Home Health & Hospice Week

Starting this month, will you be subject to a $1 million statutory penalty per violation if it is determined that you’ve broken health information blocking rules? Hold on tight as we spell out the latest Cures Act final rule and the penalties surrounding information blocking.

Background: On Dec. 13, 2016, Congress signed into law the 21st Century Cures Act to accelerate the electronic access to, use and exchange of health information. The Act applies to healthcare providers, health IT developers of certified health IT, health information exchanges (HIEs) and health information networks (HINs).

The law defines information blocking and “knowledge” standards for healthcare entities:

• Healthcare providers are in violation if they know that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI).
• Health IT developers of certified health IT, HINs or HIEs are in violation if they know, or should know, that such practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.

Since 2016, many provisions of the Act have been implemented including major rulemaking activities to facilitate data sharing across different types of providers, and to expressly promote patient control over their own health information. To further achieve these goals, the Office of the National Coordinator for Health Information Technology established the information blocking regulations of the law with its 2020 Cures Act Final Rule.

The final rule went into effect Oct. 6, 2022. The regulation is intended to prevent interference with the access, exchange, or use of EHI for almost all healthcare providers including stalling the release of or preventing access to EHI.

The rule also expanded the EHI definition to include all electronic Protected Health Information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA) and made it easier to access this data, with only a few exceptions (see box, p. 242).

Providers that do not meet all the conditions of an exception will not automatically be considered information blocking, but will be evaluated on a case-by-case basis to determine whether blocking actually occurred.

On June 27, 2023 the OIG’s final rule implemented penalties for information blocking. The rule does not impose any new requirements, but incorporates regulations published by the ONC for blocking enforcement.

OIG’s Civil Monetary Penalty Looms

Under the OIG’s rule, if it determines that an individual or entity has committed a blocking infraction, the party may be subject to up to a $1 million penalty per violation. Penalties begin Sept. 1, 2023.

But providers can breathe easy for the moment. The OIG rule subjects only certain entities to penalties: health IT developers of certified health IT; entities offering certified health IT; HIEs; and HINs.

On the horizon: The OIG’s rule does not establish healthcare provider disincentives. A separate rule to establish provider penalties is being developed by the Department of Health and Human Services. Look for it soon as HHS has a workgroup actively working on it now.

Resource: To determine if you are subject to penalties under the OIG final rule, see the definition of healthcare entities at www.healthit.gov/sites/default/files/page2/2020-03/ InformationBlockingActors.pdf.

Take These 7 Steps While You Wait

You are under no obligation to proactively provide EHI. But under the law, once a request to access, exchange, or use EHI is made, you must respond to the request in a timely manner.

That means now is the time to ensure your processes surrounding health information requests and how you respond to them are aligned with information blocking regulations. You should also ensure that you have standards in your compliance plan to safeguard against blocking claims.

Confer with legal counsel when needed and look to take the following steps:

1. Review the information blocking rule, especially the examples in the proposed rule at www.govinfo.gov/content/ pkg/FR-2020-04-24/pdf/2020-08451.pdf.

2. Evaluate and assess patient health records including electronic medical records (EMRs) to identify information risks.

3. Review and revise all policies and procedures related to responding to information requests, including HIPAA policies and those governing confidential or sensitive information. Also develop a process for documenting exceptions to requests.

5. If you use one, evaluate patient portal functionality. Determine if features are working properly and ensure there are no operational breaks/delays. Update portal terms of use, as necessary.

6. Review and revise business associate agreements (BAAs) to ensure language complies with blocking regulations.

7. Determine how you access, exchange or use EHI and check with vendors to review their compliance with the rule.

Takeaway: If you’re proactive and deliberate in your efforts you can reduce your information blocking liability now and in the future.

Note: More resources are at www.healthit.gov/topic/ information-blocking.