OIG Seeks Comment on Key Enforcement Parameters and Deadlines For Information Blocking; HHS Delays Enforcement

The HHS Office of the Inspector General (OIG) published proposed regulations in the Federal Register on April 24, 2020 regarding its civil monetary penalty (CMP) enforcement authority under the new information blocking rules (the “OIG Proposed Rule”). Information blocking is a practice by certain “actors” that, among other things, is likely to interfere with access, exchange, or use of electronic health information. As discussed below, the OIG is specifically seeking comment on when OIG will commence enforcement of the information blocking rules, and on what would constitute a “single violation” for purposes of determining appropriate penalties. Interested parties may submit comments on the OIG Proposed Rule, which are due by June 23, 2020. 

On May 1, 2020, the final rules from the Office of the National Coordinator for Health IT defining the “information blocking” prohibition: 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program (“ONC Final Rule”) will be published in the Federal Register. On the same date, the Centers for Medicare & Medicaid Services will publish the companion Interoperability and Patient Access Rule (“CMS Final Rule”). In light of the COVID-19 public health emergency, the respective agencies delayed key compliance deadlines for portions of these final rules (which we summarize in this enforcement deadline chart). We also note that formal publication of these final rules in the Federal Register will occur almost two months after they were initially announced. We summarize the impact of the changed deadlines after our analysis of the OIG Proposed Rule below. 

In addition, we note that this alert, as well as prior alerts regarding the ONC Final Rule and CMS Final Rule are available on our recently launched “Health Data” page, which provides a one-stop resource for our Digital Health team’s insights on federal laws, regulations, and policies impacting health data privacy, patient access, interoperability and information blocking.

OIG Proposed Regulation Establishing Penalties for Violations of Information Blocking

Statutory Information Blocking Enforcement Authority

Section 3022(b)(1) of the Public Health Service Act (PHSA), as created by section 4004 of the 21st Century Cures Act (“Cures Act”), authorizes OIG to investigate claims of information blocking by individuals and entities described in sec. 3022(a) of the PHSA, including HIEs, HINs, and health IT developers. Section 3022(b)(1) also authorizes OIG to investigate claims that health IT developers or other entities offering certified health IT have submitted false attestations under the ONC Health IT Certification Program. Most significantly, section 3022(b)(2)(A) authorizes the HHS Secretary to impose CMPs of up to $1 million per violation. 

Actors Subject to CMPs

The Cures Act granted the OIG authority to impose CMPs on HIEs, HINs, and health IT developers or other entities offering certified health IT. But with respect to health care providers that are also subject to the information blocking provisions, the OIG only has statutory authority to refer them to the appropriate agency for “appropriate disincentives using authorities under applicable Federal law” – such disincentives will be set forth in future notice and comment rulemaking from the HHS Secretary.

Key Definitions – Opportunity to Comment on What Constitutes a “Violation”

The OIG Proposed Rule incorporates the regulatory definitions and exceptions set forth in the ONC Final Rule at 45 C.F.R. Part 171, including the definitions of information blocking, HIE, HIN, and health IT developer as the basis for imposing CMPs and determining the amount of penalty imposed. 

The most important definition for purposes of the OIG Proposed Rule on information blocking is “violation.” If finalized as proposed, a “violation” would be defined as “each practice that constitutes information blocking” (emphasis added). The OIG Proposed Rule provides several examples of practices that would constitute a single violation to provide an understanding of how such determinations would be made.

The examples OIG provides in the proposed rule suggest that the determining factor for quantifying the number of violations generally is the information blocking practice itself and not the number of patients affected. For example, if a health IT developer disables another health IT developer’s ability to exchange information using a certified application program interface (API), the practice of disabling API access would constitute a single violation.

We note that the number of patients affected by the practice would be considered by the OIG when determining the penalty amount. Further, the OIG proposes to consider additional factors impacting the amount of the CMP, as described below.

Enforcement Priorities and CMP Amount Determinations

The agency stated that its enforcement priorities related to information blocking will focus on conduct that:

• resulted in, is causing, or had the potential to cause patient harm;
• significantly impacted a provider’s ability to care for patients;
• was of long duration;
• caused financial loss to Federal health care programs, or other government or private entities; or
• was performed with actual knowledge.

OIG notes that it does not have the authority to pursue enforcement of the information blocking rules against actors where the intent of such actors do not meet the “know[s] or should know” standard stated in the PHSA. This should assure actors subject to the information blocking rules that “innocent mistakes” would not be subject to penalty.

When determining the dollar amount for a CMP due to an information blocking violation, PHSA § 3022(b)(2)(A) mandates that the OIG “consider factors such as the nature and extent of the information blocking and the harm resulting from such information blocking, including, where applicable, the number of patients affected, the number of providers affected, and the number of days the information blocking persisted.” The OIG is proposing to codify these statutory factors, but is soliciting comments on any additional factors it should consider in determining the amount of information blocking CMPs, as well as examples of specific information blocking-related conduct that should warrant higher or lower penalty amounts from the OIG.

Enforcement Deadline – Opportunity for Comment

As currently proposed, the OIG Proposed Rule states that enforcement related to the information blocking rules would not begin sooner than the compliance date for the ONC Final Rule established in 45 C.F.R. § 171.101(b) – November 2, 2020. This is the deadline by which actors subject to the information blocking requirements at 45 C.F.R. Part 171 must be in compliance with the ONC Final Rule. OIG has proposed to begin enforcement 60 days after its own rule is final in order to provide actors with more lead time for information blocking compliance activities without fear of penalties from the OIG. However, OIG is seeking comment on an alternative proposal for the effective date – establishing a specific date of October 1, 2020 for information blocking enforcement to begin. Given that OIG states that enforcement of information “would not begin sooner than the compliance date of the ONC Final Rule” – which is November 2, 2020, it’s unclear what the benefit would be of an October 1, 2020 enforcement effective date. The OIG is interested in comments on potential effective dates and explanations on why parties would need a longer or shorter time period to come into compliance with the ONC Final Rule – whether it is sooner or later than October 1, 2020. More broadly, the OIG’s press release encourages commenters to submit information regarding how the COVID-19 pandemic and other considerations should affect information blocking enforcement time frames.

Coordination with Other Agencies

In order to minimize potential duplication of penalty structures that may apply to conduct violating the information blocking rules, the OIG plans to closely coordinate with other agencies in the pursuit of appropriate enforcement. For example, instead of possibly referring information blocking claims to ONC for separate, but related, enforcement under the PHSA, the OIG may refer them to HHS’s Office of Civil Rights “if a consultation regarding the health privacy and security rules promulgated under sec. 264(c) of HIPAA would resolve [it].” The OIG is not limiting its coordination to HHS sub-agencies and offices – it also references the Department of Justice and the Federal Trade Commission as possible partners in coordinating enforcement of information blocking allegations. Actors subject to the rules will need to account for all of these agencies’ enforcement authorities when developing and implementing their information blocking compliance mechanisms.

As we will discuss in a separate alert, the OIG Proposed Rule also includes provisions related to CMPs, assessments, and exclusion authorities related to misconduct regarding HHS grants, contracts and other agreements, and increases maximum CMPs for certain types of violations subject to OIG enforcement as required by the Balanced Budget Act of 2018.

ONC 21st Century Cures Act and CMS Interoperability and Patient Access Final Rules – Implementation Delays and Enforcement Discretion

On April 21, 2020, the ONC and CMS Final Rules were posted on the Federal Register website, with a stated official publication date in the Federal Register of May 1, 2020 for both rules. ONC and CMS simultaneously announced a policy of enforcement discretion with respect to these rules in order to allow compliance flexibilities on implementation of the rules in response to the COVID-19 public health emergency.

Updated Timelines in ONC Cures Act Final Rule

The ONC Final Rule implemented provisions in Title IV of the 21st Century Cures Act, including the agency’s policies for the new legal prohibition against information blocking, as well as updates to the Health IT Certification Program to enhance interoperability of EHI. The ONC Final Rule was first made available unofficially on the ONC’s website on March 9, 2020.

In response to the COVID-19 crisis, ONC has announced that it will exercise enforcement discretion for three months after the stated compliance dates and timelines for all new requirements under 45 CFR Part 170 (certification program changes). Many existing compliance dates and timeframes are based on the final rule publication date, which is now confirmed to be May 1, 2020.

Key Provisions	Original Compliance Date/Timeframe	Enforcement Discretion Date/Timeframe
Conditions of Certification (CoC) – Information Blocking	November 2, 2020 (6 months after final rule publication in the Federal Register)	February 2, 2021 (3 months after the compliance timeframe)
CoC -- Assurances – Will not take any action that constitutes information blocking or action that inhibit access, exchange, and use of EHI	November 2, 2020 (6 months after final rule publication in the Federal Register)	February 2, 2021 (3 months after the compliance timeframe)
CoC – Assurances – EHI Export Rollout	May 2, 2023 (36 months after final rule publication in the Federal Register)	August 2, 2023 (3 months after the compliance timeframe)
CoC – Application Programming Interface (API) – Rollout of new standardized API functionality	May 2, 2022 (24 months after final rule publication in the Federal Register)	August 2, 2022 (3 months after the compliance timeframe)

A more detailed description of ONC Final Rule enforcement discretion dates and timeframes is available here.

Updated Timelines in CMS Interoperability and Patient Access Final Rule

The CMS Final Rule used CMS’s authority to advance interoperability and patient access to electronic health information by imposing standards-based API access and use requirements on CMS-regulated payers specified in the statute. The Patient Access Rule also finalized important Medicare Conditions of Participation (CoPs) requiring the transmission of electronic Admission, Discharge, and Transfer (ADT) notifications by Medicare- participating providers, including hospitals, psychiatric hospitals, and certain Critical Access Hospitals (CAHs). As with the ONC Final Rule, the Patient Access final rule was first posted on CMS’s website on March 9, 2020, and now the official publication date in the Federal Register is set for May 1, 2020.

In response to the COVID-19 crisis, CMS announced a new implementation timeline for the ADT notification CoPs for Medicare hospitals, and six months of enforcement discretion in connection with the Patient Access and Provider Directory API provisions for CMS-regulated payers.

Provision	Who is Affected	Original Compliance Date/Timeframe	Effective or Enforcement Discretion Date/Timeframe
ADT CoPs	Medicare providers, including hospitals, psychiatric hospitals, and most Critical Access Hospitals	November 2, 2020 (6 months after final rule publication in the Federal Register)	May 2, 2021 (12 months after final rule publication in the Federal Register)
Patient Access API	CMS-regulated payers, including Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges	January 1, 2021	July 1, 2021 (6-month enforcement discretion)
Provider Directory API	CMS-regulated payers, including Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges	January 1, 2021	July 1, 2021(6-month enforcement discretion)

CMS explicitly stated that other policies contained in the CMS Final Rule will be implemented and enforced on schedule.

Conclusion

We recommend that HIEs/HINs and certified health IT developers pay particular attention to the OIG Proposed Rule because of the significant CMPs at issue. It will be important for these “actors” and other stakeholders to comment on the desired enforcement deadline – particularly because the alternative effective date of October 1, 2020 that OIG proposed would come before the November 2, 2020 date on which ONC requires compliance for its own requirements. The October 1, 2020 effective date proposal adds confusion to the enforcement timeline and appears not to benefit “actors” subject to information blocking rules. Furthermore, actors and other healthcare entities should submit comments on whether the definition of “violation” is narrow enough to not be unduly punitive while sufficiently deterring information blocking practices. Entities also may wish to weigh in on appropriate factors the OIG should use to determine penalty amounts.

Health care providers may supply their own input on the foregoing issues, but otherwise, they are essentially in limbo until proposed rules for notice and comment are issued regarding the appropriate disincentives that providers would be subject to as a result of information blocking violations. 

Even with these delays, all entities subject to the ONC and CMS Final Rules should begin thinking about and developing plans for compliance with these rules as compliance requires significant changes in practices of health care providers, health plans, health information networks and certified health IT developers. The ONC and CMS Final Rules may also impact negotiations by entities that seek access to electronic health information from those who are required to comply with these rules. Our team is available to assist with regulatory interpretation and compliance efforts and can advise on responses to the OIG Proposed Rule.