

The Hidden Cost of FHIR Non-Compliance: Penalties, Gaps, and Missed Opportunity


FHIR non-compliance is not a technical gap that stays contained to the IT department. It creates financial penalties, competitive disadvantage, reputational risk, and erosion of patient trust. Healthcare executives who treat FHIR readiness as an IT project rather than an organizational risk are underpricing their exposure. This article outlines what is actually at stake.

The Regulatory Risk: What the Penalties Are

The ONC 21st Century Cures Act Final Rule established a prohibition on information blocking—practices that unreasonably restrict access, exchange, or use of electronic health information. Actors subject to this rule include health systems, clinicians, health IT developers, health information networks, and health information exchanges.

  • Health IT developers and networks: Civil Monetary Penalties up to $1 million per violation, administered through ONC’s Office of Inspector General referral process.
  • Healthcare providers (hospitals, clinicians): Subject to appropriate disincentives, including exclusion from federal programs, reimbursement clawbacks, and public disclosure of violations on ONC’s information blocking portal.
  • CMS payer requirements: Payers subject to CMS rules that fail to implement the required FHIR APIs fall out of compliance with their conditions of participation, which can affect Medicare and Medicaid program participation.

These are not hypothetical risks. ONC’s information blocking complaint portal has received thousands of complaints since it opened. Enforcement actions have been initiated. Organizations operating on the assumption that regulators are not paying attention are taking on liability that is difficult to price and impossible to insure away.

The Compliance Gap: What Organizations Miss Most

The gaps below are listed by category, with what each looks like in practice and its consequence:

  • API availability vs. usability: The FHIR API is technically live but returns incomplete or malformed data. Consequence: patient access apps fail; downstream integration breaks.
  • Information blocking gray areas: Data sharing is restricted by contract terms, policies, or EHR configuration without explicit clinical justification. Consequence: ONC complaint exposure; provider relationship friction.
  • ONC timeline drift: The organization treats compliance dates as aspirational rather than hard deadlines. Consequence: retroactive penalties; audit findings.
  • Third-party app restrictions: Patient requests to connect third-party apps are denied or made difficult. Consequence: direct information blocking violation risk.
  • Provider directory accuracy: The FHIR Provider Directory API returns stale or incomplete network data. Consequence: CMS non-compliance; network adequacy exposure.

The Competitive Disadvantage: What Non-Compliance Costs You in the Market

Beyond regulatory exposure, FHIR non-compliance carries compounding competitive costs that are harder to quantify but equally real.

  • Patient choice: Patients who cannot access their health data through apps of their choosing are more likely to choose providers who offer that access. CMS rules were designed in part to shift market power toward patients.
  • Payer contracting: Health systems that cannot exchange data efficiently with payers face friction in value-based contract performance reporting, prior authorization cycles, and care gap closure.
  • Partner ecosystem: Digital health partners, clinical AI vendors, and research collaborators increasingly require FHIR-capable data exchange as a baseline condition for engagement.
  • Talent and innovation: Clinical informatics teams, data engineers, and health IT developers evaluate employers on technology posture. FHIR readiness signals organizational maturity.

The Patient Trust Cost: What Non-Compliance Signals

Patients increasingly expect their health data to work the way their financial and consumer data works—accessible, portable, and under their control. FHIR non-compliance is visible to patients who attempt to use apps to access their records and encounter barriers. Each friction point erodes trust in the organization’s commitment to patient-centered care.

The 21st Century Cures Act was written with patient advocacy as an explicit driver. Healthcare organizations that are seen as data gatekeepers rather than data stewards face reputational consequences that extend beyond regulatory enforcement.

FAQ

How does ONC find out about information blocking violations?

ONC receives complaints through its online portal from patients, providers, payers, and health IT developers. Complaints are reviewed by ONC staff and referred to the OIG for investigation when there is a reasonable basis for concern. ONC also conducts proactive surveillance and receives referrals from CMS during certification and audit processes.

Can we get a compliance waiver or extension?

Information blocking prohibitions have been in effect since April 2021 for most actors. ONC has not established a general waiver mechanism for compliance timelines. Organizations that have documented, good-faith compliance programs with known gaps are better positioned in an enforcement context than those with no program at all, but this does not constitute a formal extension or waiver.

Is there a difference between information blocking and data sharing that is slow?

Yes. Information blocking requires a practice that unreasonably interferes with access, exchange, or use. ONC has defined eight exceptions—including security, preventing harm, privacy, licensing, infeasibility, and health IT performance—that provide safe harbor for practices that might otherwise appear restrictive. The key word is unreasonably. Organizations should document the basis for any data access restriction against the applicable exception criteria.

What CFOs and Compliance Teams Should Do Now

FHIR non-compliance risk requires the same structured treatment as HIPAA risk: identify exposure, document controls, close gaps, and maintain evidence. Clinovera’s FHIR Readiness Assessment is designed to surface the specific compliance gaps, data quality issues, and architectural shortfalls that create the highest risk—and to prioritize remediation in a sequence that reduces exposure fastest.

Assess your FHIR readiness before your next compliance review cycle finds it first.

Q2 2026
