Revised Privacy Rule May Not Emerge for Two Years; Info Blocking Penalty Regulation Published
Report on Patient Privacy Volume 23, no. 7 (July 2023)
In two public talks this spring, Melanie Fontes Rainer, director of the HHS Office for Civil Rights (OCR), said completing the 2021 proposed regulation extensively revising the Privacy Rule wasn’t a priority this year amid limited resources and more pressing matters—including safeguarding abortion-related information.[1] Turns out it may not be a priority next year, either.
According to the newest federal Unified Agenda and Regulatory Plan, published June 13, OCR estimates a final version of the rule under development since 2018 will be published in December 2024.[2] However, these agendas—typically published in the spring and fall each year—are often little more than guesses, and publication dates are frequently missed, sometimes by a lot. This means a final rule could appear in 2025 or later.
In fact, OCR is more than 10 years late publishing regulations required by Congress that would allow people affected by privacy or security breaches to share in the financial penalties the agency collects for HIPAA violations. The June agenda lists March 2024 for a proposed rule on this topic. OCR published a related request for information in April of last year, a step that helps inform rulemaking but also lengthens the process. The statutory deadline for issuing the rule was Feb. 17, 2012.
Conversely, on July 3, the HHS Office of Inspector General (OIG) published a final rule describing how it will enforce compliance with an information technology (IT) blocking rule, disclosing that it may impose a $1 million penalty per violation on IT companies, networks and related vendors—but not on health care providers.[3]
Although enforced by OIG, the information blocking rule was written by the Office of the National Coordinator for Health Information Technology (ONC), with assistance from OCR. After a phase-in period, the rule went fully into effect Oct. 6, 2022.
Providers Won’t Be Sanctioned Anytime Soon
Earlier this year, ONC Director Micky Tripathi said the lack of enforcement regulations may be hindering compliance with the information blocking rule, which essentially requires the sharing of all elements of a designated medical records set, with eight exceptions.[4] Complaints may be submitted to ONC via a portal at https://bit.ly/44Ewh4x.
Although they are subject to the law, “any health care provider determined by OIG to have committed information blocking shall be referred to the appropriate agency to be subject to appropriate disincentives using authorities under applicable Federal law, as the Secretary of HHS sets forth through notice and comment rulemaking,” OIG said on its website.[5]
HHS is working on a separate rule to impose these “disincentives.” The recent regulatory agenda indicates a proposed rule is expected to be issued in September; this would be followed by a final rule with an effective date sometime in the future, so it will be a while before providers engaging in information blocking feel any sanctions.
For the other groups, however, OIG will begin enforcement Sept. 1 and “will not impose a penalty on information blocking conduct occurring” prior to that date, the agency said.
No ‘Intent,’ No Case
As noted earlier, OIG said individuals or entities found to have “committed information blocking…may be subject up to a $1 million penalty per violation.” It did not specify the lesser amounts it may impose.
“The final rule does not impose new information blocking requirements,” OIG pointed out.
The rule maintains the enforcement priorities OIG laid out in the proposed regulation. OIG will pursue “conduct that: (1) resulted in, is causing, or had the potential to cause patient harm; (2) significantly impacted a provider’s ability to care for patients; (3) was of long duration; (4) caused financial loss to Federal health care programs, or other government or private entities; or (5) was performed with actual knowledge.”
OIG will “select cases for investigation based on these priorities and expect[s] that the enforcement priorities will evolve as OIG gains more experience investigating information blocking,” it said. Importantly, OIG stressed that it has to find there was an element of “intent” in an entity’s actions; otherwise, OIG lacks authority to impose a fine, according to the rule.
The rule acknowledges that health care providers might develop IT for their own use, saying these entities are exempt from the definition of health IT developer. “The ONC Final Rule clarifies that health care providers that self-develop health IT for their own use refers to health care providers that are the primary users of the health IT and are responsible for its certification status.”
1 Theresa Defino, “OCR Issues Reproductive Health Proposed Rule, Focuses on Part 2—But Not Privacy Amendments,” Report on Patient Privacy 23, no. 5 (May 2023), https://bit.ly/3Mm1QbG.
2 U.S. Department of Health & Human Services, Office for Civil Rights, “HIPAA Privacy: Changes to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” RIN: 0945-AA00, Spring 2023, https://bit.ly/3D5KHPs.
3 Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 (July 3, 2023), https://bit.ly/43dTrNP.
4 Theresa Defino, “ONC’s Tripathi: HIPAA Doesn’t Impede Sharing, Requirements Under Info Blocking Regulation,” Report on Patient Privacy 23, no. 2 (February 2023), https://bit.ly/3ZEoAJu.
5 U.S. Department of Health & Human Services, Office of Inspector General, “Information Blocking,” last updated July 5, 2023, https://bit.ly/3pFtA3M.