It's time for healthcare entities to take information blocking rules and regulations seriously. After all, there could be a million-dollar fine on the line.
ONC's 2020 Cures Act Final Rule implemented key provisions of the 21st Century Cures Act to advance health data interoperability, including the prohibition of information blocking, which refers to preventing or interfering with the access, exchange, or use of electronic health information (EHI).
However, without a practical enforcement mechanism for the regulation, information blocking has persisted since the final rule's enactment in April 2021.
According to an ONC survey, over 40 percent of nonfederal acute care hospitals observed practices they perceived to constitute information blocking in 2021.
A new final rule from the HHS Office of Inspector General (OIG) outlines information-blocking enforcement policies, which are set to break down data siloes across the healthcare industry to improve care coordination and ensure a competitive marketplace.
Effective September 1, 2023, OIG has the authority to investigate reports of information blocking across certified health IT developers, companies that resell certified health IT, health information networks, and health information exchanges (HIEs).
Stakeholders could be subject to up to a $1 million penalty per instance of information blocking.
According to Sean Sullivan, a healthcare regulatory and compliance attorney at Alston & Bird Law Firm's Atlanta office, actors subject to enforcement must closely analyze their data access policies to ensure they follow the information blocking regulations.
"The biggest area of concern is really contractual terms that health information networks, exchanges, and developers of certified health IT put in place that could limit competition," Sullivan told EHRIntelligence in an interview.
For instance, EHR vendors prohibiting hospital clients from using certain vendors to access or use health information constitutes information blocking. A vendor imposing unnecessary licensing terms, fees, training, or waiting periods to prevent access to health records could also be categorized as information blocking.
"If you're a technology company with hospital clients and you make it difficult for the hospital to export their data and then import it into another EHR, then you're protecting your business," Sullivan said. "You're protecting your client from leaving and finding another EHR."
"Even though these technology vendors and health IT companies don't necessarily want to make their information accessible by other health IT vendors because of their concern about competition. Now Congress is telling them, "Well, you must,'" he said.
In its final rule, OIG said it expects to receive more information blocking complaints than it can investigate.
To triage allegations and allot resources, OIG will prioritize cases for investigation that:
- resulted in, is causing, or had the potential to cause patient harm
- significantly impacted a provider's ability to deliver patient care
- were of long-duration
- caused financial loss to federal healthcare programs or other government or private entities
- were performed with actual knowledge
However, Sullivan said that ONC data could also help guide enforcement. When ONC enacted the Cures Act Final Rule in April 2021, it launched an online portal for stakeholders to submit information blocking complaints. As of July 31, 2023, the portal had 821 submissions.
While OIG made it clear in its final rule that it will not enforce any information blocking cases that occurred before September 1, 2023, the backlog of claims could help the agency identify which entities to investigate.
"ONC has a history of who some of these bad actors might be or who has been complained against the most, and I think that's probably where OIG is going to focus first," Sullivan said.
"Anything that could be viewed as interference with access to electronic health information after September 1 can be enforced, and OIG is going to have a lot of hints and a lot of ideas on where to look, based on the complaints that they already have," he added.
While healthcare providers are also beholden to the information blocking provisions, the OIG final rule does not subject them to civil monetary penalties.
"There's a proposed rule from ONC that's targeted for this fall that will establish disincentives for providers for information blocking, but there's still really not any meaningful enforcement on the horizon anytime soon for providers," Sullivan noted.
He suggested that information blocking disincentives for providers could include penalties through CMS.
"If there's information blocking, then CMS could issue some sort of penalty, or it could be something where a provider could undergo an audit and potentially be terminated from the Medicare program," he said.
Since the ONC interoperability rule came out, Sullivan has helped providers examine their data sharing practices to comply with the regulation. Much of this work has focused on how the information blocking provisions relate to the Health Insurance Portability and Accountability Act (HIPAA).
"You still have to think about your existing federal laws under HIPAA and state laws around healthcare data privacy and security, but now the information blocking rules are sitting on top of those in a way that is supposed to be consistent," Sullivan emphasized.
For instance, HIPAA generally requires patient consent to share protected health information (PHI). However, there are several exceptions where patient consent is not mandatory, including if the data exchange is for treatment purposes.
Still, Sullivan noted that many healthcare providers have required patient consent to share PHI for treatment purposes despite the HIPPA exception.
However, since obtaining this consent is unnecessary and potentially interferes with a valid request for health information, this act could constitute information blocking.
Other examples of provider-initiated information blocking include not providing patients access to all their health information or not responding to record requests within the 30-day time frame outlined by HIPAA.