Advisories July 27, 2023

Health Care Advisory: OIG Adds New Teeth to the Information Blocking Rule

Executive Summary
Minute Read

Our Health Care Group shares what you need to know about how the Department of Health and Human Services implemented civil monetary penalties and enforcement authority for information blocking.

  • Beginning September 1, the Office of Inspector General will be able to investigate and enforce information blocking with penalties of up to $1 million per violation
  • The OIG will use various factors to prioritize its investigations and determine penalties
  • The rule applies only to health information networks and exchanges and those entities that develop or offer certified health IT, but not health care providers at this time

On July 3, 2023, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) published a final rule, Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules. What does this mean for the health care industry and for actors now subject to information blocking enforcement?

What You Should Know

Background and effect of final rule

This long-awaited final rule amends the civil monetary penalty (CMP) regulations of HHS OIG to incorporate new CMP authority for information blocking.

Under the final rule, health information networks and exchanges (HINs/HIEs) and those entities that develop or offer certified health IT will be subject to CMPs of up to $1 million per violation for information blocking that occurs starting September 1, 2023, subject to the OIG’s enforcement priorities. The 2016 21st Century Cures Act prohibited certain types of entities from blocking access to electronic health information, and a 2020 final rule from the Office of the National Coordinator for Health Information Technology (ONC) defined information blocking, established a number of exceptions, and provided for an applicability date of April 5, 2021. Since then, while information blocking has technically been prohibited, HHS has had no meaningful enforcement mechanism. But with this final rule, the OIG will be able to investigate complaints against and enforce information blocking conduct by HINs/HIEs and entities that develop or offer certified health IT.

For an industry still trying to understand how the information blocking prohibition will be applied and enforced, this final rule means greater clarity may be on the horizon. While the OIG will not establish an advisory opinion process for the application of CMPs for information blocking, enforcement actions themselves may establish bright lines.

Penalty determination factors and enforcement priorities

The OIG will not impose penalties for information blocking conduct that occurs before the September 1, 2023 effective date of the final rule, but a history of information blocking complaints could be an aggravating factor in determining a penalty amount. When determining penalty amounts, the final rule allows the OIG to consider the nature and extent of the information blocking, including the number of patients or providers affected and the number of days information blocking persisted. It is unclear how each factor will be weighed in determining penalty amounts.

The OIG also anticipates receiving more information blocking complaints than it can investigate. Accordingly, the OIG will prioritize its investigation and enforcement of conduct that:

  • resulted in, is causing, or had the potential to cause patient harm;
  • significantly impacted a provider’s ability to care for patients;
  • was of long duration;
  • caused financial loss to the Federal health care programs, or other government or private entities; or
  • was performed with actual knowledge.

Anticipated proposed rules from ONC

This final rule applies only to HINs/HIEs and developers/offerors of certified health IT; it does not create an information blocking enforcement mechanism against health care providers (unless a provider also meets the definition of an applicable actor). ONC is currently working on a proposed rule, Establishment of Disincentives for Health Care Providers Who Have Committed Information Blocking, which the agency is targeting for publication in September 2023. The rule, expected later this year, will implement a provision of the 21st Century Cures Act requiring the OIG to refer health care providers that the OIG determines have committed information blocking to the appropriate agency to be subject to appropriate disincentives or penalties for such conduct.

ONC also plans to issue another proposed rule, Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2), in November 2023. This proposed rule will build on policies adopted in the 21st Century Cures Act and included in the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) proposed rule. In part, it is anticipated that the HTI-2 proposed rule will advance electronic health information sharing through proposals for supporting patient engagement and other information-sharing principles under the information blocking regulations.


As September 1, 2023 approaches, HINs/HIEs, entities offering certified health IT, and health IT developers of certified health IT should evaluate their own procedures for providing access to and sharing electronic health information and consider establishing practices, policies, and procedures addressing compliance with the information blocking rules to avoid OIG scrutiny. Additionally, in anticipation of ONC’s proposed rules, health care providers should also ensure operations are compliant with the information blocking regulations. As more information becomes available, we will monitor the OIG’s CMP enforcement practices and ONC’s anticipated proposed rules.

This website uses cookies to improve functionality and performance. For more information, see our Privacy Statement. Additional details for California consumers can be found here.