A final rule published on July 3, 2023, empowers the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) to impose civil monetary penalties (CMP) of up to $1 million for unlawful acts of information blocking.
Although OIG’s CMP authority does not apply directly to health care providers, the final rule offers insight into how OIG will coordinate with other federal agencies in scrutinizing information blocking practices that providers and other regulated parties alike should consider in their compliance efforts.
What Is Information Blocking?
As advancements in health care technology have made electronic health information (EHI) increasingly critical in the delivery of care, the regulatory framework has shifted from permissive to mandatory sharing of health information. Enacted in 2016, the 21st Century Cures Act helped propel this shift by authorizing HHS to regulate “information blocking,” which the statute defines as a practice that “is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” Activities that may fall within this definition include:
- Practices that restrict patients from exercising their right to access their EHI under applicable law, including the federal Health Insurance Portability and Accountability Act (HIPAA), or that restrict health care providers from sharing EHI for treatment purposes, as HIPAA permits;
- Implementation of health information technology in nonstandard ways that substantially increase the complexity or burden of accessing, exchanging, or using EHI; and
- Implementation of health information technology in ways that are likely to restrict the access, exchange, or use of EHI with respect to exporting complete information sets or in transitioning between health information technology systems.
A practice is not information blocking, however, if it meets a regulatory exception for a “reasonable and necessary activit[y.]” To date, HHS, acting through its Office of the National Coordinator for Health Information Technology (ONC), has promulgated eight such exceptions, which are detailed in a prior final rule that took effect on June 30, 2020. To account for the disruptive impact of the COVID-19 pandemic, ONC later extended the compliance date for those exceptions to April 5, 2021.
OIG’s Enforcement Role
The Cures Act directs OIG to investigate claims that a party knowingly engaged in information blocking and to impose a CMP of up to $1 million for each violation where the violator is a:
- Health information technology (IT) developer of certified health IT;
- Health information network (HIN); or
- Health information exchange (HIE).
The July 3, 2023, final rule updates OIG’s CMP regulations to codify its CMP authority under the Cures Act, providing that each practice constituting information blocking is a separate violation subject to a CMP. Because the rule integrates with the provisions of the ONC final rule, a party can avoid a CMP if it complies with an exception in the ONC rule.
OIG’s CMP authority does not cover health care providers. Instead, following an investigation where OIG determines that a provider knowingly committed an “unreasonable” information blocking practice, the Cures Act instructs OIG to refer the provider to another agency for “appropriate disincentives” to be specified by regulation.
As OIG noted in the final rule, however, a provider could be subject to a CMP for an information blocking violation if, based on the facts, it also meets the definition of a health IT developer of certified health IT, HIN, or HIE. OIG declined to rule out that a provider would be acting as a health IT developer if, for example, it sublicenses certified health IT to an unaffiliated provider.
The amount of a CMP against an information blocker will depend on the nature and extent of the information blocking and the resulting harm. In making these determinations, OIG will consider:
- The number of patients affected;
- The number of providers affected; and
- The number of days the information blocking persisted.
OIG will exercise its CMP authority for information blocking violations that occur on or after September 1, 2023. Regardless of whether a party has complied with an ONC exception since the exception requirements took effect on April 5, 2021, OIG explained that it will not impose CMPs for conduct that occurred between then and August 31, 2023, noting the significant demands that regulated parties faced during this time related to the COVID-19 pandemic.
OIG’s Enforcement Priorities and Coordination with Other Agencies
In addition to codifying OIG’s CMP authority under the Cures Act, the final rule gives insight into how the agency will exercise that authority. The enforcement process will be largely complaint driven and will focus on conduct that:
- Resulted in, is causing, or had the potential to cause patient harm;
- Significantly impacted a provider’s ability to care for patients;
- Was of long duration;
- Caused financial loss to federal health care programs, or other government or private entities; or
- Was performed with actual knowledge.
Complaints of information blocking violations may raise issues within other regulatory agencies’ purview. Accordingly, OIG anticipates coordinating closely with other agencies, including the following:
- ONC: Many information blocking complaints that OIG investigates will come through ONC, which has developed a public portal for the filing of information blocking complaints. Moreover, given ONC’s role in defining the scope of impermissible information blocking through its promulgation of exceptions, OIG will closely consult with ONC throughout the investigative process. If a health IT developer engages in information blocking, ONC has separate authority to terminate the developer’s certification of its health IT or take other action under the ONC Health IT Certification Program review process.
- OCR: ONC’s information blocking exceptions rely extensively on concepts and terminology from the HIPAA privacy and security rules, which are enforced by the HHS Office for Civil Rights (OCR). To the extent a claim of information blocking raises a privacy or security concern regarding EHI, OIG may request technical assistance from OCR during an investigation or refer the matter for resolution under OCR’s HIPAA authorities.
- FTC: OIG noted that its investigations of information blocking may uncover “anti-competitive conduct or unreasonable business practices,” such as “unconscionable or one-sided business terms for the access, exchange, or use of EHI, or the licensing of an interoperability element.” In these instances, OIG may share information with the Federal Trade Commission (FTC), which has power under the FTC Act to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.
To further support its enforcement efforts, OIG will launch a new self-disclosure protocol for information blocking violations. Through that protocol, entities may resolve their CMP liability and potentially pay lower penalties. For now, however, OIG will not expand its advisory opinion process to allow parties to obtain opinions on whether specified conduct constitutes information blocking for which OIG may impose a CMP.
Key Takeaways
OIG’s CMP rule is a clear signal of increased enforcement attention to information blocking — a novel and largely undeveloped area of health information regulation. Because information blocking regulation will be a multi-agency enforcement effort, regulated parties should coordinate across their information technology, security, privacy, and legal teams to ensure their organizations’ technology arrangements and business practices do not constitute information blocking.
Meanwhile, regulated parties should monitor for further regulatory developments, including OIG’s development of an information blocking self-disclosure protocol and HHS’s forthcoming release, as documented in the Biden Administration’s Spring 2023 Unified Agenda of Regulatory and Deregulatory Actions, of proposed regulations addressing the appropriate disincentives against health care providers that commit information blocking. Stakeholders should also be mindful as to how ramped-up federal enforcement efforts relating to information blocking may overlap with similar initiatives at the state level, such as with the Data Exchange Framework in California.