Information blocking is an emerging area of law that has important implications for health care providers and health information networks. The law of information blocking originated with the 21st Century Cures Act (the “Act”) in 2016. Pursuant to the Act, the federal government has released several important rules addressing information blocking. On March 4, 2019, the Office of the National Coordinator (“ONC”) released a final rule that, among other things, created the nine exceptions that would permit entities to lawfully block the flow of electronic health information. On July 3, 2023, the Office of the Inspector General (OIG) released a final rule setting forth the civil monetary penalties that OIG could assess against software vendors, health information exchanges and health information networks for unlawful information blocking. On July 1st, 2024, the Centers for Medicare & Medicaid Services released a final rule establishing “disincentives” for health care providers that commit information blocking. Finally, OCR recently released a proposed rule that, if adopted in final form, will update, and refine certain aspects of the current definition of information blocking and its exceptions. The OIG will investigate all suspected instances of information blocking.
Information Blocking
The Act and the ONC’s regulations define information blocking as a practice that is likely to interfere with access, exchange, or use of electronic health information. If a developer of certified health information technology, a health information network, or a health information exchange refuses to share electronic health information and such developer, network or exchange knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information without good cause, that refusal is information blocking. If a health care provider refuses to share electronic health information, the refusal can rise to information blocking if the provider knows the refusal is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information without good reason. As already noted, ONC’s information blocking regulations contain important exceptions that allow providers, software developers, and networks to refuse to share electronic health information with violating the ban on information blocking. The exceptions are preventing harm, complying with privacy laws, maintaining information security, infeasibility of data exchange, maintaining health information technology performance, permitted limitations on the manner of data sharing, permitted fees, permitted information technology licensing arrangements, and an exception to accommodate parties to The Trusted Exchange Framework and Common Agreement (“TEFCA”).
Unless an exception applies, the developers, networks, exchanges, and providers are required to facilitate the access, use or exchange of electronic health information. This contrasts with the HIPAA privacy regulation and other privacy laws, all of which regulate when the release or use of health information is permitted, but generally do not require the release or exchange of health information except in limited circumstances (e.g., disclosure to the Secretary of Health and Human Services and disclosure to the subject of the information or the subject’s personal representative). Absent an exception, regulated entities must share electronic health information.
Penalties and Disincentives
Software developers, exchanges and networks that engage in information blocking can face substantial civil monetary penalties. Providers that engage in information blocking face a range of “disincentives” that vary depending on the type of health care provider involved. CMS has established the following disincentives.
- For physicians or medical groups participating in Medicare’s Merit-Based Incentive Payment System (“MIPS”), a violation can lead to the loss of “Meaningful EHR User for MIPS” status under the MIPS program. This would prevent the physicians or groups from earning a performance category score in the Promoting Interoperability performance category for MIPS, and lead to a financial penalty.
- For providers participating in a Medicare accountable care organization, information blocking is a violation of the ACO’s shared savings participation agreement, which could lead to termination of the ACO agreement.
- For providers receiving meaningful use incentive payments from Medicare, information blocking could lead to the loss of status as a Meaningful EHR user in the Electronic Health Record Technology Incentive Program for a payment year or payment adjustment year, resulting in a reduction in revenue.
While the information blocking rule applies to a wide range of providers and suppliers, the disincentives apply only to a small subset of suppliers and providers. Providers that don’t participate in Medicare MIPS, Medicare shared-savings payments, or receive Medicare’s meaningful use incentives currently face no disincentives at all. CMS has asked for input on how to best apply disincentives to a wider range of providers and suppliers.
Health Information Networks
The ONC regulations define a “health information network” as an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information: (1) among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and (2) that is for a treatment, payment, or health care operations purpose, as such terms are defined in the HIPAA privacy regulations, regardless of whether such individuals or entities are subject to the requirements of HIPAA. Significantly, a provider (such as a hospital) could also be the operator of a health information network, and thus be subject to both disincentives and OIG civil penalties if it improperly blocks the flow of electronic health information.
CMS noted in the preamble to the disincentives rule:
- An individual or entity could meet both the definition of a health care provider and the definition of a health IT developer of certified health IT or could meet both the definition of a health care provider and a health information exchange or network. We mention these potential scenarios so that health care providers are aware that they would not necessarily only be subject to the disincentives finalized in this rule, but depending on the specific facts and circumstances, they could meet the definition of a health information network, health information exchange, or health IT developer of certified health IT—and therefore be subject to civil money penalties, if found by OIG to have committed information blocking.
Recommendations
Every entity that is subject to the information blocking rules should take steps to comply with the Act and applicable regulations. These steps should include policies, training, and regular updates. Entities should adopt comprehensive polices that both prohibit information blocking but also articulate the permitted grounds for not sharing electronic health information. The policies also should provide for an affirmative commitment to expanding interoperability and data sharing to meet the needs of patients, clinicians, and other relevant stakeholders. Entities should train relevant personnel on information blocking policies in the same manner that personnel are training on privacy, security, and data breach notification requirements. As privacy laws and data sharing technologies change, entities should update their information blocking, and interoperability policies to reflect both.
