The Centers for Medicare & Medicaid Services ("CMS") and the Office of the National Coordinator for Health Information Technology ("ONC") have released a final rule establishing "disincentives" (i.e., penalties) for health care providers that participate in certain Medicare payment programs who have engaged in information blocking, as determined by the HHS Office of Inspector General ("OIG").
The rule continues to signal the federal government's commitment to encouraging permitted access to and exchange of electronic health information. The rule summarizes elements of the June 2023 OIG final rule, which established penalties for information blocking for certified health IT developers, health information networks, and health information exchanges. The rule also details the procedures that OIG will follow when investigating potential health care provider information blocking claims. There is a wide range of health care providers subject to the rule including, hospitals, physicians, nursing facilities, group practices, pharmacies, and certain eligible professionals participating in Medicare and Medicaid programs, among others, and disincentives are not limited to HIPAA-regulated entities or to healthcare providers who use ONC-certified health IT.
OIG investigation process
OIG investigations of potential information blocking will focus on activities that:
- resulted in, are causing, or have the potential to cause patient harm;
- significantly impacted a provider's ability to care for patients;
- persisted for a long time; and
- caused financial loss to federal health care programs or other government or private entities.
If OIG finds that information blocking has occurred, OIG will send a referral report to the appropriate agency, and the health care provider may then be subject to each disincentive that is applicable to the health care provider. The agency must then give notice to the health care provider, and the notice must include (a) a description of the practice(s) that formed the basis of OIG's information blocking determination; (b) the basis for the disincentive(s) being imposed; (c) the effect of each disincentive; and (d) any other information necessary for the health care provider to understand how the disincentives will be implemented.
After any available appeals have been completed and each applicable disincentive has been applied, ONC will publicly post information about health care providers who have committed information blocking in order to provide transparency into how and where information blocking is occurring within the nationwide health information technology infrastructure. This publicly-posted information will include (i) a description of the information blocking practice(s); (ii) the identity of the health care provider(s) who committed the actions; (iii) which disincentives were applied, and (iv) where to find any other relevant information about the OIG's determination.
Disincentives that apply
The rule finalizes penalties for health care providers who engage in information blocking under three Medicare payment programs: the Medicare Promoting Interoperability Program; the Quality Payment Program; and the Medicare Shared Savings Program. The information blocking penalties will vary based on the provider type and payment system.
- Under the Medicare Promoting Interoperability Program disincentive, hospitals that commit information blocking will not be considered meaningful electronic health record ("EHR") users in the applicable reporting period and will lose 75% of the annual market basked increase (for critical access hospitals, payment would be reduced to 100% of reasonable costs instead of 101%). The Medicare Promoting Interoperability Program disincentive does not apply to rehabilitation hospitals, laboratories, psychiatric hospitals, and many long-term care hospitals. This penalty becomes effective July 31, 2024.
- Under the Quality Payment Program, physicians, including a group practice, that commit information blocking will not be considered meaningful EHR users and will receive a zero score in the Promoting Interoperability performance category of the Merit-based Incentive Payment System ("MIPS"). Importantly, the rule clarifies that if an individual physician commits information blocking, the disincentive will only apply to the individual even if the individual reports as part of a group practice. This penalty becomes effective July 31, 2024.
- Under the Medicare Shared Saving Program ("MSSP"), Accountable Care Organizations ("ACOs"), ACO participants, and ACO providers or suppliers that commit information blocking will be ineligible for the Medicare Shared Savings Program for at least one year and will not receive revenue that they earned. This penalty becomes effective January 1, 2025.
Before applying a penalty, OIG will consider relevant facts and circumstances, including the nature of the health care provider's information blocking, the health care provider's diligence in identifying and correcting the problem, the time since the information blocking occurred, and whether the health care provider was previously subject to a disincentive in another program. Of note, health care providers will not be penalized for information blocking conduct attributed to a health IT developer and there will be no double penalty for providers who participate in multiple CMS payment programs (i.e., MIPS and MSSP).
When the rule will take effect
OIG will begin investigating health care providers for information blocking beginning July 31, 2024, and OIG will exercise its enforcement discretion whether to make any determinations regarding conduct that occurred prior to July 31, 2024. Presently, the rule does not apply to healthcare providers that are not enrolled in Medicare or that do not participate in the Medicare payment programs specified above. As such, HHS also stated that it is open to establishing additional disincentives and that it will continue to consider new disincentives that would apply to all health care providers in future rulemaking.
Information blocking regulations have been effective since April 5, 2021, and HHS has emphasized its desire to begin enforcement without delay because providers have been given a significant phase-in period and adequate time to implement compliant information sharing practices. Presently, anyone can submit an information blocking complaint to the ONC Information Blocking Portal or the OIG Hotline.
In addition to HHS information blocking enforcement, information blocking litigation has also increased. For example, in a federal court case in Maryland (Real Time Medical Systems, Inc. v. PointClickCare Technologies, Inc., 8:24-cv-00313, D. Md.) a judge is set to rule on a request from an electronic medical records company to restrict a nursing home analytics company from automated access to its online repositories through the use of CAPTCHA tests that were solvable by humans but slowed the nursing home analytics company's access to patient data.
As information blocking enforcement continues to increase, we will gather more evidence on what practices constitute information blocking. To prepare, health care providers should ensure that organizational policies and procedures are aligned with information blocking regulations, internal processes do not prevent or materially interfere with electronic health information access, exchange or use, and workforce members are educated on these policies and practices.
Reed Smith will continue to follow developments with regard to the HIPPA information blocking regulations. If you have questions please do not hesitate to reach out to the author or any of the health care lawyers at Reed Smith.
This article is presented for informational purposes only and is not intended to constitute legal advice.