HHS Announces New and Renewed Efforts to Promote Health Information Sharing and Interoperability

In the past few months, the U.S. Department of Health and Human Services (“HHS”) has announced new and renewed initiatives to promote health information sharing and interoperability among health information technology (“health IT”) systems. These include: (1) a “crackdown on health data blocking” through enforcement of pre-existing federal information blocking regulations; (2) a new “Health Technology Ecosystem” initiative (the “Ecosystem”) from the Centers for Medicare & Medicaid Services (“CMS”); and (3) updates to federal certification criteria for electronic health records software (“EHRs”) and other health IT to increase efficiency and transparency with respect to drug pricing and coverage of health care services at the point of care. Collectively, these efforts signal HHS’s focus on using both carrots and sticks to improve the state of health information exchange nationally. Health care industry stakeholders should review and understand these developments and take action to ensure that they are appropriately sharing health information and adopting interoperable health IT in accordance with applicable requirements.

Information Blocking Enforcement Alert

On September 4, 2025, the HHS Office of Inspector General (“OIG”) and HHS Assistant Secretary for Technology Policy and Office of the National Coordinator for Health IT (“ASTP/ONC”) released an enforcement alert announcing that enforcement of federal information blocking regulations will be a “top priority” for HHS under the Trump administration (the “IB Enforcement Alert”).¹ Under the regulations, developers of federally certified health IT, health information exchanges and health information networks (“HIE/HINs”), and health care providers (collectively, “Actors”) are prohibited from interfering with legally permissible access, exchange, or use of electronic health information (“EHI”) in most cases, unless an information blocking exception applies. A more lenient intent standard applies to health care providers, who must know that their action is unreasonable and likely to interfere, whereas certified health IT developers and HIE/HINs may violate the prohibition when they know, or should know, that their action is likely to interfere with access, exchange, or use of EHI.² In effect, these regulations establish a mandate for Actors to share EHI in most instances when it is legally permissible to do so.

HHS first issued these regulations in 2020 and has since revised them several times; however, to date, it has not imposed sanctions for non-compliance. The IB Enforcement Alert suggests that may change soon. Over 1,300 possible claims of information blocking have been reported to ASTP/ONC through a dedicated information blocking portal,³ and potential sanctions for violations can be severe. Certified health IT developers and HIE/HINs may be subject to $1 million civil monetary penalties (“CMPs”) per violation, and developers may have their products de-certified and be banned from the ASTP/ONC Health IT Certification Program (“HIT Certification Program”), which would mean that their health IT could not be used by providers as certified EHR technology (“CEHRT”) for purposes of Medicare Promoting Interoperability (“PI”) reporting.⁴ Health care providers are not subject to CMPs, but they may be subject to disincentives under certain CMS programs. Specifically, hospitals and clinicians that report under the Medicare PI program or the PI Performance Category of the Medicare Merit-Based Incentive Payment System would not be considered “meaningful users” of CEHRT, which could lead them to receive decreased Medicare payments, and providers may be banned from participation in the Medicare Shared Savings Program.⁵

If they have not done so already, Actors should review their policies and procedures for reviewing and responding to requests for EHI from patients, providers, health insurers, patient representatives, patient-facing technologies, and other legally permissible requestors to ensure compliance with information blocking requirements.

CMS Health Technology Ecosystem

Unlike the IB Enforcement Alert, the Ecosystem does not seek to impose sanctions for failure to share health information. Instead, it represents an initiative that encourages voluntary private sector participation to improve health information sharing nationwide.⁶

CMS Administrator Dr. Mehmet Oz announced the Ecosystem on July 30, 2025 in a press conference alongside President Trump and HHS Secretary Robert F. Kennedy Jr., with representatives of many private companies that have pledged to participate in the Ecosystem attending. The announcement followed a Request for Information published in the Federal Register in May, which solicited input regarding patients, health care providers, payers, technology vendors, and value-based care organizations.⁷ Among other goals, CMS hopes that the Ecosystem will improve patient experience and care outcomes by making it easier for patients to manage and share their health information with different health care providers. CMS has explained its intention for the Ecosystem to “kill the clipboard” that many providers use for patients to fill out registration and medical history forms. Instead, CMS envisions patients maintaining a digital database of their important health and registration information, which can be shared with providers digitally through a QR code. CMS is also focused on encouraging development of artificial intelligence (“AI”)-powered virtual assistants to help patients manage their care, including by reminding them to take their medications or suggesting follow-up appointments with providers when appropriate.

The Ecosystem calls on private sector companies to commit to interoperability goals and to comply voluntarily with a shared CMS Interoperability Framework for data access and exchange (“CMS Framework”). The principles underlying the Ecosystem align with the work of CMS and ASTP/ONC over the past several years to regulate and encourage adoption of certified health IT, prevent information blocking, and promote nationwide interoperability and health information exchange through the voluntary Trusted Exchange Framework and Common Agreement (“TEFCA”).

There are five broad categories of CMS Framework criteria: (1) Patient Access & Empowerment; (2) Provider Access & Delegation; (3) Data Availability & Standards Compliance; (4) Network Connectivity & Transparency; and (5) Identity, Security & Trust. Among other things, the CMS Framework criteria set the goals that “[p]atients, using applications of their choice, can access their electronic medical information anywhere that it lives on the network” and that providers have full access to all EHI on the patient except where restricted by law.⁸ Further, data networks recognized as CMS Aligned Networks must provide or facilitate access to data using Fast Healthcare Interoperability Resources (“FHIR”) application programming interfaces that adhere to the U.S. Core FHIR implementation guide and United States Core Data for Interoperability version 3 (or later).⁹

The Ecosystem also involves five categories of participants that commit to CMS Framework and Ecosystem principles: (1) CMS Aligned Networks (i.e., data networks that meet applicable CMS Framework criteria); (2) health care providers connecting to CMS Aligned Networks; (3) EHRs connecting to CMS Aligned Networks; (4) payers connecting to CMS Aligned Networks; and (5) patient-facing applications that leverage CMS Aligned Networks. Each type of participant must satisfy CMS Framework criteria that correspond to their role. For example, EHRs, providers, and payers that participate in the CMS Framework must join or create CMS Aligned Networks and make clinical and claims data available to the CMS Aligned Networks. Patient-facing applications that leverage CMS Aligned Networks must focus on one of three initial use cases: (1) “kill the clipboard” (i.e., elimination of manual check-in forms and fragmented data collection); (2) conversational AI assistants to help patients access and interpret their medical information; and (3) diabetes and obesity prevention and management. CMS emphasizes that Ecosystem participants must still meet any applicable federal and state health care and privacy laws, including the Health Insurance Portability and Accountability Act. Although the Ecosystem is still in its early stages, 60 companies have already pledged to become “early adopters” across the five participant categories, including 21 CMS Aligned Networks (10 of which are also qualified health information networks under TEFCA).

Ecosystem participants already include high-profile companies, including EHR vendors like athenahealth and Epic; HIE/HINs like Health Gorilla, Kno2, KONZA Health, and Surescripts; other technology companies like Amazon, OpenAI, Apple, and Google; and health care providers and payers like Cleveland Clinic and UnitedHealth Group. Time will tell whether this promising early participation will deliver the administration’s desired results and how the Ecosystem will interact with other efforts, such as information blocking enforcement, the HIT Certification Program, and TEFCA.

HIT Certification Program Updates

On August 4, 2025, CMS and ASTP/ONC published a related final rule that implements annual updates to the Medicare hospital inpatient prospective payment systems and changes to the HIT Certification Program (the “Final Rule”).¹⁰ Among other things, the Final Rule establishes new health IT certification criteria for real-time prescription benefit checks and electronic prior authorization, which will increase efficiency and transparency with respect to drug pricing and coverage of health care services at the point of care. Health IT developers may seek certification to the real-time prescription benefit check criterion beginning on October 1, 2025, and the criterion will be among the minimum “Base EHR” capabilities to which CEHRT must be certified beginning on January 1, 2028. The new electronic prior authorization criterion, which will be available to health IT developers beginning on October 1, 2025, will allow providers to query for coverage information and request a prior authorization decision from within CEHRT or other certified health IT module. This criterion will support hospitals and providers participating in the Medicare PI program and the MIPS PI Performance Category, who will be required to report on an electronic prior authorization measure beginning in 2027.¹¹

Conclusion

Over the past several months, ASTP/ONC, HHS-OIG, and CMS all have signaled a renewed focus on interoperability, whether through rulemaking, introduction of the Ecosystem, or through alerting the public that the agencies intend to take enforcement action against information blocking violations. In light of the IB Enforcement Alert, Actors should revisit their EHI-related practices to determine whether any of their conduct could be viewed as engaging in information blocking. At the same time, the Ecosystem demonstrates CMS’s and ASTP/ONC’s innovative approach to encouraging nationwide health IT interoperability and modernization through broad, voluntary private sector participation. These developments leave no question that the agencies continue to focus on facilitating health IT development and interoperability to “improve patient outcomes, reduce provider burden, and drive value.”¹²

1. ^{The IB Enforcement Alert is available online at https://www.healthit.gov/topic/information-blocking/enforcement-alert. See also HHS, “HHS Announces Crackdown on Health Data Blocking” (Sept. 3, 2025), https://www.hhs.gov/press-room/hhs-crackdown-health-data-blocking.html.}
2. ^{See 45 C.F.R. § 171.103 (defining information blocking).}
3. ^{ASTP/ONC, Information Blocking Claims By the Numbers, HealthIT.gov (Aug. 31, 2025), https://www.healthit.gov/data/quickstats/information-blocking-claims-numbers; ASTP/ONC, Information Blocking Portal, HealthIT.gov, https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6 (last visited Sept. 5, 2025).}
4. ^{See Christine Moundas, Gideon Zvi Palte & Carolyn Lye, Renewed Focus on Information Sharing as OIG Finalizes Penalties of up to $1 Million per Information Blocking Violation, Ropes & Gray LLP (July 11, 2023), https://www.ropesgray.com/en/insights/alerts/2023/07/information-blockers-beware-oig-announces-penalties-of-up-to-1-million-per-information-blocking.}
5. ^{See Christine Moundas & Gideon Zvi Palte, New Teeth to the Information Blocking Rule: Long-Awaited Disincentives for Health Care Providers Finalized, Ropes & Gray LLP (July 1, 2024), https://www.ropesgray.com/en/insights/alerts/2024/07/new-teeth-to-the-information-blocking-rule-long-awaited-disincentives-for-health-care-providers.}
6. ^{See CMS, Health Technology Ecosystem (last rev. Jul. 30, 2025), https://www.cms.gov/health-tech-ecosystem.}
7. ^{CMS, “Request for Information; Health Technology Ecosystem,” 90 Fed. Reg. 21,034 (May 16, 2025).}
8. ^{See CMS, Interoperability Framework, (last rev. Jul. 30, 2025), https://www.cms.gov/health-technology-ecosystem/interoperability-framework.}
9. ^Id.
10. ^{HHS, “Medicare Program; Hospital Inpatient Prospective Payment Systems for Acute Care Hospitals (IPPS) and the Long-Term Care Hospital Prospective Payment System and Policy Changes and Fiscal Year (FY) 2026 Rates; Changes to the FY 2025 IPPS Rates Due to Court Decision; Requirements for Quality Programs; and Other Policy Changes; Health Data, Technology, and Interoperability: Electronic Prescribing, Real-Time Prescription Benefit and Electronic Prior Authorization,” 90 Fed. Reg. 36,536 (Aug. 4, 2025).}
11. ^{See Christine Moundas, Gideon Zvi Palte & Carolyn Lye, CMS Finalizes New Electronic Prior Authorization Requirements for Payers and Providers, Ropes & Gray LLP (Jan. 23, 2024), https://www.ropesgray.com/en/insights/alerts/2024/01/cms-finalizes-new-electronic-prior-authorization-requirements-for-payers-and-providers.}
12. ^{CMS, “White House, Tech Leaders Commit to Create Patient-Centric Healthcare Ecosystem” (July 30, 2025), https://www.cms.gov/newsroom/press-releases/white-house-tech-leaders-commit-create-patient-centric-healthcare-ecosystem.}