The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) recently posted the final rule establishing civil monetary penalties (CMPs) for information blocking (IB Enforcement Rule). The Rule implements OIG's authority to investigate claims of information blocking and HHS' authority to impose CMPs on health information technology (IT) developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs) and health information networks (HINs). Enforcement of information blocking CMPs begins Sept. 1, 2023. The IB Enforcement Rule does not change or create any new information blocking requirements or establish disincentives for healthcare providers.

Among highlights:

• The IB Enforcement Rule applies to health IT developers of certified health IT, entities offering certified health IT, HIEs and HINs.
• Healthcare providers are exempt from CMPs unless the provider also meets the definition of one of the entities subject to CMPs. The Office of the National Coordinator for Health Information Technology (ONC) has previously issued rulemaking and additional guidance around assessing when a healthcare provider may also be a health IT developer or considered to be offering certified health IT. (See the Holland & Knight alert, "ONC Proposes Updates to Information Blocking Regulations," April 27, 2023.)
• OIG has authority to investigate healthcare provider violations, but ONC is tasked with establishing "appropriate disincentives" for healthcare provider violations.
• OIG will coordinate with other agencies (ONC, HHS' Office for Civil Rights (OCR), the Federal Trade Commission (FTC) and others) in its investigation.
• CMPs are based on a combination of violations arising out of a practice and implementation of that practice and can result in multiple violations with a maximum CMP of $1 million per violation.
• OIG will provide for a self-disclosure protocol and process.

Background

OIG protects federal healthcare programs from fraud, waste and abuse by exercising its authority to impose CMPs, assessments and exclusions. Consistent with this principle, the 21st Century Cures Act (Cures Act) established authority for OIG to investigate information blocking violations and enforce such violations by certified health IT developers, entities offering certified health IT or HIN/HIEs through imposition of CMPs. Though OIG has authority to investigate an information blocking violation by a healthcare provider, the agency has no statutory authority to impose a CMP on a healthcare provider. Instead, ONC is tasked with implementing regulations to establish "appropriate disincentives" for providers.

The Cures Act defines conduct that constitutes information blocking as a practice by an "actor" that is likely to interfere with the access, exchange or use of electronic health information (EHI), except as required by law or specified in an information blocking exception. The law applies to healthcare providers, developers of certified health IT and HIEs/HINs. The Cures Act also established two different "knowledge" standards for actors' practices within the statute's definition of information blocking. For developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and likely to interfere with the access, exchange or use of EHI. 42 U.S.C. § 300jj-52.

CMP Enforcement Priorities and Considerations

OIG specifies considerations to be made in imposing a CMP. In addition, and in anticipation of receiving more information blocking complaints than it can investigate, OIG has described its planned approach to information blocking investigations, including general enforcement priorities, that identify conduct that:

1. resulted in, is causing or had the potential to cause patient harm
2. significantly impacted a provider's ability to care for patients
3. was of long duration
4. caused financial loss to federal healthcare programs or other government or private entities, or
5. was performed with actual knowledge

OIG expects to select cases for investigation based on these priorities initially; however OIG's priorities will likely evolve over time. Note that generally, the conduct of an actor who has actual knowledge is considered more egregious than that of an actor who only should have known. Therefore, OIG will likely prioritize cases involving actual knowledge over cases in which the actor only should have known that the practice was likely to interfere with, prevent or materially discourage the access, exchange or use of EHI. Other considerations may include the nature and extent of the information blocking and harm resulting from such information blocking – including, where applicable, the number of patients affected, number of providers affected and number of days the information blocking persisted. 88 Fed. Reg. 42822-23.

Investigative Process

When OIG receives an information blocking complaint, it will evaluate the complaint using its enforcement priorities. While investigating the complaint, OIG will gather facts, conduct interviews, request documents, etc. OIG will also consult with ONC, OCR and other agencies as necessary throughout the investigation and may refer matters, as appropriate, to other agencies for resolution. OIG specifically commented on referrals to OCR for resolution of issues arising out of the Health Insurance Portability and Accountability Act (HIPAA) privacy or security rules. In addition, for developers of certified health IT, ONC has the authority to revoke certifications for information blocking conduct. 88 Fed. Reg. 42823-24.

OIG expects to coordinate with the FTC when a claim involves possible anticompetitive conduct, fraudulent marketing practices or other unreasonable business practices, such as unconscionable or one-sided business terms for the access, exchange or use of EHI or the licensing of an interoperability element. 88 Fed. Reg. 42823-24. For example, a contract containing unconscionable terms related to sharing of patient data could be anticompetitive conduct that impedes a provider's ability to care for patients.

As emphasized in the IB Enforcement Rule, OIG and ONC have been clear that information blocking arises as the result of a practice and does not necessarily occur only when a request for exchange has been delayed or denied. OIG described instances when a violation will result in multiple violations. 88 Fed. Reg. 42831-31. For example, enactment of a policy that constitutes information blocking may be one violation, while application of the policy may be a separate violation, and the number of information blocking violations found will correspond to the number of discrete acts identified in the investigation.

If OIG concludes that an actor committed information blocking, a demand letter will be sent and the actor will have the opportunity to appeal OIG's imposition of CMPs. 88 Fed. Reg. 42824. OIG has also announced the availability of a specific self-disclosure process. Unfortunately, OIG has no statutory authority for providing advisory opinions on information blocking and has been clear that the self-disclosure process is not available for advisory opinions.

As a final note, the Bipartisan Budget Act of 2018 doubled CMP amounts (not taking into account increases for inflation). 88 Fed. Reg. 42837. Though the increased CMP will apply to conduct going back to Feb. 9, 2018, OIG will not enforce penalties on information blocking conduct occurring prior to Sept. 1, 2023.

Conclusion

Though this IB Enforcement Rule does not directly apply to healthcare providers, OIG recommends that healthcare providers maintain good documentation to support compliance with the IB Enforcment Rule. ONC's proposed rule to identify appropriate disincentives and refer healthcare providers to the appropriate agency for enforcement is pending before the Office of Management and Budget Unified Agency (OMB). See RIN 0955-AA05, available at Unified Agenda and Regulatory Plan Search Results (reginfo.gov).

For more information on information blocking compliance or questions regarding how the IB Enforcement Rule may impact your business, please contact the authors or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.