On Friday, April 24th, the Office of Inspector General (OIG) of HHS published a Proposed Rule to amend the civil monetary penalties (CMP) rules to incorporate new authorities for investigating and assessing monetary penalties for Information Blocking violations. The action follows closely on the heels of ONC & CMS issuing a Joint Statement earlier this week announcing each agency’s respective decision to exercise enforcement discretion and delay enforcement of their Final Rules governing Information Blocking for 3 months (ONC) and 6 months (CMS) due to the burdens of the COVID-19 outbreak on the healthcare industry.
Among other things, the OIG’s Proposed Rule seeks to address the amendment of the Public Health Service Act (PHSA) by the Cures Act authorizing the OIG to investigate claims of Information Blocking and implementing provisions to impose CMPs for Information Blocking. A high-level summary of some of the most important points about the Proposed Rule follows.
Who Gets Dinged?
The Cures Act grants authority for monetary penalties to be assessed only against:
- health information technology developer of certified health information technology;
- other entities offering health information technology; and
- health information exchanges or networks.
Therefore, significantly, the Cures Act does not grant authority for assessing monetary penalties against health care providers. Instead, the OIG notes in its Preamble that if a health care provider engages in a prohibited information blocking practice, the health care provider will be referred to the appropriate agency for “appropriate disincentives”. However, exactly which agency or agencies these would be and what such “appropriate disincentives” might entail are left to be established by HHS in future Notice and Comment rulemaking. Additionally, OIG points out in a footnote:
“While health care providers are not subject to information blocking CMPs, many must currently comply with separate statutes and regulations related to information blocking. Prior to the enactment of the Cures Act, Congress enacted the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), Public Law 114-10, which, in part, requires a health care provider to demonstrate that it has not knowingly and willfully taken action to limit or restrict the compatibility or interoperability of Certified Electronic Health Record (EHR) Technology. To implement these provisions, the Centers for Medicare & Medicaid Services (CMS) established and codified attestation requirements to support the prevention of information blocking, which consist of three statements containing specific representations about a health care provider’s implementation and use of Certified EHR technology (81 FR 77028 through 77035).” (emphasis added).
How Much?
The proposed cap for monetary penalties is $1M per violation. (§1003.1410)
What is Considered a Violation?
The proposed definition of a “violation” is “a practice, as defined in 45 CFR 171.102, that constitutes information blocking, as defined in 45 CFR Part 171.” Therefore, the OIG definition cross-references definitions in the ONC Final Rule on Information Blocking scheduled for publication on May 1, 2020. To explain the intent of the proposed definition of “violation” and illustrate how OIG could determine what constitutes a single violation vs. multiple violations, several hypothetical examples were provided in the Preamble.
The OIG offers the following two examples as each constituting a single violation:
- A health care provider notifies its health IT developer of its intent to switch to another electronic health record (EHR) system and requests a complete electronic export of its patients’ electronic health information (EHI) via the capability certified to in 45 CFR 170.315(b)(10). The developer refuses to export any EHI without charging a fee. The refusal to export EHI without charging this fee would constitute a single violation.
- A health IT developer (D1) connects to a health IT developer of certified health IT (D2) using a certified API. D2 decides to disable D1’s ability to exchange information using the certified API. D1 requests EHI through the API for one patient of a health care provider for treatment. As a result of D2 disabling D1’s access to the API, D1 receives an automated denial of the request. This would be considered a single violation.
The OIG points out here that even though several patients might be affected by the health IT developer’s practice of information blocking, the health IT developer only engaged in one practice in response to the request from the provider.
To contrast, the OIG then offered the following examples illustrating multiple violations:
- A health IT developer’s software license agreement with one customer prohibits the customer from disclosing to its IT contractors certain technical interoperability information (e., interoperability elements), without which the customer and the IT contractors cannot access and convert EHI for use in other applications. The health IT developer also chooses to perform maintenance on the health IT that it licenses to the customer at the most inopportune times because the customer has indicated its intention to switch its health IT to that of the developer’s competitor. For this specific circumstance, one violation would be the contractual prohibition on disclosure of certain technical interoperability information and the second violation would be performing maintenance on the health IT in a discriminatory fashion. Each violation would be subject to a separate penalty.
- A health IT developer requires vetting of third-party applications before the applications can access the health IT developer’s product. The health IT developer denies applications based on the functionality of the application. There are multiple violations based on each instance the health IT developer vets a third-party application because each practice is separate and based on the specific functionality of each application. Each of the violations in this specific scenario would be subject to a penalty.
It is then explained that in the first example, the health IT developer engages in two separate practices: (1) prohibiting disclosure of certain technical interoperability information and (2) performing maintenance on the health IT in a discriminatory fashion. Each practice would meet the definition of information blocking separately. In the second example, the health IT developer vets each third-party application separately and makes a separate decision for each application. For each denial of access to EHI based on the discriminatory vetting, there is a practice that meets the definition of information blocking. Thus, each denial of access would constitute a separate violation.
Will All Violations be Treated the Same?
Possibly not. OIG is proposing to take into account the following factors when evaluating the amount of a CMP to be assessed, or if any at all should be assessed:
- The nature and extent of the information blocking; and
- The harm resulting from such information blocking, including, where applicable, the number of patients and providers affected; and
- The number of days the information blocking persisted. (1003.1420)
OIG points out that each allegation of Information Blocking will be assessed based on its own merits given the unique facts and circumstances presented. Additionally, OIG may refer an Information Blocking claim to OCR if a consultation regarding the health privacy and security rules promulgated under HIPAA would resolve an Information Blocking claim. Depending on the facts and circumstances of the claim, OIG may exercise its discretion in referring individuals and entities to consult with OCR to resolve information blocking claims.
What if I Didn’t Know!?
OIG did point out that Information Blocking—as defined in § 3022(a)(1)(B)(i) of the PHSA and in 45 CFR 171.103(b) —includes an element of intent (i.e., “if conducted by a health information technology developer, exchange, or network, such developer, exchange, or network knows, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information”). Therefore, the OIG will not bring enforcement actions against actors who OIG determines made innocent mistakes (i.e., lack the requisite intent for information blocking).
When Will the Penalties Begin?
The OIG is considering two possible alternative effective dates for enforcement to begin. With the first alternative, the OIG would not begin enforcement of Information Blocking CMPs until 60 days from the date of publication of a Final Rule. Under the second alternative, the OIG is considering for the Final Rule an effective date to only apply to Subpart N of Part 1003, which would also affect the start of OIG’s Information Blocking enforcement. The second alternative would provide a definite period to individuals and entities to continue their compliance efforts with the ONC Final Rule with the knowledge that their conduct would not be subject to OIG enforcement until October 1, 2020 [sic]. OIG believes that this time frame would be more than adequate for actors to implement necessary changes to align with ONC’s Final Rule. Importantly, the OIG reminds us that individuals and entities are legally subject to the Information Blocking regulations and must comply with those rules as of the compliance date of ONC’s Final Rule finalized at 45 CFR 171.101(b). At a minimum, OIG enforcement would not begin until the compliance date of the ONC Final Rule finalized at 45 CFR 171.101(b), which is set for November 2, 2020.
The OIG Proposed Rule has a 60-day comment period, which closes on June 23, 2020.
