Published on:

OIG Final Rule Implementing Information Blocking Penalties

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) issued a final rule (Final Rule) on June 27, 2023, which implements statutory provisions for specific individuals or entities subject to the information blocking requirements established by the 21st Century Cures Act (Cures Act). The Cures Act imposes civil money penalties (CMP) of up to $1 million per violation of information blocking, which is defined as “a practice that interferes with, prevents, or materially discourages access, exchange, or use of electric health information,” except as required by law or covered by an exception.

The Final Rule authorizes HHS to impose CMPs, assessments, and exclusions on individuals and entities that engage in alleged fraud or other misconduct related to HHS grants, contracts, and other agreements, as well as increases the maximum penalties for certain CMP violations. OIG may impose CMPs of up to $1 million per violation of information blocking on a health information technology (Health IT) developer of certified health IT or a health information network or health information exchange (HIN/HIE), as those terms are defined by OIG.

Penalties may be imposed on certified Health IT developers and HIN/HIEs that do not actually interfere with access, exchange, or use of electronic health information (EHI) if the requisite intent is present. Specifically, such individual or entity may have CMP exposure under the Final Rule if it knew or should have known that a practice was likely to interfere with access, exchange, or use of EHI. Additionally, OIG has clarified that a discrete action by an actor that implicates information blocking would be viewed as a single violation. Thus, it appears that the number of violations will be directly connected to the number of discrete acts.

While OIG’s lookback period is 6 years for information blocking, OIG recommends that information be maintained for additional time because other programs may require a showing of 10 years’ worth of compliance records. OIG explained that it will assess the nature, extent, and harm resulting from information blocking when determining the degree of penalties. OIG will also consider the duration, impact of a provider’s ability to care for patients, financial loss caused to Federal healthcare programs, and whether the actor possessed actual knowledge or specific intent to engage in information blocking. The Final Rule provides a self-disclosure protocol for actors who determine that their practices may constitute information blocking, which may mitigate an alleged violation.

OIG finalized its proposal for an effective date for the CMP for information blocking as of September 1, 2023, which means that OIG will not impose penalties on conduct occurring before that date. The remainder of the Final Rule’s provisions are effective August 2, 2023. Healthcare providers should be aware of whether they fall under OIG’s definitions of a Health IT developer or HIN/HIE in order to assess whether they are subject to the information blocking requirements, and to take any necessary steps towards compliance with the Final Rule.

For over 35 years, Wachler & Associates has represented healthcare providers and suppliers nationwide in a variety of health law matters, and our attorneys can assist providers and suppliers in understanding new developments in healthcare law and regulation. If you or your healthcare entity has any questions pertaining to healthcare compliance, please contact an experienced healthcare attorney at 248-544-0888 or

Contact Information