Skip to content

OIG Releases Final Rule for Information Blocking Penalties

July 31, 2023

On July 3, the Department of Health, and Human Services (“HHS”) Office of Inspector General (“OIG”) published a final rule establishing the statutory civil money penalties created by the 21st Century Cures Act (“Cures Act”) information blocking requirements. The OIG will begin enforcing the information blocking penalties outlined in the final rule on Sept. 1.

What is Information Blocking?

In 2016, Congress passed the Cures Act to induce the electronic access, exchange, and use of health data. The Office of the National Coordinator for Health IT (“ONC”) Cures Act Final Rule, published in 2020, implemented the interoperability provisions of the Cures Act to promote patient control over their health information through the adoption of a standards-based application programming interface (“API”) that makes it easier for patients to use smartphones, tablets, and desktop apps to access their electronic health information (”EHI”) from certified EHR systems.

The Cures Act defines information blocking as, “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information,” except as required by law or covered by one of eight limited exceptions defined by the Secretary of HHS. Information blocking can take many forms, including configuring or implementing technology in ways that limit the types of data that can be exported or used from the technology, or disabling or restricting an electronic health record’s ability to enable users to obtain or share EHI with users of other systems.

Civil Money Penalties

The Cures Act authorizes civil monetary penalties (“CMP”) against actors that engage in information blocking. Actors subject to the OIG final rule include health IT developers; health information exchanges (HIEs); and health information networks (HINs). Notably, the OIG’s final rule does not address the OIG investigations of potential information blocking by healthcare providers unless the provider also meets the definition of an IT developer, HIN, or HIE. A separate notice of proposed rulemaking is being drafted to establish appropriate disincentives for healthcare providers.

If the OIG determines that information blocking occurred, it will determine the penalty amount by taking into account the nature and extent of the information blocking, the number of patients affected, the number of providers affected, the number of days the information blocking persisted, and any resulting harm. The OIG will also take into account the general factors provided for under the Civil Money Penalties Law such as the totality of the circumstances, culpability, and any prior violations. The OIG has also stated that it may consider additional factors for determining CMPs after it has gained more experience in enforcing the rule. Individuals or entities subject to the OIG’s final rule that have committed information blocking may be subject to up to a $1 million penalty per violation.

OIG Enforcement Priorities

In order to effectively allocate its resources to target information blocking allegations that have more negative effects on patients, providers, and health care programs, the OIG will prioritize cases for investigation that (1) resulted in, is causing, or had the potential to cause patient harm; (2) significantly impacted a provider’s ability to deliver patient care; (3) were of long duration, (4) caused financial loss to Federal healthcare programs or other government or private entities; or (5) were performed with actual knowledge. The OIG will likely prioritize cases in which an actor has actual knowledge over cases in which the actor only should have known that the practice was likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. The OIG also noted in the final rule that its enforcement priorities may lead to investigations of anticompetitive conduct or unreasonable business practices, such as a contract containing unconscionable terms related to sharing of patient data which could be anti-competitive conduct that impedes a provider’s ability to care for patients.

For more information about this law or what compliance options may be available, please contact the legal professionals at Clark Hill PLC.

The views and opinions expressed in the article represent the views of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.

Subscribe For The Latest