According to the Office of Inspector General (OIG) a violation of information blocking happens when someone does something that wrongly prevents people from accessing or using electronic health information (like patient records). For example, if a health tech company does one thing that blocks information for many patients, that's counted as one violation.
However, if they keep doing different things to block information for different people, each violation is separate. The OIG can fine these violators up to $1 million for each time they block information.
This rule mainly applies to companies that make health tech software and those that help share health information. The idea is to make sure that health information is always available when needed.
See also: HIPAA Compliant Email: The Definitive Guide
Who is subject to these penalties under the OIG Final Rule?
- Health IT developers: These companies create health technology-like software for hospitals and clinics.
- Health Information Exchanges (HIEs): These organizations help different healthcare providers, like hospitals and doctors, share patient information with each other.
- Health Information Networks (HINs): These systems connect different health organizations to exchange health information.
See also: What is a covered entity?
The basis for information blocking
The basis for civil money penalties, as outlined in section 1003.1410, is straightforward. If a company or organization involved in healthcare IT is found to be blocking information – which means they're stopping or interfering with the sharing of health information – they can be fined. This rule is especially for those who make health software or are part of networks that share health data. The idea is to ensure they don't prevent doctors, hospitals, and patients from getting the health information they need.
The rule explains how the exact amount of the penalty is determined. When deciding on the fine, several things are considered. These include how big the information-blocking issue is, how many patients and doctors were affected, and how long the blocking went on. The more people affected and the longer the blocking lasts, the higher the fine.
The penalties
- For false or fraudulent claims (§ 1003.700(a)(1)): The OIG can impose a penalty of up to $10,000 for each specified claim that a person knowingly presents or causes to be presented under such grant, contract, or other agreement, knowing it to be false or fraudulent.
- For false statements, omissions, or misrepresentations (§ 1003.700(a)(2)): If a person knowingly makes, uses, or causes to be made or used any false statement, omission, or misrepresentation of a material fact in a required document for funding, the penalty can be up to $50,000 for each occurrence.
- For false records or statements related to claims (§ 1003.700(a)(3)): The OIG may impose a penalty of up to $50,000 for each false record or statement made or used about a false or fraudulent specified claim.
- For false records or statements related to obligations (§ 1003.700(a)(4)): In cases where a false record or statement is made or used related to an obligation to pay or transmit funds or property, or where such an obligation is concealed, avoided, or decreased, the penalty can be up to $50,000 for each false record or statement, or up to $10,000 for each day of concealing, avoiding, or decreasing the obligation.
- For failure to grant timely access (§ 1003.700(a)(5)): If a person fails to grant timely access to the Inspector General upon reasonable request for audits, investigations, or other statutory functions, the penalty can be up to $15,000 for each day of the failure.
See also: 2023 HIPAA civil monetary penalty adjustments
Kirsten Peremore
