HHS Previews Data Crackdown: Potential Impacts on Providers, EHRs and HIEs
Two recent announcements from the Trump Administration promise increased enforcement of two important health data laws: the federal and the . If the Trump Administration follows through, it could lead to more scrutiny of data practices of health care providers, electronic health record vendors, health information exchanges and others in the health care system. The announcements further the Trump Administration’s agenda of increased digital health access by patients and reduced duplication of services through interoperability and data sharing.
The Context
These announcements follow the launch of the Health Tech Ecosystem in July 2025 by the White House and the Centers for Medicare and Medicaid Services (CMS), which is aimed at expanding digital health access for patients. As part of the initiative, the Trump Administration secured voluntary commitments from over 60 major health care and technology companies to help drive progress.
Earlier in May, CMS and the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology issued a Request for Information (RFI). The RFI sought input on a range of health care topics, including strategies to improve the exchange of health information. As an example, the RFI asked for ideas to increase the number of information blocking complaints submitted by patients and caregivers.
Additionally, the agencies expressed interest in identifying which Fast Healthcare Interoperability Resources application programming interfaces could be enhanced or expanded and in better understanding the barriers that prevent patients and providers from adopting digital health tools.
Substance Use Disorder Confidentiality Enforcement
On August 26, Department of Health and Human Services (HHS) Secretary Robert F. Kennedy, Jr. announced that he was delegating authority to the HHS Office for Civil Rights (OCR) to enforce the federal confidentiality of substance use disorder (SUD) regulation, commonly known as 42 CFR Part 2. The Substance Abuse and Mental Health Services Administration (SAMHSA) had issued a revised final Part 2 rule in February 2024 to align Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) rules as required by the 2020 CARES Act. With these revisions, stakeholders have called for new enforcement measures.
Part 2 applies to certain SUD records and, unlike HIPAA rules, has historically not permitted the sharing of information without written patient consent. Part 2 has long been viewed as a barrier to sharing critical health data among providers. However, the revised Part 2 rule aims to address some of these challenges. The updated rule is designed to improve care coordination for patients receiving treatment for SUDs, ease concerns around patient privacy and reduce the complexity of compliance. It also gives patients additional rights. The revised Part 2 rule, however, does not change the fundamental need for written patient consent for nearly all disclosures of Part 2 information. Previously, Part 2 regulations were within the purview of SAMHSA, which was also responsible for enforcement, though it rarely exercised this authority.
OCR, in contrast, has actively enforced HIPAA. OCR has imposed civil monetary penalties on covered entities and business associates that have made unauthorized disclosures of protected health information, including due to cybersecurity incidents. In addition, OCR has recently imposed fines on covered entities that fail to respond to patient requests for access to their own data. With this new delegation moving Part 2 regulations from SAMHSA to OCR, OCR may begin to impose similar penalties for Part 2 violations. Whether enforcement actions will focus on improper disclosures or on providers who fail to provide access to information to the patient and/or providers as permitted under the law remains to be seen. In the “,” Secretary Kennedy noted that OCR had the authority to impose civil monetary penalties, require corrective action plans and issue subpoenas related to compliance with Part 2 requirements, among other enforcement avenues.
In the announcement, HHS noted that a 2024 modification to Part 2, detailed , has a compliance date of February 16, 2026, implying increased enforcement may begin around that date. Nonetheless, the “Statement of Delegation Authority” is effective immediately, meaning that OCR could now begin enforcement of Part 2 requirements that predate the 2024 modification.
Information Blocking Enforcement
One week after the issuance of the Statement of Delegation Authority, a “crackdown on health data blocking.” Secretary Kennedy stated that he had “directed HHS to increase resources dedicated to curbing the harmful practice of information blocking” and that HHS will engage in “active enforcement” of the regulation—a statement clearly aligned with the larger Trump Administration initiatives. The federal information blocking rule, promulgated in 2020 in accordance with the 21st Century Cures Act, prohibits “actors” from engaging in practices that prevent, restrict, or discourage the access, exchange or use of electronic health information (EHI). Actors include health care providers, developers of certified health information technology (HIT) and health information networks. In contrast to Part 2 and HIPAA, the information blocking rule is not a data privacy rule intended to limit the disclosure of information. Instead, the rule aims to promote access to EHI, except in narrowly defined exceptions. For instance, in general, a provider must disclose EHI to a digital health app of a patient’s choice, if directed by the patient, and share EHI with other treating health care providers without delay unless expressly prohibited by law.
The Biden Administration adopted two rules to support enforcement against information blocking. One rule allows for civil monetary penalties of up to $1 million per violation against certified HIT developers and health information networks, and the other established disincentives—such as reduced Medicare reimbursement rates—for certain health care providers found to be blocking information sharing. However, the Trump Administration criticized its predecessor for not using this authority effectively. On a call following the announcement, HHS pointed out there was a backlog of 1,300 information blocking complaints that have not been investigated. In the announcement, and consistent with the Trump Administration's previously articulated priorities, HHS suggested it may prioritize investigating complaints related to patients’ own access to their data, noting that patients’ access to their health data through apps “is critical to delivering on Secretary Kennedy’s promise to Make America Healthy Again.” The announcement also highlighted that HHS is reviewing reports against certified HIT developers.
Implications
The dual announcements come during a year when staffing at HHS has been significantly reduced, raising questions as to whether the department has sufficient resources to monitor and enforce two complex data laws.
Nevertheless, organizations should take the prospect of increased enforcement seriously—in particular, honoring patients’ requests for their own information and removing any artificial barriers to other health care providers or their business associates’ access to EHI. Violations of either regulation can lead to significant financial penalties and other detrimental actions, as well as negative publicity and associated reputational harm.
The announcement should put actors subject to information blocking on notice. While information networks are subject to million-dollar fines, the vast majority of complaints logged by the federal government have been for providers, including hospitals, physicians, and other clinicians. These providers face potentially steep disincentives through the Promoting Interoperability Program and bans from participating in Medicare Shared Savings Programs. To avoid complaints, organizations should have clear EHI sharing policies and internal mechanisms to implement them, including processes to respond to requests for EHI in a timely (i.e., 24-hour) timeframe, monitor requests and responses, and identify and rectify instances when they are not responding in a timely manner.
For organizations subject to Part 2, or receiving records subject to Part 2, compliance with the 2024 requirements is critical. This requires updating notices of privacy practices to include SUD data protections and reviewing policies to ensure compliance with consent form requirements. It also requires a clear understanding of which entities and what information are covered by Part 2. SAMHSA supports a training and technical assistance resource, the Center of Excellence for Protected Health Information, as one resource for additional information.
Organizations should pay particular attention to practices that result in data being withheld from patients, given HHS’ focus on this issue.