On September 1, 2023, the United States Department of Health and Human Services Office of Inspector General (HHS OIG) started to enforce the final rule implementing information blocking penalties. This means that effective September 1, 2023, complaints of information blocking conduct (essentially any practice that interferes with access, exchange or use of electronic health information) will be considered by HHS OIG, potentially resulting in penalties of up to $1 million per violation.
There are four different types of entities that are subject to the penalties: health IT developers of certified health IT, entities that offer certified health IT, health information exchanges, and health information networks.
HHS OIG anticipates receiving “more information blocking complaints that it can investigate,” and therefore, as complaints come in, HHS OIG has created a triage system and will first focus on cases that: resulted in, is causing, or had the potential to cause patient harm; significantly impacted a provider’s ability to care for patients; lasted a long period of time; caused financial loss to federal health care programs or other government/private entities; or were performed with actual knowledge.
When it comes to the priority related to patient harm, it is not specific to individual harm, but may encompass harm to a patient population, community, or the public. Additionally, health IT developers of certified health IT and health information exchanges and networks do not have to have actual knowledge in order to commit information blocking but the conduct of someone who has actual knowledge is typically more egregious than the conduct of someone who only should know that their practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information. It’s likely that the enforcement priorities may shift and evolve as OIG gains more experience investigating information blocking.
After assessing each complaint, HHS OIG may open an information blocking case and investigate the complaint. If OIG concludes information blocking was not committed, the case will be closed.
If a complaint leads to a full investigation, OIG may consult with the Office of the National Coordinator for Health IT in addition to conduct interviews, document requests, and other fact gathering. If OIG concludes the entity committed information blocking, a demand letter will be sent to the entity. Entities will be given an opportunity to discuss the investigation with OIG and if a civil monetary penalty is imposed, will have the ability to appeal the penalty.
The actual penalty amount will vary and be “based on a case-specific application of each identified aggravating and mitigating factor,” noting that the maximum penalty of $1 million per violation would likely “apply to particularly egregious conduct.”
As this became effective September 1, 2023, any information blocking conduct that occurred before September 1, 2023, will not incur penalties. HHS is also in the process of developing a separate rule to establish specific disincentives for healthcare providers that do not meet the four types of entities named above to also discourage information blocking among those entities as well.