Healthcare providers face Medicare payment-rate penalties for information blocking under new rule

Healthcare providers will receive a lower Medicare payment update if they are deemed to have engaged in information blocking, according to a final rule from HHS and CMS.

For hospitals, a violation will leave the organization noncompliant with the Promoting Interoperability Program, meaning it would lose out on three-quarters of the annual market-basket update for Medicare inpatient payments based on the performance year in which the infraction was assessed. The payment reduction would happen two years after the relevant performance year. For critical access hospitals, Medicare payments will be reduced from 101% of reasonable costs to 100% during the year in which the violation is confirmed.

Physicians eligible for the Merit-based Incentive Payment System will have their score zeroed out in the Promoting Interoperability performance category if they commit a violation. Participants in Medicare Shared Savings Program accountable care organizations (ACOs) also face penalties, potentially including a provider’s removal from an ACO or an ACO’s removal from the program for a given year.

A 2023 rule established penalties for health IT developers, health information exchanges (HIEs) and health information networks (HINs). Those entities are subject to fines of up to $1 million per violation.

With the Supreme Court recently overturning the Chevron precedent that had given federal agencies wide leeway to implement statutory provisions through rulemaking, provisions in the newly finalized rule could be subject to litigation. In comments on last year’s proposed rule, stakeholders questioned whether HHS and CMS have authority to expand the application of punitive measures related to the Promoting Interoperability Program as the rule describes.

The 21^st Century Cures Act, which Congress passed in 2016 and which serves as the legislative basis for the rule, directs HHS to “subject [providers] to appropriate disincentives using authorities under applicable federal law, as the [HHS] secretary sets forth through notice-and-comment rulemaking.”

Specifics on information blocking

Once the final rule takes effect July 31, providers will face penalties if they engage in practices that they know are unreasonable and that are “likely to interfere with, prevent or materially discourage access [to], exchange or use of electronic health information” with or by patients or other providers, unless a statutory or regulatory exception has been established. The knowledge standard could allow providers to avoid penalties if they have limited resources or a lack of experience with electronic health records.

For the purposes of the rule, electronic health information (EHI) means almost all information contained in a patient’s designated record set, including electronic protected health information. Off-limits are psychotherapy notes and information compiled for use in (or in anticipation of) a civil or criminal proceeding or an administrative action.

If applicable, designated exceptions absolve any stakeholder of a violation, assuming the stakeholder meets the specified criteria. The exceptions include:

Not fulfilling EHI requests: Preventing harm to a patient, protecting a patient’s privacy (in accordance with federal and state laws), protecting the security of EHI, facing insurmountable barriers to EHI sharing (e.g., due to technological constraints, legal concerns), undertaking vital health IT maintenance

Limiting or placing conditions on EHI requests: Providing EHI in an alternative manner based on technical constraints or inability to agree on terms with the EHI recipient, charging fees for access to or exchange of EHI (with certain conditions), licensing interoperability elements for EHI

TEFCA participation: Opting to fulfill EHI requests via participation in the Trusted Exchange Framework and Common Agreement, an initiative of the Office of the National Coordinator for Health Information Technology (ONC)

How claims will proceed

The HHS Office of Inspector General (OIG) is authorized to conduct investigations into potential information blocking by providers, as well as by health IT developers, HIEs and HINs, and to refer those cases for CMS to issue penalties. However, OIG intends to exercise “enforcement discretion” with respect to providers for potential violations that happened before July 31, meaning providers would not be investigated for any such violations.

ONC has a portal for stakeholders, including patients, to submit claims regarding information blocking. To protect privacy, information connected to a claim is exempt from mandatory disclosure under the Freedom of Information Act if such disclosure could identify the party that submitted the claim.

Since the portal opened in April 2021, ONC has received more than 980 allegations of information blocking. An estimated 813 of the allegations have been aimed at providers, dwarfing the next highest category, health IT developers, at 161.

Patients have been by far the most frequent claimant, at more than 750 when including third parties making claims on a patient’s behalf. Fellow providers were responsible for an estimated 113 claims, followed by attorneys at 89.

As noted, providers are not susceptible to an investigation for any claim received thus far, but that will change for alleged conduct occurring on or after July 31. In addition to being docked part of their Medicare payment update for a year, parties that are found to have engaged in information blocking will be posted on the ONC website.

HHS and CMS declined to set up an appeals process to review findings of information blocking, noting the Cures Act requires such a process for health IT developers, HIEs and HINs but not for providers. Standard Medicare payment-related appeals processes will be available.

Responding to stakeholder concerns

The final rule adheres to the provisions that were described in a November 2023 proposed rule, with few significant changes.

CMS reported that some commenters requested a delay in implementation of the disincentives, in part for providers to be educated on issues such as what constitutes information blocking. HHS declined to offer an extension, saying core provisions defining information blocking and electronic health information took effect in 2021 and 2022 and thus should be familiar to healthcare stakeholders.

Providers also expressed concern about trying to navigate the cumulative set of regulations pertaining to information blocking and EHI, with EHI provisions also appearing in regulations related to surprise billing, electronic prescriptions and electronic clinical quality measures.

“We will continue to collaborate closely within the department to consider other requirements that impact healthcare providers and seek to reduce burden,” CMS wrote in the final rule.

Specifically with respect to reproductive health data and privacy, commenters said providers might now feel pressure to disclose sensitive information about reproductive healthcare. CMS acknowledged the concerns but said policies protecting against such an outcome are “out of scope for this final rule.” Future rulemaking on information blocking may be able to incorporate such policies, and HIPAA rules concerning confidentiality, privacy and security of health information still apply, the agency wrote in the rule.