This article was updated September 6, 2024 to include finalized rules from HHS-OIG.
Key Takeaway
Information Blocking is a real phenomenon that can result in patient harm. The administration is treating this topic as one of its top enforcement priorities. Rest assured, both of the U.S. Department of Health and Human Services’s (HHS) Assistant Secretary for Technology Policy and Office of the National Coordinator for Health Information Technology (ASTP/ONC), in collaboration with the HHS Office of the Inspector General (OIG) have established processes to review and investigate claims of information blocking, and enforce financial penalties and/or refer to HHS/Centers for Medicare & Medicaid Services (CMS) for financial disincentives, if warranted. Additionally, it is evident that the United States Department of Justice (DOJ) and HHS-OIG have been very active in conducting investigations for False Claims Act violations involving Certified Health IT misrepresentations and CMS reporting inaccuracies, as well as the HHS Office of Civil Rights (OCR) for HIPAA security and patient right of access violations.
Bottom-line: Not complying with Information Blocking regulations can prove very costly! Developers of certified Health IT, health information networks (HINs), health information exchanges (HIEs) and healthcare providers / hospitals (termed “actors” in the regulations) should review current policies and implement preemptive measures and pro-information sharing policies to minimize their risk of being an information blocker.
Background and Rule Summary
The 21st Century Cures Act (Cures Act)—a landmark bipartisan healthcare law enacted in December 2016—includes provisions to enable sharing of electronic health information (EHI) and prohibits blocking of such information by specific defined “Actors,” namely, health information networks (HIN), health information exchanges (HIE), health information technology developers of certified health IT, and also health care providers and hospitals. Specifically, section 4004 of the Cures Act defines Information Blocking as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI except as required by law or covered by an exception.
Information Blocking can threaten patient safety, introduce avoidable systemwide inefficiencies, and undermine the true potential of health information technology. As an example, when clinical reports and histories are not available in a patient’s record, providers may inadvertently prescribe a contraindicated medication or unnecessarily order new lab tests.
More than three years after the ONC final rule defining Information Blocking and its exceptions, the HHS-OIG, as enabled by the Cures Act, issued its final rule incorporating their new authority to impose civil monetary penalties (CMP) for Information Blocking for all actors except providers and health systems. With this new authority, HHS-OIG can now investigate such complaints and may impose the maximum CMPs penalties up to $1M per violation and/or refer to CMS for appropriate disincentives if the actor is a provider or health systems. Determinations of CMPs will take into consideration the following:
(A) The nature and extent of the Information Blocking including where applicable:
- The number of patients affected;
- The number of providers affected; and
- The number of days the Information Blocking persisted; and
(B) The harm resulting from such Information Blocking including where applicable:
- The number of patients affected;
- The number of providers affected; and
- The number of days the Information Blocking persisted
The final rule does not impose new Information Blocking requirements but refers to the regulations published by the ONC as the basis for investigating and enforcing penalties. This OIG final rule addresses penalties for the technology actors in this Information Blocking regulatory construct. Just recently, the HHS/CMS established the final rule of Information Blocking enforcement with regulation outlining Information Blocking disincentives for providers, hospitals, and health systems.
Reporting & Enforcement Activity
Information blocking complaints should be reported following the process outlined by the HHS-OIG website and ONC Information Blocking Portal. ONC has been tracking these complaints for years — there have already been many.
Given these recent HHS OIG and CMS information blocking enforcement regulations, we expect to notice an uptake in both investigation activities and enforcement actions. It is time, resource, and cost prohibitive to prepare, participate, and effectively respond to HHS-OIG investigations, and equally expensive to satisfy CMPs and CMS provider disincentives.
Depending on the details of the matter, the HHS-OIG may also coordinate with other organizations, including the Federal Trade Commission and HHS Office of Civil Rights (HHS-OCR) for investigation purposes. Certified Health IT developers must comply with the stated Information Blocking rule and provide the required Attestation under the Condition and Maintenance of Certification requirements. A Certified Health IT developer’s failure to comply with this rule can result in termination of their certification for Health IT Modules and/or a certification ban. An actor who is a provider or health system that fails to comply with information blocking regulations, may be referred to the appropriate agency and could face disincentives such as reduced reimbursement from CMS and/or removal from specific CMS payment programs. Additionally, defined Actors can also be in violation of certain safe harbor conditions under the Federal Anti-Kickback Statute and therefore become subject to civil monetary penalties and/or additional enforcement actions.
Analysis Of The Complaint Data
ONC’s Information Blocking portal has been operational since April 5, 2021, allowing claims to be submitted against potential Actors.
Key points gleaned from the recently updated ONC data, include:
- Between April 5, 2021 to August 31, 2024, the ONC received a total of 1,134 submissions out of which 1,059 (94%) appeared to be claims of possible Information Blocking.
- ~75% of the possible claims of Information Blocking were made by patients or a third-party on behalf of the patient seeking access to their EHI.
- ~81% of claims were made against health care providers.
~15% of claims were made against Certified Health IT developers.
Observations by Quandary Peak Research
Although the majority of submitted claims were against healthcare providers, it is unclear to us whether the submitters are able to precisely identify the offending Actor. For example, it is unreasonable to expect a typical patient to know whether it is the provider that is denying access to their EHI, or the institution employing the provider, or the Certified Health IT developer providing software to the healthcare institution without conducting some detailed investigation. With the HHS-OIG enforcement rule effective September 1, 2023 and the HHS-CMS provider disincentive rule, effective July 31, 2024 HHS-OIG now has full investigative and enforcement authorities for all actors that commit information blocking. Additionally, HHS will now begin publicly posting the details of those actors determined to have committed information blocking.
Holders and Users of Electronic Health Information;
The Time to Act is Now!
Key Action Steps:
- Review and update information release practices, HIPAA policies, business associate agreements, and request/response workflows to ensure full compliance with requirements concerning timely access to EHI.
- Review and update contracts, agreements, and practices to ensure compliance with the Information Blocking, Assurances and Communications requirements.
- Develop a robust infrastructure and governance processes to confidently attest and maintain compliance; examples include:
- Review all policies for data access / requests.
- Evaluate if any of the Information Blocking exceptions are applicable to your business processes. Note: the Federal Government expected these nine exceptions to be very infrequently used and be similarly applied.
- If so, develop a process to evaluate when / if Information Blocking exceptions may occur and how the request for access, exchange, and use of EHI will be processed.
- Develop and implement a robust documentation process to support any Information Blocking exception employed.
- Educate and train staff on new Information Blocking requirements. Additionally, healthcare providers should also create targeted materials to educate their users regarding this important topic and to correctly utilize the software in a manner that will not constitute Information Blocking.
- Conduct audits to ensure Certified Health IT in use complies with all ONC Certification Program and CMS information blocking and health IT requirements.
At least 9 in 10 US hospitals have Certified Health IT. There is now a perfect storm of near ubiquitous Health IT adoption, standardized EHI, heightened patient engagement, and expansive needs for interoperable health information (e.g., care coordination, quality improvement, population health, etc.) that now necessitates laser focus attention on meeting Information Blocking requirements and a robust compliance action plan.
Quandary Peak Research has unique expertise and working experience in auditing and consulting with HHS federal agencies, the DOJ, providers, and healthcare organizations on health IT regulatory compliance matters. Contact us today for a consultation with a Health IT expert.