How Not to Lose $1 Million: Preparing for OIG’s Information Blocking Enforcement

Guest post by Alya Sulaiman and James A. Cannatti III, Partners with McDermott, Will & Emery LLP

On Sept. 1, 2023, the HHS Office of Inspector General (OIG) began enforcing rules against information blocking in healthcare – authority it was granted under the 21st Century Cures Act – putting certified health IT developers, HINs, and HIEs at risk of civil monetary penalties (CMPs) of up to $1 million for each confirmed violation. (Ultimately, healthcare providers will also be subject to disincentives for information blocking not yet published by HHS.) The EHR Association’s membership is committed to preventing information blocking and supporting efforts to share electronic health information (EHI) to better patient care. Part of that is arming impacted health IT developers with as much information as possible to help them – and by extension, their customers – comply with current and future regulations to help protect themselves from potentially crippling penalties.

This guest blog is the Association’s latest effort to ensure our members are prepared for every element of information blocking compliance. It follows a presentation on preparing for OIG’s initiation of information blocking enforcement by Alya Sulaiman and James A. Cannatti III at our August General Membership meeting and the Association’s publication earlier this year of Good Information Sharing Practices. The latter offers a practical list of proactive actions health IT developers can take to demonstrate strong support for access, use, and exchange of health information and compliance with information blocking regulations.

These efforts are the result of our ongoing collaboration with stakeholders across the industry to address regulatory questions and further information exchange – work that will continue as progress toward ubiquitous safe, secure, and appropriate patient access to and use of health information continues.

—Leigh Burchell (Altera Digital Health), Vice Chair, EHR Association Information Blocking Compliance Task Force

OIG’s long-awaited final rule on investigating and imposing penalties for information blocking dropped in July 2023 and is effective as of Sept. 1, 2023 – almost three years after OIG released its proposed rule (April 2020) and two years after the start of information blocking compliance on April 5, 2021. The final rule codifies OIG’s authority to investigate information blocking complaints, including against developers of certified health IT and health information networks/health information exchanges (HIN/HIEs), and assess CMPs of up to $1 million per violation. 

OIG defined a “violation” as a practice that constitutes information blocking as set forth in ONC’s information blocking regulations—a broad definition that is important because each distinct act or omission could be subject to a separate $1 million CMP. OIG also provided examples of what it would consider constituting a single violation versus multiple violations subject to multiple CMPs:

  • Single Violation: A certified health IT developer denies a single request by a healthcare provider to receive multiple patients’ EHI via an API and no legal requirement or information blocking exception applies. OIG would consider this a single violation even though it would result in preventing access to multiple patients’ EHI.
  • Multiple Violations: A certified health IT developer takes multiple separate actions to improperly deny multiple individual requests by a healthcare provider for EHI through an API. Each separate action would be considered a separate violation.

OIG has stated that while it does not intend to impose CMPs on conduct that occurred before Sept. 1, 2023, it may consider a regulated entity’s behavior from the April 2021 compliance date onwards in deciding if alleged information blocking conduct was part of a pattern of behavior. Other factors OIG anticipates considering when deciding penalty levels include the nature, circumstances, and extent of the information blocking and resulting harm, including the number of patients and/or providers affected and the number of days the information blocking persisted. OIG will also consider other factors, such as the degree of culpability, history of prior offenses, and other wrongful conduct.

When deciding whether to pursue a particular information blocking allegation, OIG indicated that it plans to prioritize enforcement for actions that:

  • Resulted in/had the potential to cause patient harm;
  • Significantly impacted providers’ ability to care for patients;
  • Are of long duration;
  • Caused financial loss to Medicare, Medicaid, or other federal healthcare programs or private entities; and
  • Were performed with actual knowledge.

Each allegation will require a facts and circumstances analysis, which OIG will conduct in coordination with ONC and other federal agencies as appropriate. Further, while OIG’s enforcement priorities may inform its decisions about which allegations to investigate, OIG states that the priorities are not dispositive, meaning it can investigate any allegations it chooses.

The Investigation Process

Information blocking complaints can be submitted through several channels, including OIG’s hotline and ONC’s “Report Information Blocking Portal.” Investigations will involve, at a high level, two phases. First is the non-public phase, during which OIG is working behind the scenes to assess the allegations. If it determines that the accusations are credible and worth pursuing, then the investigation enters the overt phase, during which OIG agents or attorneys begin gathering additional information, including conducting interviews with existing or former employees or contractors, potential witnesses, and potentially even customers. 

The start of the overt phase is likely the first inkling a health IT developer or HIN/HIE will have that they are under investigation for an information blocking violation, as they may begin hearing from individuals who have been contacted by the OIG. They may also receive subpoenas or formal requests for customer agreements, policies and procedures, emails, or other correspondence relevant to the allegations.

It’s important to engage counsel early to develop a strategy for dealing with not only OIG, but also any other agencies with which it is coordinating during the investigation. An attorney can act as a buffer with OIG, but more importantly, can work with the government to determine the flow of information and manage document production. The attorney may also be able to ascertain the government’s primary areas of concern to help focus resources and inform defense strategies.

As for the final resolution, the best-case scenario is that the case is closed with a finding that no information blocking violation occurred. If that doesn’t happen, the options are to try to negotiate a settlement or see the investigation through and pay or appeal any CMPs that may be levied.

Action Items

In this new era of enforcement, there are several key action items that health IT developers and HIN/HIEs should undertake to be in a better position to defend themselves and demonstrate a thoughtful approach to their information sharing activities. 

One of the most urgent action items is to review policies, procedures, contract terms, fee structures, and practices affecting access, exchange, or use of EHI and update them as necessary to ensure compliance and consistency with ONC’s information blocking regulations and related laws (e.g., HIPAA, ONC Health IT Certification Program, state laws, etc.).

Public statements and documentation regarding a company’s position on health information access and exchange and/or describing a commitment to health information sharing (e.g., the EHR Code of Conduct) should also be reviewed, updated, or created as appropriate – particularly given OIG’s recommendation that documentation be maintained for longer than just the six-year lookback period applicable to the information blocking CPMs.

Other proactive steps include:

  • Training personnel responsible for negotiating and implementing collaborations, partnerships, and other arrangements with third parties to avoid information blocking conduct.
  • Training personnel responsible for implementing APIs, interfaces, and other interoperability elements on interoperability expectations, requirements under ONC’s information blocking regulations and OIG’s enforcement priorities.
  • Refining processes to create and retain records and other documents demonstrating your compliance with ONC’s information blocking regulations, including relevant exceptions.
  • Interviewing and identifying defense counsel to help navigate a potential OIG investigation so you are prepared.

Finally, have a plan in place and resources at the ready, including internal and external teams (i.e., defense counsel and communications assistance) to take point if you are the target of an investigation. Taking a disciplined, careful approach to an OIG information blocking investigation will go a long way toward limiting disruptions to your organization’s business and operations regardless of the outcome.

1 Comment
by EHR Association on October 3, 2023  •  Permalink
Posted in Health IT Regulation, Information Blocking, Uncategorized
Tagged , , ,

Posted by EHR Association on October 3, 2023

https://ehrablog.org/2023/10/03/how-not-to-lose-1-million-preparing-for-oigs-information-blocking-enforcement/

Previous Post
Next Post
Leave a comment

1 Comment

  1. Looking Back: The 5 Dominant Issues of 2023 | EHRA Blog

Share your thoughts on this topic!

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Categories

  • Follow EHRA on Twitter

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 197 other subscribers

  • Contact Us

    Kasey Nicholoff
    staff @ ehra.org

    Amanda Patanow
    Communications and Media
    ehracomms @ npccs.com