On June 27, 2023, the U.S. Department of Health and Human Services (“HHS”), Office of Inspector General (“OIG”) posted on its website a final rule implementing its civil money penalty (“CMPs”) authority and providing a corresponding enforcement process for certain violations of the Information Blocking Rule by health information networks (“HINs”), health information exchanges (“HIEs”), developers of health IT certified (“Certified Health IT”) by the Office of the National Coordinator for Health IT’s (“ONC”) Certification Program (“Developers”), and those that offer such Certified Health IT.¹  

Generally, as a reminder, the Information Blocking Rule implements requirements of the 21^st Century Cures Act regarding certain practices by “actors” subject to the requirements that are “likely to interfere” with, prevent, or materially discourage the access to, use of, or exchange of specific “electronic health information” (“EHI”).²

Importantly, while healthcare providers are subject to the Information Blocking Rule, this final rule does not address investigations, enforcement, or disincentives for healthcare providers’ compliance with the Information Blocking Rule, except in instances where a healthcare provider also meets the definition of one of the above-described actors (i.e., Developer or offeror of Certified Health IT, HIE, or HIN). 

Congress established separate enforcement tracks for health care providers and HINs, HIEs, and Developers.  Healthcare providers are exempt from CMPs and are instead subject to information-blocking oversight in the form of “provider disincentives” which are under development by ONC.³  Therefore, OIG may investigate only the actions of and apply CMPs against Developers and offerors of Certified Health IT, HIEs, and HINs.⁴

Moving forward, the OIG states that it expects to receive more information blocking complaints than it can investigate, including complaints provided to OIG from the ONC and the HHS Office for Civil Rights (“OCR”) (the HHS staff division charged with HIPAA enforcement).

As such, OIG states that it will prioritize information blocking complaints regarding any practice that: causes harm to a patient population, community, or the public; affects a health care provider’s ability to provide treatment; lasted over a long period of time; resulted in loss to a health care program (public or private); or was undertaken with “actual knowledge.”⁵  OIG states that it framed the enforcement priorities around individual claims, but OIG may evaluate allegations and prioritize investigations based at least in part on the volume of claims relating to the same (or similar) conduct by the same actor. 

OIG also described the following complaint-based enforcement process to govern its investigations.

1. Receipt of a complaint, including from ONC or OCR.

2. Assessment of complaint, based on enforcement priorities (as mentioned above).

3. Open investigation.

4. Gather facts, including through interviews, document requests, and consultation with ONC.  OIG will close a case after investigation if it determines no information blocking occurred.

5. Discussion of information blocking allegations with actor.

6. Demand letter.

7. Appeal by the actor.

The OIG may impose a CMP of no more than $1 million per violation.  A “violation” is defined as “a practice . . . that constitutes information blocking . . .”  OIG did not formally define specific criteria in this final rule that will be used to determine whether a practice results in single or multiple violations, but OIG did provide certain example scenarios related to whether a described fact pattern would result in single or multiple violations.  While OIG emphasizes that its examples are for illustration purposes, such fact patterns focus, not on the number of patients involved, for example, but on the number of deliberate actions taken by an actor related to single or multiple requests for access to EHI.

The final rule will soon be published in the Federal Register, which will start the sixty-day clock for the compliance period before enforcement by OIG under the final rule may begin.  We continue to watch for additional enforcement requirements for health care providers, as well.