HHS Finalizes Healthcare Provider Disincentives for Information Blocking

Recently, the United States Department of Health and Human Services (“HHS”), Centers for Medicare & Medicaid Services (“CMS”), and Office of the National Coordinator for Health Information Technology (“ONC”) announced the release of the Final Rule establishing disincentives for certain healthcare providers found by the HHS Office of Inspector General (“OIG”) to have committed information blocking and referred by OIG to CMS. As previewed in our discussion of the 2023 Proposed Rule, the finalized disincentives have been long anticipated.

This Final Rule will take effect on July 31, 2024, which is 30 days following its publication in the Federal Register. However, HHS did establish in its commentary to the Final Rule that OIG will exercise its enforcement discretion not to make any determinations regarding conduct occurring prior to the effective date of the Final Rule and, thus, no disincentives finalized in the rule will be applied to conduct occurring before the effective date. While providers can take some comfort in having a “clean slate” from which to move forward, HHS also clearly communicated its position that providers should have been taking compliance steps ever since the underlying regulations became effective in 2021. Thus, to the extent providers have not yet grappled with the implications of these regulations, the first set of “teeth” have been established, and providers would do well to include a review of these requirements in their compliance endeavors.

Overview of Finalized Disincentives

The Final Rule largely follows the Proposed Rule in its establishment of disincentives that operate as reductions of payments under certain Medicare payment programs. These disincentives, detailed in the table below, will be effective 30 days after publication of the Final Rule.

As with the Proposed Rule, there remains a swath of providers who will not be subject to the newly established disincentives, as they do not participate in the applicable Medicare payment programs. However, CMS and ONC have signaled that additional disincentives may be established in the future to address noncompliance by such providers.

Practical Application and Risk Areas

Practical understanding around risk areas will continue to develop as we begin to see enforcement of the requirements. The “knowledge” threshold for providers under the regulations establishes that, in order to commit information blocking, a provider must “know” that such practice is “unreasonable” and is “likely” to interfere with access, exchange, or use of electronic health information. OIG expects to use four priorities to inform decisions about which information blocking allegations to pursue. Specifically, those which:

1. 1. resulted in, are causing, or have the potential to cause patient harm;
   2. significantly impacted a provider’s ability to care for patients;
   3. were of long duration; and
   4. caused financial loss to federal healthcare programs or other government or private entities.

ONC will publicly post information about actors that have been determined to have committed information blocking and, in the case of healthcare providers, have been subject to a disincentive. As the body of examples begins to build, the threshold for what providers are expected to know will be a moving target.

Also, a number of the exceptions to information blocking are predicated on clearly defined policies and processes being established internally at the provider organization, in advance, or in making determinations around a specific information sharing request on a case-by-case basis, which may be burdensome. Thus, providers may face risk in their ability to put forth a defense to information blocking if their policies and procedures are not tailored with such defensive posture in mind.

Takeaways and Compliance Tips

The premise of avoiding information blocking may seem straightforward, but the practical application is vastly complex, especially in light of the rapidly evolving regulatory landscape around health information privacy, emerging technologies, and the reversal of the historic policy and compliance approach that has been entrenched in industry thinking regarding protection of health data for decades. Systems and processes that were created under the long-established premise of “do not disclose unless required” may not function to support compliance with the inverted approach required by the information blocking regulations of “must disclose unless excepted.”

Providers should remain diligent for continued legal developments, as well as enforcement of the information blocking regulations. ONC makes data available regarding reports of alleged information blocking to date. Notably, the vast majority of such reports have cited a healthcare provider as the potential actor.

Providers should proactively review and tailor policies and procedures as necessary and stand ready to take responsive action should they receive a complaint or notice of investigation from OIG. This will require coordination among departments, including IT, compliance, and legal, to ensure that the functions are aligned in their approaches, especially in light of competing regulatory pressures of the information blocking regulations versus other health data privacy frameworks such as HIPAA.

For more information, please contact AGG Healthcare partner Madison Pool.

[1] Note, CMS has clarified that if an individual eligible clinician is found to have committed information blocking, the disincentive under the MIPS Promoting Interoperability performance category will only apply to the individual, even if they report as part of a group.

[2] CMS also finalized that it will consider the relevant facts and circumstances (e.g. time since the information blocking conduct, the healthcare provider’s diligence in identifying and correcting the problem, whether the provider was previously subject to a disincentive in another program, etc.) before applying a disincentive under the Shared Savings Program.