In June 2023, a new final rule was issued by the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) entitled: Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; OIG’s Civil Money Penalty Rules.[1] The effective date of this new rule is September 1, 2023, with no look-back period. In other words, the rules are in effect now, so actors subject to the rules urgently need to prepare, operate, and administer compliance in the affected areas.
Rule overview
This final rule from one of the most powerful enforcement arms of the federal government is important for several reasons, but primarily because it establishes an infrastructure for enforcing portions of the 21st Century Cures Act that have previously not been enforced. And the penalties it prescribes are potentially in the seven to eight figure range ($1 million per violation), which adds an entirely new element of risk to organizations that may fall under its purview.
This final rule amends the civil monetary penalty (CMP) OIG regulations to incorporate new CMP authority for information blocking; incorporate new authorities for CMPs, assessments, and exclusions related to HHS grants, contracts, and other agreements; and increase the maximum penalties for certain CMP violations.
Section 4004 of the Cures Act added section 3022 to the Public Health Service Act (42 U.S.C. § 300jj-52),[2] which, among other provisions, provides OIG the authority to investigate claims of information blocking and authorizes the secretary to impose CMPs against a defined set of individuals and entities that OIG determines committed information blocking. Information blocking poses a threat to patient safety and undermines efforts by providers, payers, and others to make the health system more efficient and effective. Information blocking may also constitute an element of a fraud scheme, such as forcing unnecessary tests or conditioning information exchange on referrals.
The Office of the National Coordinator for Health Information Technology (ONC) Final Rule implements certain Cures Act information blocking provisions, including defining terms and establishing reasonable and necessary activities that do not constitute information blocking or “exceptions” to the definition of information blocking. OIG and ONC have coordinated extensively on the ONC Final Rule and this final rule to align both sets of regulations.
Why and what is the OIG CMP final rule about?[3]
ONC’s information blocking regulations at 45 C.F.R. Part 171 and the OIG CMP regulation at 42 C.F.R. § 1003, subpart N, are designed to work in tandem. As a result, parties should read this OIG CMP final rule together with the ONC Final Rule. The ONC Final Rule defined “information blocking” and specific terms related to information blocking, and implemented exceptions to the definition of information blocking. This final rule describes the parameters and procedures applicable to the CMP for information blocking. Under the definition from the Cures Act, information blocking is a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.
A healthcare provider must provide a clear explanation for any limitations they impose on access to EHI and must make a good faith effort to provide access to as much EHI as possible. Healthcare providers are also required to make available any information blocking policies or procedures that they have in place, and provide patients with information on how to file a complaint if they believe their access to EHI has been improperly limited or blocked. This should be added into your Notice of Privacy Practices. It has not yet been settled whether and when the requesting party must, or even should, be notified that an information blocking exception has been invoked.
Who the OIG Final Rule applies to
CMPs—not to exceed $1 million per violation—may be imposed upon health IT developers of certified health IT or other entities offering certified health IT (meaning those who share electronic health record (EHR) systems), health information exchanges (HIE), and health information networks (HIN) that OIG determines—following an investigation—committed information blocking. This seemingly does not include healthcare providers. Rather, the rules seem to focus on the owners and operators of HIE or HIN and certain certified health IT developers. But that is misleading and cause for concern for healthcare providers, who are also mentioned in other text within the rules. So, if an actor is a healthcare provider that works with an HIE or HIN, or shares its EHR or similar systems that contain patient information that could be described as EHI under the Cures Act, be aware that these CMP rules could apply. Seek advice from legal counsel for a specific determination of liability.
For example, the rule says that any healthcare provider determined by OIG to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable federal law, as the Secretary of HHS sets forth through notice and comment rulemaking. This means these rules have not yet been set, although they are said to be due in fall 2023. Other language oriented towards healthcare providers says that a health IT developer of certified health IT, HIE, or HIN as defined in 45 C.F.R. § 171.102 determined by OIG to have committed information blocking could be subject to CMPs under this final rule—even if that entity also met the definition of a healthcare provider at 45 C.F.R. § 171.102.[4] For additional discussion related to healthcare providers who meet a definition of an actor subject to CMPs, see section IV.A.3. of the rule’s preamble.
In fact, the potential actors subject to CMPs are listed as public health institutions, clinical data registries, public health agencies, health plans, and healthcare providers—any of which could meet the definition of an HIN/HIE.
As part of their assessment of whether a healthcare provider or other entity is an HIN/HIE that could be subject to CMPs for information blocking, OIG anticipates engaging with the healthcare provider or other entity to better understand its functions and offer the provider an opportunity to explain why it is not an HIN/HIE.
OIG has the authority to investigate an information blocking violation by a healthcare provider. However, the agency has no statutory authority to impose a CMP on a healthcare provider. Therefore, the final rules discussed in this document are only for providers who meet the wider definition (HIE/HIN or health IT developers) listed above. That takes a healthcare provider from expecting only “appropriate disincentives” for violating the information blocking rules to facing perhaps a million-dollar liability.
Knows or should have known
For a developer of certified health IT offering certified health IT, an HIE, or an HIN to be liable for a CMP, they must have known or should have known that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.
The Cures Act has established two distinct knowledge standards for actors’ practices that can fall into the definition of information blocking. For the entities above, the law’s standard is that the actor knows, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, by contrast, the law applies the standard of whether they know that the practice is unreasonable and likely to interfere with the access, exchange, or use of EHI.
The “should know” language is a tool the regulators can use to expand who may be charged with information blocking, as it is subjective and essentially determined by them, although there are defenses.
Determination of CMP amounts
The final rule says that investigations of complaints about information blocking will determine the CMP amounts after considering factors such as the nature and extent of the information blocking and harm resulting from such information blocking, including and where applicable:
- the number of patients affected
- the number of providers affected
- the number of days the information blocking persisted
HIPAA, Cures Act, and state law intertwine
There is so much intertwining of the HIPAA and Cures Act rules that it is difficult to gauge how they will interplay in enforcement. Here is some assistance in sorting the interactions. Remember, HIPAA is not covered under this final rule but has its own enforcement, not discussed in this document. Also, remember that state breach and privacy laws, as well as other specific laws, could also come into play.
A covered entity (CE) under HIPAA may deny a request for access by a patient or their personal representative to protected health information (PHI) under certain limited circumstances. While HIPAA has various timers, access is typically provided in increments of 30 days, which is too long these days and can be seen as a barrier to access, which is forbidden by the intertwined information blocking rules.
Under HIPAA, the CE must provide a written denial and explanation to the individual, along with information on how to request a review of the denial.
Under the Cures Act information blocking rules, healthcare providers and other covered entities may only deny a request for access to EHI under certain limited circumstances, and EHI must be made accessible to individuals, their personal representatives, and other authorized parties (other providers, payers, caregivers and family members, researchers, and public health authorities), without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances.
With the Cures Act and other state laws intertwining, processes for disclosure of PHI and EHI are changing. When a request is denied, be it a patient request, a treatment, payment, or healthcare operations request, or another data exchange, the documentation must be made available without unreasonable delay, just as the requested records would have to be. The reasons for the denial must be documented, and policies and procedures must be made available, as well as information on where the parties can complain. Whether the actual language of the information blocking exception(s) invoked must be delivered to the requestor has not been established in practice yet.
Don’t forget to create systems to log and manage the invocation and maybe revocation of these exceptions as they are conditional and require specific documentation for compliance. As a matter of process, there is no information in the OIG Final Rule provided about revoking previously invoked information blocking exceptions (nor is it expected to be in this rule as it’s not addressed in the ONC or CMS Cures Act rules at this time). This will be defined over the course of developing good industry practices.
Conclusion
The new OIG CMP enforcement final rules make clear that at least egregious violations of the Cures Act information blocking rules will be enforced with possibly million-dollar plus penalties. This is a large sum, showing the regulators are serious about the rules being followed for information blocking and the use of their exceptions. Now is the time to implement both EHR vendor and other compliance tools to manage information blocking. Know the rules and work diligently, with documentation, to ensure your organization does not engage in practices that could fall under these stiff penalties. Best practices have not yet evolved in these areas but are in process. Be sure to collaborate with subject matter experts to grasp and correctly implement the full suite of the Cures Act rules that include information blocking.
Takeaways
- The new U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) Final Rule has massive penalties of up to $1 million per violation, and there can be multiple violations.
- The rules took effect on September 1, 2023.
- The 21st Century Cures Act “actors” these rules apply to may or may not include healthcare providers, depending upon whether they are connected with a health information exchange or health information network, or share an electronic health record system with another organization.
- The “appropriate disincentives” that indicate the enforcement for healthcare providers in general are stated by the Office of the National Coordinator for Health Information Technology (ONC) to be coming in the fall of 2023. These new rules would be somehow related to this OIG civil monetary penalty (CMP) rule, but there is little other guidance.
- OIG’s enforcement action will only include CMPs, while ONC could pursue a separate enforcement action within its authority, which could include a corrective action plan, education, and other items. HHS Office for Civil Rights could also be called in to apply their own investigation and penalties.