By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure – #HCdeJure
At the end of June 2023, the HHS Office for the Inspector General announced the finalization of the first civil monetary penalties for failing to comply with information blocking requirements. The OIG rule has been a relatively long time coming with a fair amount of hopes also being attached to the rule. Will the possibility of enforcement make a difference though? Oftentimes the ability for penalties to be imposed is viewed as a driver of compliance based on the argument that entities will toe the line to avoid being forced to pay a fine to the government.
Determining the accuracy of that argument will be informed quite a bit by the details of the final rule. The OIG provides a good summary of the rule, which is important to run through before considering the potential results.
Details of the Final Rule
Who does the final rule apply to? That is an important question because the OIG clearly notes that it does not apply to healthcare providers. A rule to impose penalties on providers is still being worked on by the Department of Health and Human Services. The soon to be finally published rule applies to the following entities:
- Health IT Developers of Certified Health IT;
- Entities offering Certified Health IT;
- Health Information Exchanges; and
- Health Information Networks.
The list of entities potentially facing a civil monetary penalty is quite short and defined. The list also probably does not include an entity that will be top of mind for any individual being improperly denied access to their information. While the idea of a health IT developer or an entity offering health IT could seem broad, the qualifier of “certified health IT” narrows the scope. For most intents and purposes, certified health IT is mostly focused on electronic health records. That is appealing since the bulk of patient information can usually be found in an EHR, but if information is not provided the developer of the EHR is unlikely to come to mind for the individual. As already suggested, the provider or other entity using the EHR will come to mind. Optimistically, a rule for providers will follow shortly to provider more recourse.
What conduct will be subject to enforcement? Following the standard for rules, the final rule will not become effective until 60 days after actual publication. The announcement at the end of June 2023 was just that the rule was submitted for publication. That means it is not yet clear when the rule will actually become effective.
While the effective date is still pending, the real impact to track is that the rule will not be applied retroactively to prior conduct. That means only alleged information activities that occur following the effective date will be subject to enforcement. That makes sense but also means that any currently existing complaints cannot be raised. While paying attention to the effective date will rest on the entities subject to the rule, it also pessimistically can translate to determining the runway when potentially non-compliant behavior can run until.
What alleged violations will the OIG prioritize? The OIG provides a list of activities anticipated to cause a complaint to rise up closer to the top of what is expected to be a large pile. While not a binding list, the following priorities should be taken as pretty clear guiding principles:
- Result in, is causing, or had the potential to cause patient harm;
- Significantly impacted a provider’s ability to care for patients;
- Was of long duration;
- Caused financial loss to federal healthcare programs or other government or private entities; or
- Was performed with actual knowledge.
The list of priorities does seem straightforward and aligned with expectations. Patient harm being at the top is appropriate. Further, the OIG’s explanation that patient harm doesn’t necessarily mean direct patient harm, but could lead to it and be broadly interpreted is also beneficial. That could tie into the second priority as impacting the ability to provider care could certainly lead to patient harm. However, there is also a bit of an implication that an individual will not be the one to bring the complaint or identify the issue. That would align with the entities subject to this enforcement rule.
The priorities are also arguably quite broad and may not actually narrow down the complaints that will receive attention right away. Time will tell as to the exact approach used by the OIG to sort through the volume of complaints coming in.
Will Compliance Grow?
The real question is whether compliance will grow or become more apparent among the entities subject to the rule. That may be a bit difficult to measure, but could be seen through actions when compared to the specifics set out in the information blocking rule. That is a bit vague, which is likely the best that can be said at the moment.
Arguably a larger a more determinative factor will be how frequently the OIG imposes a penalty and the amount of each penalty. If enforcement is infrequent or penalties low or varied, then the rule may not drive as much change as hoped for. As always, there are a number of factors that go into the decision of how closely to adhere to the specific requirements contained in a regulation.
The Road Ahead
As already implied, the road ahead for information blocking compliance remains without any clear change. Enforcement and the potential impact will take time to occur. Nothing ever happens overnight in healthcare and the new rule will be no different.
This article was originally published on The Pulse blog and is republished here with permission.