Key Takeaways:

1. The OIG has implemented penalties of up to $1 million per violation for information blocking under the 21st Century Cures Act.
2. The penalties apply to developers and health information networks/exchanges, but a separate rule is being developed for healthcare providers regarding information blocking.
3. When determining the penalty amount, the OIG considers factors such as the extent of information blocking, harm caused, number of affected patients/providers, duration, financial losses, and whether the blocking was done knowingly. The maximum penalty is expected for severe cases, but no baseline amount is set.

On June 27th, Office of the Inspector General (OIG) of the Department of Health and Human Services (HHS) posted its final rule (Final Rule), which amends the OIG’s civil monetary penalty (CMP) regulations to implement the information blocking penalties authorized by the 21st Century Cures Act and regulations promulgated thereunder (together, the Cures Act). The Final Rule subjects individuals or entities that commit information blocking in violation of the Cures Act to a penalty of up to $1 million per violation. The OIG finalized the effective date for the CMP for information blocking as 60 days after the Final Rule is published in the Federal Register. The OIG also confirmed that it would not impose a CMP on information blocking that occurred prior to the enactment of the Final Rule.

Applicability of Enforcement Rule

Notably, the Final Rule only applies to two of the three categories of “actors” that are subject to the Cures Act – health information networks/exchanges (HINs/HIEs) and developers of certified health IT (Developers). However, the Final Rule does not address potential information blocking by healthcare providers (unless the provider also meets the definition of a Developer or HINs/HIEs), as HHS is developing a separate notice of proposed rulemaking to establish appropriate disincentives for healthcare providers. Thus, the Final Rule establishes CMPs for any practice that is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information (EHI) if the practice is conducted by a Developer or HINs/HIEs.

Calculation of CMP Amounts

In determining the amount of a CMP for information blocking, the Final Rule provides that the OIG must consider several factors, including the nature and extent of the information blocking and harm resulting from such information blocking, including, where applicable, the number of patients affected, the number of providers affected and the number of days the information blocking persisted. The OIG noted that its information blocking enforcement priorities would be conduct that (1) had the potential to cause patient harm, (2) significantly impacted a provider’s ability to care for patients, (3) was of long duration, (4) caused financial loss to federal healthcare programs or other government or private entities, or (5) was performed with actual knowledge of wrongdoing.

According to the OIG, its goal in setting penalty amounts is for a penalty to be fair, reasonable and commensurate with the wrongdoing. Since the penalty amount is based on a case-by-case evaluation, the OIG declined to set a baseline penalty amount in the Final Rule but noted that it expected the maximum penalty of $1 million per violation would apply to particularly egregious conduct. The amount of each penalty will be determined per violation and will be based on aggravating and mitigating factors, as explained in the following example that was included in the Final Rule:

• If the Developer denies a provider’s request to receive EHI for a single patient, the OIG would consider this a single violation by the Developer.
• If a provider makes a single request to receive EHI for 10 patients and the Developer takes a single action to prevent the provider from receiving the EHI, the OIG would consider this as a single violation affecting multiple patients, but the number of patients would be taken into consideration when determining the CMP.
• If a healthcare provider makes multiple, separate requests to receive EHI for several patients and the Developer denies each individual request but does not set up the system to deny all such requests, the Developer would be viewed as taking multiple separate actions to block individual requests and each denial would be considered a separate violation.  
• If a healthcare provider makes multiple requests to receive EHI for a single patient but the Developer has updated its system to deny all requests made by anyone using the provider’s EHR technology such that all requests are denied by the system, this would be viewed as a single violation, but the number of affected patients may increase the CMP.
• If a Developer enters into an agreement with a provider that requires a payment of a fee to export patients’ EHI, which it charges to  export the EHI using certified functionality, the OIG would consider this conduct two violations for (a)  the inclusion of the contract provision (fee) itself, and (b) the actual charging of the fee for an export using certified functionality.

Thus, while the OIG will treat the enactment of a policy that is likely to interfere with, prevent or materially discourage as one violation, each time that the policy is enforced will constitute another, separate violation according to the Final Rule. The OIG also emphasized in the Final Rule that information blocking only requires engaging in a practice that is likely to interfere with, prohibit or materially discourage the access, exchange or use of EHI. Information blocking does not require that the practice actually interfere with, prohibit or materially discourage the access, exchange or use of EHI.

Self-Disclosure Protocol

Since information blocking is newly regulated conduct, the OIG indicated that it had not created a self-disclosure protocol (SDP) specifically for information blocking, but that it would add an information blocking SDP in the future. The OIG encouraged utilization of the SDP, citing the several benefits of cooperating with the OIG and entering into the SDP, such as paying lower damages than would normally be required in resolving a government-initiated investigation and avoiding costs and disruptions associated with government-directed investigations. The OIG also stated in the Final Rules that it has no plans to develop and establish an advisory opinion process regarding the application of the CMP for information blocking.  

Enforcement Coordination with Other Federal Agencies

The OIG clarified in the Final Rule that enforcement for information blocking violations would not foreclose other regulatory considerations and that it would refer violations to other agencies, such as the Office of Civil Rights or the Federal Trade Commission, as appropriate, if the actions could also be deemed Health Insurance Portability and Accountability Act violations or anticompetitive conduct. The OIG highlighted that information blocking could implicate anticompetitive or unreasonable conduct, such as unconscionable or one-sided business terms for the access, exchange or use of EHI, or the licensing of an interoperability element, including contracts containing unconscionable terms related to sharing of patient data that could be anticompetitive conduct if they  impede a provider’s ability to care for patients.

We will continue to monitor ongoing developments in the enforcement of the Cures Act. 

[View source.]