Proposed Penalties for Information Blocking Violations
On October 30, 2023, the Department of Health and Human Services (HHS) released a proposed rule establishing penalties for healthcare providers who violate the information blocking rules implemented under the 21st Century Cures Act. Currently, there are no penalties against healthcare providers for violating the information blocking rules.
As a refresher, the information blocking rules are separate and apart from the HIPAA Privacy and Security Rules, which do have established penalties for violations by healthcare providers. The information blocking rules prohibit a healthcare provider, among other “actors” as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set (EHI), unless the action is required by law or an applicable legal exception is met.
The eight exceptions to the information blocking rules are complex, and each one contains a number of factors that must be met in order to qualify for the exception. To avoid any potential penalties, any provider utilizing an exception should document the use of the exception and how the exception was satisfied.
The information blocking rules apply to any request for EHI from any requestor, not just a patient's request to access information. Further, compliance with HIPAA does not necessarily equate to compliance with the information blocking rules. In other words, a provider can be in compliance with the HIPAA requirements and still be found to be in violation of the information blocking rules. In addition, the information blocking rules can be violated even if there is no harm as a result of the actor’s actions.
Previously, the Office of Inspector General (OIG) published a final rule establishing civil money penalties for violations of the information blocking rules by health IT developers, entities offering certified health IT, health information exchanges, and health information networks. However, the OIG final rule did not contain any penalties against healthcare providers for violating the information blocking rules.
The latest information blocking proposed rule aims to implement penalties for healthcare providers who violate the information blocking rules by allowing the OIG to refer such providers to CMS for payment disincentives. The method of payment disincentive depends on the type of provider involved. For eligible hospitals and critical access hospitals, the disincentives include not being able to be deemed a meaningful EHR user in the applicable EHR reporting period. For eligible individual providers, the disincentives include not being able to be deemed a meaningful user of certified EHR technology in a performance period and therefore receiving a zero score in the Promoting Interoperability performance category of MIPS. For accountable care organizations and their participants, the disincentives include not being able to participate as an ACO for at least a year.
“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”
The proposed rule regarding the information blocking disincentives for healthcare providers is currently published in the Federal Register and available for public comment. Written or electronic comments must be received on or before January 2, 2024. Healthcare providers are encouraged to submit comments regarding the appropriateness of the proposed disincentives.