Are there penalties for information blocking?

Yes, there are penalties for information blocking. The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has the power to impose civil money penalties (CMPs) on individuals or entities that engage in information blocking.

Information blocking violations 

According to the final rule 88 FR 42820 issued by the OIG, “In the context of information blocking, the Cures Act authorizes CMPs for any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (EHI) if the practice is conducted by an entity that is: a developer of certified health information technology (IT); offering certified health IT; a health information exchange (HIE); or a health information network (HIN) and the entity knows or should know that the practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.”

For example, if a health tech company does one thing that blocks information for many patients, that's counted as one violation. But if they keep doing different things to block information for different people, each violation is separate. The OIG can fine these violators up to $1 million for each time they block information. This rule mainly applies to companies that make health tech software and those that help share health information. The idea is to make sure that health information is always available when needed.

See also: HIPAA Compliant Email: The Definitive Guide

Who is subject to these penalties under the OIG Final Rule?

1. Health IT developers: These are companies that create health technology like software for hospitals and clinics.
2. HIEs: These are organizations that help different healthcare providers, like hospitals and doctors, share patient information with each other.
3. Health Information Networks (HINs): These are systems that connect different health organizations so they can exchange health information.

See also: What is a covered entity?

The basis for information blocking 

The basis for civil money penalties, as outlined in section 1003.1410, is straightforward. If a company or organization involved in healthcare IT is found to be blocking information – which means they're stopping or interfering with the sharing of health information – they can be fined. This rule is especially for those who make health software or are part of networks that share health data. The idea is to make sure they don't prevent doctors, hospitals, and patients from getting the health information they need.

The rule explains how the exact amount of the penalty is determined. When deciding on the fine, several things are considered. These include how big the information blocking issue is, how many patients and doctors were affected, and how long the blocking went on. The more people affected and the longer the blocking lasts, the higher the fine. 

The penalties

1. For false or fraudulent claims (§ 1003.700(a)(1)): The OIG can impose a penalty of up to $10,000 for each specified claim that a person knowingly presents or causes to be presented under such grant, contract, or other agreement, knowing it to be false or fraudulent.
2. For false statements, omissions, or misrepresentations (§ 1003.700(a)(2)): If a person knowingly makes, uses, or causes to be made or used any false statement, omission, or misrepresentation of a material fact in a required document for funding, the penalty can be up to $50,000 for each occurrence.
3. For false records or statements related to claims (§ 1003.700(a)(3)): The OIG may impose a penalty of up to $50,000 for each false record or statement made or used in relation to a false or fraudulent specified claim.
4. For false records or statements related to obligations (§ 1003.700(a)(4)): In cases where a false record or statement is made or used related to an obligation to pay or transmit funds or property, or where such an obligation is concealed, avoided, or decreased, the penalty can be up to $50,000 for each false record or statement, or up to $10,000 for each day of concealing, avoiding, or decreasing the obligation.
5. For failure to grant timely access (§ 1003.700(a)(5)): If a person fails to grant timely access to the Inspector General upon reasonable request for audits, investigations, or other statutory functions, the penalty can be up to $15,000 for each day of the failure.

See also: 2023 HIPAA civil monetary penalty adjustments

FAQs

Are there any protections for whistleblowers who report information blocking?

Yes, there are laws in place to protect whistleblowers from retaliation when they report information blocking.

Can penalties be imposed for not sharing health information even if it’s not electronic?

No, the penalties for information blocking specifically address the blocking of electronic health information.

What is the role of the Office of the National Coordinator for Health Information Technology (ONC) in information blocking?

The ONC sets the regulations and exceptions for what constitutes information blocking, which are used by the OIG to enforce penalties.