The information-blocking rule, issued by the Office of the National Coordinator for Health IT (ONC) under the 21st Century Cures Act, prohibits 'actors' — health care providers, certified EHR developers, and health information exchanges or networks — from engaging in practices that are likely to interfere unreasonably with the access, exchange, or use of electronic health information. The rule recognizes that not all friction is illegitimate, so it defines a set of exceptions — for genuine privacy, security, infeasibility, and similar reasons — that an actor can fit within to avoid liability.
For a team building integrations with electronic health record (EHR) systems, the rule is leverage. An EHR vendor that refuses reasonable, standards-based API access to a provider's data may be engaging in information blocking rather than exercising a legitimate business right. Enforcement has teeth: the HHS Office of Inspector General (OIG) can impose civil monetary penalties on developers and exchanges up to roughly one million dollars per violation, and providers face separate disincentives. That backdrop is worth invoking explicitly in data-access negotiations.
The practical engineering implication is that modern EHRs are increasingly required to expose standards-based access — particularly via HL7 FHIR APIs — and stonewalling an integrator is no longer a safe default posture for them. The common mistake on the integrator side is accepting a flat 'no' or an artificial paywall as final; framing the request around the information-blocking rule and its narrow exceptions often reopens a door that a vendor would prefer to keep shut. Conversely, if you become a certified developer yourself, the rule binds you too.
