Three years after the Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) issued a final rule that defined and clarified the scope of the information blocking provisions of the 21st Century Cures Act (the Information Blocking Rule), the HHS Office of Inspector General (OIG) has now published its own final rule implementing penalties for violations of the Information Blocking Rule by certain regulated actors (the OIG Final Rule). 

The OIG Final Rule (i) implements OIG’s authority to impose civil money penalties (CMP) related to violations of the Information Blocking Rule; (ii) explains OIG’s approach to enforcement of its information blocking CMP authority; and (iii) codifies the CMP amounts at 42 C.F.R. part 1003, conforming with the Civil Monetary Penalties Law as amended by the Bipartisan Budget Act of 2018.

The OIG Final Rule is effective August 2, 2023, however, enforcement of the information blocking penalties will begin on September 1, 2023. Importantly, OIG will not impose information blocking CMPs for conduct occurring prior to September 1, 2023.

Information Blocking 101

The ONC’s Information Blocking Rule regulates three categories of “actors”:(i) health care providers, (ii) health information exchanges and networks (HIEs/HINs), and (iii) developers and offerors of health information technology (HIT) certified by ONC’s voluntarily certification program. The ONC rule then prohibits these actors from engaging in “information blocking.” Information blocking is a business practice likely to interfere with, prevent, materially discourage, or otherwise inhibit the access, exchange, or use of electronic health information (EHI).

According to ONC, practices that constitute information blocking may include, for example:

  • activities that are contradictory to ONC’s interoperability requirements
  • activities that interfere with permissible or required uses of protected health information under the Health Information Portability and Accountability Act (HIPAA) Privacy Rule, such as patient access and treatment, payment, and health care operations
  • implementing health IT in a way that is nonstandard and likely to increase complexity or burden of accessing EHI.

Put simply, information blocking encompasses activities that make the access, exchange, use, or interoperability of health data more difficult. The definition also includes an intent requirement, which differs depending on the identity of the regulated actor. For health care providers, a practice meeting the regulatory definition will be considered information blocking if the health care provider knows such practice to be unreasonable and likely to interfere with access, exchange, or use of EHI. For ONC-certified health IT developers/offerors, HINs, or HIEs, a practice meeting the regulatory definition will be considered information blocking if the regulated actor knows, or should know, that such practice is likely to interfere with the access, exchange, or use of EHI.

Key Takeaways from OIG’s Final Rule

Which actors are subject to the OIG Final Rule? Only ONC-certified HIT developers and offerors, HIEs, and HINs are subject to the OIG Final Rule. Notably, the OIG Final Rule does not implement its authority to enforce the Information Blocking Rule against health care providers through referral to the appropriate agency and imposition of “appropriate disincentives.” However, OIG intends to issue a separate rulemaking implementing its enforcement authority with respect to health care providers.

What are the penalties for information blocking violations under the OIG Final Rule? OIG may impose a penalty of not more than $1 million per “violation.” A “violation” is defined as a “practice,” meaning an act or omission, which constitutes information blocking. OIG will consider the number of “violations” as connected to the number of “discrete acts” engaged in by the actor. In other words, enactment of a policy that constitutes information blocking will be considered one violation, as will each discrete act of enforcement of that policy. By considering each discrete act as a separate violation, OIG is seeking to preclude the risk that larger entities might simply opt to absorb the cost of a single violation in order to continue engaging in practices that constitute information blocking. Instead, the violations could add up quickly.

With respect to the amount of the penalties, OIG will consider the facts and circumstances of each situation, and the penalty amount will be determined per violation, based on aggravating and mitigating factors set forth in 42 C.F.R. § 1003.140. While OIG declined to establish a baseline penalty amount or a table defining specific penalty amounts for various categories of conduct, OIG noted that the maximum penalty amount of $1 million per violation will be reserved for particularly egregious conduct.

When are the information blocking CMPs effective? While the OIG Final Rule is effective as of August 2, 2023, the information blocking CMPs go into effect on September 1, 2023. Importantly, OIG has stated that conduct occurring prior to September 1, 2023, will not be subject to enforcement, with an important caveat. This enforcement discretion does not preclude government agencies from assessing conduct prior to the information blocking enforcement date under other regulatory frameworks, as applicable.

What are OIG’s enforcement priorities? OIG acknowledges that further experience with fielding claims of information blocking and enforcing CMPs for violations of the ONC’s Information Blocking Rule will lead to evolving priorities. Nevertheless, OIG has set forth several anticipated enforcement priorities and its anticipated enforcement approach, subject to evaluation of the facts and circumstances of each claim:

  • Patient Harm: The conduct resulted in, is causing, or had the potential to cause patient harm(which may be physical or financial in nature and includes harm to individual patients as well as harm to a patient population, community, or the public);
  • Patient Care: The conduct significantly impacted a health care provider’s ability to care for patients;
  • Duration: The conduct was of long duration;
  • Harm to Federal Programs: The conduct caused financial loss to Federal health care programs or other government or private entities;
  • Actual Knowledge: The conduct was performed with actual knowledge, which OIG identifies as more egregious conduct than conduct performed by an actor who merely should have known the practice constituted information blocking; and
  • Volume: OIG expects to consider the volume of information blocking claims that relate to the same or similar conduct by the same regulated actor when prioritizing the allocation of resources in investigating such claims.

Will OIG collaborate with other government agencies? Where conduct identified in the course of OIG’s investigations into allegations of information blocking intersect with multiple regulatory and enforcement frameworks, OIG plans to collaborate with and make referrals to other government agencies, including HHS, ONC, the HHS Office for Civil Rights (OCR), the Federal Trade Commission (FTC), and the Department of Justice (DOJ), as appropriate.

For example, conduct that constitutes information blocking may also create liability under the federal False Claims Act for certified health IT developers and offerors. In such cases, the DOJ’s claim may stem from a developer’s or offeror’s alleged misrepresentation made in a required bi-annual attestation to ONC that the developer or offeror has not engaged in information blocking. The DOJ may argue, as it has done in the past in connection with developers’ and offerors’ alleged misrepresentations of their health IT’s capabilities in connection with ONC certification criteria, that such misrepresentations ultimately “caused” the submission of false claims by health care provider users of the technology vis-à-vis the provider’s participation in CMS’ Promoting Interoperability Programs.

What’s Next?

As OIG notes repeatedly throughout the OIG Final Rule, enforcement of the information blocking CMP is still in its nascent stage and, as OIG builds experience investigating claims of potential information blocking and enforcing the information blocking CMP, we anticipate that OIG will issue further guidance and continue to refine its policies and procedures on this issue.

Additionally, we continue to await specific rulemaking and guidance related to the enforcement of information blocking against health care providers engaging in such conduct, including potential disincentives that will be imposed on providers found to have engaged in information blocking.

While OIG has not provided a specific timeline for such rulemaking, we will stay tuned for further developments and keep our clients up to date on the latest information blocking guidance from all related agencies. In the meantime, please contact the authors of this article with any questions.