Data Masking & Information Archiving , Governance & Risk Management , Healthcare
Information Blocking of Patient Records Could Cost Providers
Final HHS Rule Cuts Financial Payments to Healthcare Firms That Violate Cures ActFederal regulators have issued a final rule that sets financial disincentives for healthcare providers that commit information blocking - or practices that they know are unreasonable and likely to interfere with patient access to electronic health information.
See Also: Using the Netskope HIPAA Mapping Guide
On Monday, the Department of Health and Human Services released the final rule to establish disincentives involving penalized payments from the Centers of Medicare and Medicaid Services to healthcare providers such as hospitals, clinicians, physician groups and participants of accountable care organizations that commit information blocking.
The financial penalties come in the form of reduced annual incentive payments that the providers would have otherwise earned for their participation in various HHS programs - such as a hospital or clinician being a "meaningful user of electronic health records" under CMS' Medicare Promoting Interoperability Program or the Promoting Interoperability performance category of the Merit-Based Incentive Payment System.
"This final rule is designed to ensure we always have access to our own health information and that our care teams have the benefit of this information to guide their decisions," said Xavier Becerra, secretary of HHS, in a statement.
"When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the healthcare system to better serve patients. But we must always take the necessary actions to ensure patient privacy and preferences are protected - and that's exactly what this rule does," he said.
Information blocking is defined as a practice that is likely to interfere with the access, exchange or use of electronic health information, except as required by law or specified in one of nine information blocking exceptions.
HHS's nine exceptions consist of "reasonable and necessary activities" that do not constitute information blocking.
Two of those exceptions are privacy and security.
For instance, if an actor - such as a healthcare provider - does not fulfill a request to access, exchange or use certain EHI to protect an individual's privacy - in compliance with a state or federal law requiring a patient to provide consent or authorization for certain disclosures - that could fall under the privacy exception for information blocking.
Under the security exception, it is not considered information blocking for an actor to interfere with the access, exchange or use of EHI to protect the security of that information, provided certain conditions are met. For example, during a security incident, such as a ransomware attack, a healthcare provider might be unable to provide access or exchange to certain EHI for a time, and that would not constitute information blocking.
Information Blocking Rule Details
The information blocking regulations, authorized under the 21st Century Cures Act that was signed into law in late 2015, pertain to three categories: certified health IT vendors, health information exchanges or networks, and healthcare providers.
HHS last year finalized a rule that established penalties by the HHS Office of the Inspector General of up to $1 million per violation of information blocking committed by two categories - certified health IT vendors and health information exchanges or networks (see: HHS On Information Blocking Rule Enforcement: Stay Tuned).
"Although the final rule implementing the penalties to be taken against developers of certified health IT or HIEs/HINs that are found to have committed information blocking has been in effect since Sept. 1, 2023, OIG has not yet announced publicly any penalties that have been assessed against any such actors," said regulatory attorney Krystyna Monticello, of law firm Attorneys at Oscislawski LLC.
"Even though OIG was accepting complaints alleging information blocking prior to this date, the OIG and the Office of the National Coordinator for Health IT have been clear that no penalties will be assessed for conduct which occurred prior to the enforcement date," she said.
OIG has publicly said that it will be investigating and prioritizing certain types of information blocking complaints, Monticello said. Those include information blocking that: resulted in or had the potential to cause patient harm, significantly impaired a provider's ability to care for patients, occurred for a long duration, caused financial loss to federal care programs or was performed with knowledge.
The financial disincentives for healthcare providers comes in the form of payment penalties from CMS for providers that commit information blocking. It goes into effect 30 days after the rule's publication in the Federal Register. HHS did not immediately provide a publication date.
Under the 21st Century Cures Act, HHS was permitted to craft information blocking disincentives for healthcare providers under its existing statutory authority.
So, as of now, if a healthcare provider does not participate in any of the CMS payment programs that are currently subject to the disincentives, they do not face any potential penalties for information blocking.
But that could change moving forward. HHS officials during a briefing with media on Monday said HHS is considering adding other disincentives for healthcare providers that do not participate in such CMS programs.
HHS is also considering updating the information blocking exceptions, said Steve Posnack, ONC's deputy national coordinator.
"There is likely to be disparity in the financial impact felt across healthcare providers that commit information blocking even where they do participate in federal incentive programs," Monticello said.
"Each federal incentive program has different incentive structures - market basket rate adjustments vs. positive or negative payment adjustments vs. shared savings or shared losses - and therefore, the disincentives that would be applied for a particular provider will be different depending on the program the provider participates in," she said.
For instance, "a physician participating in the CMS Quality Payment Program would receive a zero in its Promoting Interoperability category score, which could mean either a neutral or negative payment adjustment for the physician in the event of information blocking," according to Monticello.
"A hospital that participates in a Medicare Shared Savings Program would be rendered ineligible for shared savings - or shared losses - in the event information blocking were committed, whereas a hospital that participates in the Promoting Interoperability Program would be ineligible for market basket rate adjustments for that year in the event of such.
"Furthermore, a healthcare provider that participates in more than one federal incentive program would face disincentives from each federal incentive program that they participate in for the same instances of information blocking."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine said the financial disincentives can be "hefty" depending on factors such as what Medicare reimbursement programs - if any - a provider participates.
"In the proposed disincentives rule, HHS estimated a median disincentive amount of $394,353 for eligible hospitals under the Promoting Interoperability Program and a median individual disincentive amount of $686 for eligible clinicians under the Promoting Interoperability Program," he said. But during public comment on the proposed rule, some of the estimates went "much higher."
HIPAA Considerations
Posnack said the information blocking provisions in the 21st Century Cures Act and potential violations of the HIPAA "right to access" provisions could both apply to the same incidents where a healthcare entity fails to provide access to requested health information. "Both laws are applicable at the same time," he said.
The information blocking rule and the HIPAA right of access provision are closely related when the requestor is the patient or the patient's personal representative, Greene said.
"This is because the information blocking rule incorporates the HIPAA bases for denying access. Nevertheless, it is possible to violate one rule but not the other, he said.
For example, an unreasonable, intentional five-day delay in access may violate the information blocking rule but would not violate HIPAA, according to Greene. "Conversely, a reasonable 35-day delay in providing a patient access may violate HIPAA but may not violate the information blocking rule, since a provider's practice only is information blocking if the provider knows the practice to be unreasonable."