What Healthcare Leaders Need to Know About Information Blocking Enforcement

On June 27, 2023, the Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) released its final rule implementing penalties for information blocking. The rule went into effect on August 2, 2023, except for the additions of §§ 1003.1400, 1003.1410, and 1003.1420, which became effective on September 1, 2023. Enforcement of the information blocking penalties began on September 1, 60 days after publication of the final rule in the Federal Register.(1)

The Information Blocking Rule was introduced by the 21st Century Cures Act (Act). In the Act (44 C.F.R. § 171.103(a)), information blocking means a practice that:

1. Except as required by law or covered by an exception, is likely to interfere with access, exchange, or use of electronic health information (EHI); and

2. If conducted by a health IT developer of certified health IT, health information network or health information exchange, such developer, network, or exchange knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information; or

3. If conducted by a healthcare provider, such provider knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.

Understanding Provider Disincentives

The final rule does not apply to healthcare providers. Unlike developers, exchanges, and networks, the Act does not empower the OIG to assess penalties for noncompliance against healthcare providers directly. Healthcare providers will be referred to the appropriate agency to be subject to appropriate disincentives (42 U.S.C. § 300jj-52(b)(2)(B)). HHS will likely utilize its authority granted under HIPAA and investigate claims of information blocking under a patient’s right of access. However, we could still see a provider disincentive rule by the end of the year.

The Office for Civil Rights (OCR) has been very active in issuing corrective action plans in response to patient complaints regarding their right to access their protected health information. On August 24, 2023, OCR announced a settlement with UnitedHealthcare Insurance Company (UHIC) concerning a potential violation of the HIPAA Privacy Rule’s Right of Access provision. This investigation marks the 45th Right of Access case to be resolved via voluntary settlement. UHIC agreed to implement a corrective action plan and pay $80,000 to resolve this investigation.

Complaints Received by Claimant and Potential Actor

The Office of the National Coordinator for Health Information Technology (ONC) has published a website that tracks the number of complaints received and breaks them down by complainant.(2) (Data displayed in Table 1 and Figures 1 and 2 are through September 30, 2023.)

Since the Information Blocking Rule became effective, patients have filed more than 500 complaints (Figure 1). The data in Figure 2 clearly identifies healthcare providers as the most common potential actors, highlighting that providers have the most risk of being involved in an investigation.

Figure 1. Claims counts by types of claimant. HIN/HIE, health information network or health information exchange.

Figure 2. Claims counts by potential actor. CHPL, certified health IT product list; HIN/HIE, health information network or health information exchange.

Action Items for Providers

If you haven’t already, establish a committee to review the requirements and develop an action plan with your compliance staff. The committee should review access policies and revise them to meet patient right of access under HIPAA and the expectations of ONC’s final rule. Also, the committee should develop a process for evaluating access against the following eight exceptions:(3) Exceptions that involved not fulfilling requests to access, exchange, or use EHI:

1. Preventing Harm Exception

2. Privacy Exception

3. Security Exception

4. Infeasibility Exception

5. Health IT Performance Exception

Exceptions that involved procedures for fulfilling requests to access, exchange, or use EHI:

1. Content and Manner Exception

2. Fees Exception

3. Licensing Exception

Providers have the burden of proof when responding to a complaint, and the process should include documentation to be retained for future reference. Finally, train your staff on any policy changes and evaluate your systems to understand any limitations in providing patients with electronic access.

Conclusion

The foundational concepts of information blocking are not that different than the patient’s right of access under HIPAA. The impact of a fully informed patient on the outcome of their care can have a major positive influence. As patients become more engaged, providers must understand HIPAA and the Information Blocking Rule requirements, implement compliant policies, and continually monitor compliance.

References

1. Grants, contracts, and other agreements: fraud and abuse; information blocking; office of inspector general’s civil money penalty rules. Federal Register.  https://www.federalregister.gov/documents/2023/07/03/2023-13851/grants-contracts-and-other-agreements-fraud-and-abuse-information-blocking-office-of-inspector . Accessed October 2, 2023.

2. Office of the National Coordinator for Health Information Technology. Information blocking claims: By the numbers. HealthIT.gov.  https://www.healthit.gov/data/quickstats/information-blocking-claims-numbers . Accessed October 2, 2023.

3. Office of the National Coordinator for Health Information Technology. Cures Act final rule: Information blocking exceptions. HealthIT.gov.  https://www.healthit.gov/sites/default/files/page2/2020-03/InformationBlockingExceptions.pdf . Accessed October 2, 2023.