More than three years after the federal government issued rules to prohibit “information blocking,” penalties for violating those rules are taking effect. September 1 marks the first day on which certain entities may face civil monetary penalties (CMPs) for engaging in conduct deemed to be information blocking.

The Office of the National Coordinator for Health IT (ONC) released its final Information Blocking Rule in 2020, defining “information blocking” as certain practices that interfere with the access to, exchange of or use of electronic health information (EHI); in June, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) finalized its rule establishing monetary penalties for violations of the ONC rule.

Entities that could face penalties-in the form of fines up to $1 million per violation-for information blocking include health information exchanges (HIEs) (also referred to as health information networks (HINs)), as well as vendors or developers of health information technology (health IT) that have been certified by ONC. Vendors that solely develop health IT that is not certified by ONC are not subject to the rule. OIG has stated that, depending on the specific facts and circumstances, public health institutions, clinical data registries, public health agencies, health plans and certain health care providers could meet the definition of an HIE/HIN or a certified developer of health IT and hence be subject to penalties for any information blocking conduct occurring on or after September 1. OIG has declined to establish whether specific individuals or entities, or categories of individuals or entities, will meet these definitions, nor does it exempt specific types of individuals or entities, including providers or payers, from the definitions.

In assessing conduct that could be deemed to be information blocking, OIG will consider the nature and extent of information blocking conduct and resulting harm, including, where applicable, the number of patients affected, the number of providers affected and the number of days the information blocking persisted. Health IT developers and HIEs/HINs do not have to have actual knowledge of their violation in order to commit information blocking, but OIG has stated that cases in which an entity does have such knowledge likely will be prioritized over those where an entity should have but may not have known that its practice constituted information blocking, and that an actor’s intent will be taken into consideration when assessing culpability.

Although OIG has said it will not pursue conduct that occurred prior to September 1, practices that began prior to the enforcement date but continue after that date will presumably be subject to scrutiny. The time to ensure compliance is now.

The federal government has yet to release a second information blocking enforcement rule that would be targeted to health care providers. The government indicated earlier in the year that it would propose that rule-which would establish “appropriate disincentives”-in September.