It would probably be nearly impossible to find a HIPAA compliance professional or a provider who isn’t aware of the HHS Office for Civil Rights’ (OCR) initiative to collect fines and impose corrective action plans for failures to give patients and family members timely access to medical records—their right under the Privacy Rule. After all, there have been nearly four dozen such settlements and more formal imposition of fines since 2019.
In August, for example, United HealthCare paid OCR $80,000 related to delayed fulfillment of a patient’s request, OCR’s 45th patient access enforcement action, but its first with an insurer.[1]
And most are probably also aware that the Federal Trade Commission and state governments are increasing their enforcement activities when they believe the private data of consumers—who might also happen to be patients—has been inappropriately sold or shared.
First Penalty Rule Issued in July
But is the HHS Office of Inspector General (OIG) on the list of agencies to monitor for enforcement of HIPAA-like violations? With the recent publication of a proposed rule that provides “disincentives” for providers who engage in information blocking, it should be.[2]
Even though it’s still in the draft stages, the proposed rule draws renewed attention to OIG’s plan to coordinate with OCR when a provider is found to have committed information blocking that might also violate the Privacy Rule.
Prohibitions against information blocking were adopted in 2016 as part of the 21st Century Cures Act, but the various agencies are still engaged in related rulemaking for enforcement purposes. The primary rule prohibiting information blocking, published by the Office of the National Coordinator for Health Information Technology (ONC), went into effect in June 2020, with compliance required as of Oct. 6, 2022.
For providers, the new proposed rule implements the enforcement provisions of the information blocking regulation that apply to them. Broadly speaking, they must provide, upon request, all electronic information in a designated medical records set unless the information falls into any of eight exceptions. These include when a provider fears harm to a patient or another person or when providing the information poses a security risk to an information technology (IT) system.
Under the law, to be guilty of information blocking, the health care provider must be shown to know “a practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.”
The proposed rule follows and complements a separate information blocking enforcement final rule published in July that applies to health IT developers, health information networks and exchanges. These may be fined up to $1 million, as provided for under the Cures Act. OIG began enforcing this rule Sept. 1.[3]
The new proposed rule was published Nov. 1; the comment deadline is 11:59 p.m. EST on Jan. 2.
Early this year, ONC Director Micky Tripathi speculated that providers’ compliance with the information blocking regulation was lagging because their enforcement rule was still in development.[4] At the time, he noted that the law called for the secretary of HHS “to define those penalties that we’ll call appropriate disincentives” without any new authority. “None of that got defined [during] the previous administration,” so the task was left to ONC, OCR and other HHS departmental personnel to develop them, he said.
The new proposed rule applies to health care providers who accept Medicare payments. Although this is a wide universe, an official from the Centers for Medicare & Medicaid Services (CMS) said during the question-and-answer portion of a Nov. 15 webinar that future rulemaking may apply to organizations that don’t accept Medicare but do accept Medicaid.[5]