Info blocking enforcement for health IT entities begins Sept. 1, brings fines of up to $1M per violation

Enforcement of information blocking penalties for health IT entities is slated to go into effect on Friday, opening the door to penalties of up to $1 million per violation.

The breakdown of how exactly the Department of Health and Human Services (HHS) Office of Inspector General (OIG) will prioritize what it expects to be a deluge of information blocking complaints was posted by the regulator in late June.

OIG will begin considering complaints of information blocking conduct—speaking broadly, practices that interfere with access, exchange or use of electronic health information—that occur on Sept. 1 or later, per the rule.

Four types of entities will be subject to a penalty: health IT developers of certified health IT, entities offering certified health IT, health information exchanges and health information networks.

Information blocking conduct that occurred before Sept. 1 will not incur a civil monetary penalty, according to OIG. Additionally, HHS is currently developing a separate rule to establish specific disincentives for healthcare providers that do not meet the four types of entities subject to the Sept. 1 enforcement.

“OIG expects that it will receive more information blocking complaints than it can investigate,” the office wrote in an online notice.

In order to “triage allegations and allocate resources,” OIG said in the final rule and on its website that it will be prioritizing investigations of cases that:

  • Resulted in, is causing or had the potential to cause patient harm
  • Significantly impacted a provider's ability to care for patients
  • Were of long duration
  • Caused financial loss to federal healthcare programs or other government or private entities
  • Were performed with actual knowledge

Should an complaint lead to a full investigation, OIG said it may choose to consult the Office of the National Coordinator for Health IT alongside interviews, document requests and other fact gathering.

Entities subject to an open information blocking case are given an opportunity to discuss the investigation with OIG and, if necessary, appeal the imposition of a civil monetary penalty.

As for the potential fines themselves, “the penalty amount will be based on a case-specific application of each identified aggravating and mitigating factor,” OIG wrote in the June rule. “… We would expect that the maximum penalty of $1 million per violation would apply to particularly egregious conduct.”

June’s enforcement playbook builds on the two final rules published back in 2020 that set the standards for what conduct constitutes information blocking but lacked specific penalties. Congress instructed HHS in the 21st Century Cures Act to establish the information blocking rules to improve patients’ access to health information.

While this week’s enforcement deadline is limited to health IT entities, the looming crackdown on healthcare providers is likely a tougher nut for the industry to crack.

Providers have historically had a tough time falling in line with information blocking requirements. In late 2022, several provider and provider technology groups pushed back on expanded compliance requirements that went into effect on Oct. 6 and the administration’s info blocking compliance deadlines, warning of “significant knowledge gaps” among their memberships.