Despite the 21st Century Cures Act's prohibition of information blocking in 2016, health data interoperability remains a significant challenge.
In 2021, 42% of hospitals reported perceived instances of information blocking, according to the American Hospital Association. Ironically, providers themselves might be the biggest culprits, making up almost 90% of submissions to the Assistant Secretary for Technology Policy's (ASTP/ONC) information blocking portal.
However, information blocking enforcement has begun, with an HHS and CMS final rule that subjects providers to "appropriate disincentives" should the Office of Inspector General (OIG) find them guilty of information blocking.
Information blocking enforcement
While enforcement of the rule began on July 31, 2024, enforcement targets are still uncertain, according to Amy Magnano, a healthcare litigation and regulatory attorney at Morgan Lewis.
However, she noted that HHS and OIG have indicated that their primary focus will be incidents of information blocking that have caused patient harm.
For instance, if a healthcare provider delays the release of a critical lab value to an emergency department and a patient dies with sepsis, that would be a scenario ripe for information blocking enforcement, Magnano said.
Additionally, she said that information blocking between systems could also be an enforcement target.
"If a patient is being seen by multiple systems and there's some policy or procedure that prevents access or disclosure between systems and it delays care for the patient and there's patient harm, I think that will be another big target for on the healthcare provider side," Magnano noted.
Penalties for information blocking across providers are tied to Medicare reimbursement. In the final rule, HHS and CMS modeled what some of the financial penalties could be.
Information blocking disincentives for hospitals could range from about $30,000 to $2.4 million, with the expected median disincentive to be around $400,000.
Most states have very specific requirements on how and when you can release certain types of healthcare information. Being familiar with those state requirements and understanding that that won't necessarily be information-blocking is a good thing for healthcare providers to familiarize themselves with.
Amy MagnanoHealthcare litigation and regulatory attorney, Morgan Lewis
Disincentives for clinicians will be much smaller. Clinicians eligible for the Merit-based Incentive Payment System could face financial penalties ranging from $38 to $7,184. Notably, disincentives for information-blocking will only apply to the individual clinician responsible, not the entire group, unless the group was also preventing access.
"I think there's a healthy fear of this, and there probably should be because that can be very significant reimbursement, particularly for folks in more rural areas," said Magnano.
The final rule also introduced a provision to publicly post the names and information of healthcare providers found guilty of information-blocking. This would be similar to the Office for Civil Rights' "HIPAA Wall of Shame," which lists data breaches from the past 24 months that OCR is investigating.
Mangano emphasized that the real value of the website will not be in exposing individual practitioners for committing information blocking. Instead, it will highlight the organizational policies that lead to these violations to help other organizations avoid them.
After all, Magnano noted that many instances of information blocking might stem from well-intentioned data exchange policies. For example, a group might have a policy that restricts the release of a cancer diagnosis until the provider has directly communicated with the patient.
She suggested healthcare organizations have their risk managers or legal counsel read through the FAQs to better understand how they intend to operationalize the rule.
For instance, one FAQ dives into an information-blocking exception: privacy.
"If there's a state or federal law that imposes a requirement that you not release the information, information blocking is not going to interfere with that," Magnano explained.
For example, meeting specific prerequisites for releasing reproductive healthcare information does not constitute information-blocking.
"Most states have very specific requirements on how and when you can release certain types of healthcare information," Magnano said. "Being familiar with those state requirements and understanding that that won't necessarily be information blocking is a good thing for healthcare providers to familiarize themselves with."
In addition to the FAQ page, Magnano pointed out that some states have shared resources with legal counsel to help critical access hospitals comply with the information-blocking provisions.
"In a number of states, they'll have a collaborative or something where they can access advice on this," she said. "There's really great shared legal advice to be had about some of these concepts."
Potential for future rulemaking
HHS indicated that it might issue another rule in the future to apply to providers who do not participate in Medicare. However, since this group represents a relatively small number of entities, Mangano said that additional rules targeting them might not be a prime concern.
"I could see that not being a priority right now in light of other competing regulatory priorities, but it certainly could happen in the future depending on what we see, what type of behavior and what type of complaints are made against those providers that they don't have the enforcement ability or investigative authority over right now," Mangano explained.
Hannah Nelson has been covering news related to health information technology and health data interoperability since 2020.
