On 27 June 2023, the Department of Health and Human Services (HHS), Office of Inspector General (OIG) posted its long-awaited final rule (CMP Final Rule) related to the federal information blocking regulations and the issuance of civil monetary penalties (CMPs).1 Enforcement of CMPs outlined in the CMP Final Rule will begin 60 days after publication in the Federal Register – as publication should occur in short order, we anticipate enforcement will likely begin the first part of September, 2023.

KEY TAKEAWAYS

  • The CMP Final Rule sets forth penalties, created by the 21st Century Cures Act (the Cures Act), that can be imposed against developers of health information technology certified by the Office of the National Coordinator for Health IT (ONC) ("health IT developers") as well as health information networks (HIN) and health information exchanges (HIE) that violate information blocking regulations.2
  • Penalties can reach US$1,000,000 per violation, defined as a "practice" that constitutes information blocking; OIG has substantial discretion to determine the amount of the penalty based on a series of priorities when investigating information blocking claims.
  • Enforcement against health care providers is not addressed in the CMP Final Rule (except where a provider is also a health IT developer, HIN, or HIE); this will be addressed in future rulemaking.
  • Health IT developers that have at least one ONC-certified health IT module (other than health care providers who self-develop health IT for their own use) are subject to the information blocking regulations and should take note of those requirements and the CMP Final Rule.
  • Separately, the CMP Final Rule also modifies 42 CFR parts 1003 and 1005 by adding Cures Act statutory provisions that amended the Civil Monetary Penalties Law (CMPL) related to fraud and other misconduct involving HHS grants, contracts, and other agreements and increasing CMPL penalty amounts effectuated by the Bipartisan Budget Act of 2018.3

BACKGROUND AND ADDITIONAL DETAIL

The Cures Act authorized CMPs for any practice that constitutes information blocking, defined as:

"any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) if the practice is conducted by an entity that is: a developer of certified health information technology (IT); offering certified health IT; a health information exchange (HIE); or a health information network (HIN) and the entity knows or should know that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI." 4

On 1 May 2020, ONC published a final rule that promulgated regulations defining information blocking and other relevant terms and establishing exceptions (ONC Final Rule). While the ONC Final Rule referenced CMPs and other penalties required by the Cures Act, it did not describe the parameters and procedures applicable to the imposition of CMPs for information blocking, nor did it revise the CMP regulations.

OIG emphasizes in the CMP Final Rule that it coordinated "extensively" with ONC to ensure that the CMP Final Rule is aligned with the ONC Final Rule, and that stakeholders should read the two rules in tandem. To that effect, the CMP Final Rule:

  1. authorizes OIG to impose CMPs of not more than US$1,000,000 per violation against health IT developers of certified health IT and HIEs/HINs that commit information blocking;5
  2. defines "violation" as a practice that constitutes information blocking;6 and
  3. identifies factors specific to information blocking that OIG will consider in assessing information blocking penalties.

These factors, which are similar to the factors that OIG indicates in the preamble to the CMP Final Rule as informing how OIG will prioritize investigations, are:

  1. the number of patients affected;
  2. the number of providers affected;
  3. the number of days the information blocking persisted; and
  4. the harm resulting from the information blocking, as measured by factors (1) through (3).

Health Care Provider Penalties Not Addressed in This Rulemaking

The CMP Final Rule does not implement the portion of the Cures Act that indicates that health care providers engaged in information blocking practices shall be subject to "appropriate disincentives," which HHS shall set forth through notice and comment rulemaking.7 However, OIG notes in the CMP Final Rule that a health care provider that meets the definition of health IT developer or HIE/HIN determined by OIG to have committed information blocking could be subject to CMPs. OIG further states that, while the CMP Final Rule includes "an informational statement" regarding how OIG anticipates it will approach information blocking enforcement, such commentary is limited to OIG's investigation of entities subject to CMPs, and "does not apply to the investigations of health care providers that may be referred for disincentives" under the Cures Act. On this subject, OIG clarifies that HHS is developing a separate notice of proposed rulemaking to establish "appropriate disincentives" for health care providers.

OIG Enforcement Priorities

In describing its anticipated priorities in enforcing information blocking rule CMPs, OIG indicates it will prioritize conduct that:

  • Resulted in, is causing, or had the potential to cause patient harm;
  • Significantly impacted a provider's ability to care for patients;
  • Was of long duration;
  • Caused financial loss to federal health care programs or other government or private entities; or
  • Was performed with actual knowledge.

In outlining its anticipated priorities, OIG emphasizes six main points:

  1. There "is no specific formula" applicable to every information blocking allegation; rather, these priorities will assist OIG in effectively allocating its resources to "target information blocking allegations that have more negative effects on patients, providers, and health care programs."
  2. OIG will reassess enforcement priorities as it gains more experience in investigating and enforcing information blocking.
  3. In reviewing allegations, OIG will coordinate closely, as appropriate, with ONC and other agencies, including the Office for Civil Rights, as well as the Federal Trade Commission for potential anti-competitive practices (see #6 below).
  4. Patient harm is not limited to individual patients, but "may broadly encompass harm to a patient population, community, or the public."
  5. Actual knowledge is not required to prove information blocking, but will assist in determining the severity of conduct that results in information blocking.
  6. Anticipated enforcement priorities will include reviewing both individual claims and allegations as well as patterns of claims or investigations; either may lead to investigations of anti-competitive conduct or unreasonable business practices, "such as unconscionable or one-sided business terms for the access, exchange, or use of EHI, or the licensing of an interoperability element."

OIG also addresses whether it will implement enforcement approaches that provide alternatives to CMPs; whether potential noncompliance with other federal laws as a result of information blocking practices will be investigated or referred; and whether OIG will create a self-disclosure protocol to allow actors to self-disclose and resolve potential CMP liability related to conduct that constitutes information blocking, including the benefits of such approach. The CMP Final Rule provides helpful insight into OIG's approach in enforcing information blocking against health IT developers and HIEs/HINs.

K&L Gates will continue to track OIG's and ONC's guidance as it relates to information blocking and the access, use, and exchange of EHI, and our attorneys are available to assist entities that are health IT developers, HIEs/HINs, and health care providers in applying these and related regulations.

Footnotes

1. According to OIG, HHS has approved the CMP Final Rule and submitted it to the Office of the Federal Register for publication, but as of the publication of this Alert, it has not yet been placed on public display or published in the Federal Register. The CMP Final Rule is available at this link: Information Blocking HHS-OIG Rule.

2. Information blocking regulations were published by the Office of the National Coordinator for Health Information Technology (ONC) at 45 C.F.R. pt. 171, and are referred to herein as "ONC Final Rule."

3 .For more information, see pp. 5 and 6 of the CMP Final Rule, available at: https://oig.hhs.gov/reports-and-publications/featured-topics/information-blocking/infoblocking-rule-unofficial-hhs-oig.pdf.

4. CMP Final Rule, p. 7-8. "Information blocking" also prohibits health care providers from engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI, but the knowledge qualifier requires that the health care provider "knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI." P. 11 of CMP Final Rule; see also 42 C.F.R. pt. 171.103.

5. 42 C.F.R. §§ 1003.1400 and 1003.1410.

6 .42 C.F.R. § 1003.1410(a).

7. HHS is developing a separate notice of proposed rulemaking to establish appropriate disincentives for healthcare providers. See CMP Final Rule, p. 27-28; see also Office of Management and Budget Unified Agenda, RIN 0955-AA05, available at Unified Agenda and Regulatory Plan Search Results (reginfo.gov).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.