Health Information Sharing Penalties for Providers
Summary
This final rule implements the provision of the 21st Century Cures Act specifying that a health care provider determined by the HHS Inspector General to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives set forth through notice and comment rulemaking. This rulemaking establishes, for certain health care providers, a set of appropriate disincentives using authorities under applicable Federal law.
Compliance Requirements
- #1
An eligible hospital or CAH is not a meaningful electronic health record (EHR) user in an EHR reporting period if OIG refers, during the calendar year of the reporting period, a determination that the eligible hospital or CAH committed information blocking as defined at 45 CFR 171.103; A health care provider defined in 45 CFR 171.102 that is a MIPS eligible clinician is not a meaningful EHR user in a performance period if OIG refers, during the calendar year of the reporting period, a determination that the MIPS eligible clinician committed information blocking as defined at 45 CFR 171.103; A health care provider as defined in 45 CFR 171.102 that is an accountable care organization (ACO), ACO participant, or ACO provider/supplier, if determined by OIG to have committed information blocking as defined at 45 CFR 171.103, may be barred from participating in the Shared Savings Program for at least 1 year; Health care providers must not engage in information blocking as defined in 45 CFR 171.103 (practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information); OIG will investigate claims that a health care provider engaged in information blocking; Health care providers determined by OIG to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives
Deadline: 2024-07-31(Effective date of rule (30 days after publication in Federal Register))
Market Impacts
Health care providers determined by OIG to have committed information blocking will face specific disincentives including loss of meaningful EHR user status, reduced Medicare payments, and potential exclusion from ACO participation; Health care providers found to have committed information blocking may be barred from participating in Medicare Shared Savings Program for at least 1 year, denied addition to ACO participant lists, or have ACO participation agreements terminated; Mandatory compliance with information blocking regulations (45 CFR 171.103) for all health care providers participating in Medicare programs, requiring interoperability and appropriate sharing of electronic health information
Validated Company Impacts
Acadia Healthcare Company, Inc.
Acadia Healthcare operates as a behavioral healthcare provider with hospitals and treatment facilities that participate in Medicare programs, making them subject to information blocking regulations and potential disincentives under the 21st Century Cures Act. Their use of electronic health records and participation in value-based care models aligns directly with the rule's requirements for health information exchange and interoperability compliance. The rule's focus on Medicare reimbursement penalties and program exclusions for information blocking aligns moderately with the company's identified Medicare/Medicaid reimbursement risk, though this represents only one of their seven disclosed risk factors. The company's broader risk profile shows limited overlap with the specific information blocking and interoperability requirements of this regulation.
AMEDISYS INC
Amedisys operates as a healthcare provider delivering home health, hospice, and high acuity care services, directly falling under the definition of health care providers targeted by this rule. The company participates in Medicare programs and uses electronic health records for patient care, making it subject to information blocking regulations and potential disincentives for non-compliance. The rule focuses specifically on information blocking compliance for healthcare providers participating in Medicare programs, while the company's disclosed risks are primarily related to M&A activities, financial liabilities, and operational integration with no mention of healthcare regulatory compliance, EHR systems, or Medicare participation. There is minimal overlap as both involve regulatory compliance risks, but the specific healthcare focus of this rule does not align with the company's general business risks.
BrightSpring Health Services, Inc.
BrightSpring Health Services operates as a comprehensive healthcare provider offering pharmacy services, home health care, and behavioral health services, directly falling under the definition of health care providers in 45 CFR 171.102. The company participates in Medicare programs and utilizes electronic health records, making it subject to information blocking regulations and potential disincentives including loss of meaningful EHR user status and Medicare payment reductions. The rule directly addresses multiple regulatory compliance risks the company has identified, specifically changes in Medicare reimbursement rates and regulatory changes affecting eligibility and revenue. The company's dependence on Medicare/Medicaid programs and its operational focus on healthcare make it highly vulnerable to the disincentives and payment reductions outlined in this information blocking rule.
UNIVERSAL HEALTH SERVICES INC
Universal Health Services operates acute care hospitals and behavioral health facilities that are directly subject to this rule as health care providers participating in Medicare programs. The company's core business of hospital services and healthcare provision falls squarely within the scope of entities affected by information blocking disincentives, including potential loss of meaningful EHR user status and Medicare payment reductions. The rule directly addresses information blocking and EHR compliance, which aligns strongly with the company's regulatory compliance risks (13 identified) and technology cybersecurity risks (3 identified). The company's explicit risk of 'changes in healthcare laws and regulations' and 'cybersecurity threats' shows clear overlap with this rule's focus on health information technology requirements and potential penalties.
DAVITA INC.
DaVita operates as a major healthcare provider offering dialysis services through outpatient centers, hospital inpatient services, and home-based care, directly falling under the definition of health care providers subject to information blocking regulations. The company participates in Medicare programs and uses electronic health records, making it subject to meaningful EHR user requirements and potential disincentives for information blocking violations. The company's disclosed risk factors show minimal alignment with this healthcare-specific information blocking rule. While the company has a regulatory compliance risk category, it specifically relates to SEC scrutiny on non-GAAP financial measures rather than healthcare interoperability regulations. The cybersecurity risk is technology-focused but not specifically tied to health information exchange requirements.
Encompass Health Corp
Encompass Health Corp operates hospitals and provides patient care services, directly falling under the definition of health care providers targeted by this rule. As a hospital operator, they would be subject to meaningful EHR user requirements and potential disincentives for information blocking violations. The company's disclosed risk factors show minimal alignment with this rule's impacts. The rule focuses on information blocking penalties affecting Medicare program participation and EHR meaningful use, while the company's regulatory risk relates solely to income tax law complexity with no mention of healthcare compliance, EHR systems, or Medicare program participation.
ENSIGN GROUP, INC
Ensign Group operates skilled nursing facilities, assisted living facilities, and other healthcare services that qualify as health care providers under 45 CFR 171.102. The company participates in Medicare programs and uses electronic health record systems, making it directly subject to information blocking regulations and potential disincentives for non-compliance. The rule's focus on regulatory compliance for health information sharing has minimal alignment with the company's disclosed risk factors, which emphasize labor pressures, revenue dependency, and market competition rather than specific health IT or interoperability concerns. While there is a general regulatory compliance risk identified, it lacks specificity to information blocking or EHR requirements, indicating only weak relevance.
HCA Healthcare, Inc.
HCA Healthcare operates hospitals and healthcare facilities that directly fall under the definition of health care providers subject to this rule. As an eligible hospital operator participating in Medicare programs, HCA would be subject to meaningful EHR user requirements and potential disincentives for information blocking violations. The rule directly addresses information blocking and EHR compliance, which aligns with the company's 8 identified regulatory compliance risks and 6 technology cybersecurity risks. The potential disincentives including loss of meaningful EHR user status and Medicare payment reductions would significantly impact operational and financial performance, matching the company's concerns about staffing shortages and financial stability.
Privia Health Group, Inc.
Privia Health Group operates as a technology-driven healthcare platform that collaborates with physician practices and health systems, directly engaging with healthcare providers who are subject to the 21st Century Cures Act's information blocking disincentives. The company's focus on value-based care and physician enablement aligns with Medicare programs like MIPS and ACOs that are specifically targeted by this rule. The rule focuses specifically on information blocking penalties for healthcare providers in Medicare programs, while the company's only disclosed risk is general cybersecurity and data breaches. There is minimal overlap as information blocking involves intentional withholding of electronic health information, whereas the company's risk appears to be about unauthorized access and data protection failures.
Surgery Partners, Inc.
Surgery Partners operates surgical facilities that qualify as health care providers under the rule's definition (45 CFR 171.102), directly participating in Medicare programs and using electronic health record systems. The company's core operations involve patient care services that would be subject to information blocking regulations and potential disincentives for non-compliance. The rule's focus on information blocking penalties and EHR compliance aligns moderately with the company's healthcare regulations risk, but there is no direct mention of interoperability or data sharing risks in their disclosed risk factors. The data security risk relates to cybersecurity incidents rather than information blocking practices.
TENET HEALTHCARE CORP
Tenet Healthcare Corp operates as a major healthcare provider with hospitals, physicians, and participates in Medicare programs including ACOs and EHR systems, directly falling under the rule's jurisdiction for health care providers. Their core business involves electronic health records and Medicare participation, making them subject to information blocking disincentives and compliance requirements. The rule focuses specifically on information blocking penalties for healthcare providers in Medicare programs, while the company's risk factors are generic cybersecurity and regulatory concerns without any healthcare-specific or EHR-related risks mentioned. There is minimal overlap as the company's regulatory investigation risk could theoretically include any compliance violation, but no direct alignment with the specific information blocking requirements.