New Data Blocking Fines in HealthTech
The Department of Health and Human Services (DHHS) channeled Dr. Evil from the Austin Powers movie franchise when announcing that data blocking fines could yield up to $1 million in civil monetary penalties.
Effective September 1, 2023, DHHS’ Office of Inspector General (OIG) now has authority under the 21st Century Cures Act to fine the following types of entities for failing to ensure that patients and providers can access electronic health records:
1. Certified health information technology providers (“Health IT”);
2. Health information exchanges; and
3. Health information networks.
According to the OIG’s final rule, it looks to stop Health IT developers and others from engaging in any practice that is likely to interfere with access, exchange, or use of electronic health information (EHI). The OIG has six years from the infraction to implement the fine.
These penalties do not just apply to intentional violations of the OIG’s rule against information blocking. These penalties apply to any of the regulated entities that “know, or should know, that such practice is likely to interfere with access, exchange, or use of EHI[.]” Health care providers may be subject to fines if the provider knows that a practice is unreasonable and likely to interfere with access, exchange, or use of EHI, thereby acting as a Health IT developer or network. Exceptions to these rules primarily apply to specially protected health information such as psychotherapy notes and information compiled in anticipation of litigation, administrative, or criminal proceedings.
OIG attributes its aggressive posture to the desire to prohibit conduct that (1) may result in, is causing, or has the potential to cause patient harm; (2) significantly impacted a provider’s ability to care for patients; (3) was of long duration; (4) caused financial loss to Federal health care programs, or other government or private entities; or (5) was performed with actual knowledge.
The new civil monetary penalties and Cures Act further encourage various agencies of the U.S. Government to collaborate in investigating and enforcing information blocking and associated crimes.
Indeed, the Department of Justice warns that illegal information blocking may create “False Claims Act” violations, requiring criminal investigations. Specifically anticipated by the DOJ is a Health IT provider providing false attestations in support of their client’s compliance efforts with the Office of the National Coordinator for Health IT’s (ONC) Health IT Certification Program.
The Cures Act further gives the ONC express authority to share its investigations into data blocking with the Federal Trade Commission (FTC), if such investigations produce concerns over anti-competitive or deceptive conduct. Although duplicative penalties are prohibited, penalties imposed for information blocking do not prohibit another agency from imposing penalties for separate crimes or civil violations such as False Claims Act or FTC Act violations.
Many health care providers and Health IT developers have no intention of blocking any patient from accessing their electronic health records or prohibiting another provider from referencing a colleague’s notes in order to provide optimum care. However, the absence of intention does not negate the actual occurrence.
Unfortunately, the data blocking rule may confront cybersecurity concerns that inhibit, for HIPAA-compliance purposes, the sharing or viewing of electronic health records. For example, if one provider needs to review medical records of a shared patient with another provider, but the other provider utilizes an untrusted interface, the connection may be blocked.
The Final OIG rule acknowledges that there remain several unanswered questions in the enforcement of the data blocking protections. It is anticipated that additional advisory guidance is forthcoming.