What you need to know about the OIG’s new information blocking enforcement rule
The federal “information blocking” rule has been in effect since mid-2021. However, with the publication of a new enforcement rule on July 3, 2023 by the US Department of Health and Human Services, Office of Inspector General (OIG), the information blocking rule now has significant teeth – at least for certain categories of “actors” who are subject to the rule and engage in prohibited information blocking. These actors now could face civil monetary penalties (CMPs) of up to $1 million per violation.
The OIG will begin enforcing the new rule on September 1, 2023. The following are some key issues for actors to consider ahead of this enforcement date.
Who specifically is subject to the enforcement rule?
The enforcement rule applies only to the following categories of actors that are otherwise subject to the information blocking rule: health information technology (IT) developers of certified health IT, entities offering certified health IT, health information exchanges, and health information networks.
Are healthcare providers subject to this rule? What about health plans?
Healthcare providers are not subject to this rule in their capacity as providers. However, the OIG notes that providers might also fall into one of the above categories and would then be subject to this new rule in that capacity.
The same remains true for health plans, which are typically not subject to the information blocking rule, unless they engage in actions that make them one of the types of actors subject to this rule.
So, healthcare providers will not be penalized for engaging in information blocking?
While not subject to this enforcement rule, healthcare providers are not entirely off the hook. The OIG intends to issue a separate rule that will address how it will refer non-compliant providers to the appropriate agencies to be subject to “disincentives” (which are yet to be defined). At this time, at least one agency is currently working on a rule establishing disincentives for providers.
Is $1 million the maximum CMP for engaging in information blocking?
Even if $1 million per violation may sound minimal to some actors, a violation is defined as a practice (ie, an act or omission) that constitutes information blocking – and how such a practice is determined will depend on the facts and circumstances. The OIG noted, by way of an example, that the enactment of a policy that establishes an information blocking practice is one violation, and each instance of enforcing that policy is a separate violation. Therefore, depending on the facts, CMPs could quickly add up to much more than $1 million.
When determining specific CMP amounts, the OIG will consider factors such as the nature and extent of harm caused by the specific incident of information blocking, the number of patients and providers implicated and affected, and how long the information blocking lasted.
Will the OIG investigate every complaint that it receives?
No. The OIG has made it clear that it lacks the resources to investigate the large volume of complaints that it anticipates receiving. Instead, the OIG intends to prioritize cases of alleged information blocking that:
- Resulted in, are causing, or had the potential to cause patient harm
- Significantly impacted a provider’s ability to care for patients
- Were of long duration
- Caused financial loss to federal healthcare programs or other government or private entities or
- Were performed with actual knowledge.
The OIG expects that these enforcement priorities will evolve as it gains more experience investigating information blocking and provides more information on its website regarding the investigative process; nothing will prohibit the OIG from conducting investigations outside of these priorities.
Will the OIG seek to enforce this rule for conduct that occurred prior to September 1, 2023?
No. The OIG has expressly confirmed that it will not impose any CMPs for information blocking conduct occurring before September 1, 2023, which is the effective date of the rule.
Still, some caution is warranted here. If any conduct violates other laws, the OIG or other agencies might seek to enforce those laws, even if the OIG would not pursue the conduct for information blocking.
Will the OIG offer a self-disclosure protocol?
Yes. The OIG intends to implement a self-disclosure protocol (SDP) for information blocking. If the OIG accepts actors into an SDP and those actors cooperate with the OIG, the OIG noted that the actor will pay lower damages than would normally be required. However, any decision to self-disclose should be made after careful deliberation and with advice of legal counsel.
If you have any questions regarding this information blocking enforcement rule or the information blocking rule itself, please contact your DLA Piper relationship attorney, any member of the DLA Piper Healthcare group, or the authors of this alert.
Stephanie Gumabon-Greaver is a summer associate in DLA Piper's Philadelphia office.
Offshoring patient information? Florida’s Electronic Health Records Exchange Act...
20 June 2023 .7 minute read
OIG Telehealth Toolkit for program integrity risks: What payors and providers need to know
10 May 2023 .8 minute read