The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS-OIG Final Rule Authorizes Information Blocking Penalties of up to $1 Million for Health IT Vendors

Posted By on Jun 29, 2023

The civil monetary penalties for health IT companies that are found to be engaging in information blocking have been finalized. Fines of up to $1 million can be imposed per violation.

In 2016, the 21st Century Cures Act made sharing electronic health information the expected norm in healthcare and authorized the Secretary of the Department of Health and Human Services (HHS) to identify reasonable and necessary activities that do not constitute information blocking. In 2020, the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) established information blocking provisions and exceptions in the 21st Century Cures Act Final Rule, and new civil monetary penalties were proposed for enforcement. The HHS’ Office of Inspector General (HHS-OIG) has now issued a final rule enacting those penalties for health IT developers of certified health IT and other entities offering certified health IT, health information exchange (HIEs), and health information networks (HINs). Financial penalties can also be imposed on healthcare providers that engage in information blocking; however, those penalties have yet to be finalized, although a final rule on provider penalties is expected soon.

Enforcement of the information blocking penalties will commence 60 days after the publication of the final rule in the Federal Register. HHS-OIG has confirmed that penalties will not be imposed for information blocking conduct that occurs before 60 days after the publication in the Federal Register. HHS-OIG will take various factors into consideration when determining an appropriate financial penalty, including the extent to which information blocking has occurred, how many individuals have been affected, and the harm the information blocking has caused.

HHS-OIG expects to receive large numbers of complaints about information blocking and potentially many more than it can investigate, so its enforcement activities will focus on the most egregious cases, where information blocking has been performed knowingly, over a long period, and if the information blocking has the potential to cause patient harm or impact the ability of healthcare providers to provide care to patients. HHS-OIG may also choose to investigate cases against a single entity in response to large numbers of complaints. HHS-OIG may consider other alternative enforcement approaches rather than imposing civil monetary penalties in the future, but in the short term, it does not anticipate using any other enforcement measures than fines. HHS-OIG has also confirmed its investigation process following the receipt of complaints about perceived information blocking, as detailed in the diagram below.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

How HHS-OIG Investigates Complaints of Information Blocking. Source: HHS Office of Inspector General

The civil monetary penalties are expected to help ensure that electronic health information flows to support patient care and will finally give HHS-OIG the authority to act on the hundreds of complaints it received. ONC says that more than 700 complaints about alleged information blocking have been received since April 2021. A recent study published in the Journal of the American Medical Informatics Association (JAMIA) confirmed the extent to which information is believed to be occurring. The study was based on American Hospital Association (AHA) survey data collected between April and September 2021. The researchers found 42% of surveyed hospitals believed they had encountered activity that they perceived to constitute information blocking. In 2022, 12% of hospitals believed healthcare providers were engaging in information blocking practices, down from 36% in 2021; however, perceived information blocking by IT vendors increased between 2021 and 2022. In 2021, 19% of hospitals believed IT vendors were engaging in information blocking, rising to 20% in 2022, and hospitals reported an increase in information blocking by developers of certified health IT, which rose from 17% in 2021 to 22% in 2022.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist