- The 21st Century Cures Act already establishes the penalties that will apply to Actors that engage in prohibited Information Blocking
- ONC will exercise enforcement discretion and not assess penalties until CMP rules are final, however compliance by April 5, 2021 is still required
- ONC already maintains a live webpage and portal through which anyone can report information blocking to them
Subscribe to HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with Information Blocking, HIPAA, 42 CFR Part 2, and much more.
The deadline for compliance with the Information Blocking Rule (IBR) is just twelve (12) days away! I am certain that all the Actors are working feverishly and diligently to come into compliance with these new requirements by this fast-approaching date. On the bright side, I suppose that we can all be relieved that ONC did not stick with its original deadline date of November 2, 2020. However, even with the extra time Actors may still be scrambling to get all of their ducks in a row by April 5, 2021. So, what are the actual consequences if everything is not “buttoned-up” in time?
First, it’s worth pointing out that the 21st Century Cures Act already establishes the penalties that will apply to Actors that engage in prohibited Information Blocking. They are codified in 42 U.S.C. §300jj-52(b)(2), which provides the following:
(2) Penalties
(A) Developers, networks, and exchanges
Any [HIE, HIN or developer of certified health IT] that the Inspector General, following an investigation conducted under this subsection, determines to have committed information blocking shall be subject to a civil monetary penalty determined by the Secretary for all such violations identified through such investigation, which may not exceed $1,000,000 per violation. Such determination shall take into account factors such as the nature and extent of the information blocking and harm resulting from such information blocking, including, where applicable, the number of patients affected, the number of providers affected, and the number of days the information blocking persisted.
(B) Providers
Any [health care provider] determined by the Inspector General to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary sets forth through notice and comment rulemaking.
Therefore, Actors already generally know the consequences for engaging in prohibited information blocking practices. What we are waiting for are regulations that lay out the details of how such penalties will be assessed and give the Office of Inspector General (OIG) authority to begin enforcement.
On April 24, 2020, the OIG published a Proposed Rule for assessing civil monetary penalties (CMPs) against HIEs, HINs, and developers of certified health IT for violation of the IBR. Although a final rule has not yet been released, we are soon approaching the 1-year mark from publication of the proposed rule — and so a final rule could be imminent. Once a final rule is published, generally it is effective no less than 30 days after the date of the publication in the Federal Register. Therefore, if the final rule is published with the next month or two, this means that OIG would be poised to begin assessing CMPs against HIEs/HINs and developers of certified health IT not long after the April 5, 2021 IBR compliance date. In light of this, this group of Actors in particular should be working quickly and diligently to ensure their compliance with the IBR.
With regard to enforcement against health care providers, we have not even seen a proposed rule introduced. This means that health care providers do not know what penalties will be imposed on them. In its proposed rule, ONC requested information from the public on what “appropriate disincentives” should be. The comments submitted ranged from recommending that CMPs also be imposed against health care providers, to merely requiring corrective action with no other consequence. ONC noted on pages 25900-25901 of the final IBR that it has “shared all the comments received with the appropriate agencies and offices within the Department for consideration in subsequent rulemaking.” Thus, health care providers will have to be patient to wait and see what will be proposed.
As far as what happens between the time period between April 5, 2021 and the date upon which a final rule for enforcement goes into effect, there will be no enforcement. Specifically, ONC stated the following multiple times in its Preamble to the final IBR:
“Enforcement of information blocking civil monetary penalties (CMP) in section 3022(b)(2)(A) of the PHSA will not begin until established by future notice and comment rulemaking by OIG. As a result, actors would not be subject to penalties until CMP rules are final. At a minimum, the timeframe for enforcement would not begin sooner than the compliance date of the information blocking section of this final rule (45 CFR part 171) and will depend on when the CMP rules are final. Discretion will be exercised such that conduct that occurs before that time will not be subject to information blocking CMP. 85 Fed Reg at 25649, 25789, 25793 & 25890, (May 1, 2020) (emphasis added).
However, ONC also specifically noted:
“Individuals and entities are subject to the information blocking regulations and must comply with this rule as of the compliance date of this provision.” 85 Fed Reg at 25789 (May 1, 2020).
So, what does all this mean?
To start, all Actors should continue to work towards complying with the IBR by April 5, 2021. However, for a number of reasons, there is definitely a higher sense of urgency for HIEs, HINs, and developers of health IT. Remember, HIEs, HINs and developers of health IT have a higher knowledge standard so that if they “should know” that an adopted or implemented practice results in prohibited information blocking, they could be found noncompliant. This suggests that these Actors in particular have a duty to proactively take steps to identify and correct any noncompliant practices by April 5, 2021, as well as remain compliant thereafter. Additionally, since the OIG has already published a proposed rule for assessing CMPs against these types of Actors, a final rule is likely to be in play much sooner than for health care providers.
Health care providers appear to potentially have slightly more breathing room. To start, this type of Actor must actually know that they have adopted a practice that results in prohibited information blocking. Nevertheless, health care providers could be presumed to know about a prohibited practice if it has been adopted as an organizational policy, or reflected in contractual language. Therefore, health care providers should be reviewing and updating such policies and contracts as necessary. That said, ONC has been expressly clear that it will exercise enforcement discretion and not assess penalties against Actors until final rules are published. While it is technically possible for an agency to bypass issuing a proposed rule and go straight to the final rule, that would be surprising here. As such, it is likely (but not guaranteed) that health care providers will have some additional time before they will be faced with actual penalties (i.e., “appropriate disincentives”) for engaging in prohibited information blocking practices.
In the meantime, all Actors should be aware that even absent actual assessment of penalties, the ONC already maintains a live webpage and portal through which anyone can report information blocking to them. So, during the period that ONC may not be actively enforcing against Actors for information blocking, they are still able to collect complaints and reports though such portal – which is not a “list” any Actor wants to land on.