On June 27, 2023, the United States Department of Health and Human Services (HHS) Office of Inspector General (OIG) posted its final rule, implementing its Information Blocking Rule penalties under the 21^st Century Cures Act. Entities subject to the rule include health IT developers of certified health IT, entities offering certified health IT, health information exchanges, and health information networks. It does not apply to health care providers or address health care disincentives as HHS is working on a separate proposed rule that will be released as described in the Unified Agenda. Below summarizes the key provisions from the final rule.

1. No new requirements are imposed under the final rule.
2. OIG’s current focus is on imposing civil monetary penalties (CMPs) up to $1 million per violation for individuals or entities that it determines has committed information blocking.
3. OIG will not use its authority to investigate information blocking to investigate non-compliance with CMS program requirements, but may refer such matters to CMS.
4. A self-disclosure protocol (SDP) to resolve OIG CMP liability with lower penalties will be added to OIG’s SDP webpage in the coming days. As with other OIG SDPs, OIG may refer allegations to The Office of the National Coordinator for Health Information Technology (ONC) or The Office of Civil Rights (OCR) to address allegations under its respective authority.
5. Actors should be aware that OIG is of the opinion that information blocking could create false claims liability if, for example, a health IT developer of certified health IT submits falsified attestations to ONC as part of its certification process.

Enforcement of the information blocking penalties will begin 60 days after publication of the final rule in the Federal Register. 

For those subject to the information blocking rule, we recommend a review of Health Insurance Portability and Accountability Act (HIPAA) policies and procedures to ensure that the Information Blocking Rule is addressed in a written policy.  We also recommend an assessment of operational policies, to determine whether any practice could be considered an interference with the use, access or exchange of electronic protected health information (PHI).