HHS OIG Posts Long Awaited Information Blocking Enforcement Rule, Provides for Penalties of up to $1 Million Per Violation

At a Glance

• HHS OIG posted its final rule implementing information blocking penalties, with possible penalties of up to $1 million per violation.
• IBR enforcement begins 60 days from publication of the final rule in the Federal Register.
• ONC is working on a proposed rule for health care provider IBR enforcement that will likely be published this fall.

Key Takeaways

The HHS Office of Inspector General (HHS OIG) posted its long-awaited final rule implementing information blocking penalties on June 27, 2023. This final rule — which applies to health IT developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs) and health information networks (HINs) — adds teeth to the longstanding ONC Information Blocking Rule (IBR). Specifically, HHS OIG has confirmed possible penalties of up to $1 million per violation.

In an accompanying announcement, HHS OIG specified that IBR enforcement begins 60 days from publication of the final rule in the Federal Register. Such publication typically occurs a few days after announcement of a rule.

HHS OIG also clarified how far they will look back at practices once IBR enforcement begins, stating they “will not impose a penalty on information blocking conduct occurring before 60 days after publication of the final rule in the Federal Register.” That said, HHS OIG does reserve discretion to consider an actor’s prior history when determining how to evaluate information blocking practices that are subject to an investigation.

What About Health Care Providers?

As noted in the section above, HHS OIG has set out a precise list of IBR actor types subject to this final rule. That list notably does not include health care providers. HHS OIG clarified on its announcement page that this final rule does not establish penalties (referred to as “disincentives”) for health care providers. ONC is still working on a proposed rule for health care provider IBR enforcement, and they plan to publish it this fall. 

However, it is important to remember that an entity that considers itself a health care provider could also fall into the definition of a HIN/HIE and/or a health IT developer of certified health IT based on its practices. ONC established functional definitions for these actor types in the IBR, which gives the actor categories some fluidity. See our September 2020 article’s discussion of this concept in the section entitled “A Health Care Provider Is Not Always Just a Health Care Provider.”

What’s Next?

We will be reviewing HHS OIG’s final rule and following up with key details and practical insights. As you continue preparing for HHS OIG IBR enforcement, we recommend prioritizing: an analysis of your entity’s various roles under ONC’s functional actor definitions and determining which actor type(s) might apply; a review of practices with respect to electronic health information to determine whether any of those practices might constitute information blocking; and an analysis of IBR exceptions.