Overview of OIG Proposed Rule on Information Blocking Violations
The Office of Inspector General (OIG) is an office of the Department of Health and Human Services (HHS) that has broad leeway to investigate potential fraud and abuse in healthcare associated with HHS grants, contracts, and other agreements, and then to impose financial penalties called civil monetary penalties (CMPs). In the 21st Century Cures Act, OIG was granted the ability to investigate information blocking and impose CMPs for it. This is their proposed rule for enforcing information blocking.
Information Blocking Enforcement Details
The first part of the NPRM (notice of proposed rulemaking) updates some current OIG rules around their investigations into fraud and other misconduct, and it is not highly relevant to the information blocking enforcement from Cures. The second part of the NPRM addresses information blocking and the authority OIG has from the 21st Century Cures Act to investigate claims of information blocking and impose CMPs for violations.
It should be noted that this NPRM is only focused on information blocking by health IT developers or other entities offering certified health IT, health information exchanges, and health information networks, not by health care providers. However, OIG does note that providers and hospitals already have to agree not to participate in information blocking via other CMS programs.
This proposal also does not define anything new about what is or is not information blocking. The definition and details of information blocking remain solely in the recent ONC Cures rule. Rather, this proposed rule only addresses OIG’s ability to assign CMPs for information blocking violations. It states that it can authorize a maximum penalty not to exceed $1 million USD per violation. It also lists the factors OIG would use in determining the penalty, which are:
· Nature and extent of the information blocking, and
· Harm resulting from such information blocking, based on:
    o Number of patients affected.
    o Number of providers affected.
    o Number of days the information blocking persisted.
OIG explicitly states that their fines are per “violation” and that a charge of information blocking against a developer may have multiple violations. In the NPRM, they give two examples of information blocking containing a single violation and two examples of information blocking with multiple violations. These examples are quoted at the bottom of this article essentially verbatim from the proposed rule.
Information Blocking Enforcement Timeline
Finally, in terms of enforcement timeline, OIG offers some alternatives for when their information blocking oversight and enforcement would begin. One suggestion is the “normal” timeline of beginning enforcement of the rule 60 days after the rule is published as final, which is common practice with many HHS proposals. For this route, the final rule likely comes out around October of this year, which puts its enforcement date around the end of CY 2020 or the start of CY 2021, but that is just an estimate.
However, another suggested alternative is setting a specific enforcement date. They mention a specific enforcement date of October 1, 2020, which is before the ONC Cures compliance date for information blocking, but this is likely because the NPRM was written before the Cures rule was officially published. They later state that enforcement would not begin earlier than the information blocking compliance date required by the ONC Final Rule.
OIG is taking comments on this NPRM to determine their final enforcement time, and you can comment here. I am going to comment that they should explicitly align their enforcement dates with the ONC’s dates for information blocking compliance, including its enforcement discretion extension due to COVID-19, and that if ONC adds any future extensions or delays around information blocking compliance and enforcement, OIG would follow them. That way developers are not having to deal with conflicting dates around information blocking.
Example Information Blocking Violations from the NPRM
Information Blocking Example #1: Single Violation
A health care provider notifies its health IT developer of its intent to switch to another electronic health record (EHR) system and requests a complete electronic export of its patients’ electronic health information (EHI) via the capability certified to in 45 CFR § 170.315(b)(10). The developer refuses to export any EHI without charging a fee. The refusal to export EHI without charging this fee would constitute a single violation.
NOTE – The number of patients affected by the health IT developer’s information blocking practice is a factor OIG would consider when determining the penalty.
Information Blocking Example #2: Single Violation
A health IT developer (D1) connects to a health IT developer of certified health IT (D2) using a certified API. D2 decides to disable D1’s ability to exchange information using the certified API. D1 requests EHI through the API for one patient of a health care provider for treatment. As a result of D2 disabling D1’s access to the API, D1 receives an automated denial of the request. This would be considered a single violation.
Information Blocking Example #3: Multiple Violations – Different Types of Violations
A health IT developer’s software license agreement with one customer prohibits the customer from disclosing to its IT contractors certain technical interoperability information (i.e. interoperability elements), without which the customer and the IT contractors cannot access and convert EHI for use in other applications. The health IT developer also chooses to perform maintenance on the health IT that it licenses to the customer at the most inopportune times because the customer has indicated its intention to switch its health IT to that of the developer’s competitor. For this specific circumstance, one violation would be the contractual prohibition on disclosure of certain technical interoperability information and the second violation would be performing maintenance on the health IT in a discriminatory fashion. Each violation would be subject to a separate penalty.
Information Blocking Example #4: Multiple Violations – Same Type of Violation Done Multiple Times
A health IT developer requires vetting of third-party applications before the applications can access the health IT developer’s product. The health IT developer denies applications based on the functionality of the application. There are multiple violations based on each instance the health IT developer vets a third-party application because each practice is separate and based on the specific functionality of each application. Each of the violations in this specific scenario would be subject to a penalty.