HHS finalized the 21st Century Cures Act provider disincentive rule on June 24, 2024, with an effective date of July 31, 2024. The rule applies federal financial penalties to providers found to have committed information blocking. Hospitals lose three-quarters of their annual market basket update for the relevant year. Critical access hospitals see their payment reduced to 100 percent of reasonable costs, down from 101 percent. Eligible MIPS clinicians receive a zero score in the Promoting Interoperability performance category, typically a quarter of an individual final MIPS score. ACOs in the Medicare Shared Savings Program face removal for at least one performance year. As of 2026, ASTP (the Office of the Assistant Secretary for Technology Policy, formerly ONC) is processing complaints in volume, and the operational risk for billing teams is real.
What information blocking actually means
The 21st Century Cures Act defines information blocking, at 45 CFR Part 171, as a practice that is likely to interfere with access, exchange, or use of electronic health information, when conducted by a provider that knows that practice is unreasonable. The definition catches more behavior than most billing teams realize. Withholding records from a patient who requested them, charging unreasonable fees for record release, requiring legacy paper-only release forms when electronic forms are technically feasible, and delaying release beyond reasonable timeframes can all qualify. The rule applies to electronic health information defined under HIPAA, including billing-related records that touch the medical record.
Where billing teams trigger the rule
The most common information blocking triggers in a billing context include:
- Refusing to release itemized billing statements that contain electronic health information when the patient asks.
- Charging fees for electronic record release that exceed the cost of preparation and transmission.
- Requiring patients to submit release-of-information forms exclusively in person or by mail when the practice has electronic submission capability.
- Withholding records from a third-party billing partner the patient has authorized.
- Delaying transmission of records to a subsequent provider beyond the timeframe required to coordinate care.
The eight regulatory exceptions
The rule allows eight categorical exceptions where withholding or delaying access does not count as information blocking, provided the practice meets specific conditions. The exceptions cover preventing harm, privacy, security, infeasibility, health IT performance, content and manner, fees, and licensing. Each exception has detailed conditions that must be met. Practices commonly invoke the privacy exception (for example, withholding part of a record at a parent’s request when state law gives the minor patient the right to confidentiality), but inconsistent application of the exception can be its own information blocking finding. Documentation that ties each withholding decision to a specific exception is the defense.
The complaint process and ASTP review
Patients, family members, other providers, payers, and even certified health IT developers can file information blocking complaints with ASTP through a public complaint portal. ASTP reviews each complaint, may request information from the provider, and refers substantiated cases to the Office of Inspector General (for actor-type penalties) or to CMS (for the provider disincentives). The complaint window is broad, and providers are typically notified only after the agency has done initial review. The first defensive move is operational: have a written record-release policy that handles requests within the timeframes the rule expects, with documentation of every fulfilled and denied request.
Fees: the most common compliance gap
Charging fees for electronic record release is allowed only when the fee meets the conditions of the fees exception. The fee must be based on costs reasonably incurred, not a flat per-page rate copied from paper-era policies. For records released electronically through a patient portal, the rule typically does not allow any fee at all. Practices that maintain a per-page fee schedule for electronic release are creating audit risk on every release. The fix is a tiered fee schedule that distinguishes paper from electronic, charges only the actual cost for electronic delivery, and is documented in writing.
Compliance program for billing operations
A defensible compliance program has five elements: a written information blocking policy that names each exception used and the conditions for invoking it; staff training on the policy at hire and annually; a request log that tracks every records request, the response time, and the outcome; a fee schedule that aligns with the fees exception; and a designated compliance contact who handles ASTP complaints when they arrive. Practices that have these in place pass through ASTP review quickly. Practices that respond ad hoc spend months explaining themselves and may absorb the disincentive on top of the operational cost.
How MHB helps billing teams stay compliant
For practices that want their record-release workflow, fee schedule, and request-log discipline reviewed against the information blocking rule, our team supports end-to-end medical billing operations with compliance review built into the daily workflow. The work runs in the practice’s existing systems.
The bottom line
The information blocking disincentives are not theoretical. The rule has been live since July 2024, ASTP is processing complaints, and the financial penalties for hospitals, CAHs, MIPS clinicians, and ACOs are concrete. Billing teams that handle records release as routine operations, with documented exceptions and reasonable fees, stay clear. Teams that treat the rule as someone else’s problem will eventually find a complaint on their desk.
Authoritative sources
This article cites the following primary sources for billing-code and regulatory guidance. Always confirm current rules and codes with the publishing authority before applying to a specific claim.
