McDermottPlus is pleased to bring you Regs & Eggs, a weekly Regulatory Affairs blog by Jeffrey Davis. Click here to subscribe to future blog posts.
June 27, 2024 – The long-awaited final reg is upon us! The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released a final regulation earlier this week establishing disincentives for certain healthcare providers determined to have committed information blocking. The reg finalizes most of the provisions in the October 2023 proposed reg and is effective 30 days after publication in the Federal Register. The estimated publication date is July 1, 2024, so 30 days after that is July 31, 2024. CMS and ONC put out a press release and held an information session on the finalized disincentives on June 26, 2024.
At a high level, information blocking occurs when a health information technology (IT) vendor, network or healthcare provider acts in a way that prevents or impedes the exchange of certain electronic health information. The prohibition on blocking health information includes nuanced requirements and exceptions (healthcare regulations are complicated, as you know!) To learn more about the information blocking regulations, check out McDermott Will & Emery’s overview.
To help me walk through the reg, I’m bringing in my colleagues Kristen O’Brien and Lauren Knizner.
The information blocking prohibition has been in effect for a while, but until now, no penalties were established for healthcare providers that the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) determines to have committed information blocking. The 21st Century Cures Act created a bifurcated approach to enforcing the information blocking prohibition, with separate provisions for health IT vendors and networks (which are subject to civil monetary penalties) and for healthcare providers (who are subject to “appropriate disincentives”). Before CMS issued the proposed reg last October, many stakeholders were uncertain how HHS would interpret the term “disincentives.”
In the final reg, CMS and ONC finalized the following disincentives, which use certain existing Medicare quality reporting programs to impose varying financial consequences on providers found to have committed information blocking:
Despite concerns expressed by many provider organizations, CMS and ONC largely finalized the disincentives as proposed. Stakeholders’ major concerns, which we detailed in a previous Regs & Eggs blog post, included the following:
CMS and ONC acknowledged these concerns in the final reg but stated that they do not have the authority to scale penalties based on the severity of the information blocking offense. They noted that “because disincentives must be established using authorities under applicable Federal law, the statute under which a disincentive is being established would need to specifically authorize or provide sufficient discretion for an appropriate agency to be able to adjust the monetary impact of the disincentive to fit the gravity or severity of the information blocking the health care provider has been determined to have committed.” However, CMS and ONC finalized an alternative policy for the MSSP: they granted the MSSP authority to exercise discretion about whether to impose a disincentive based on certain factors “consistent with existing discretion exercised by the Shared Savings Program when addressing program integrity issues and issues specific to the effects of imposing a disincentive under the Shared Savings Program on other individuals and entities that may participate in an ACO.” If the Medicare program that the disincentive is built upon does not already have such discretion, ONC and CMS believe they do not have the authority to create it.
CMS and ONC declined to include technical assistance or implementation of corrective action plans as a first step before imposing a disincentive on a provider, although they stated that they will consider creating general “educational tools” for providers going forward. Because the finalized definition of “disincentive” centers on deterrence of information blocking, CMS and ONC felt that such initial steps would not meet that definition and would not be sufficient deterrents. They also stated that multiple and duplicative disincentives would not be problematic because larger potential penalties would have an even greater deterrent effect.
CMS and ONC also declined commenters’ request for a delay in imposing disincentives. The agencies noted that the final reg only applies prospectively, so the disincentives will not apply to conduct occurring before the reg’s effective date (i.e., 30 days after it appears in the Federal Register). Thus, providers will know going forward that any information blocking violation could lead to a penalty.
CMS and ONC stated that they chose not to create a single appeals process via notice-and-comment rulemaking because it “may conflict with, or duplicate, administrative review or appeals processes available under existing authorities.” Providers will have to go through the existing appeals process (if any) for their particular Medicare program to challenge the imposition of a disincentive. CMS and ONC are unlikely to create a uniform appeals process for fear of adding further variation.
CMS and ONC largely maintained their initial proposals despite opposition from providers. As a result, healthcare providers may face a complicated array of potential consequences for information blocking conduct and will need to understand which disincentives may apply to them, as the potential penalties could be financially significant.
Not every provider will be subject to these penalties, as some providers do not participate in the CMS quality programs into which the disincentives are built. However, CMS and ONC hint in the final reg that they may consider other disincentives for providers who are currently “off the hook.”
One important thing for providers to remember is that the information blocking regulations require a higher knowledge standard as they pertain to healthcare providers. For OIG to determine that a provider has committed information blocking, it must be able to demonstrate that the provider “knows” that a practice is unreasonable and is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information. OIG must clear a higher bar when it comes to provider conduct, and this could protect providers who were not aware that their conduct constituted information blocking. As the regs are enforced, however, this standard may become a moving target.
A major question is how OIG will prioritize enforcement. While the disincentives themselves do not allow for much discretion (if any), OIG will have to determine how best to use its resources to investigate information blocking claims against providers. While not binding, OIG has cited some factors that it plans to consider when choosing which claims to investigate, such as information blocking conduct that:
Based on these stated factors, OIG likely will prioritize more dangerous and egregious acts of provider information blocking that spanned a longer period of time.
Since healthcare providers are on the front lines of patient care, they will likely continue bearing the brunt of frustrations related to perceived information blocking, even when they may not be the cause of delayed or unfulfilled information requests. Because the vast majority of information blocking complaints are made against providers, OIG’s enforcement approach will have an outsized impact on providers. We will have to watch closely for OIG’s first move!
Until next week, this is Jeffrey (and Kristen and Lauren) saying, enjoy reading regs with your eggs.
For more information, please contact Jeffrey Davis. To subscribe to Regs & Eggs, please CLICK HERE.
