Million Dollar Maybe: Enforcement of Cures Act Information Blocking Prohibitions Begins
As of September 1, 2023, the U.S. Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) can officially begin enforcement against Certified Health Information Technology (“HIT”) developers, health information exchanges (“HIEs”), and health information networks (“HINs”) for conduct that violates the information blocking provisions of the 21st Century Cures Act (“Cures Act”).
Through a final rule issued on July 3, 2023 (“Final Rule”), OIG provided long-awaited clarity on the imposition of Civil Monetary Penalties (“CMPs”) for Certified HIT developers, HIEs, and HINs that violate the information blocking prohibitions. However, as expected, the Final Rule notably does not address information blocking CMPs for health care providers (including hospitals and other provider groups). To aid in your company’s readiness for potential enforcement by OIG, we provide an information blocking refresher, a summary of information blocking provision enforcement, and practical compliance tips.
What is Information Blocking? A Brief Refresher
Congress intended Title IV of the Cures Act, which President Obama signed into law on December 13, 2016, to advance interoperability, prohibit information blocking, and enhance the ability of patients and their health care providers to use HIT platforms that are both private and secure. However, many of these concepts were not clearly defined until March 2020 when the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare and Medicaid Services (“CMS”) issued proposed regulations to define the scope of the information to which the law applies and the steps required for an entity to “advance interoperability.”
“Information blocking” is the antithesis of interoperability—defined in the Cures Act as conduct that, except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (“EHI”); and
- If conducted by a Certified HIT developer, HIN or HIE, such developer, network, or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of EHI; or
- If conducted by a health care provider, such provider knows that such practice is unreasonable.
ONC interprets “interference” broadly to include actions that prevent, materially discourage, and otherwise meddle with the ability for patients and their health care providers to access, use, and transmit EHI. For example, health care providers and providers of Certified HIT, HIEs, and HINs alike perpetrate violations of information blocking prohibitions by:
- Imposing formal or informal policies, procedures, and requirements that directly or indirectly restrict access, use, and exchange of EHI;
- Implementing HIT and other technologies in non-standard ways to increase the burden of accessing, using, and exchanging EHI;
- Placing timing restrictions on the ability to access, use, and exchange EHI;
- Discouraging or limiting the use of interoperability methods through contract terms and conditions or by exercising influence over the individual seeking access, use, and/or disclosure of EHI;
- Charging exorbitant fees to respond to and otherwise comply with requests to access, use, and transmit EHI;
- Otherwise limiting portability or engaging in discriminatory behavior that frustrates interoperability of EHI.
While the interpretation and application of the information blocking prohibition are quite broad, the Cures Act permits interference with the access, use, and exchange of EHI when certain circumstances arise. The law categorizes information blocking exceptions into those that involve: (i) not fulfilling requests to access, exchange, or use EHI, and (ii) procedures for fulfilling requests to access, exchange, or use EHI.
To summarize, nonfulfillment of a request to access, exchange, or use EHI is permissible:
- To prevent harm – To make use of this exception, the entity to which the request is made must hold “a reasonable belief that the practice will substantially reduce a risk of harm to a patient or another natural person that would otherwise arise from the access, exchange, or use.”
- To protect an individual’s privacy – Depending on the type of entity to which the request is made and that entity’s satisfaction of certain conditions, certain practices are permissible to protect an individual’s privacy interests.
- To protect the security of EHI – Use of this exception requires the entity to which the request was made to demonstrate that the nonfulfillment practice is directly related to safeguarding the confidentiality, integrity, and availability of EHI.
- Because the fulfillment of the request is infeasible – If certain conditions are met, OIG will excuse conduct that usually constitutes information blocking if fulfilling the request is infeasible due to uncontrollable events, inability to separate the requested EHI from EHI that the entity may withhold or cannot provide under applicable law, or other, non-discriminatory circumstances.
- Due to temporary unavailability of HIT to maintain or improve performance.
If certain conditions are met, the following practices do not constitute information blocking:
- Limiting the content of a request response or the manner in which the request is fulfilled.
- Charging fees for the fulfillment of requests for access, use, and/or exchange of EHI that result in a reasonable profit margin.
- Licensing interoperability elements from a technology provider to facilitate access, use, or exchange of EHI.
Why Does Information Blocking Matter? Final Rule and Enforcement
The Cures Act authorizes OIG to investigate claims of information blocking violations. Despite this authority, no mechanism (i.e., penalties) existed for OIG to enforce the information blocking regulations when they became effective in April 2021. Until the recent issuance of the Final Rule in July 2023, the only recourse available to an individual or entity experiencing information blocking by another was to make a report through the ONC website. In effect, the law lacked teeth. Despite delayed rulemaking due to the COVID-19 public health emergency, in the Final Rule OIG noted that enforcement remains a priority.
Investigative Authority. The Final Rule amends the Civil Monetary Penalties Law (“CMPL”) to permit the Secretary of HHS, upon an investigation and subsequent finding of an information blocking violation, to exact monetary penalties “not to exceed $1 million per violation” on developers of Certified HIT or other entities offering Certified HIT (i.e., a vendor of Certified HIT), HIEs, and HINs. Similar to the look-back periods of other Federal laws, the HHS Secretary has 6 years from the date an information blocking violation occurred to bring an action to impose a CMP.
The Final Rule indicates that HHS will develop a separate notice of proposed rulemaking establishing disincentives for health care providers. Until those rules are final, OIG may refer any health care provider that commits information blocking “to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law.” Importantly, a developer of Certified HIT, HIE, or HIN that engages in information blocking and also meets the definition of a health care provider may still be required to pay CMPs established by this Final Rule. Further, developers of Certified HIT that participate in the ONC Health IT Certification Program and are found to have committed an information blocking violation could face termination of certification through the ONC Health IT Certification Program or other action by ONC in addition to Final Rule CMPs. OIG also emphasizes the myriad pathways for coordinating with a variety of federal agencies to supplement OIG information blocking enforcement.
Determination of CMP Amounts. In addition to the establishment of an enforcement mechanism, the Final Rule expounds the definition of a “violation” as a term separate from the practice of information blocking—a “violation” is a “practice” that constitutes “information blocking.” Per OIG, a single action preventing access to EHI affecting multiple patients is a single violation, but the number of affected patients would be considered in determining CMP amounts.
While a penalty of $1M per violation is authorized by the Cures Act, OIG explained that such a penalty would be appropriate for “particularly egregious conduct.” There are not yet enforcement decisions to which OIG may refer in determining whether a “violation” of information blocking rules has occurred, and the Final Rule indicates that the agency will rely on a fact-specific analysis. OIG will weigh factors to assess the nature and extent of the violation and the physical and financial harm resulting from the violation (e.g., number of patients affected, number of providers affected, number of days for which the violation continues). OIG will also consider the general factors in the CMPL when determining CMP amounts. CMP determinations may be appealed through an administrative law judge, and the fact-specific analysis is likely to come up. OIG noted that it may implement additional factors for CMP determination in future rulemaking after the agency has enforcement experience.
Reporting Violations. ONC will continue to accept reports from the public via its website. As required by law, ONC will coordinate with OIG to share the details of any submitted report. In addition, the Final Rule indicates that OIG will maintain a website and a hotline for the public to submit reports of information blocking. However, this website currently lacks explanation about how to categorize an information blocking violation for report filing purposes.
Enforcement Priorities. OIG expects to receive more complaints than it can investigate. OIG plans to prioritize for investigation conduct that:
- Resulted in, is causing, or had the potential to cause patient harm;
- Significantly impacted a provider’s ability to care for patients;
- Was of long duration;
- Caused financial loss to federal health care programs, or other government or private entities; or
- Was performed with actual knowledge.
What Now? Practical Compliance Tips
As OIG ramps up enforcement efforts, we recommend taking a few practical steps to identify compliance obligations applicable to your business:
- Determine whether any part of your business may be classified as a health care provider or a developer of Certified HIT, HIE, or HIN. If no part of your business falls into one of these categories, compliance with information blocking rules is not required. However, if any part of your business fits within one or more of these categories, you must evaluate whether any changes to policies, procedures, and business practices are necessary to avoid information blocking violations.
- Review and update policies, procedures, and practices. Because OIG’s authority to exact enforcement penalties against developers of Certified HIT, HIE, and HINs began September 1, 2023, these entities should review and make any necessary changes to policies, procedures, and practices immediately, though businesses that are health care providers should also review and make updates as soon as possible. This includes actors that put information blocking policies and practices in place in response to proposed rulemaking. FAQs and additional guidance may lead to tweaks. See our recommended steps below:
  - If your business qualifies as a health care provider, it is important to evaluate all aspects of your approach to granting access, use, and exchange of EHI to patients and other health care providers. This includes, e.g., whether fees are reasonable, timing obligations, and technical changes to EMR/portal access. If a policy, procedure, or practice raises information blocking concerns, we recommend determining whether an exception applies. If all conditions for an exception are not met, the policy, procedure, or practice should be remediated. Priority reviews should focus on practices that affect patient care.
  - If you are a developer of Certified HIT, HIE, or HIN, we recommend evaluating whether any of your policies, procedures, or practices interfere with access, use, and exchange of EHI between patients and health care providers. This includes, e.g., technical specifications, customization impact, and functionality for providers to make individualized determinations for access. If a policy, procedure, or practice raises information blocking concerns, we recommend determining whether an exception applies. If all conditions for an exception are not met, the policy, procedure, or practice should be remediated.
- Employee training. We recommend providing and/or revisiting information blocking training for all personnel who interact with your organization’s HIT or facilitate access, use, and exchange of EHI. Consider implementing role-based access with additional details for frontline employees.
- Assess risk management plan. While the goal should always be to prevent information blocking violations, it is important to plan for the financial impacts of a potential enforcement action. Because penalties for each information blocking violation can reach $1 million, we recommend re-evaluating your business’s insurance policies and any other financial information to develop a plan for addressing CMPs imposed by OIG.
- Analyze licensing agreements, terms and conditions, and other contractual arrangements. Reexamine any licensing agreements, business associate agreements, terms and conditions, and other contractual arrangements for the provision, access, or use of HIT of any kind and implement amendments to upstream and downstream contracts to bring your business into compliance with the information blocking prohibition.
For guidance on whether your business must comply with the information blocking prohibitions or advice on implementing changes to avoid a violation, please contact any member of the Quarles Data Privacy & Security Team, your Quarles attorney, or: