This is intended to be a living document and will be updated as news comes out about final enforcement information.
This work is a professional practice analysis of the OIG CMP Enforcement Final Rule published officially on July 03, 2023. This FAQ is for our customers, prospects and any other interested parties. The information in this document is not and should not be used as legal advice; for that, consult a knowledgeable attorney. This work is a professional practice document meant to further the current level of knowledge about these rules. Because this is a new rule with almost no interpretation other than what is included in the rule itself, some of the FAQs may be in error; if so, the errors are unintentional. This document is intended to address the information blocking rules within it, not the other two areas addressed: the fraud and abuse elements and the Bipartisan Budget Act elements. Those may relate to information blocking but are not addressed within this document.
I highly recommend all parties, especially providers of care, understand all the ramifications, including these rules as they implement the Cures Act, at this point especially in relation to certified Health IT Vendors (EHR) and HIEs and HINs, given the potential risk from $1,000,000 CMPs. One of the best ways to gain full understanding from a legal perspective is to consult your knowledgeable legal counsel.
For a primer on the Cures Act generally, please visit our recent Cures Act overview blog. If you have any questions or additions for this document, please contact us at CompliancePro Solutions.
-- Kelly McLendon, RHIA, CHPS
FAQ Contents
- Name of Rule – Introductory Information
- Final Rule Effective Date
- Summary
- Link to Official OIG Information Blocking Enforcement Final Rule
- Who the OIG Final Rule Applies To
- Why and What is the OIG CMP Final Rule About?
- Penalties under the Final Rule (CMP)
- Violations – Timing
- Enforcement Priorities
- Investigative Process
- HIPAA, The Cures Act and State Law Intertwine
- HIPAA – OCR Coordination
- Compliance Documentation and Retention
- Examples Illustrating Violations From OIG
- Definitions and References
- Disclaimer and Author’s Notes
Name of Rule – Introductory Information
DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of Inspector General - 42 CFR Parts 1003 and 1005 RIN 0936-AA09: Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules.
AGENCY: Office of Inspector General (OIG), Department of Health and Human Services (HHS)
ACTION: Final Rule
Final Rule Effective Date
September 1, 2023
Summary
Quick Summary:
This rule from one of the most powerful enforcement arms of the US Federal government is important for several reasons, but primarily because it establishes an infrastructure for enforcing portions of the Cures Act that have previously not been enforced. The penalties it prescribes are potentially in the seven to eight figure range ($1M per violation), which adds an entirely new element of risk to organizations that may fall under its purview.
This final rule amends the civil monetary penalty (CMP) regulations of the Department of Health and Human Services (HHS) Office of Inspector General (OIG) to incorporate new CMP authority for information blocking; incorporate new authorities for CMPs, assessments, and exclusions related to HHS grants, contracts, other agreements; and increase the maximum penalties for certain CMP violations.
Summary:
Section 4004 of the Cures Act added section 3022 to the PHSA, 42 U.S.C. 300jj-52 which, among other provisions, provides OIG the authority to investigate claims of information blocking and authorizes the Secretary to impose CMPs against a defined set of individuals and entities that OIG determines committed information blocking. Information blocking poses a threat to patient safety and undermines efforts by providers, payers, and others to make the health system more efficient and effective. Information blocking may also constitute an element of a fraud scheme, such as by forcing unnecessary tests or conditioning information exchange on referrals.
The ONC Final Rule implements certain Cures Act information blocking provisions, including defining terms and establishing reasonable and necessary activities that do not constitute information blocking or ‘exceptions’ to the definition of information blocking.
OIG and ONC have coordinated extensively on the ONC Final Rule and this final rule to align both sets of regulations. As proposed, we incorporate by reference the regulatory definitions and exceptions in ONC’s regulations at 45 CFR part 171 related to information blocking as the basis for imposing CMPs and determining the amount of penalty imposed.
Link to Official OIG Information Blocking Enforcement Final Rule
Who the OIG Final Rule Applies To
Section 3022(b)(2)(A) authorizes the Secretary to impose CMPs not to exceed $1 million per violation on health IT developers of certified health IT or other entities offering certified health IT, HIEs, and HINs that OIG determines, following an investigation, committed information blocking. Section 3022(b)(2)(A) also provides that a determination of the CMP amounts shall consider factors such as the nature and extent of the information blocking and harm resulting from such information blocking including, where applicable, the number of patients affected, the number of providers affected, and the number of days the information blocking persisted.
Furthermore, section 3022(b)(2)(B) of the PHSA provides that any health care provider determined by OIG to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary of HHS sets forth through notice and comment rulemaking. This final rule does not implement section 3022(b)(2)(B) of the PHSA.
However, a health IT developer of certified health IT, HIE, or HIN as defined in 45 CFR 171.102 determined by OIG to have committed information blocking could be subject to CMPs under this final rule even if that entity also met the definition of a health care provider at 45 CFR 171.102.
For additional discussion related to health care providers that meet a definition of an actor subject to CMPs, see section IV.A.3. of the rule’s preamble.
Based on the ONC final rule and depending on the specific facts and circumstances, public health institutions, clinical data registries, public health agencies, health plans, and health care providers could meet the definition of an HIN/HIE. As part of their assessment of whether a health care provider or other entity is an HIN/HIE that could be subject to CMPs for information blocking, OIG anticipates engaging with the health care provider or other entity to better understand its functions and to offer the provider an opportunity to explain why it is not an HIN/HIE.
Although OIG has the authority to investigate an information blocking violation by a healthcare provider, the agency has no statutory authority to impose a CMP on a healthcare provider. Therefore, the Final Rule discussed in this document applies only to providers that meet the wider definition listed above.
Instead, ONC is tasked with implementing regulations to establish ‘appropriate disincentives’ for healthcare provider violations. These have not been created yet; it is unknown what they will be, but they are promised to be out this fall (as of July 2023).
In making a fact-specific assessment of whether an individual or entity meets the definition of an HIN/HIE in 45 CFR 171.102, we would assess whether the individual or entity determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of EHI among two or more unaffiliated entities (other than the individual or entity that is the subject of the allegation) that are enabled to exchange with each other for a treatment, payment, or health care operations purpose as such terms are defined in 45 CFR 164.501.
As stated in the ONC Final Rule, the definition of HIN/HIE in 45 CFR 171.102 does not cover bilateral exchanges in which an intermediary is simply performing a service on behalf of one entity in providing EHI to another entity or multiple entities and no actual exchange is taking place among all entities. This would seem to exclude coverage of Business Associate type companies, for example Release of Information companies. Of course, legal counsel would have to confirm.
Why and What is the OIG CMP Final Rule About?
ONC’s information blocking regulations at 45 CFR part 171 and the OIG CMP regulation at 42 CFR 1003, subpart N are designed to work in tandem. As a result, we encourage parties to read this final rule together with the ONC Final Rule. The ONC Final Rule defined “information blocking”—and specific terms related to information blocking—as well as implemented exceptions to the definition of information blocking. This final rule describes the parameters and procedures applicable to the CMP for information blocking.
Under the definition from the Cures Act, conduct that constitutes information blocking is a practice by an Actor that is likely to interfere with the access, exchange or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.
Court orders, subpoenas and other legally ordained requirements for disclosure of PHI or EHI are required as always.
In the context of information blocking, the Cures Act authorizes CMPs (civil monetary penalties) for any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) if the practice is conducted by an entity that is:
- A developer of certified health information technology (IT)
- Offering certified health IT
- A health information exchange (HIE), or
- A health information network (HIN)
and the entity knows or should know that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.
The Cures Act has established two distinct ‘knowledge standards’ for actors’ practices that can fall into the definition of information blocking:
- For the entities above, the law’s standard is that the actor knows, or should know, that a practice is likely to interfere with the access, exchange or use of EHI. Note this is the first type of knowledge required for information blocking: for these groups, a practice can be information blocking if they knew or should have known that it would lead to interference.
- For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and likely to interfere with the access, exchange or use of EHI.
Per OIG, information blocking poses a threat to patient safety and undermines efforts by providers, payers, and others to make the health system more efficient and effective. It may also constitute an element of a fraud scheme, such as by forcing unnecessary tests or conditioning information exchange on referrals.
A healthcare provider must provide a clear explanation for any limitations they impose on access to EHI and must make a good faith effort to provide access to as much EHI as possible.
Healthcare providers are also required to make available any information blocking policies or procedures that they have in place, and to provide patients with information on how to file a complaint if they believe that their access to EHI has been improperly limited or blocked.
Penalties under the Final Rule (CMP)
Section 3022(b)(2)(A) authorizes the Secretary to impose CMPs not to exceed $1 million per violation on Health IT Developers of Certified Health IT or Other Entities offering Certified Health IT, HIEs, and HINs that OIG determines, following an investigation, committed Information Blocking.
It also provides that a determination of the CMP amounts shall consider factors such as:
- The nature and extent of the Information Blocking, and
- Harm resulting from such Information Blocking including, where applicable:
  - The number of patients affected
  - The number of providers affected, and
  - The number of days the information blocking persisted
Violations – Timing
OIG has indicated that the timing for violations starts upon implementation of the final rule, September 1, 2023, with no lookback period.
Neither OIG nor ONC proposed, and therefore this rule does not finalize, specific criteria that they would use to identify single vs multiple violations, because they do not have enough information or experience with information blocking enforcement to allow them to establish a set of criteria that could apply uniformly to all information blocking allegations.
Enforcement Priorities
Enforcement budgets are not unlimited; therefore OIG’s and ONC’s resources will have to be marshalled and managed. This is made easier in that they choose from complaints which cases are investigated and enforced upon; they are not required to investigate all complaints, as OCR (the Office for Civil Rights) must for HIPAA Privacy and Security.
OIG maintains discretion in evaluating what claims to investigate and when to impose CMPs. OIG is not required to—and does not expect to be able to—investigate every allegation it receives.
OIG provided an explanation so that the public and stakeholders may have a better understanding of how they anticipate allocating their resources to enforce the CMP for information blocking. Prioritization ensures OIG can effectively allocate its (somewhat limited?) resources to target information blocking allegations that have more negative effects on patients, providers, and health care programs.
Their enforcement priorities will inform their decisions about which information blocking allegations to pursue, but these priorities are not dispositive. Each allegation will present unique facts and circumstances that must be assessed individually. Each allegation will be assessed to determine whether it implicates one or more of the enforcement priorities, or otherwise merits further investigation and potential enforcement action. There is no specific formula they can apply to every allegation that allows OIG to effectively evaluate and prioritize which claims merit investigation.
OIG reaffirmed their information blocking enforcement priorities as conduct that:
- Resulted in, is causing, or had the potential to cause patient harm
- Significantly impacted a provider’s ability to care for patients
- Was of long duration
- Caused financial loss to Federal health care programs, or other government or private entities; or
- Was performed with actual knowledge
OIG explained that they will select cases for investigation based on these priorities and expect that the enforcement priorities will evolve as OIG gains more experience investigating information blocking.
OIG’s enforcement priorities are a tool used to triage allegations and allocate resources. They can and do expect to investigate allegations of other information blocking conduct not covered by the priorities. If conduct or patterns of conduct raise concerns, OIG may choose to investigate those allegations. As they gain more experience with investigating information blocking, they will reassess their priorities accordingly. For example, as patients continue to adopt and use technology to access their EHI, the number of patients that will request their EHI directly from a health IT developer of certified health IT or HIE may increase. That may generate more allegations related to patient access to their EHI.
OIG clarified that their anticipated priority relating to patient harm is not specific to individual harm, but rather may broadly encompass harm to a patient population, community, or the public. Additionally, with respect to OIG’s anticipated priority relating to actual knowledge, they note that health IT developers of certified health IT and health information exchanges and networks do not have to have actual knowledge to commit information blocking.
Intent and knowledge are cornerstones of OIG’s enforcement prioritization. They believe the conduct of someone who has actual knowledge is generally more egregious than the conduct of someone who only should know that their practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. As a general matter, they say they would likely prioritize cases in which an actor has actual knowledge over cases in which the actor only should have known that the practice was likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.
Their current anticipated enforcement priorities may lead to investigations of anti-competitive conduct or unreasonable business practices. The ONC Final Rule provides, as examples, conduct that may implicate the information blocking provision, anti-competitive or unreasonable conduct, such as unconscionable or one-sided business terms for the access, exchange, or use of EHI, or the licensing of an interoperability element.
For example, a contract containing unconscionable terms related to sharing of patient data could be anti-competitive conduct that impedes a provider’s ability to care for patients. A claim of such conduct would implicate OIG’s enforcement priority related to a provider’s ability to care for patients. Anti-competitive conduct resulting in information blocking could implicate other enforcement priorities as well, depending on the facts.
If investigations into alleged information blocking suggest a health care provider may be out of compliance with CMS programmatic requirements, OIG may refer such matters to CMS.
Self-disclosure is a very important part of a corrective action process, and OIG created some guidance and is creating a website for self-disclosures. Information blocking is newly regulated conduct, and OIG has not created an SDP (self-disclosure to OIG of information blocking violations) specifically for information blocking; however, after the publication of this rule, OIG will add an information blocking SDP, including an online submission form, and other processes, to OIG’s existing SDP.
OIG understands many stakeholders may not be familiar with OIG’s current SDP, and they provide the following information regarding the forthcoming information blocking SDP and self-disclosure process. The information blocking SDP will provide actors with a framework and mechanism for evaluating, disclosing, coordinating, and resolving CMP liability for conduct that constitutes information blocking.
When posted on their website, OIG’s SDP will explain: (1) eligibility criteria, (2) manner and format, (3) required contents of a submission, and (4) expected resolution of the matter. The information blocking SDP will be available only to those actors seeking to resolve potential CMP liability.
Investigative Process
OIG explained its goal that the CMP be “fair, reasonable, and commensurate with the conduct so that wrongdoers are held accountable and future information blocking conduct is deterred.” As a result, the OIG will use a fact-specific approach to assessing penalties — including consideration of aggravating and mitigating factors — instead of a one-size-fits-all formula or threshold.
The OIG notes in the preamble that information blocking is novel and that it has limited experience in this area, and, as a result, it is only adopting the aggravating and mitigating factors set forth in the Cures Act. These statutory factors, which are now part of the CMP Final Rule, require the OIG to consider the nature and extent of the information blocking, as well as the harm resulting from the information blocking, including, where applicable, the number of patients affected, the number of providers affected, and the number of days the information blocking persisted.
The OIG noted that it is required under the CMPL to consider certain general factors, including the nature of the claims and the circumstances in which they are presented; the degree of culpability, history of prior offenses, and financial condition of the person presenting the claims; and such other matters as justice may require. See 42 U.S.C. § 1320a–7a(d).
OIG expects that the maximum $1 million per violation penalty would apply to particularly egregious conduct. It declined to adopt specific criteria that it would use to identify single or multiple violations because it does not have enough information or experience with information blocking enforcement to establish uniform criteria. However, in response to certain hypotheticals, the OIG appears to have treated each impermissibly denied request as its own violation. Readers are encouraged to review pages 42830-42832 of the CMP Final Rule for the OIG’s discussion of various hypotheticals.
Whenever OIG proposes to impose CMPs for information blocking, the actor will have the opportunity to appeal the CMPs. That appeal will be heard by an administrative law judge (ALJ) and governed by the procedures set forth in 42 CFR part 1005.
42 CFR 1005.7 addresses discovery and allows each party to request that the other party produce nonprivileged documents that are relevant and material to the issues before the ALJ for inspection and copying. If the other party objects to producing the requested documents, the party requesting the documents can ask the ALJ to compel discovery.
The discovery regulations that will apply to appeals of CMPs for information blocking are the same regulations that have applied to existing CMPL administrative litigation. These regulations and this process have been approved by administrative tribunals and Federal courts. OIG provides limited discovery in their CMP cases even though it is not required in administrative proceedings at all.
Additionally, the vast bulk of material and relevant evidence (i.e., evidence relating to whether the actor committed information blocking) will come from the actor whose conduct is at issue and not the government.
HIPAA, The Cures Act and State Law Intertwine
There is so much intertwining of the HIPAA and Cures Act rules that it is difficult to gauge how they will interplay in enforcement. Here is some assistance in sorting the interactions. Remember that HIPAA is not covered under this final rule, but has its own enforcement, not discussed in this document. Also, remember that State Breach and Privacy laws, as well as other specific laws, could also come into play.
A covered entity (CE) under HIPAA may deny a request for access by a patient or their personal representative to protected health information (PHI) under certain limited circumstances. Under HIPAA the limited circumstances under which a request for access by a patient or their personal representative may be denied include:
- Psychotherapy notes: Covered entities are not required to provide access to psychotherapy notes, which are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session.
- Information compiled for legal proceedings: Covered entities may deny access to information that is created for the purpose of legal proceedings, such as attorney-client privileged communications.
- Information prohibited by law: Covered entities may deny access to PHI if providing access would be prohibited by another law.
- Information that may cause harm: Covered entities may deny access to PHI if they reasonably believe that providing access would endanger the life or physical safety of the individual or another person.
While there are various timers for HIPAA, they are typically in increments of 30 days, which is too long these days and can be seen as a barrier, which is also forbidden.
Under HIPAA the CE must provide a written denial and explanation of the denial to the individual, along with information on how to request a review of the denial.
Under the 21st Century Cures Act information blocking rules, healthcare providers and other covered entities may only deny a request for access to EHI under certain limited circumstances, and EHI must be made accessible to individuals, their personal representatives, and other authorized parties (other providers, payers, care givers and family members, researchers, public health authorities) without unreasonable delay and in the manner requested by the individual, except in certain limited circumstances. The exceptions under which a request for access may be denied (called ‘Information Blocking Exceptions’ by the rules; there are 8 in total) include:
Figure 1: HealthIT.gov Information Blocking: https://www.healthit.gov/topic/information-blocking
Information Blocking Exceptions
- The Preventing Harm Exception
  - A healthcare provider may limit the access to EHI if they believe that providing access could reasonably result in harm to the individual or another person.
  - Providers of care may be zealous in the use of this exception and its use must be monitored and controlled by compliance.
  - Be aware that Information Blocking software from EHR vendors often centers around this and perhaps a few other exceptions.
  - Understanding and appropriately managing configuration of EHRs with information blocking tools is mandatory, but it is also complex and to be undertaken with care.
- The Privacy Exception
  - A healthcare provider may limit access to EHI if they reasonably believe that providing access would violate the privacy of another person.
  - To be used if there is a HIPAA Privacy rule reason not to provide the access; this is where the two rules tie together directly.
  - From now on, if a request is denied, an information blocking exception should be invoked.
- The Security Exception
  - A healthcare provider may limit access to EHI if they reasonably believe that providing access would pose a security risk to the EHI or to other systems that are part of the electronic health record ecosystem.
  - However, automated requests for access using APIs and FHIR Access Requests using Security Ops SMART on FHIR, APIs, OAuth2, OpenID Connect (OIDC) and CDex type tools are viewed by the regulators as rarely being cause for this exception to be invoked. Although there are other reasons it may be invoked, do so with care. See the next item below.
  - The ONC Final Rule states that ‘for certified API technology (e.g., a Health IT Module certified to § 170.315(g)(10)), which includes the use of OAuth2 among other security requirements (see, e.g., 85 FR 25741) in addition to its focus on ‘read-only’/responses to requests for EHI to be transmitted, there should be few, if any, security concerns about the risks posed by patient-facing apps to the disclosing actor’s health IT systems (because the apps would only be permitted to receive EHI at the patient’s decision)’.
  - Again, this is an area where the HIPAA Security rule can tie to the Information Blocking rules directly.
- The Infeasibility Exception
  - A healthcare provider may limit access to EHI if the request is not technically feasible or if providing access would require unreasonable effort or resources.
  - To be used when there is no ‘reasonable’ way to provide the information in the format required by the requestor.
- Content and Manner Exception
  - Another information blocking exception that can be used when there is misalignment between a requested disclosure in manner and form and the ability of an actor to provide the requested information in that format and by the specified manner. Alternatives must be explored and conditions met for this exception to be invoked.
With the Cures Act and other State laws intertwining, processes for disclosure of PHI and EHI are changing. When a denial of a request is made, be it a patient request, a TPO request or other data exchange, the documentation must be made available without unreasonable delay, just like the requested records would have to be. The reasons for the denial must be documented, policies and procedures must be made available, and information on where the parties can complain must be provided. Whether the actual language of the information blocking exception(s) invoked has to be delivered to the requestor has not been established in practice as of yet.
Don’t forget to create systems to log and manage the invocation and maybe revocation of these exceptions as they are conditional and require specific documentation for compliance.
As a matter of process, there is no information provided in the OIG final rule about revoking a previously invoked information blocking exception (nor is it expected to be in this rule, as it’s not addressed in the ONC or CMS Cures Act Rules at this time). This will be defined over the course of developing good industry practices.
HIPAA – OCR Coordination
The Cures Act identifies ways for ONC, the Office for Civil Rights (OCR), and OIG to consult, refer, and coordinate. For example, section 3022(b)(3) of the PHSA states that OIG may refer instances of information blocking to OCR when a consultation regarding the health privacy and security rules promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will resolve such information blocking claims.
OIG’s approach to enforcement will focus on information blocking allegations/complaints that pose greater risk to patients, providers, and health care programs, as well as OIG’s anticipated consultation and coordination with the Office of the National Coordinator for Health Information Technology (ONC) and other agencies (such as OCR for HIPAA), as appropriate, in reviewing and investigating allegations of information blocking. In other words, OIG will be working with other investigations; as these arise, say within OCR for a HIPAA violation, if there is a suspected information blocking allegation, OIG can come in and investigate and levy CMPs, if appropriate.
Exempt from the definition of Information Blocking are practices required by law. Therefore, if a Practice is required by Privacy or Security laws, it does not constitute Information Blocking. However, Privacy and Security standards that are not required by law (such as trade best practices or voluntary industry standards) would not be exempt from the definition of information blocking, unless an exception applies.
Compliance Documentation and Retention
Remember that Information Blocking compliance activities require documentation. OIG did not propose and is not finalizing a record retention requirement specific to the CMP for Information Blocking. Furthermore, the Final Rule does not provide additional guidance regarding which documents are required to demonstrate compliance with an ONC exception for Information Blocking because that is outside the scope of this rule and OIG’s authority.
OIG will consider any documentation provided by an actor during an investigation to evaluate whether a practice constitutes Information Blocking.
OIG has 6 years from the date an actor committed a practice that constitutes information blocking to impose a CMP. Even though OIG may commence an action to impose CMPs up to 6 years after the date of a violation, an actor may want to maintain information for additional time beyond 6 years.
In an indication that all manner of compliance documentation related to the Cures Act, and Information Blocking in particular, is extremely important, OIG reminds actors that in a CMP enforcement action they bear the burden of proof for affirmative defenses and mitigating circumstances by a preponderance of the evidence. Therefore, the more documentation you can produce in your favor, the better your potential for more positive outcomes.
How an actor meets that burden may depend, in part, on records or documentation they maintain. For example, a party may choose to maintain documents demonstrating they meet a specific exception in the information blocking regulations in 45 CFR part 171.
Furthermore, the ONC final rule did not establish record retention requirements for actors to maintain documents relating to an exception for a specified period. Although ONC did not set record retention duration requirements, ONC explained that many exceptions with documentation conditions are related to other existing regulatory requirements that have document retention standards. For example, the Security Exception at 45 CFR 171.203 is closely aligned to the HIPAA Security Rule, which has a six-year documentation retention requirement.
OIG also notes that the ONC final rule established records and information retention requirements for health IT developers of certified Health IT as part of the ONC Health IT Certification Program. The Maintenance of Certification requirement at 45 CFR 170.402(b) generally requires a health IT developer participating in the ONC Health IT Certification Program to retain all records and information necessary to demonstrate initial and ongoing compliance with the requirements of the ONC Health IT Certification Program for a period of 10 years beginning from the date of certification.
Examples Illustrating Violations From OIG
Pages 42830 - 42832 of the Information Blocking Enforcement Final Rule contain OIG’s discussion of various hypotheticals. I will only list two of them, but they do seem to be able to levy stacked CMP amounts from multiple violations.
- A health IT developer (D1) connects to an API supplied by a health IT developer of certified health IT (D2). D2’s API has been certified to 45 CFR 170.315(g)(10) (standardized API for patient and population services) of the ONC Certification Program and is subject to the ONC Condition of Certification requirements at 45 CFR 170.404 (certified API technology). A health care provider using D1’s health IT makes a single request to receive EHI for a single patient via D2’s certified API technology. D2 denies this request. OIG would consider this a single violation by D2 affecting a single patient. The violation would consist of D2’s denial of the request to exchange EHI to the provider through D2’s certified API.
- A health care provider using technology from a health IT developer (D1) makes a single request to receive EHI for 10 patients through the certified API technology of a health IT developer of health IT (D2). D2 takes a single action to prevent the provider from receiving any patients’ information via the API. OIG would consider this as a single violation affecting multiple patients. This is a single violation as D2 took a single action to deny all requests from the provider. The number of patients affected by the violation would be considered when determining the amount of the CMP.
Definitions and References
Important Introductory Definitions from § 300jj - Definitions
These definitions are key to understanding which organizations may fall under the enforcement provisions of the June 2023 ONC Final Rule on Information Blocking enforcement, in my opinion especially for Providers of Care.
Per OIG: They will use the definitions in ONC regulations at 45 CFR 171.102 and any guidance issued by ONC when evaluating whether an individual or entity meets the definition of HIN/HIE. Such determinations are individualized and highly dependent on the facts and circumstances presented. Because the ONC definition of HIE/HIN is a functional definition that does not specifically include or exclude any particular individuals or entities, OIG says they cannot establish in this final rule whether specific individuals or entities or categories of individuals or entities would meet the definition of HIN/HIE.
Definition of Healthcare Provider used by OIG in these ONC definitions as pulled from the new FR Summary:
On May 1, 2020, ONC published a final rule, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (ONC Final Rule), in the Federal Register. 85 FR 25642, May 1, 2020. Among other things, ONC through the ONC Final Rule promulgated the information blocking regulations defining information blocking and establishing exceptions to that definition. OIG’s final rule incorporates by reference the relevant information blocking regulations at 45 CFR part 171 as the basis for imposing CMPs for information blocking.
Definition of Healthcare Provider used by OIG in these ONC definitions:
(3) Health care provider. The term “health care provider” includes a hospital, skilled nursing facility, nursing facility, home health entity or other long term care facility, health care clinic, community mental health center (as defined in section 300x–2(b)(1) of this title), renal dialysis facility, blood center, ambulatory surgical center described in section 1395l(i) of this title, emergency medical services provider, Federally qualified health center, group practice, a pharmacist, a pharmacy, a laboratory, a physician (as defined in section 1395x(r) of this title), a practitioner (as described in section 1395u(b)(18)(C) of this title), a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act [25 U.S.C. 5301 et seq.]), tribal organization, or urban Indian organization (as defined in section 1603 of title 25), a rural health clinic, a covered entity under section 256b of this title, an ambulatory surgical center described in section 1395l(i) of this title, a therapist (as defined in section 1395w–4(k)(3)(B)(iii) of this title), and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the Secretary.
Definition of HIE and HIN: Title 45 —Public Welfare Subtitle A —Department of Health and Human Services Subchapter D —Health Information Technology Part 171 —Information Blocking (Cures Act)
Subpart A —General Provisions §171.102
Health information network or health information exchange means an individual or entity that determines, controls, or has the discretion to administer any requirement, policy, or agreement that permits, enables, or requires the use of any technology or services for access, exchange, or use of electronic health information:
(1) Among more than two unaffiliated individuals or entities (other than the individual or entity to which this definition might apply) that are enabled to exchange with each other; and
(2) That is for a treatment, payment, or health care operations purpose, as such terms are defined in 45 CFR 164.501, regardless of whether such individuals or entities are subject to the requirements of 45 CFR parts 160 and 164.
The final rule adds the information blocking CMP authority to the existing regulatory framework for the imposition and appeal of CMPs, assessments, and exclusions (42 CFR parts 1003 and 1005) pursuant to section 3022(b)(2)(C) of the PHSA (42 U.S.C. 300jj-52(b)(2)(C)). The amendments give individuals and entities subject to CMPs for information blocking the same procedural rights that currently exist under 42 CFR parts 1003 and 1005. Through this final rule, we codify this new information blocking authority at 42 CFR 1003.1400, 1003.1410, and 1003.1420.
OIG will provide additional information on its website regarding the SDP (self-disclosure) for information blocking after publication of the final rule. However, before such information is posted, OIG will accept self-disclosure of information blocking conduct. OIG refers actors to section IV.A.5 of the preamble, which describes how OIG will evaluate disclosure of violations and cooperation with investigations. Specifically, it is a mitigating circumstance under the factors at 42 CFR 1003.140(a)(2) for an actor to take appropriate and timely corrective action in response to a violation. Timely corrective action includes disclosing information blocking violations to OIG and fully cooperating with OIG’s review and resolution of such disclosure.