HHS on Information Blocking Rule Enforcement: Stay TunedFinal Rule on Penalties for Violators of Regs Expected This Month - Or Is It?
While a final rule for enforcement of the 21st Century Cures Act information blocking regulations is slated to be issued this month, federal regulators are still uncertain that timeline will stick, or when other related unresolved details - such as potential disincentives for healthcare providers that violate the provisions - will be disclosed.
The Department of Health and Human Services' information blocking rule, which went into effect for compliance in April, generally prohibits healthcare providers, health IT developers and health information exchanges from knowingly interfering with the access, exchange or use of electronic health information.
For instance, under the regulations, healthcare providers, developers of certified health IT and health information exchanges and networks must allow patients to access their electronic health information from an application of their choice.
Enforcement of the information blocking regulations by the HHS Office of Inspector General is still pending.
OMB's regulatory affairs website indicates that HHS OIG had planned to issue its final rule for enforcement this month, but that is not guaranteed.
"There is an [enforcement] draft rule out there, and [HHS OIG] has indicated in the schedule that they provided to the Office of Management and Budget that they expect to have their final rule out in September, but that is not binding," said Micky Tripathi, leader of HHS' Office of the National Coordinator for Health IT during a briefing with media on Thursday.
"We don't know anything more about that and we certainly don't want to comment on another agency's rule," he said.
Under the 21st Century Cures Act regulations, HHS ONC set policy for the information blocking provisions - including developing eight exceptions - among them, one pertaining to privacy and one to security - that spell out practices that are not considered information blocking.
Compliance with the information blocking regulations went into effect for health information exchange organizations, certified health IT vendors and healthcare providers in April.
A year earlier, however, in April 2020, the HHS OIG issued a proposed enforcement rule for the information blocking regulations and elicited public comment.
Under that proposal, health information exchange organizations and certified health IT vendors face civil monetary penalties up to $1 million per information blocking violation.
But the enforcement penalties – or disincentives - for healthcare providers that violate the information blocking regulations are to be spelled out by HHS' office of the secretary and various HHS agencies, such as ONC and the Office for Civil Rights, HHS OIG said.
"Any healthcare provider determined by OIG to have committed information blocking shall be referred to the appropriate [HHS] agency to be subject to appropriate disincentives," the proposed rule says.
For instance, complaints of information blocking committed by a healthcare provider might also trigger a review by HHS' OCR, which enforces HIPAA - including HIPAA's patient right of access provision.
"The 21st Century Cures Act states that OIG may refer instances of information blocking to OCR where a consultation regarding the health privacy and security rules under HIPAA will resolve such information blocking claims," the proposed rule says.
Tripathi says ONC is working with the HHS' office of the secretary and other HHS agencies to help determine disincentives for providers that are found to be in violation.
Penalizing Healthcare Providers
So what kinds of potential disincentives will healthcare providers face?
"The Cures Act requires HHS to use disincentives under existing statutory authority with respect to healthcare providers, but it is difficult to find existing authority that impacts all healthcare providers governed by the information blocking rule," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"HHS could potentially reduce federal reimbursement payments or even leverage conditions of participation in federal programs, but it’s not clear how they can impact healthcare providers that do not participate in Medicare, Medicaid, or other federal programs," he says.
"Anyone offering predictions as to what the potential disincentives might be at this point, I believe, is just speculating," says regulatory attorney Helen Oscislawski of the law firm Attorneys at Oscislawski.
For instance, during HHS OIG's rule-making process last spring, public feedback on the types of disincentives HHS should consider for healthcare providers ranged from recommendations of civil monetary penalties to merely requiring corrective action with no other consequence, she notes.
But in any case, it's important that HHS tie up loose ends regarding the information blocking regulations, she says. "Enforcement is necessary to get meaningful compliance."
Greene says he expect that health IT vendors will feel the biggest effects of the enforcement.
"With respect to healthcare providers and patient access, providers are already subject to overlapping enforcement under HIPAA, and it will be difficult for the government to bring an information blocking rule enforcement action that proves that a provider knew a practice to be unreasonable," he says.
"In contrast, there may be more opportunities to bring enforcement actions against health IT vendors for practices that interfere with access, exchange, or use of electronic health information but do not run afoul of HIPAA, and the information blocking rule’s knowledge standard is significantly lower for health IT vendors, making for stronger enforcement cases," he adds.
Information Blocking Complaints
For its part of the process, ONC takes in information blocking complaints through a public website and passes them to OIG for a case-by-case determination for potential enforcement action, Tripathi says.
"There is one little nuance in that: For the extent there is a [complaint] related to a certified [health IT] vendor, and it implicates their conditions of [product] certification, that also could mean that ONC could get involved in enforcement as well," Tripathi says.
While ONC has received information blocking complaints since the compliance deadline kicked in, the agency on Thursday did not have a total or an assessment of the number or kinds of complaints that have been submitted.
"We are working on being able to release some information on the number of complaints that we hope to have shortly," Tripathi says.
HHS OIG did not immediately respond to an Information Security Media Group request for clarification about its timeline for issuing a final enforcement rule.