OIG Final Rule Implementing Information Blocking Penalties
The Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a final rule (Final Rule) on June 27, 2023, which implements statutory provisions for specific individuals or entities subject to the information blocking requirements established by the 21st Century Cures Act (Cures Act). The Cures Act imposes civil money penalties (CMP) of up to $1 million per violation of information blocking, which is defined as “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electric health information,” except as required by law or covered by an exception.
The Final Rule authorizes HHS to impose CMPs, assessments, and exclusions on individuals and entities that engage in alleged fraud or other misconduct related to HHS grants, contracts, and other agreements, as well as increases the maximum penalties for certain CMP violations. OIG may impose CMPs of up to $1 million per violation of information blocking on a health information technology (Health IT) developer of certified health IT or a health information network or health information exchange (HIN/HIE), as those terms are defined by OIG.
Penalties may be imposed on certified Health IT developers and HIN/HIEs that do not actually interfere with access, exchange, or use of electronic health information (EHI) if the requisite intent is present. Specifically, such individual or entity may have CMP exposure under the Final Rule if it knew or should have known that a practice was likely to interfere with access, exchange, or use of EHI. Additionally, OIG has clarified that a discrete action by an actor that implicates information blocking would be viewed as a single violation. Thus, it appears that the number of violations will be directly connected to the number of discrete acts.