It’s time to get serious about information blocking

It’s finally here: the final HHS rule that establishes tangible penalties for proven acts of information blocking.

After years of debate over what constitutes information blocking, how HHS can prove it, and what the punishment would be, the federal government has committed to a series of “disincentives” for healthcare providers who fail to share patient information in a good-faith manner that aligns with HIPAA and other privacy regulations.

The latest edict follows a 2023 rule from the Office of the National Coordinator (ONC) that imposes civil monetary penalties of up to $1 million on health IT developers and health information exchange organizations that willfully withhold data exchange, either through product design or specific actions.

The industry has been awaiting the matching guidelines on the healthcare provider side to ensure that patients have full access to their health information and can take charge of sharing their data as they desire.

“With this action, HHS is taking a critical step toward a health care system where people and their health providers have access to their electronic health information,” said HHS Secretary Xavier Becerra. “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients. But we must always take the necessary actions to ensure patient privacy and preferences are protected – and that’s exactly what this rule does.”

Breaking down the penalties for hospitals, clinicians, and ACOs

HHS will leverage its various health IT technology and value-based care incentive programs to limit reimbursement opportunities for offenders, the office explained.

Hospitals and critical access hospitals (CAHs) eligible for the Medicare Promoting Interoperable Program that have been referred to CMS by the Office of the Inspector General (OIG) will be stripped of their status as meaningful EHR users during the calendar year of the EHR reporting period in which the referral occurred.

“If the eligible hospital is not a meaningful EHR user, the eligible hospital will not be able to earn three quarters of the annual market basket increase they would have been able to earn for successful program participation,” HHS stated. “For CAHs, payment will be reduced to 100% of reasonable costs instead of 101%. This disincentive will be effective 30 days after publication of the final rule.”

Similarly, MIPS-eligible clinicians and/or group practices found to have committed information blocking will not be considered a meaningful EHR user during the calendar year of the EHR reporting period that contains their OIG referral.  Without being a meaningful user, the clinician or group will receive a zero score in the MIPS Promoting Interoperability performance category, which typically forms a quarter of their overall score. A zero in the category is likely to have significant impacts on their ability to achieve incentive payments.

Accountable care organizations (ACOs) are also subject to incentive restrictions under the Medicare Shared Savings Program.  An ACO, ACO participant, or ACO provider/supplier who has committed information blocking could be rendered ineligible to participate in the program for at least one year. This may result in lost revenue from an inability to participate. CMS will consider whether or not the guilty party has also been subject to disincentives under other programs before enforcing the ACO penalty so as not to overly punish the entity.

HHS also reserves the right to impose additional punishments through future rulemaking if this batch of disincentives doesn’t turn out to be enough to keep the pipelines clear.

What do healthcare providers need to know about information blocking enforcement?

The OIG, not HHS, is responsible for investigating claims of information blocking that are submitted by members of the public or whistleblowers within healthcare organizations.

OIG officials have previously stated that they anticipate many more submissions than they have time to investigate, and published a list of their top priorities when choosing which accusations to pursue.

Reiterated in the HHS final rule, these priorities include incidents that:

• Resulted in, are causing, or have the potential to cause patient harm
• Significantly impacted a provider’s ability to care for patients
• Were of long duration
• Caused financial loss to federal health care programs, or other government or private entities

That doesn’t mean that providers can get away with other types of info blocking, especially in an era where one unhappy patient’s viral TikTok can irrevocably damage a provider’s reputation. But it does mean that healthcare organizations are unlikely to lose millions of dollars in incentive opportunities over lower-level misunderstandings, sporadic consumer complaints, or unintentional workflow bottlenecks that result in information sharing delays.

Providers can also rest easy about being penalized for adhering to other industry data sharing regulations, such as the new reproductive rights protections that augment existing HIPAA guidance.

Disincentives for hospitals and clinicians will go into effect starting 30 days after the publication of the final rule, while disincentives under the Medicare Shared Savings Program won’t begin until January 1, 2025.

What should healthcare providers do to avoid information blocking accusations?

Information blocking is defined as “a practice by an ‘actor’ that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.”

There are currently nine established exceptions for info blocking, including in cases where sharing data would create harm, violate existing privacy and security statutes, or compromise health IT performance. Actors are also protected in situations that involve licensing, fees, or other procedures, as well as certain scenarios tied into participation in TEFCA.

To avoid being accused of purposely withholding information, entities must be fully aware of their current information sharing activities and how these exceptions may or may not apply.  That means having a thorough technical and operational understanding of what HIPAA’s privacy and security rules actually say about releasing patient information in various situations, and ensuring that front line staff and patients are similarly educated.

Providers may also wish to establish mechanisms for patients to resolve information sharing complaints, such as a helpline or feedback form, to prevent issues from escalating and quickly resolve concerns.

If the OIG does decide to investigate a potential issue, organizations should aim to be as transparent as possible with investigators and provide any documentation, if available, to support an exemption or justify other actions.

With potentially major financial penalties now on the table, healthcare organizations can’t afford to ignore the warnings around info blocking any longer.

It will likely take some time for OIG, HHS, and ONC to narrow their focus further and establish a body of precedent through real-world enforcement actions. But healthcare organizations need to take action now to prepare for this new era of scrutiny around information exchange by understanding how information is moving through the system, educating staff on how to adhere to info blocking regulations, and being proactive about addressing concerns.

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.