Key Takeaway

Information Blocking is a real phenomenon that can result in patient harm. The administration is treating this topic as one of its top enforcement priorities. Rest assured, both of the U.S. Department of Health and Human Services’s Office of the National Coordinator for Health Information Technology (ONC) and the U.S. Department of Health and Human Services Office of the Inspector General (HHS-OIG) will actively review and investigate all submitted claims to determine if information blocking has occurred, and levy financial penalties if warranted Additionally, it is evident that the United States Department of Justice (DOJ) and HHS-OIG have been very active in conducting investigations for False Claims Act violations involving Certified Health IT misrepresentations and CMS reporting inaccuracies, as well as the HHS Office of Civil Rights (HHS-OCR) for HIPAA security and patient right of access violations. 

Medical professionals review patient health information

Bottom-line: Not complying with the relatively new Information Blocking regulations can prove to be very costly! Developers of certified Health IT, health information networks (HINs), health information exchanges (HIEs) and healthcare providers (termed “actors” in the regulations) should implement preemptive measures and pro-information sharing policies to minimize their risk of being an information blocker. 

Background and Rule Summary

The 21st Century Cures Act  (Cures Act)—a landmark bipartisan healthcare law enacted in December 2016—includes provisions to enable sharing of electronic health information (EHI) and prohibits blocking of such information by specific defined “Actors,” namely, health information networks (HIN), health information exchanges (HIE), health information technology developers of certified health IT, and also health care providers. Specifically, section 4004 of the Cures Act defines Information Blocking as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI except as required by law or covered by an exception.

Information Blocking can threaten patient safety, introduce avoidable systemwide inefficiencies, and undermine the true potential of health information technology. As an example, when clinical reports and histories are not available in a patient’s record, providers may inadvertently prescribe a contraindicated medication or unnecessarily order new lab tests. 

More than three years after the ONC final rule defining Information Blocking and its exceptions, the HHS-OIG, as enabled by the Cures Act, issued its final rule incorporating their new authority to impose civil monetary penalties (CMP) for Information Blocking. With this new authority, HHS-OIG can now investigate such complaints and may impose the maximum CMPs penalties up to $1M per violation. Determinations of CMPs will take into consideration the following:

(A) The nature and extent of the Information Blocking including where applicable:

  1. The number of patients affected;
  2. The number of providers affected; and
  3. The number of days the Information Blocking persisted; and

(B) The harm resulting from such Information Blocking including where applicable:

  1. The number of patients affected;
  2. The number of providers affected; and
  3. The number of days the Information Blocking persisted

Of note, the final rule does not impose new Information Blocking requirements but refers to the regulations published by the ONC as the basis for investigating and enforcing penalties. This final rule addresses three of the actors in this information blocking regulatory construct, yet does not establish any penalties or disincentives for healthcare providers. The HHS Centers for Medicare & Medicaid Services is developing a separate rule to establish those disincentives.

Reporting & Enforcement Activity 

Complaints can be logged by affected individuals or entities following the process outlined on the HHS-OIG website and ONC Information Blocking Portal. ONC has been tracking these complaints for years — there have already been a lot. 

Given the new HHS-OIG final rule that details the CMPs and the enforcement structure in place, we expect to notice an uptake in both investigation activities and enforcement actions. It is time, resource, and cost prohibitive to prepare, participate, and effectively respond to HHS-OIG investigations, and equally expensive to satisfy CMPs if they are issued by OIG. 

Depending on the details of the matter, the HHS-OIG may also coordinate with other organizations, including the Federal Trade Commision and HHS Office of Civil Rights (HHS-OCR) for investigation purposes. Investigations will not include any conduct that occurred before September 1, 2023. That said, we note that the ONC regulation concerning Information Blocking has already been in effect since April 5, 2021. Under this regulation, Certified Health IT developers must comply with the stated Information Blocking rule and provide the required Attestation under the Condition and Maintenance of Certification requirements. A Certified Health IT developer’s failure to comply with this rule can result in termination of their certification for Health IT Modules and / or a certification ban. Additionally, defined Actors can also be in violation of certain safe harbor conditions under the Federal Anti-Kickback Statute and therefore become subject to civil monetary penalties or enforcement actions.

Bottom-line: Although the OIG CMPs for Information Blocking would not be applicable to identified non-compliance instances prior to September 1, 2023, they could still result in serious consequences.

Analysis Of The Complaint Data 

As noted, ONC’s Information Blocking portal has been operational since April 5, 2021, allowing claims to be submitted against potential Actors.

Key points gleaned from the ONC data, include:

  • Between April 5, 2021 to May 31, 2023, the ONC received a total of 764 submissions out of which 708 (93%) appeared to be claims of possible Information Blocking 
  • ~70% of the submissions were made by patients or a third-party on behalf of the patient seeking access to their EHI
  • Most submitted claims were made against health care providers (~80%) followed by Certified Health IT developers (~13%) 

Observations by Quandary Peak Research: Although the majority of submitted claims were against healthcare providers, it is unclear to us whether the submitters are able to precisely identify the offending Actor. For example, it is unreasonable to expect a typical patient to know whether it is the provider that is denying access to their EHI, or the institution employing the provider, or the Certified Health IT developer providing software to the healthcare institution without conducting some detailed investigation. 

To our knowledge, these claims have not been investigated, however, ONC does conduct a cursory review of these claims to eliminate inquiries that may be seeking general information or asking questions. With the HHS-OIG enforcement rule effective September 1, 2023, HHS-OIG will start investigating submitted claims to determine if disciplinary action is necessary. 

Holders and Users of Electronic Health Information; NOW is the (past due) TIME TO ACT!

Key Action Steps to Focus:

  • Review and update information release practices, HIPAA policies, business associate agreements, and request/response workflows to ensure full compliance with requirements concerning timely access to EHI.
  • Review and update contracts, agreements, and practices to ensure compliance with the Information Blocking, Assurances and Communications requirements
  • Develop a robust infrastructure and governance processes to confidently attest and maintain compliance; examples include:
    • Review all policies for data access / requests
    • Evaluate if any of the Information Blocking exceptions are applicable to your business processes. Note: the Federal Government expected these eight exceptions to be very infrequently used and be similarly applied
      • If so, develop a process to evaluate when / if Information Blocking exceptions may occur and how the request for access, exchange, and use of EHI will be processed
      • Develop and implement a robust documentation process to support any Information Blocking exception employed 
    • Educate and train staff on the new Information Blocking requirements. Additionally, healthcare providers should also create targeted materials to educate their users regarding this important topic and to correctly utilize the software in a manner that will not constitute information blocking
  • Conduct audits to ensure Certified Health IT in use complies with all ONC Certification Program and CMS information blocking and health IT requirements 

At least 9 in 10 US hospitals have Certified Health IT. There is now a perfect storm of near ubiquitous Health IT adoption, standardized EHI, heightened patient engagement, and expansive needs for interoperable health information (e.g., care coordination, quality improvement, population health, etc.) that now necessitates laser focus attention on meeting Information Blocking requirements and a robust compliance action plan. 

Quandary Peak Research has unique expertise and working experience in auditing and consulting with HHS federal agencies, the DOJ, and defined Actors / Healthcare organizations on regulatory policy and Health IT compliance matters. We can help you to navigate these rough waters!