June 27, 2024

HHS Is Primed to Enforce Information Blocking Conduct

Final Rule Released on Information Blocking Disincentives for Healthcare Providers
Holland & Knight Alert
Beth Neal Pitman


  • The U.S. Department of Health and Human Services (HHS) has finalized information blocking disincentives for healthcare providers and set the stage for future enforcement actions.
  • Continuing HHS' commitment to encouraging permitted access to and exchange of electronic health information, the final rule specifically focuses on establishing disincentives for healthcare providers found by the HHS Office of Inspector General to have committed information blocking.
  • This Holland & Knight alert summarizes the key aspects of the final rule and its implications for healthcare providers.

The U.S. Department of Health and Human Services (HHS) continued its commitment to timely and full access to health records on June 24, 2024, through the finalization of its information blocking disincentives rule for healthcare providers and setting the stage for future enforcement. This Holland & Knight alert summarizes the key aspects of the final rule and its implications for healthcare providers.


Since 2000, with the implementation of the first Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules, HHS has been committed to ensuring access to healthcare and has focused on the impact that access to health records has on an individual's quality of care. The broad umbrella of access initiatives has included healthcare information technology (Health IT) interoperability with the 2009 introduction of the electronic medical record (EMR) Meaningful Use incentive program (through the Health Information Technology for Economic and Clinical Health Act (HITECH)) intended to encourage healthcare provider implementation of electronic health records. The Meaningful Use program was transitioned by CMS to the Medicare Access and CHIP Reauthorization Act (MACRA) Merit-Based Incentive Payment System (MIPS) program, Promoting Interoperability program, and Affordable Care Organizations (ACO) shared savings program. OCR's access initiative was announced in 2019 with its aggressive enforcement activity followed by the 21st Century Cures Act (Cures Act) regulations setting interoperability standards and prohibiting information blocking practices. .

As emphasized by HHS Secretary Xavier Becerra, "[w]hen health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients. But we must always take the necessary actions to ensure patient privacy and preferences are protected – and that's exactly what this rule does."

The Cures Act, enacted in 2016, established provisions to promote interoperability and patient access to electronic health information (EHI). A critical component of the Cures Act is the prohibition of information blocking, which refers to practices that interfere with the access, exchange or use of EHI. Effective April 5, 2021 and amended in December 2023 through the HTI-1 Rule, the Office of the National Coordinator for Health Information Technology (ONC) issued regulations defining information blocking and establishing permissible exceptions. An enforcement structure for Health IT developers and Health Information Exchanges was finalized June 27, 2023 with enforcement against these Information Blocking Actors underway since Sept. 1, 2023.

Continuing HHS' commitment to encouraging permitted access to and exchange of EHI, the final rule specifically focuses on establishing disincentives for healthcare providers found by the HHS Office of Inspector General (OIG) to have committed information blocking. Importantly, the Cures Act definition of healthcare providers is not limited to the HIPAA regulated providers and includes both individual providers and their group practices, hospitals or other organizations through which an individual renders services.

Finalized Disincentives

HHS has finalized three categories of disincentives applicable to healthcare providers determined by the OIG to have engaged in information blocking. These disincentives primarily target three major programs:

1. Medicare Promoting Interoperability Program

  • An attestation of no information blocking is a foundational requirement for the Promoting Interoperability program.
  • Under this program, eligible hospitals and critical access hospitals (CAHs) reporting Promoting Interoperability and found by OIG to have committed information blocking will be excluded from being considered meaningful electronic health record (EHR) users.
  • This exclusion may lead to significant financial penalties, including a reduction of 75 percent of the annual market basket increase for eligible hospitals and a decrease in payment to 100 percent of reasonable costs for CAHs (from 101 percent).
  • The exclusion applies to the reporting period during which the information blocking practice occurred.

2. Merit-Based Incentive Payment System (MIPS)

  • Eligible clinicians and groups who are Medicare Part B providers and are determined by OIG to have engaged in information blocking will be denied the meaningful user status within MIPS. The final rule amends the MIPS definition of Meaningful User to exclude an information blocker.
  • This denial will result in a zero score in the Promoting Interoperability performance category, significantly impacting the overall MIPS score and potential payment adjustments.
  • Denials apply to the performance reporting period during which the information blocking practice occurred.
  • Groups that are not information blockers will not be penalized for an individual clinician's information blocking actions, but will be required to submit MIPS reporting without the data from that individual clinician.

3. Affordable Care Organizations

  • Medicare providers that are an ACO, ACO participant, or ACO provider or supplier found by OIG to have committed information blocking may be ineligible to participate in the CMS Shared Savings Program for at least one year.
  • This will result in loss of revenue from the Shared Savings Program.

These finalized disincentives aim to encourage compliance with information blocking regulations and foster a culture of data sharing and interoperability in healthcare. Enforcement disincentives become effective 30 days after the final rule is published in the Federal Register, but the ACO disincentive will not be imposed until the 2025 contracting year (Jan. 1, 2025). Publication of the final rule for public review will be on July 1, 2024, according to a notice posted on the Federal Register

Key Considerations

The final rule maintains several noteworthy aspects from the proposed rule:

  • Scope. Disincentives apply to a broad range of healthcare providers, including hospitals, physicians, dentists, certain therapists and other eligible professionals participating in Medicare and Medicaid programs, and is not limited to HIPAA-regulated persons or to healthcare providers using certified Health IT.
    • Healthcare providers will not be penalized for information blocking conduct attributed to a Health IT developer.
    • There will be no "double" penalty for providers who may participate in multiple CMS payment programs (i.e., MIPS and ACO).
  • Process. OIG is responsible for investigating and determining instances of information blocking. The OIG's Information Blocking site includes specific resources for more detail. After a determination of information blocking, OIG will refer the healthcare provider to the appropriate agency, in this case the CMS, to impose the appropriate disincentives. During the investigation and prior to a determination of information blocking, OIG will coordinate with the appropriate agency (CMS in this case) regarding the potential referral for imposition of disincentives. The proposed OIG enforcement priority structure (which is not binding) was maintained in the final rule, which includes:
    • resulted in, are causing, or have the potential to cause patient harm
    • significantly impacted a provider's ability to care for patients
    • were of long duration
    • caused financial loss to federal healthcare programs or other government or private entities
  • Appeals. Neither the Cures Act or final rule establishes an administrative appeals process but instead defers to appeal processes available under the authority relied upon by HHS to establish a disincentive (i.e., authority for payments, recoupment, or contracting for Shared Savings Programs, MIPS or Promoting Interoperability).
  • Timing. The Cures Act and HHS did not establish a time period for imposition of disincentives after a determination of information blocking has been determined, but defers to the timing requirements in regulatory authority for the agency imposing the disincentive.
  • Enforcement Discretion. OIG will not investigate healthcare providers until after the effective date of the final rule and is exercising its enforcement discretion not to make any determination of information blocking, and related referral for imposition of disincentives, on conduct occurring prior to the effective date of the final rule.

Current Information Blocking Complaint Status

Anyone can submit an information blocking complaint to the ONC Information Blocking Portal or the OIG Hotline. Since April 5, 2021, through May 2024, 1,052 complaints have been received. OIG has determined that 982 are possible claims of information blocking, approximately 85 percent were filed by patients (which could also include attorneys on behalf of patients) and more than 90 percent were regarding healthcare providers.

Implications for Healthcare Providers

Information blocking regulations have been effective since April 5, 2021, with a lengthy phase-in period. HHS reiterated through the final rule that its imperative to begin enforcement without delay is predicated on the fact that providers have had more than three years to implement an anti-information blocking program. Providers should take the following steps:

  • Review and Update Policies and Processes. Ensure that organizational policies and procedures align with information blocking regulations and promote seamless EHI exchange. Assure that processes implemented align with policy statements and do not contribute to practices of information blocking.
  • Privacy Compliance Integration. Monitor changes in privacy laws and integrate compliance with privacy laws, such as HIPAA’s reproductive healthcare privacy rules and Part 2 Substance Use Disorder privacy law, with processes to mitigate and prevent information blocking.
  • Training. Provide comprehensive training to staff members on information blocking, including the definition, exceptions and potential consequences of noncompliance. Particular attention to staff responsible for Health IT, health information management and privacy is important.
  • Monitor Compliance. Implement mechanisms to monitor and audit information sharing practices to identify and address any potential issues proactively. Address specific processes for navigating privacy laws prohibiting or delaying disclosures, such as the recent HIPAA reproductive healthcare privacy rules. (See Holland & Knight's previous alert, "Reproductive Healthcare Privacy Rule Brings New Requirements for All Providers," May 10, 2024.)
  • Health IT Coordination and Contracting. Investigate technology processes that can enable compliance with the Cures Act and assist in flagging and restricting disclosure of sensitive information that is either prohibited from disclosure or requires additional consents or other actions prior to disclosure. Contracts with Health IT vendors should include provisions requiring compliance with the Cures Act and affording healthcare providers with protection in the event the Health IT vendor engages in information blocking conduct.

For additional information on information blocking disincentives, please contact the author or another member of Holland & Knight's HIPAA and Healthcare Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.

Related Insights