Privacy and Security, Regulatory and Health Industry

Who Is at Risk of Million-Dollar Penalties for Information Blocking?

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has released its final rule implementing the information blocking investigation process for all actors (parties subject to the Cures Act) and information blocking penalties for health information networks (HINs), health information exchanges (HIEs), and health information technology (IT) developers. Enforcement of these penalties began September 1, with large civil monetary penalties (CMPs) of up to a million dollars per incident of information blocking confirmed after investigation. The Office of the National Coordinator for Health Information Technology (ONC) has indicated it is currently on track to release a proposed version of the provider disincentives by the end of 2023.

While this final rule was not unexpected, now that it’s here, a new and serious element of risk has been introduced to those subject to the Cures Act. Risk can be mitigated through careful implementation and continued learning about newly evolved practices, which are being defined mostly in the marketplace to manage compliance with the significant and complex liabilities this rule introduces. 

Unfortunately, outside the rule itself, there is not much official guidance from regulators at this point. If history is a guide, the healthcare industry may not get much more until patterns and actions by regulators emerge. 

OIG and ONC, as they often acknowledge in the rule, do not yet know many of the implications that will follow from implementing it. For now, it is mostly uncharted territory that regulators and the healthcare industry will need to work out together in order to operate within the structure of the rules. When federal officials will offer more guidance remains unknown.

Who Do Penalties Apply To?

Section 3022(b)(2)(A) authorizes the HHS Secretary to impose CMPs not to exceed $1 million per violation on HIEs, HINs, and health IT developers of certified health IT or other entities offering certified health IT that OIG determines, following an investigation, committed information blocking. Information blocking is defined as a practice by an actor that is likely to interfere with the access, exchange, or use of electronic health information (EHI), except as required by law or specified in an information blocking exception.  

What is particularly notable is that there is a caveat. The Cures Act has established two distinct “knowledge standards” in the definition of information blocking: “knows” or “should know.” For entities subject to CMPs, both knowledge standards apply when the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.  

This is significant because it limits penalties to those who were especially egregious in their actions. But the law gives investigators plenty of latitude to establish that the actor knew or should have known a practice is information blocking, and they can stretch this standard widely to fit the particular facts of a case. So, while the bar for imposing CMPs appears very high, it would be prudent to take all necessary steps to establish and operate effective and compliant information blocking processes.

Given that healthcare providers participate in HIEs and HINs and maybe in an electronic health record (EHR)-sharing arrangement, it would appear these providers (large and small) should carefully evaluate their risk under the information blocking rules. Healthcare providers/offerors need to be cognizant that both information blocking knowledge standards apply: “knows” or “should know.” The offeror and the recipient need to assess, identify, and mitigate the risks surrounding the access, exchange, or use of the EHI (e.g., third-party requests, designated record set, EHI export, etc.) to ensure information blocking is avoided.    

Who Exactly Are ‘Healthcare Providers’?  

There is some language in the final rule that is less defined and more open to interpretation as to how, when, and who may be at risk for the million-dollar fines. As noted, the primary targets of potential penalties are HIEs, HINs, and health IT developers of certified health IT or other entities offering certified health IT. However, there is a complication that should cause unease among healthcare providers.  

Section 3022(b)(2)(B) of the Public Health Service Act provides that any healthcare provider determined by OIG to have committed information blocking will be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable federal law, as the HHS Secretary sets forth through notice and comment rulemaking.  

Further OIG rule language adds to the difficulty of understanding to whom these rules apply. A health IT developer of certified health IT, HIE, or HIN, as defined in 45 CFR 171.102, that OIG determines has committed information blocking could be subject to CMPs under the OIG final rule. While one entity can be two types of actors, HHS has been very clear that the actor category used for investigation and penalty will be determined by how the entity was operating at the time the information blocking occurred.

The rule goes on to state that for additional discussion related to healthcare providers that meet a definition of an actor subject to penalties, section IV.A.3. of the rules preamble should be reviewed.  

Based on the ONC final rule, no clinician is going to be viewed as an HIN/HIE unless they are actually operating as an HIN/HIE as defined by the ONC and the information blocking rules.  

As part of its assessment of whether a healthcare provider or other entity is an HIN/HIE that could be subject to CMPs for information blocking, OIG anticipates engaging with the healthcare provider or other entity to better understand its functions and to offer the provider an opportunity to explain why it is not an HIN/HIE.  

Once the investigation is undertaken, factors such as those listed below will be gathered and considered prior to assignment of a penalty. Section 3022(b)(2)(A) also says a determination of penalty amounts will consider factors such as the nature and extent of the information blocking and resulting harm including, where applicable, the number of patients and providers affected, and the number of days the information blocking persisted. 

Looking at the reality of such high penalties being issued for the new information blocking rules is dicey at this point, but a few conclusions may be drawn.  

The use of up to a $1 million penalty clearly speaks to the depth of Congress' commitment to overcoming barriers to information exchange. These new rules stress that OIG's enforcement budget is not unlimited, and OIG will select which complaints to investigate based on a set of priorities included in the final rule and posted on OIG's information blocking resource page. This suggests a model more like the one the Federal Trade Commission uses for its breach and other rules, where the agency determines which complaints to investigate based on resource availability and priority.

Building New Information Blocking Practices  

There are numerous difficulties and unknowns about business and operational practices surrounding information blocking that are being reviewed by those subject to these rules. The challenges are occurring primarily from a dearth of guidance from OIG and ONC. As noted, the information blocking enforcement rule provides some official guidance on the subject, but in doing so, also introduces more questions and opacity as to their actual meanings for actors within the US healthcare marketplace. 

The final rule plainly states that neither OIG nor ONC yet has any real experience enforcing the Cures Act rules, although they have been collecting complaints for quite some time. Clearly, the entire set of actors, including governmental agencies, is learning about the realities of implementing new, expansive rules in the complex US healthcare system.

But this slow path to guidance for the marketplace is insufficient for privacy officials, health information managers, and others who need to design practices to become and remain compliant. 

As with any new area of compliance, which practices to use, and by whom, must be created by pioneers and adopted by the rest of the market. This does seem to be occurring. Prior to this final rule, there was no impactful enforcement of the Cures Act that would spur implementation and innovation of supporting processes and practices. There is much left to be learned about information blocking.

Close study of Cures Act rules by information management professionals, while not legal advice, sheds light on areas of this new rule and can assist various types of actors in moving forward with Cures Act implementation efforts. Anecdotal evidence indicates that healthcare providers are at varying stages of this implementation, but it is increasingly clear that now is the time to dive in and set up the many aspects of the information blocking rules, especially given that they are required by law and now being backed up by these enforcement rules.  

So far, implementation efforts are using a multi-prong approach stretching through years of implementation with heavy EHR vendor and other record management vendor dependency. 

Once a larger number of health information practitioners have refined the myriad affected disclosure and harm-flagging processes, including their integration with interoperability, portal, and application programming interface (API)/EHI approaches, there will begin to be enough data to establish industry best practices. At this point, each facility is on its own to chart its Cures Act course, although some resources are available, such as those published by AHIMA and the Sequoia Project.

EHR and Other IT Developers Are Crucial Elements 

While not all healthcare providers need to use health IT-certified products to be subject to information blocking enforcement, the ones that do are highly dependent on their EHR and other health IT vendors that manage technical approaches.  

These technical approaches may or may not include some information blocking functionality at the clinician level, especially for prevention of harm. But they typically do not address the health information and compliance processes that must also be implemented, such as monitoring, incident management, and general documentation of information blocking exception invocation and, where applicable, revocation. At this point, few vendors have realized that such process controls may need to be created and operated.

To conclude, all potential Cures Act actors involved in health information exchange or networks and those that share their EHRs should evaluate their risk under the information blocking laws. Ensure that all staff members are trained on proper organizational information blocking practices that have been vetted and ultimately adopted as commonly utilized by the many types of actors impacted by these rules.  

Peg Schmidt, RHIA CHPS, is the deputy chief privacy officer for health system Advocate Health. 

Chrisann Lemery, RHIA, CHPS, FAHIMA, is the compliance officer-privacy for Advocate Health. 

Kelly McLendon, RHIA, CHPS, is senior vice president for compliance and regulatory affairs for privacy and security firm CompliancePro Solutions, a wholly owned subsidiary of Genzeon, LLC. 

Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, currently serves as consultant and was former vice president of privacy, compliance and HIM policy for release of information/clinical data exchange corporation, MRO. 

Additional Resources:  

Electronic Health Information Training Series: Getting Ready for Compliance 

Compliance Guidance on Information Blocking: Health Information Sharing is the Goal