Health Care Provider Disincentives for Information Blocking

Reprinted with permission from Birmingham Medical News

On June 31, 2024, the Department of Health and Human Services (“HHS”) published a final rule establishing penalties for health care providers who violate the information blocking rules implemented under the 21st Century Cures Act. Until the recent publication of this final rule, there were no penalties in place for violation of the information blocking rules by health care providers, although complaints relating to violations by health care providers could be filed.

As a refresher, the information blocking rules prohibit a health care provider, among other “actors” as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set (“EHI”), unless the action is required by law or an applicable legal exception is met. The eight exceptions to the information blocking rules are complex and each one contains a number of factors that must be met in order to qualify for the exception. The information blocking rules apply to a request for EHI from any requestor, not just a request to access information from patients. Further, compliance with HIPAA does not necessarily equate to compliance with the information blocking rules.

Previously, the Office of Inspector General (“OIG”) published a final rule establishing civil money penalties for violations of the information blocking rules by health IT developers, entities offering certified health IT, health information exchanges, and health information networks. The latest final rule implements penalties for health care providers who violate the information blocking rules by allowing the OIG to refer such providers to the Centers for Medicare & Medicaid Services (“CMS”) for payment disincentives. The method of payment disincentive depends on the type of provider involved.

For eligible hospitals and critical access hospitals, the disincentive involves not being deemed a meaningful electronic health record (“EHR”) user during a relevant period of time. If the eligible hospital is not a meaningful EHR user, the eligible hospital will not be able to earn certain reimbursement incentives. This disincentive will be effective 30 days after publication of the final rule.

Under the Promoting Interoperability performance category of the Merit-based Incentive Payment System (“MIPS”), a MIPS eligible clinician who has committed information blocking will not be a meaningful EHR user during the calendar year of the applicable performance period. If the MIPS eligible clinician is not a meaningful EHR user, then they will receive a zero score in the MIPS Promoting Interoperability performance category, which will impact MIPS performance and related incentives. The disincentive will only apply to the individual, even if the individual reports as part of a group practice. This disincentive will be effective 30 days after publication of the final rule.

Under the Medicare Shared Savings Program, a health care provider that is an Accountable Care Organization (“ACO”), ACO participant, or ACO provider or supplier who has committed information blocking may be ineligible to participate in the program for a period of at least one year. Consequently, the health care provider may not receive revenue that they might otherwise have earned through the Shared Savings Program. This disincentive will be effective 30 days after publication of the final rule; however, any disincentive would be imposed after January 1, 2025.

OIG will consider four elements when investigating information blocking violations and determining if a disincentive should be imposed: (1) whether the practice caused or had the potential to cause patient harm; (2) whether the practice impacted the ability to care for patients; (3) whether the practice was of a long duration; and (4) whether the practice caused financial loss to a federal health care program. Disincentives will not be imposed for conduct occurring prior to the effective date of the final rule.

“This final rule is designed to ensure we always have access to our own health information and that our care teams have the benefit of this information to guide their decisions. With this action, HHS is taking a critical step toward a health care system where people and their health providers have access to their electronic health information,” said HHS Secretary Xavier Becerra. “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients. But we must always take the necessary actions to ensure patient privacy and preferences are protected – and that’s exactly what this rule does.”

Noticeably missing from the final rule are disincentives for other types of health care providers, such as nursing homes, home health agencies, group practices, and DME suppliers. Thus, additional incentives may be forthcoming through future rule-making.
