On June 27, 2023, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) issued a final rule (“OIG Final Rule”) that implements statutory provisions for its enforcement of the information blocking penalties created by the 21stCentury Cures Act (“Cures Act”) and assessment of civil money penalties (“CMPs”) of up to $1 million per violation of information blocking for certain individuals or entities subject to the information blocking requirements.
Under the final rule, enforcement of the information blocking penalties will begin September 1, 2023. This means, OIG will not impose penalties on conduct occurring before September 1, 2023.
In addition to authorizing OIG to investigate claims of information blocking and providing the Secretary of the Department of Health and Human Services (“HHS”) authority to impose CMPs for information blocking, the OIG Final Rule also authorizes HHS to impose CMPs, assessments, and exclusions upon individuals and entities that engage in fraud and other misconduct related to HHS grants, contracts, and other agreements; and increases the maximum penalties for certain CMP violations. Other than the information blocking penalties, the rest of the final rule’s provisions are effective August 2, 2023.
OIG Final Rule Highlights
In the OIG Final Rule, OIG finalizes the addition of the CMP for information blocking to 42 CFR part 1003 Subpart N (i.e., CMPs for Information Blocking), and the application of parts 1003 and 1005 to the CMP for information blocking as proposed without modification. OIG may impose up to a $1 million CMP per violation of information blocking against any individual or entity that meets the definition of a health information technology (“health IT”) developer of certified health IT, health information network or health information exchange (“HIN/HIE”) that knows, or should know, that it engaged in a practice that is likely to interfere with access, exchange, or use of electronic health information (“EHI”), unless an exception applies or the practice is required by law. [More information regarding Office of the National Coordinator for Health Information Technology (“ONC”) information blocking final rules and 2023 proposed changes is available here and here.]
OIG provided the following clarifications:
- Penalties may be imposed on certified health IT developers and HIN/HIEs that do not actually interfere with access, exchange or use of EHI, as long as the requisite intent is present: whether the individual or entity knew or should have known that the practice was likely to interfere with access, exchange, or use of EHI.
- OIG reiterated that the definition of HIN/HIEs under the information blocking regulations at 45 part 171 that is applicable here is functional, and it does not cover bilateral exchanges where an entity is performing services on behalf of one party and providing information to one or more entities but no actual exchange is occurring between the entities; rather, to meet the definition, an HIN/HIE must provide parties the ability and the discretion to exchange with each other under the policies, agreements, technology, and or services of the HIN/HIE.
- OIG also noted that a parent company and a subsidiary both may have CMP liability for information blocking under several circumstances, including; (i) when the subsidiary acts as an agent of the parent company, and (ii) when the parent is legally responsible for the certification status of the health IT of a subsidiary.
- A discrete action by an actor that implicates information blocking would be viewed as a single violation, so the number of violations will be connected to the number of the discrete acts.
- OIG made the point that it does not have clear criteria of what would constitute one violation versus multiple ones, but in its examples focuses on the actor’s discrete acts or omissions. For example, the implementation of a policy that violated information blocking would be one violation and each time the policy is acted upon in response to a request for access, exchange or use of EHI would constitute a new violation.
- Under the new 42 CFR 1003.1580, OIG may introduce the results of a statistical sampling study as evidence of the number and amount of claims, specified claims, and/or requests for payment that were presented, or caused to be presented by the respondent.
- Actors bear the burden of proof and would have to show that they meet an affirmative defense (information blocking exception) or mitigating factor by a preponderance of the evidence. OIG will consider any documentation to evaluate whether information blocking occurred and for evidence of affirmative defenses and mitigating circumstances.
- OIG’s lookback period is 6 years for information blocking, but OIG recommended maintaining information for additional time, noting that the ONC Health IT Certification Program requires participants to maintain records to demonstrate initial and ongoing compliance for 10 years.
- The CMP existing regulatory framework will be applied to OIG’s evaluation of information blocking claims, including regarding aggravating and mitigating factors in 42 CFR 1003.140, as well as factors in section 3022(b)(2)(A) of the PHSA now codified at 42 CFR 1003.1420.
- First, under then newly added 42 CFR 1003.1420, a determination regarding the amount of penalties for information blocking will include the (i) nature and extent of the information blocking, and (ii) harm resulting from such information blocking. For both of these factors, OIG will consider the number of patients affected, the number of providers affected and the days the information blocking persisted.
- OIG explained that under the existing CMP framework, to assess the “nature and extent” factor, OIG would review whether the practice actually interfered with the access, exchange, or use of EHI; the number of violations; whether an actor took corrective action; whether an actor faced systemic barriers to interoperability; to what extent the actor had control over the EHI; the actor’s size; and the market share. With respect to the degree of culpability, OIG will consider whether the actor had actual knowledge or whether an actor had specific intent to engage in information blocking.
- Knowing violations would be most egregious and the $1 million maximum penalty would apply to particularly egregious conduct; penalty amounts would be based on aggravating and mitigating factors.
- OIG reiterated that a variety of contractual provisions may implicate information blocking, including where parties have unequal bargaining power related to access, exchange and use of EHI and where liability is transferred, and that OIG will consult with ONC regarding such provisions.
- OIG clarified that generally there would be no need for “vetting” (specifically meaning a determination regarding whether a third-party app poses a security risk to the certified health IT developer’s software) on security grounds where the certified API technology includes the use of OAuth2 among other security requirements, in addition to its focus on ‘read-only’/responses to requests for EHI, and that such vetting would be an interference. Additionally, such vetting applied in discriminatory or unreasonable manner could implicate information blocking. OIG differentiated the vetting Health Insurance Portability and Accountability Act (“HIPAA”) covered entities may conduct of entities that would be their business associates before granting access and use of EHI.
- Actors may self-disclose information blocking conduct through a forthcoming self-disclosure protocol (“SDP”) (available here), as part of a relevant corrective action in response to a violation that would mitigate the violation. OIG also explained that the relevant corrective action must include disclosing the violation to OIG through the SDP and fully cooperating with OIG’s review and resolution of such disclosure. According to the OIG, actors accepted by OIG into the SDP who cooperate with OIG during the self-disclosure process will pay lower damages than would normally be required in resolving a government-initiated investigation. Notably, OIG reiterated that self-disclosures under the SDP would be to resolve potential liability under the CMP for information blocking but would not resolve any liability an actor may have under other applicable law, such as under HIPAA or under the ONC Certification Program. Additionally, in the OIG Final Rule, OIG stated that if OIG’s investigation uncovers conduct that suggests noncompliance with CMS program requirements, OIG may refer such matters to CMS.
- OIG’s priorities for information blocking claims will be based on conduct that:
- resulted in, is causing, or had the potential to cause patient harm, which encompasses physical or financial harm to patient populations, communities or the public;
- significantly impacted a provider’s ability to care for patients;
- was of long duration;
- caused financial loss to Federal health care programs, or other government or private entities; or
- was performed with actual knowledge, which is not required to commit information blocking but makes the conduct more egregious if present – OIG stated that, as a general matter, it would prioritize cases where actors had actual knowledge.
- OIG confirmed that information blocking may also constitute an element of a fraud scheme, such as by forcing unnecessary tests or conditioning information exchange on referrals. Additionally, false attestations to ONC as part of the ONC Health IT Certification Program may cause health care providers to file false attestations under the Merit-Based Incentive Payment System (“MIPS”), which may be investigated by the OIG’s law enforcement partners, including the Department of Justice.
- OIG will coordinate with federal government agencies (as identified by statute) to consult, refer, and coordinate on information blocking claims. For example, OIG states that because ONC promulgated the information blocking regulations and exceptions, OIG will closely consult with ONC throughout the investigative process. OIG will refer instances of information blocking to the HHS Office for Civil Rights when a consultation regarding the health privacy and security rules promulgated under section 264(c) of HIPAA will resolve such information blocking claims. Specific to anti-competitive conduct, OIG and ONC will coordinate with the Federal Trade Commission related to an information blocking claim.
The good news is that no actors will be held liable for acts or omissions that would constitute information blocking occurring before September 1, 2023. The bad news is that HIEs/HINs, certified health IT developers, and certain other organizations, such as parents or subsidiaries of such organizations, may be subject to CMPs for information blocking if they knew or “should have known” that a practice was likely to interfere with access, exchange, or use of EHI.
Therefore, actors subject to the CMPs must ensure their practices, including certain contracts and agreements, are in compliance with the ONC Final Rule and that they have documentation to show evidence of such compliance. While the highest penalties will be imposed on actors that knowingly commit acts or omissions that amount to information blocking, information blocking violations that constitute an element of a fraud scheme may be subject to False Claims Act liability. Furthermore, actors that determine that they may have engaged in an information blocking practice may want to consider self-disclosure.
Finally, while OIG does not establish information blocking penalties for health care providers, health care providers that also meet the definition of a developer or HIN/HIE under ONC’s regulations would be subject to CMPs. Therefore, it is important for health care providers to determine whether they may also be considered an actor that is subject to CMP liability.
For more information on how the OIG Final Rule could impact your organization or if you have questions about the applicability of the information blocking rules, please contact the professionals listed below, or your regular Crowell & Moring contact.