Information Blocking Disincentives for Providers: The Final Rule

What’s the first word that comes to mind when you think about protected health information (PHI)? For most, it is probably “private.” For the past three decades, HIPAA has laid the groundwork for ensuring the safety and privacy of every patient’s health information. And when you consider that medical records are up to 50x more valuable than stolen credit card information on the black market, it’s no wonder why keeping PHI protected stays top-of-mind.

But where privacy increases, access can become more difficult. Enter information blocking. The Information Blocking Rule, whose underpinnings were first introduced in the 21st Century Cures Act, aims to discourage providers and other key stakeholders in patient data exchange from unreasonably interfering with a patient’s access to PHI (or blocking information, if you will).

Recently, the U.S. Department of Health and Human Services (HHS), in partnership with CMS, has released a final rule that defines the disincentives healthcare providers may face.

The final rule was established July 1 and went into effect July 31 of this year. Providers must now brace themselves for these new disincentives or be left in the dust as others align themselves with tools and strategies to limit information blocking and stay compliant. Read on to learn about the final rule and how it will impact providers moving forward.

A Brief History of Information Blocking Enforcement

One of the intentions behind the 21st Century Cures Act was to improve patients’ access to their own records. But when the law was initially finalized, it did not specify any penalties (or “disincentives”) for actors found to commit information blocking. This meant the groundwork of rules was there for healthcare organizations to follow, but with no defined course of action if these rules were broken.

Then in June 2023, the Office of Inspector General (OIG) released the first final rule outlining penalties for health IT developers, health information exchanges (HIEs) and health information networks (HINs) involved in information blocking. Under this final rule, entities (note: not including health care providers) found guilty could face fines of up to $1 million per violation.

Health IT developers, health information exchanges and health information networks were impacted by the initial penalties. However, in November 2023, a proposed rule was released establishing disincentives for providers who are found to commit information blocking. This proposed rule was the basis of the final rule passed into law on July 1st of this year.

How Has the Final Rule Changed from the Proposed Rule?

The good news for those of you who have been following this is that the final rule is essentially the same as the proposed rule. The most significant change between the proposed and the final rule is that the final rule states the relevant authority “may” impose the disincentives, which gives greater flexibility to regulatory authorities in the event of a violation.

Here is a breakdown of the disincentives outlined in the final rule, which are all based on CMS program participation:

Who?	Disincentive	Impact
Providers who participate in the Medicare Promoting Interoperability Program	Providers will not be considered a meaningful EHR user for the applicable reporting period; CMS will reduce eligible hospital payments by 75% of the market basket update; Critical Access Hospitals will only receive 100% reasonable costs reimbursement rather than 101%.	The provider would not qualify for the three-quarter annual market basket increase and will have its payment reduced to 100% of actual costs instead of 101%, for an estimated median disincentive amount of $394,393
Clinicians who participate in a Merit-based Incentive Payment System (MIPS)	Clinicians will not be considered a meaningful EHR user for the applicable reporting period, receive a score of zero under Promoting Interoperability category of MIPS score	The clinician will not receive a threshold score required for receiving an upward adjustment of up to 9% of reimbursement under the Physician Fee Schedule, and instead would receive a downward adjustment of up to 9%. It’s estimated that the median disincentive amount here would be $686 per clinician
Accountable care organization (ACO) participants, providers, or suppliers under the Medicare Shared Savings Program (MSSP)	ACOs will not be permitted to participate in Medicare’s Shared Savings Program for one year	An ACO would be disqualified from earning shared savings payments, which in 2022 totaled $2.3 billion for ACOs as a whole
All providers, regardless of CMS program	The ONC will publish a public list that identifies all health care providers determined to have committed information blocking	The list will include details such as name, address, practice, disincentives applied, and where to find more information. Appearing on this list would have a negative impact on the public perception and credibility of your organization

How Can You Protect Your Organization Now That Enforcement Is Upon Us?

When a new law is passed, it’s natural to worry about how it will impact you. Now that disincentives have been extended to providers, it’s inevitable to question which actions are considered information blocking, how you can tell if you’re committing information blocking and wonder about the nuanced situations with grey areas (and let’s face it, there are always a lot of those!).

While there’s never a way to 100% guarantee compliance with any regulation (welcome to the stressful world of HIM!), the Office of Inspector General (OIG) has outlined four main priorities for information blocking enforcement. These may include actions that:

• Resulted in or had the potential to cause harm to the patient
• Negatively impacted a provider’s ability to care for patients
• Caused extensive delays
• Led to financial loss for federal health care programs or other government/private entities

As we’ve shared before, the most important protection for you and your organization when it comes to this or any other regulatory compliance situation is outlining, documenting, and following a structured process. This will not only help protect you from these information blocking disincentives, but it’s also an important best practice for the overall safety and security of your patients’ data.

The Bottom Line

The information blocking final rule is an enduring effort to maintain the balance between privacy and access, and every contributor in the healthcare industry plays a role. Laws like the 21st Century Cures Act make health information more accessible while maintaining privacy requirements. To stay in the know—and compliant—as new regulations that impact patient data are passed, sign up to receive regular updates from the HealthMark blog!

If you want to learn more about the information blocking disincentives released earlier this month, you can access the official final rule from the Federal Register.