Enforcement of the ONC interoperability rule has begun, with civil monetary penalties of up to $1 million per information blocking violation.
It’s time for healthcare entities to take information blocking rules and regulations seriously. After all, there could be a million-dollar fine on the line.
ONC’s 2020 Cures Act Final Rule implemented key provisions of the 21st Century Cures Act to advance health data interoperability, including the prohibition of information blocking, which refers to preventing or interfering with the access, exchange, or use of electronic health information (EHI).
However, without a practical enforcement mechanism for the regulation, information blocking has persisted since the final rule’s enactment in April 2021.
According to an ONC survey, over 40 percent of nonfederal acute care hospitals observed practices they perceived to constitute information blocking in 2021.
A new final rule from the HHS Office of Inspector General (OIG) outlines information-blocking enforcement policies, which are set to break down data siloes across the healthcare industry to improve care coordination and ensure a competitive marketplace.
Effective September 1, 2023, OIG has the authority to investigate reports of information blocking across certified health IT developers, companies that resell certified health IT, health information networks, and health information exchanges (HIEs).
Stakeholders could be subject to up to a $1 million penalty per instance of information blocking.
According to Sean Sullivan, a healthcare regulatory and compliance attorney at Alston & Bird Law Firm’s Atlanta office, actors subject to enforcement must closely analyze their data access policies to ensure they follow the information blocking regulations.
“The biggest area of concern is really contractual terms that health information networks, exchanges, and developers of certified health IT put in place that could limit competition,” Sullivan told EHRIntelligence in an interview.
Vaultara allows for rapid, contact-less access to essential imaging data and improved efficiency.
Plus a reduction in operational costs associated with medical image sharing.
View a demo of Vaultara's self-hosted image sharing software, Flight.
While OIG made it clear in its final rule that it will not enforce any information blocking cases that occurred before September 1, 2023, the backlog of claims could help the agency identify which entities to investigate.
“ONC has a history of who some of these bad actors might be or who has been complained against the most, and I think that’s probably where OIG is going to focus first,” Sullivan said.
“Anything that could be viewed as interference with access to electronic health information after September 1 can be enforced, and OIG is going to have a lot of hints and a lot of ideas on where to look, based on the complaints that they already have,” he added.
While healthcare providers are also beholden to the information blocking provisions, the OIG final rule does not subject them to civil monetary penalties.
“There’s a proposed rule from ONC that’s targeted for this fall that will establish disincentives for providers for information blocking, but there’s still really not any meaningful enforcement on the horizon anytime soon for providers,” Sullivan noted.
He suggested that information blocking disincentives for providers could include penalties through CMS.
“If there’s information blocking, then CMS could issue some sort of penalty, or it could be something where a provider could undergo an audit and potentially be terminated from the Medicare program,” he said.
Since the ONC interoperability rule came out, Sullivan has helped providers examine their data sharing practices to comply with the regulation. Much of this work has focused on how the information blocking provisions relate to the Health Insurance Portability and Accountability Act (HIPAA).
“You still have to think about your existing federal laws under HIPAA and state laws around healthcare data privacy and security, but now the information blocking rules are sitting on top of those in a way that is supposed to be consistent,” Sullivan emphasized.
For instance, HIPAA generally requires patient consent to share protected health information (PHI). However, there are several exceptions where patient consent is not mandatory, including if the data exchange is for treatment purposes.
Still, Sullivan noted that many healthcare providers have required patient consent to share PHI for treatment purposes despite the HIPPA exception.
However, since obtaining this consent is unnecessary and potentially interferes with a valid request for health information, this act could constitute information blocking.
Other examples of provider-initiated information blocking include not providing patients access to all their health information or not responding to record requests within the 30-day time frame outlined by HIPAA.