HHS Cracks Down on Health Data Blocking with Threat of $1 Million Penalties

The Department of Health and Human Services (HHS) is considerably increasing its enforcement efforts to combat details blocking – practices that prevent the seamless exchange of electronic health information (EHI) – and is warning healthcare organizations, IT developers, and data-exchange networks to comply with federal regulations. The initiative, launched jointly by HHS’s Office of the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health information Technology (ASTP/ONC) and the Office of Inspector General (OIG), signals a zero-tolerance policy for hindering data access. Jim O’neill stated. Acting Inspector General Juliet T. Hodgkins affirmed that her office will leverage “all available authorities” to investigate and hold those who violate the rules accountable. ASTP/ONC National Coordinator Thomas (Tom) Keane, MD, confirmed the office has already begun reviewing complaints filed by developers under the ONC Health IT Certification Program and is actively supporting OIG investigations.

Who is at Risk and What are the Penalties?

Under the 21st century Cures Act and the OIG’s 2023 final rule, health IT developers of certified health IT, health information networks, and health information exchanges could face civil monetary penalties of up to $1 million per violation for engaging in information blocking.

The consequences extend to healthcare providers as well. HHS has finalized programmatic disincentives for 2024 for Medicare-enrolled providers found by the OIG to have committed information blocking,potentially impacting their participation in programs like Promoting Interoperability and affecting their reimbursement rates.These provider disincentives are separate from the civil penalties levied against developers, hies, and HINs, but can significantly affect financial standing.

Furthermore, ASTP/ONC has reiterated that developers certified under the ONC Health IT Certification Program risk losing their certification – even complete termination – for violations related to information blocking or failing to meet certification conditions.

Reporting Suspected Information Blocking

HHS encourages a broad range of stakeholders – including patients,clinicians,payers,public health entities,and health IT companies – to report suspected instances of information blocking through ONC’s dedicated reporting portal. Complaints submitted through the portal will be reviewed by the OIG for investigation, with technical support provided by ASTP/ONC.

Leadership Shifts at HHS and ONC

This increased enforcement comes during a period of transition within HHS and the Centers for Disease Control and Prevention (CDC). Robert F.Kennedy Jr. currently serves as HHS secretary, with Jim O’Neill sworn in as Deputy Secretary in June and subsequently appointed as Acting CDC Director. Juliet T. Hodgkins is serving as acting Inspector General at HHS-OIG, while Tom Keane, MD, was named National Coordinator at ONC earlier this year. HHS has also begun utilizing the ASTP/ONC branding in recent standards publications.

What This Means for Health Systems

Healthcare organizations must proactively address potential vulnerabilities and ensure compliance. Key steps include:

• Tighten Exception Workflows: re-evaluate and meticulously document all ONC information-blocking exceptions, such as those related to preventing harm, protecting patient privacy, ensuring security, or addressing infeasibility. Ensure staff are equipped to efficiently route, assess, and respond to EHI requests within the mandated timeframes.
• Audit Vendor contracts: Thoroughly review contracts with developers and HIEs to confirm that certification conditions and anti-information-blocking terms are enforceable.
• Prepare for OIG/CMS Coordination: Identify wich facilities and clinicians are susceptible to CMS disincentives and assess the potential impact on program participation and revenue cycles.

HHS is clearly signaling a more assertive approach to dismantling data-sharing barriers. Organizations should anticipate heightened scrutiny, update their compliance protocols, and rigorously test their ability to provide timely, compliant access to patient data across all platforms, providers, and public health partners.