After a COVID-19-related delay, on June 27, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a long-awaited final rule that establishes monetary penalties for violations of health information technology (IT) information blocking rules.
The 21st Century Cures Act provided OIG the authority to investigate claims of information blocking and authorized HHS to impose civil monetary penalties (CMPs) against a defined set of individuals and entities that OIG determines have committed information blocking. The Office of the National Coordinator for Health IT (ONC) published its final Information Blocking Rule in 2020, which defined “information blocking” as certain practices that interfere with the access to, exchange of or use of electronic health information (EHI). That rule also articulated a set of exceptions; concurrently, OIG issued a proposed rule on CMPs to enforce those information blocking provisions.
Entities subject to this new rule include health information exchanges (HIEs) and health information networks (HINs), as well as vendors or developers of health information technology (health IT) that have been certified by ONC. Vendors that solely develop health IT that is not certified by ONC are not subject to the rule. As of September 1, 2023, if OIG determines that such an actor has committed information blocking, the entity may be subject to a fine up to $1 million per violation; OIG will not impose a CMP on information blocking conduct that occurs before September 1, 2023.
Implications for HIEs/HINs and Developers of Health IT
The new rule means that HIEs/HINs and developers of certified health IT will soon face enforcement of a rule that can result in substantial penalties for violations.
In determining penalties for violations, OIG will consider the nature and extent of information blocking conduct and resulting harm, including, where applicable, the number of patients affected, the number of providers affected and the number of days the information blocking persisted.
With respect to determining the penalty amount, the agency will take into account:
- The nature of claims and the circumstances under which they were presented;
- The degree of culpability, history of prior offenses and financial condition of the person presenting the claims; and
- “Such other matters as justice may require.”1
OIG will make all determinations on an individual, case-by-case and fact-specific basis. The agency declined to further define “harm.”
Enforcement priorities will include conduct that:
- Resulted in, is causing or had the potential to cause patient harm;
- Significantly impacted a provider’s ability to care for patients;
- Was of long duration;
- Caused financial loss to federal health care programs or other government or private entities; or
- Was performed with “actual knowledge.”
OIG emphasizes that health IT developers and HIEs/HINs do not have to have actual knowledge of their violation in order to commit information blocking, but that cases in which an entity does have such knowledge likely will be prioritized over those where an entity should have but may not have known that its practice constituted information blocking and that an actor’s intent will be taken into consideration when assessing culpability.
OIG says they will not pursue conduct that occurred prior to September 1, 2023. However, practices that begin prior to the enforcement date but continue after that date will presumably be subject to scrutiny, meaning HIEs/HINs and developers of certified health IT need to ensure compliance with the rule quickly.
Implications for Providers and Others
Although HHS is planning to issue a separate rule this fall that is specific to penalties for health care providers that engage in information blocking, the agency indicates in this rule that, depending on the specific facts and circumstances, public health institutions, clinical data registries, public health agencies, health plans and certain health care providers could meet the definition of an HIE or HIN and hence be subject to penalties for any information blocking conduct occurring on or after September 1, 2023. OIG declines to establish whether specific individuals or entities, or categories of individuals or entities, will meet the definition of an HIE/HIN, nor does it exempt specific types of individuals or entities, including providers or payers, from the definition.
ONC has separately proposed a rule that sets forth circumstances under which providers and others will not be considered “offerors” of certified health IT (offerors can be considered developers of health IT). Falling into the exceptions of the ONC rule, therefore, is an important protection for providers and other entities that want to avoid exposure to penalties up to $1 million.
The agency indicated that, in making a fact-specific determination of whether “a health care provider or other entity is an HIN/HIE that could be subject to CMPs for information blocking, [it] anticipates engaging with the health care provider or other entity to better understand its functions and to offer the provider an opportunity to explain why it is not an HIN/HIE.”2
1 88 Fed. Reg. 42820 at 42833.
2 88 Fed. Reg. 42818.