century Cures Act — information blocking explained
The short answer: The 21st Century Cures Act information-blocking rule (45 CFR Part 171) prohibits healthcare providers, IT developers, and HIEs / HINs from engaging in practices that interfere with the access, exchange, or use of electronic health information. The rule is enforced by ONC and OIG, with civil monetary penalties up to $1 million per violation for IT developers and HIEs and disincentives for providers. Exceptions allow legitimate reasons to limit disclosure.

Key takeaways
- Prohibits interference with EHI access, exchange, and use
- Applies to providers, IT developers, and HIEs / HINs
- CMPs up to $1M per violation for IT developers and HIEs; disincentives for providers
- Eight exceptions allow legitimate reasons to limit disclosure
- USCDI v3 defines the scope of EHI in the near term; full EHI definition applies long term
The eight exceptions
The rule provides eight exceptions to information blocking — practices that would otherwise look like blocking but are permitted because they serve a legitimate purpose. Examples: preventing harm, privacy, security, infeasibility, content and manner, licensing, fees, and health IT performance.
Frequently asked questions
What is information blocking under the 21st Century Cures Act?
A practice — except as required by law or covered by an exception — that interferes with the access, exchange, or use of electronic health information. The rule applies to providers, health IT developers, and HIEs / HINs.
What are the penalties for information blocking?
For IT developers and HIEs / HINs: civil monetary penalties up to $1 million per violation, enforced by OIG. For providers: disincentives administered by CMS (such as a reduced Medicare Promoting Interoperability score). Eight exceptions allow legitimate reasons to limit disclosure.
Bring this to your team
Book a 30-minute walkthrough with the InterScripts experts who wrote this. We will tailor it to your systems, retention obligations, and federal compliance posture.