Proposed Penalties for Information Blocking Violations

Articles / Publications
Reprinted with permission from Birmingham Medical News

On October 30, 2023, the Department of Health and Human Services (HHS) released a proposed rule establishing penalties for healthcare providers who violate the information blocking rules implemented under the 21st Century Cures Act. Currently, there are no penalties against healthcare providers for violating the information blocking rules.

As a refresher, the information blocking rules are separate and apart from the HIPAA Privacy and Security Rules, which do have established penalties for violations by healthcare providers. The information blocking rules prohibit a healthcare provider, among other “actors” as defined in the rules, from taking any action that is likely to interfere with the access, exchange, or use of electronic health information contained in a designated record set (EHI), unless the action is required by law or an applicable legal exception is met.

The eight exceptions to the information blocking rules are complex, and each one contains a number of factors that must be met in order to qualify for the exception. To avoid any potential penalties, any provider utilizing an exception should document the use of the exception and how the exception was satisfied.

The information blocking rules apply to any request for EHI from any requestor, not just a request to access information from patients. Further, compliance with HIPAA does not necessarily equate to compliance with the information blocking rules. In other words, a provider can be in compliance with the HIPAA requirements, but be found to be in violation of the information blocking rules. In addition, the information blocking rules can be violated even if there is no harm as a result of the actor’s actions.

Previously, the Office of Inspector General (OIG) published a final rule establishing civil money penalties for violations of the information blocking rules by health IT developers, entities offering certified health IT, health information exchanges, and health information networks. However, the OIG final rule did not contain any penalties against healthcare providers for violating the information blocking rules.

The latest information blocking proposed rule aims to implement penalties for healthcare providers who violate the information blocking rules by allowing the OIG to refer such providers to CMS for payment disincentives. The method of payment disincentive depends on the type of provider involved. For eligible hospitals and critical access hospitals, the disincentives include not being able to be deemed a meaningful EHR user in the applicable EHR reporting period. For eligible individual providers, the disincentives include not being able to be deemed a meaningful user of certified EHR technology in a performance period and therefore receiving a zero score in the Promoting Interoperability performance category of MIPS. For accountable care organizations and their participants, the disincentives include not being able to participate as an ACO for at least a year.

“HHS is committed to developing and implementing policies that discourage information blocking to help people and the health providers they allow to have access to their electronic health information,” said HHS Secretary Xavier Becerra. “We are confident the disincentives included in the proposed rule, if finalized, will further increase the appropriate sharing of electronic health information and establish a framework for potential additional disincentives in the future.”

The proposed rule regarding the information blocking disincentives for healthcare providers is currently published in the Federal Register and available for public comment. Written or electronic comments must be received on or before January 2, 2024. Healthcare providers are encouraged to submit comments regarding the appropriateness of the proposed disincentives.

Jump to Page

Contact Us

About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.