When the ONC published the 21st Century Cures Act in 2016, providers saw the potential that the regulation promised for sharing vital electronic health information. Primarily positioned to benefit patients with access to their personal health records, the Act made special provisions against information blocking by usual culprits, such as large, established EHR vendors. The only challenge is that, until recently, this provision was all bark with little bite, as the sanctions for failing to meet data access requirements were unclear.
In a great turn of events for interoperability enthusiasts, stricter Anti-Information Blocking penalties came into effect on September 1, 2023, which include civil monetary penalties (CMPs) against players that commit information-blocking offenses.
We’ll be examining the provisions of the Final Rule and what violators can expect should they fail to comply with these conditions.
Information blocking occurs when IT developers or providers knowingly block the easy flow of patient health records. The Cures Act defines this as: “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electronic health information.”
In an ideal healthcare ecosystem, fetching patient records should be as easy as sending a query through a Health Information Network, or similar secure exchange. However, not-so-accommodating IT systems and vendors can often complicate the process of accessing this health data, primarily due to misaligned incentives. If you’re an established IT vendor in America, why would you want patients to own their own data and have the freedom to take it to other vendors?
When provider A is required to pay a hefty fee to retrieve information from provider B for continuing care, or is subject to otherwise complex consent processes, these and other practices can constitute information blocking. In a 2021 survey of non-federal acute care hospitals, the ONC found that 40% of hospitals reported observing practices classified as information blocking.
Information blocking is a major hurdle standing in the way of interoperability between health systems. This practice repeatedly undermines the careful measures instituted by legislation like the Health Insurance Portability and Accountability Act (HIPAA), which grants patients the right to view and obtain a copy of their health information, while giving individuals control over who can use and access their data under its Privacy Rule. To realize the full potential of data exchange in clinical settings, measures like monetary penalties are needed to discourage blocking activities.
While the Cures Act made provisions for information blocking in data exchange, the Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology issued a final rule in 2020 that laid out what constitutes this practice. With the HHS clarifying the scope of information blocking, the HHS Office of Inspector General (OIG) has thrown some muscle into this provision by publishing its Final Rule, which implements penalties for violating the Information Blocking Rule.
The final rule has its sights set on a few key players commonly responsible for information blocking in clinical settings. Health IT developers, Health Information Exchanges (HIEs), and Health Information Networks (HINs) are the main actors subject to civil monetary penalties (CMPs) should they engage in blocking health record access. Notably absent are healthcare providers, who can play a leading role in hoarding patient information.
However, this is not to exclude providers from any liability for information blocking. Should a provider meet the definition of an IT developer, HIN, or HIE, they may come under this rule. Until then, plans are underway for a separate rule to discourage and penalize providers participating in blocking.
Information blocking can happen in any number of ways. In particular, the ONC recognizes examples like developers making the process of exporting EHI difficult for providers, or charging other app developers a hefty fee to run applications on their platform. Other examples arise where HINs prevent data transmission to entities not participating in their network, or where a health system wrongly refuses to exchange health information with outside providers.
This kind of conduct will come under investigation by the OIG, with actions that result in or have the potential to cause harm to the patient prioritized in its inquiries. Also top of its investigation list are actors that engage in information blocking deliberately, or in a way that considerably affects a provider’s care for patients. Long-term information blocking, and actions that cause financial loss to Federal healthcare programs or to other government and private entities, will also come under investigation by the OIG.
The OIG Final Rule has specific metrics for determining information-blocking activities. For instance, where a single action by a healthcare actor prevents access to the EHI of several patients, this singular act will be considered one violation. However, we should note that the number of patients affected by this activity will play a determining role in how much the actor will be fined. If an actor takes different actions that interfere with record access, then each act will be considered a separate violation. These separate offenses can add up very quickly, a point that should discourage large-scale organizations from simply building information-blocking penalties into their budget.
As mentioned, a violator’s liability will usually depend on factors like the nature and extent of the information blocking, how much harm was caused, plus the number of days this violation persisted. While there is no baseline or minimum penalty to be imposed for information blocking, the Cures Act limits the penalties the OIG can impose to no more than $1 million per violation.
The health industry is finally pulling out the big guns against information-blocking through the OIG Final Rule. But while the civil money penalties are the primary measures against this practice, we can expect more policies to curb blocking as the office becomes more adept at investigating and penalizing violations, especially as it concerns provider missteps.
Enforcement of the Final Rule began on September 1, 2023, and is a step in the right direction for furthering interoperability in healthcare.