Listen to this post

Industry stakeholders have been eagerly waiting for the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Secretary of HHS to provide more clarity on federal information blocking enforcement rules since the Office of the National Coordinator for Health Information Technology (ONC) issued its final information blocking rules in 2020.[i] 

HHS OIG’s final enforcement rule was published in the Federal Register on July 3, 2023. The final rule will provide a sense of direction and certainty when navigating ongoing information blocking conduct for the first time since the information blocking rules were published three years ago. In addition, the final enforcement rule provides clarity on the scope of enforcement and penalties, the enforcement process, and the types of conduct the OIG will prioritize for enforcement.

Enforcement Scope, Penalties, and Standards

The OIG reiterated that only health information networks/health information exchanges (HIEs/HINs) and developers of certified health IT (Developers) are subject to the final rule at this time, and healthcare providers will be subject to appropriate disincentives as they are defined in the coming months by HHS and ONC. The proposed rule for appropriate disincentives is scheduled to be published in September 2023 per the fall 2022 regulatory agenda.

The OIG’s final enforcement rule provides a civil monetary penalty (CMP) of up to $1 million per violation. A “violation” is defined as each practice that constitutes information blocking. For example, while the enactment of a policy that violates information blocking will be considered one violation, each enforcement of the policy will constitute another, separate violation.

To decide whether to impose a CMP, the OIG must consider factors such as the nature and extent of the information blocking, the resultant harm, the number of patients and providers affected, and the duration of the blocking. 

Enforcement Process Will be Complaint-Based

The OIG’s enforcement will be complaint-based and will track the following process:

  1. Receipt of an information blocking complaint;
  2. Assessment of complaint using enforcement priorities;
  3. Open investigation;
  4. Investigation of complaint (case will be closed after investigation if the OIG determines no information blocking conduct occurred);
  5. Opportunity for entity that is the subject of the complaint to discuss the OIG’s investigation;
  6. The OIG concludes whether entity committed information blocking, and if the OIG concludes it did, the OIG sends a demand letter to the entity; and
  7. Opportunity for appeal by the entity.

The OIG’s Enforcement to Prioritize Certain Conduct

The OIG set forth a number of enforcement priorities in its final rule, noting that it expects to receive more information blocking complaints than it can investigate. The OIG will focus on prioritizing the following information blocking conduct when selecting cases for investigation:

  • resulted in, is causing, or had the potential to cause patient harm;
  • significantly impacted a provider’s ability to care for patients;
  • was of long duration;
  • caused financial loss to Federal health care programs, or other government or private entities; or
  • was performed with actual knowledge.

With regard to patient harm priorities, the OIG is primarily focused on harm to a patient population, community, or the public, rather than individual harm. As for its focus on practices performed with actual knowledge, which the OIG explicitly recognized is not a requirement for violations by HIEs/HINs or Developers under ONC’s rules, the OIG intends to prioritize cases in which an actor has actual knowledge over cases in which the actor only should have known that the practice was likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. 

Further, the OIG anticipates its enforcement priorities may lead to investigations of anti-competitive conduct or unreasonable business practices. The OIG noted that for investigations of anti-competitive conduct, the Public Health Service Act includes specific options for ONC and the OIG to coordinate with the Federal Trade Commission (FTC) related to an information blocking claim, including by sharing information, and that the OIG will coordinate with ONC to identify claims and investigations that may warrant referral to the FTC.

In addition to these priorities, the OIG has stated that it may prioritize investigations based in part on the volume of information blocking claims received by ONC relating to the same (or similar) conduct by the same actor.

Finally, the OIG stated that it will add an information blocking self-disclosure protocol (SDP), including an online submission form and other processes, to its existing SDP. The OIG noted the various benefits of using the SDP for information blocking violations, which potentially include paying lower damages than would normally be required, and avoiding costs and disruption associated with a government-directed investigation or litigation. The OIG also specifically noted that disclosure via the SDP and full cooperation with the OIG’s review and resolution of such a disclosure would be considered part of timely corrective action by an information blocking actor, which is a mitigating circumstance that the OIG will consider in determining the amount of a penalty.

Enforcement to Begin September 1, 2023

The OIG will begin enforcement starting September 1, 2023, 60 days after the final rule was published. While HIEs/HINs and Developers have already been required to comply with ONC’s information blocking rules, they now have 60 days to comply or be subject to penalties. Significantly, though, the OIG will not impose CMPs on information blocking conduct that occurred before September 1, 2023.


[i] 88 Fed. Reg. 23746 (Apr. 18, 2023).