Skip to main content

OIG, HHS Publish Information Blocking CMP Final Rule, Enforcement Priorities

Though there has been much speculation and commentary among industry stakeholders, the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC) have not yet begun enforcing statutory penalties associated with violations of the Information Blocking Rules. On July 3, 2023, OIG and the Department of Health and Human Services (HHS) took a significant step toward enforcement of these penalties when they published long-awaited civil monetary penalty (CMP) final rule (CMP Final Rule) for certain Information Blocking Actors in the Federal Register.

The portion of the CMP Final Rule dedicated to information blocking CMPs is effective 60 days after publication of the CMP Final Rule, or September 1, 2023. Once the CMP Final Rule is effective, OIG and ONC will begin enforcing information blocking penalties against the following types of Information Blocking Actors: health IT developers of certified health IT, entities offering certified health IT, health information exchanges (HIEs), and health information networks (HINs). The finalization of these penalties and OIG and HHS’s commentary around enforcement priorities and approaches are momentous developments for entities across health care. Those who have submitted information blocking claims to the Information Blocking Portal – or perhaps those entities who suspect being on the subject of such claims – have been waiting since the Information Blocking Rules were published in 2020 for the OIG and ONC to formalize the penalty structure for entities who violate the Information Blocking Rules. Notably, OIG will not impose CMPs on information blocking conduct that occurred prior to the Final Rule effective date.

Separate and apart from the aforementioned subset of Information Blocking Actors, any health care provider determined by OIG to have committed information blocking will be subject to “appropriate disincentives” set forth by HHS through notice and comment rulemaking. The CMP Final Rule will not apply to health care providers unless they also meet the definition of a health IT developer of certified health IT or a HIN or HIE as defined under 45 C.F.R. 171.102. HHS is developing a separate notice of proposed rulemaking to establish appropriate disincentives for health care providers in the Unified Agenda.

In April 2020, pursuant to The Cures Act, OIG published a proposed rule (Proposed Rule) in the Federal Register setting forth certain proposed amendments to the Civil Monetary Penalty Law (CMP Law). Consistent with the Proposed Rule, the CMP Final Rule will amend the CMP Law regulations to, following investigation, impose penalties of up to $1 million per Information Blocking Rules violation for HINs, HIEs, health IT developers of certified health IT, and entities offering certified health IT. OIG stated that it anticipates the maximum penalty of $1 million per violation would only apply to particularly egregious conduct.

The commentary from OIG and HHS in the CMP Final Rule also provided the following:

  • OIG Enforcement Priorities and Factors – OIG stated that it will continue to focus on information blocking allegations where there is heightened risk to patients, providers, and health care programs, specifically citing conduct that: (1) resulted in, is causing, or had the potential to cause patient harm; (2) significantly impacted a provider’s ability to care for patients; (3) was of long duration; (4) caused financial loss to Federal health care programs, or other government or private entities; or (5) was performed with actual knowledge.

Additionally, OIG is required to consider the aggravating and mitigating factors in 42 CFR 1003.140, consistent with section 1128A of the Social Security Act (SSA). When determining the amount of penalties, OIG will take into account:

(a) The nature and extent of the information blocking including where applicable:

(1) The number of patients affected;

(2) The number of providers affected; and

(3) The number of days the information blocking persisted; and

(b) The harm resulting from such information blocking including where applicable:

(1) The number of patients affected;

(2) The number of providers affected; and

(3) The number of days the information blocking persisted.

OIG, recognizing the potential for confusion of similar aggravating factors across the Public Health Service Act, SSA, and 42 C.F.R. 1003.140, said it would holistically consider all aggravating factors when determining the penalty amount.

OIG also added that its current anticipated enforcement priorities may lead to investigations of anticompetitive conduct or unreasonable business practices, including unconscionable or one-sided business terms for the access, exchange, or use of electronic health information, or the licensing of an interoperability element.

  • Agency Investigation Coordination – Depending on the facts and circumstances of the allegation and the results of an investigation, OIG or ONC may have the authority to address an information blocking claim. The CMP Final Rule also discussed the instances in which it may be appropriate for OIG to refer instances of information blocking to other federal agencies. For instance, it may refer claims to the Office for Civil Rights (OCR) when claims implicate health privacy and security rules promulgated under section 264(c) of HIPAA. Additionally, if there is alleged anti-competitive conduct as discussed above, ONC and OIG may coordinate information blocking claim investigations with the Federal Trade Commission (FTC). Finally, OIG provided a reminder that information blocking could create false claims liability for an Information Blocking Actor, such as under the ONC Health IT Certification Program, and OIG may need to coordinate such activity with the Department of Justice.
  • Information Blocking SDP – Though OIG has not yet created a self-disclosure protocol (SDP) specifically for information blocking, it intends to add an information blocking SDP on the OIG website that will explain: (1) eligibility criteria; (2) manner and format; (3) required contents of a submission; and (4) expected resolution of the matter. According to OIG, only Information Blocking Actors looking to resolve their own potential CMP liability for information blocking should use the information blocking SDP. OIG will accept self-disclosure of information blocking conduct prior to finalization of the information blocking SDP.
  • Advisory Opinions – In response to commenter inquiries regarding advisory opinions on information blocking, OIG noted that section 1128D(b) of the SSA does not include administrative sanction authorities for information blocking. OIG does not plan to create an advisory opinion process regarding the application of the CMP for information blocking, but there have been legislative proposals that would grant HHS the authority to issue advisory opinions on information blocking practices.
  • CMP Process – OIG, as it originally proposed, finalized the addition of the CMP for information blocking to its existing CMP regulations at 42 CFR part 1003 and to apply the existing procedural and appeal rights at 42 CFR parts 1003 and 1005 to the CMP for information blocking.

The CMP Final Rule will also incorporate new authorities for CMPs, assessments, and exclusions related to HHS grants, contracts, and other agreements.


To this point, Information Blocking Rules penalties have been much discussed but the timeline for OIG actually penalizing Information Blocking Actors who engage in conduct deemed to be information blocking has been largely academic. Once the CMP Final Rule goes into effect on September 1, 2023, and OIG and ONC begin to announce investigation and enforcement efforts that involve specific penalty amounts, industry stakeholders will finally begin to have clarity on which types of information blocking claims are truly enforceable and how OIG will apply its enforcement priorities to these claims.


Subscribe To Viewpoints


Pat focuses his practice on advising health care organizations on regulatory, compliance, data privacy, and transactional matters. He is also a Certified Information Privacy Professional–US (CIPP–US).