The Bill largely seeks to continue Medicare’s hospital-at-home program through 2029, which provides resources for at-home care for patients who need acute-level care. The Bill would also eliminate the geographic originating site restrictions on telehealth visits through 2026. Absent these changes, the programs will expire at the end of 2024.

Significantly, the Bill also would empower the Secretary of Health and Human Services (“HHS”) to expand the categories of practitioners that may furnish reimbursable telehealth services. This would potentially allow for any healthcare professional who bills the Medicare program to be eligible to offer telehealth services. The Bill would further enable the Secretary to maintain an expanded list of eligible telehealth services, even after the existing law’s emergency period expires.

The Bill specifically benefits patients located in a rural location by explicitly allowing additional resources to be allocated to rural health clinics providing telehealth services. For example, the Bill would make permanent the ability of Federally Qualified Health Centers and Rural Health Clinics to provide telehealth services and provide reimbursements in those settings. This is crucial because Federally Qualified Health Centers and Rural Health Clinics are critical safety-net providers of primary care for underserved populations. Permitting these types of health centers to provide telehealth services as distant sites plays a major role in expanding and maintaining access to care in underserved and rural communities, and helps ensure continuity of care in those communities. 

While the Subcommittee advanced the Bill following its markup session, it still must pass in both the House and Senate. Providers should closely track the Bill’s progress. If it is not enacted in 2024, the telehealth flexibilities borne out of the COVID-19 public health emergency may end. Practitioners should be prepared to adjust their telehealth services and billing practices in the event the flexibilities expire. On the other hand, practitioners should be prepared to continue and potentially expand their telehealth services and flexibilities if the Bill is enacted and the Secretary expands the applicability of the flexibilities to additional categories of healthcare professionals. 

The population of Medicare patients that use telehealth has grown, likely in part due to the flexibilities—12% of Medicare users had a telehealth service in the third quarter of 2023, which is nearly double the percentage that received at telehealth service in the first quarter of 2020. If the flexibilities end, many Medicare patients who have grown accustom to telehealth will need to readjust how they seek out and receive healthcare services and providers will need to reassess how to best serve those patients. 

Overview and Noteworthy Takeaways

The Act provides additional reporting and review requirements for healthcare facilities and provider organizations in connection with certain transactions, requiring them to:

1. Provide 30 days’ prior notice to the IL AG of any merger, acquisition or contracting affiliation for any entity not previously under common ownership or contracting affiliation (each a “Covered Transaction”) (including Covered Transactions with any out of state entity generating $10 million + in annual revenue from Illinois residents);
2. Provide the IL AG with a copy of any premerger notification submitted to the federal government in connection with the requirements under the HSR Act;
3. Provide simultaneous notice to the IL AG in connection with the completed change of ownership application submitted to the Illinois Health Facilities and Services Review Board (the “IL Review Board”); or
4. Notify the IL AG of any Covered Transaction not captured at items (2) and (3) above, and include details in such notice as described in the Act.

Failure to meet the notice requirements of the Act may result in daily fines of $500 to healthcare facilities and provider organizations for violations of the reporting requirements, as detailed below. 

Amendments to the Illinois Antitrust Act

By way of background, the Illinois Antitrust Act, enacted in 1965, supplements the federal anti-trust laws in securing the benefit of free and open competition to Illinois businesses and consumers. Under Illinois law, a private lawsuit may be filed against a party for an alleged antitrust violation at the same time a federal action is pending. In its current form, the Illinois Antitrust Act, provides the IL AG with the authority to bring action on behalf of a private party as a result of certain mergers and acquisitions that provide grossly unfair advantages to large business entities to the detriment of consumers. The Act includes additional reporting requirements under the Illinois Antitrust Act, requiring entities to provide 30 days’ prior notice to the IL AG in connection with any Covered Transactions. The added notice requirement would include any Illinois healthcare facility or provider organization seeking to contract with an out of state entity generating at least $10 million or more in revenue from Illinois residents. 

The Act’s definition of “healthcare facilities” includes:

• Ambulatory surgical treatment centers;
• Hospitals and other facilities licensed under the Hospital Licensing Act;
• Kidney disease treatment centers; and
• Outpatient surgical centers.

The Act defines a “provider organization” as any corporation, partnership, business trust, association or organized group of persons whether incorporated or not, in the business of healthcare delivery or management, that represents 20 or more healthcare providers in contracting with health carriers or third-party administrators for the payment of healthcare services. The definition includes:

• Physician organizations;
• Physician-hospital organizations;
• Independent practice associations;
• Provider networks; and
• Accountable care organizations.

Further, under the Act, a “contracting affiliation” would include the formation of a relationship between two or more entities that permits the entities to negotiate jointly with health carriers or other third party administrators over rates for professional medical services, or that permits an entity to negotiate on behalf of the other entity with health carriers or third-party administrators over rates for professional medical services. Contracting affiliations do not include arrangements among entities under common ownership.

The Act requires any healthcare facility or provider organization that is a party to a Covered Transaction and is required to file a premerger notification under the HSR Act to simultaneously provide a copy of the filing to the IL AG. Where a Covered Transaction does not require filing under the HSR Act, the healthcare facility would still need to satisfy its notice obligations to the IL AG by filing for a change of ownership with the IL Review Board in compliance with the Illinois Health Facilities Planning Act. The IL Review Board would then provide a copy of the filing to the IL AG at the same time such notice is provided to other shareholders, as required under Section 8.5(a) of the Illinois Health Facilities Planning Act. 

In addition, any entity that is a party to a Covered Transaction that is not subject to the filing requirements under the HSR Act or the change of control filing with the IL Review Board will need to provide written notice to the IL AG, including (i) the names and business addresses of the parties, (ii) the identification of all locations where each party currently provides healthcare services, (iii) a description of the nature and purpose of the transaction, and (iv) the effective date of the proposed transaction. Within 30 days’ of receipt of the notice, the IL AG may request additional information from the parties and the Covered Transaction may not proceed until 30 days’ after the parties have “substantially complied” with the additional request from the IL AG. Any failure to comply with the notice requirements or requests for additional information may result in a daily penalty of $500 for each day of noncompliance, after a 10 day cure period. 

Additional Amendments under the Illinois Finance Act and Health Facilities Planning Act

Section 8.5(a) of the Illinois Health Facilities Planning Act requires healthcare facilities to obtain a certificate of exemption from the IL Review Board in connection with any planned change in ownership by filing an application which details the terms of the proposed transaction. As discussed above, the Act amends Section 8.5(a) of the Health Facilities Planning Act to include additional notice to the IL AG upon completion of the change in ownership application. 

The Act also amends the Illinois Finance Act to include a new antitrust enforcement fund to be used by the IL AG for enforcement of the Illinois Antitrust Act.

Additional Considerations for Health Facilities and Provider Organizations

The Act raises concerns for delays in the closing process for Covered Transactions. The added reporting requirements and IL AG review process create the potential for an additional 90 day extension in healthcare transactions and failure to provide timely notice may result in penalties. The lack of clarity in the requirement for “substantial compliance” with additional inquiries from the IL AG, and the added power of the IL AG to seek a temporary restraining order or injunctive relief for noncompliance, create further possibilities for closing delays. Healthcare facilities and provider organizations should spend additional time consulting with their legal counsel in determining the best path forward with regard to transaction benchmarks and a timeline for making the required filings with the IL AG and the relevant Illinois authority. 

• Establish an AI Task Force. Under the EO, the Department of Health and Human Services (HHS) must establish an HHS AI Task Force in consultation with the Department of Defense and the Department of Veterans Affairs within 90 days. Within one year, the HHS AI Task Force must develop a strategic plan on the responsible deployment and use of AI-enabled technologies in the health sector, including guidance, policies, and regulatory action to protect AI deployment.
  • The HHS AI Task Force will focus on potential applications such as research and discovery, drug and device safety, healthcare delivery and financing, and public health. It must specifically consider appropriate human oversight, health equity and bias, and safety, privacy, and security standards.
• Incentivize Responsible AI Innovation. The EO requires HHS to identify and prioritize grantmaking and other awards to advance responsible AI innovation by healthcare technology developers. Recognizing that data quality underlies the success and usability of AI, HHS must prioritize the 2024 Leading Edge Acceleration Project cooperative agreement awards to initiatives that explore ways to improve healthcare-data quality. In addition, Veterans Affairs must host, within one year of the order, two three-month nationwide AI Tech Sprint competitions to advance AI systems that improve veterans’ healthcare quality and support small businesses’ innovative capacity.
• Protect Privacy. Privacy was a pervasive subject in the EO, with an eye on ensuring that agencies stay ahead of the privacy implications of AI and work to mitigate the privacy risks potentially exacerbated by AI.
  • The EO requires the Director of the Office of Management and Budget (OMB) to issue an RFI to seek feedback regarding how privacy impact assessments may be more effective at mitigating AI privacy risks. The RFI responses must inform potential revisions to guidance to agencies on implementing the privacy provisions of the E-Government Act of 2002.
  • We may see new guidance or rules on de-identified data and de-identification processes as part of this focus on AI and data privacy. AI may be capable of re-identifying data that was properly de-identified under currently accepted standards. On the other hand, AI may be a useful tool for advanced de-identification of data.
• Ensure Patient Safety. The EO also directs HHS to establish an AI safety program in consultation with other agencies and in partnership with Patient Safety Organizations. This program must establish a common framework for approaches to identifying and capturing clinical errors resulting from AI deployed in health care and specifications for tracking associated incidents that cause harm to patients, caregivers, and other parties—specifically including harm caused through bias or discrimination. The program will analyze captured data and generated evidence to develop best practices and other guidelines aimed at avoiding these harms.
• Regulate Drug Development. The EO also requires HHS to explore regulations for the advancement of drug development utilizing AI. HHS must develop a strategy for regulating the use of AI tools throughout each phase of the drug-development processes. It must also identify areas where future rulemaking may be necessary to implement an appropriate regulatory system.

The EO further supports citizen and expert calls for ethical, practical, and thoughtful implementation of AI. Healthcare, along with other critical industries, must ensure AI is engaged as a solution, without increased risk to patients or biased innovation. The EO is a significant step toward that goal as it tasks agencies and stakeholders with action to guide AI development, use, and, ultimately, accountability.

1. Capital and the Coming Health Startup Reckoning. Companies raising capital and the investor community continue to struggle with valuation expectations based on the outlier valuations that appeared in 2021. Issuers will need to raise capital or go to market in 2024, and there will be a reckoning in terms of the valuations they are able to support. Stakeholders expect that this shift in valuations and tightening of capital will lead to an uptick in M&A activity once there is a “meeting of the minds” among buyers and sellers. Many expect consolidation to be particularly active in the digital health sector.
2. Hospital and Health System Innovation and Transformation. Stakeholders are focused on the transformation of hospitals and health systems, which are in a fragile state and squeezed by the move to outpatient services, rising labor costs, dropping Medicare fee for service reimbursements, and quality costs. These stakeholders look to transform the current models by adopting innovative technologies, including data analytics and AI, and aligning incentives to make value-based care more successful.
3. A Need for Holistic Care and Coordination. As discussed in our prior blog post, many healthcare companies are focused on care coordination and management for specific conditions and specialties, but few are tackling holistic care coordination across the various sectors in healthcare and in the care delivery and payment vertical. Stakeholders are looking to “wellness by design” and the “quantified self.” “Super apps” were discussed as a means to solve the coordination deficit, by aggregating the massive amounts of information being generated in a multi-faceted wellness space.
4. Diabetes and Chronic Condition Care. Diabetes continues to be top of mind for payors and providers alike, with diabetes in America worsening despite increased investment in diabetes care. Fourteen percent of all 2022 medical visits related to diabetes. Almost a quarter of all individuals with diabetes are unaware that they suffer from the disease, further illustrating the need for prevention at the pre-diabetes stage through population health management, alignment of incentives, and the creation of incentivized care coordination.
5. Early Testing and Diagnostics Modalities. Companies are developing and launching early testing and diagnostics modalities, both for provider and consumer at-home use. With care coordination, the value of these products to the overall care delivery system could be enhanced.
6. Stakeholders Are Finding AI’s Role in Healthcare. AI was a pervasive topic at HLTH 2023, and it seems nearly-settled that healthcare stakeholders see AI as a tool, rather than a replacement, for providers. It is also widely accepted that developing trust is as important as developing the software and algorithms to run AI in healthcare. For now, AI’s role is likely to be more operational than clinical in nature, but as trust in AI builds through increased transparency and eliminating inherent biases, AI may make its way to the point of care.
7. Bias, Health Equity and Checks on AI and Large Language Model (LLM) Tools. The rapid pace of adoption of digital health solutions, AI and LLM tools are causing health equity concerns as some stakeholders lean on those tools to solve for inherent bias and increase health equity. However, it is worth noting that those tools themselves often have the same biases built into them; therefore, it is paramount that technologies incorporate safeguards to mitigate such biases.
8. Heightened Enforcement in the Medicare Space. There continues to be concern over enforcement activity relating to the Medicare Advantage program, whether as a result of Medicare Advantage risk adjustment, ACO REACH, underutilization or otherwise. We expect that this will continue to be an area of focus for DOJ enforcement in the next couple of years, driven both by recent high-value recoveries as well as the continued increase in government spend on the Medicare Advantage program. Potential solutions to reign in exploitation were debated, with a minority of stakeholders proposing a return to a fee for service model coupled with an expansion of the ACO REACH program, which is also under attack, as evidenced by the September resolution of the California legislature calling on President Biden to end ACO REACH.
9. Food is Medicine. As part of a focus on the social determinants of health, we saw a focus on addressing food insecurity and healthy food/food quality to drive cost savings and improved outcomes across the board.
10. Few Speakers Discussed Healthcare Professional Shortages. Few speakers and presenters at HLTH focused on the growing infrastructure deficiencies that could contribute to or worsen shortages of nurses and other essential providers. If the industry does not solve this issue, providers will continue to be stretched thin and will have little-to-no bandwidth to learn and adopt the innovative technologies and solutions that are intended to improve those providers’ abilities, overall patient care and total cost of care.

In addition to the above, we expect increased focus on more targeted and effective patient engagement, as well as advancements in behavioral health, oncology, and musculoskeletal care to drive the industry forward as we head into 2024.

While care coordination exists, it is often siloed to an individual provider or other stakeholder with whom a healthcare consumer interacts. Patient coaching has not yet found a way to persevere, but stakeholders agree that managing a patient well, both proactively and reactively, may be the key to a well person and a healthy industry. It is less clear how to carry the responsibility for holistic patient care coordination across the various service providers, payors, and healthcare resources.

Sanjula Jain, Ph.D., the Chief Research Officer and SVP of Market Strategy at Trilliant Health, eloquently encapsulated this care coordination issue during a panel session at HLTH: “If everybody is coordinating care, then nobody is coordinating care.” 

The increasing complexity of our healthcare system makes this a difficult issue to solve and makes identifying which stakeholders should have which care coordination responsibilities equally difficult. For example, while payors have a wealth of information regarding their members and where those members have used their benefits to obtain healthcare items and services, healthcare consumers frequently obtain care outside of their payor benefits for various reasons. A common example is that an individual might use an at-home testing kit for diagnosing an illness or condition instead of seeking a diagnosis from a clinician where their payor benefits might be used. In such a case, the payor might not receive data on the results of the patient’s test, including any relevant diagnosis, unless the patient follows up with a clinician using their insurance benefits. While this relatively low-risk example is fairly innocuous, the overarching point is that without any stakeholder owning the overarching care coordination role, it remains fragmented and leads to gaps in care and potential issues for any given patient.

Initiatives and incentives to improve this care coordination issue exist, but do not fully solve the problem. The federal government has recently started paying a small amount for certain federal healthcare program members who receive care coordination from providers. However, this initiative does not require coordination with the larger healthcare environment, and therefore remains siloed for now. Additionally, the global risk payment model inherently puts a premium value on care coordination and provides funding through the global risk percentage of premium to undertake such efforts successfully. Although these initiatives and incentives are helpful for care coordination, the healthcare industry still lacks the means to create coordinated care between the various sectors in healthcare and in the care delivery and payment vertical.

One potential solution is digital health “super apps.” These apps offer a unified digital platform that allows patients, providers, and other stakeholders to manage patient information, appointments, insurance benefits, prescriptions, and related features all in one place. While digital health super apps have existed for at least several years, to date none have sufficiently integrated into the care delivery market to solve the issue. There may be a renewed focus on creating effective super apps, however, given the recent entry of large retailers and technology companies into the care delivery sector and those companies’ focus on healthcare consumer experience.

The role of care management organization or division is often considered ancillary to the delivery of care, but in fact it is central to the delivery of care. Successfully bringing together all the pieces of care can be compared to bringing the notes of an orchestra together. An effective conductor aggregates and directs the various instruments and sounds to create something holistically new: music. Successfully achieving holistic care coordination will require stakeholders to come together to determine how best to share information, allocate the responsibility for acting on such information to manage a patient’s care, and take ownership of this role.

HATCo desires to create a new blueprint for national care delivery transformation via a tightknit collaboration of technologists, caregivers and capital. And it just might. By leveraging partnerships with more than 20 health systems in 43 states, a recent acquisition of a health system with a long term strategy, and the promise of innovative technology solutions, including artificial intelligence-driven data analytics, HATCo is well-positioned to succeed.

HATCo calls its single model a “clicks and mortar” approach, whereby digital transformation will enhance revenue and drive profitability. HATCo expects to create new revenue streams for health systems and free up existing revenue by leveraging technology and innovation to lower existing costs. For example, HATCo may deploy artificial intelligence solutions to analyze medical records and identify patients that are in early stages of renal failure. Using artificial intelligence, clinicians could work with patients to prevent or slow the advancement of the costly, chronic condition. Similar innovations could free up revenue for health systems to then reinvest in additional innovations that will in turn further lower costs, allowing additional revenue to be reinvested into other technologies that can better serve their respective communities.

A core feature of HATCo’s central strategy is to take on global risk for both governmental and commercial payors. In general, accepting global risk for governmental payors and programs, such as for Medicare Advantage, can lead to consistent revenue and increased profitability year-over-year due to a manageable patient population. However, commercial plan populations frequently fluctuate, are less predictable, and generally have higher volumes of acute healthcare services rather than chronic condition management services. HATCo’s sophisticated data analytics and extensive partnerships with hospitals across the country could be the key to mitigating this challenge.

HATCo is not alone in the technology-driven value-based transformation market for health systems—Kaiser Permanente announced the launch of Risant Health earlier this year. Risant Health similarly is oriented towards transforming health system care delivery with a focus on accelerating into value-based care by leveraging innovative technologies in addition to Kaiser Permanente’s established value-based care expertise. 

Whereas HATCo will offer a single model and blueprint for health system transformation, Risant Health intends to offer a platform with an array of tools for nonprofit health systems from which those health systems may pick and choose. Upon regulatory approval, Geisinger will become Risant’s first health system partner, and Risant will move forward with proving its value-based care model and expertise so that it can in turn offer that model and related technology and services to local, community-based health systems. Similar to HATCo, Risant Health will leverage innovative data analytics to accomplish its value-based transformation goals. 

For HATCo and Risant Health, data analytics and value-based care will go hand-in-hand, as their use of data analytics may help health systems unlock major care delivery and patient population insights that drive better care and better outcomes, ultimately lowering total costs of care, which is precisely the goal of value-based care. 

Bottom line: Sophisticated technology, including AI-driven data analytics, combined with deeper collaboration across health systems, may be the new capstone of health system transformation.

HHS OIG’s final enforcement rule was published in the Federal Register on July 3, 2023. The final rule will provide a sense of direction and certainty when navigating ongoing information blocking conduct for the first time since the information blocking rules were published three years ago. In addition, the final enforcement rule provides clarity on the scope of enforcement and penalties, the enforcement process, and the types of conduct the OIG will prioritize for enforcement.

Enforcement Scope, Penalties, and Standards

The OIG reiterated that only health information networks/health information exchanges (HIEs/HINs) and developers of certified health IT (Developers) are subject to the final rule at this time, and healthcare providers will be subject to appropriate disincentives as they are defined in the coming months by HHS and ONC. The proposed rule for appropriate disincentives is scheduled to be published in September 2023 per the fall 2022 regulatory agenda.

The OIG’s final enforcement rule provides a civil monetary penalty (CMP) of up to $1 million per violation. A “violation” is defined as each practice that constitutes information blocking. For example, while the enactment of a policy that violates information blocking will be considered one violation, each enforcement of the policy will constitute another, separate violation.

To decide whether to impose a CMP, the OIG must consider factors such as the nature and extent of the information blocking, the resultant harm, the number of patients and providers affected, and the duration of the blocking. 

Enforcement Process Will be Complaint-Based

The OIG’s enforcement will be complaint-based and will track the following process:

1. Receipt of an information blocking complaint;
2. Assessment of complaint using enforcement priorities;
3. Open investigation;
4. Investigation of complaint (case will be closed after investigation if the OIG determines no information blocking conduct occurred);
5. Opportunity for entity that is the subject of the complaint to discuss the OIG’s investigation;
6. The OIG concludes whether entity committed information blocking, and if the OIG concludes it did, the OIG sends a demand letter to the entity; and
7. Opportunity for appeal by the entity.

The OIG’s Enforcement to Prioritize Certain Conduct

The OIG set forth a number of enforcement priorities in its final rule, noting that it expects to receive more information blocking complaints than it can investigate. The OIG will focus on prioritizing the following information blocking conduct when selecting cases for investigation:

• resulted in, is causing, or had the potential to cause patient harm;
• significantly impacted a provider’s ability to care for patients;
• was of long duration;
• caused financial loss to Federal health care programs, or other government or private entities; or
• was performed with actual knowledge.

With regard to patient harm priorities, the OIG is primarily focused on harm to a patient population, community, or the public, rather than individual harm. As for its focus on practices performed with actual knowledge, which the OIG explicitly recognized is not a requirement for violations by HIEs/HINs or Developers under ONC’s rules, the OIG intends to prioritize cases in which an actor has actual knowledge over cases in which the actor only should have known that the practice was likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. 

Further, the OIG anticipates its enforcement priorities may lead to investigations of anti-competitive conduct or unreasonable business practices. The OIG noted that for investigations of anti-competitive conduct, the Public Health Service Act includes specific options for ONC and the OIG to coordinate with the Federal Trade Commission (FTC) related to an information blocking claim, including by sharing information, and that the OIG will coordinate with ONC to identify claims and investigations that may warrant referral to the FTC.

In addition to these priorities, the OIG has stated that it may prioritize investigations based in part on the volume of information blocking claims received by ONC relating to the same (or similar) conduct by the same actor.

Finally, the OIG stated that it will add an information blocking self-disclosure protocol (SDP), including an online submission form and other processes, to its existing SDP. The OIG noted the various benefits of using the SDP for information blocking violations, which potentially include paying lower damages than would normally be required, and avoiding costs and disruption associated with a government-directed investigation or litigation. The OIG also specifically noted that disclosure via the SDP and full cooperation with the OIG’s review and resolution of such a disclosure would be considered part of timely corrective action by an information blocking actor, which is a mitigating circumstance that the OIG will consider in determining the amount of a penalty.

Enforcement to Begin September 1, 2023

The OIG will begin enforcement starting September 1, 2023, 60 days after the final rule was published. While HIEs/HINs and Developers have already been required to comply with ONC’s information blocking rules, they now have 60 days to comply or be subject to penalties. Significantly, though, the OIG will not impose CMPs on information blocking conduct that occurred before September 1, 2023.

FOOTNOTES

[i] 88 Fed. Reg. 23746 (Apr. 18, 2023).

Attendees of the panel expressed a number of concerns and practical issues they are encountering with information blocking compliance implementation:

• Lack of Incentives to Comply. Attendees were concerned that, with the enforcement rules pending, some actors are continuing to engage in information blocking. Labs feel that they are stuck in the middle between having to comply with the rules and needing to protect themselves against those still engaging in information blocking, with limited resources. Attendees asked what, if anything, they can do now to discourage information blocking and protect their rights. Industry stakeholders do have some options, including: reporting HIPAA right of access violations to the HHS Office for Civil Rights; ensuring their contracts prohibit information blocking; and leveraging available claims for tortious business interference, unfair competition, defamation or breach of contract. 
• Added Complexity of State Laws. Attendees were also concerned with recently passed state laws that contribute to the complexity of information blocking compliance, and having to shoulder the cost of this increased complexity. For example, the Kentucky Disclosure of Lab Results Act requires that certain clinical laboratory, pathology and radiology tests and reports not be disclosed to a patient for 72 hours after they are finalized, unless a health care provider otherwise directs the release. Given that anything required by law is excepted from the definition of information blocking, information blocking actors within the scope of this Kentucky law must comply with it. In addition, California enacted its own information blocking law in 2021, the California Data Exchange Framework, which imposes additional obligations on certain actors in California. Providers and other actors must monitor for state laws that could change or add to their information blocking obligations.

Industry stakeholders’ concerns regarding the lack of enforcement rules may be addressed this fall. HHS recently reiterated that it is developing a proposed rule to implement information blocking enforcement against providers. That rule is scheduled to be released this September. Whether the proposed rule will be released by then remains to be seen—the HHS OIG failed to publish its final rule for information blocking enforcement by either of the fall 2022 or spring 2023 dates proposed in the regulatory agenda.

For assistance with information blocking questions and compliance, please contact a member of the Sheppard Mullin Healthcare Team. 

The wide-reaching effects of the Information Blocking Rules are increasingly apparent as Actors continue to grapple with how to operationalize compliance. A novel issue that has recently arisen is whether Actors may withhold EHI pursuant to other federal and state laws that permit the withholding of EHI, or whether the Information Blocking Rules would prohibit such withholding. As discussed below, the Information Blocking Rules may prohibit discretionary withholding of EHI, even where it is permitted under other federal and state laws.

Practices Required By Law Are Not Information Blocking, But Practices Permitted By Law May Be

Notably, the Information Bocking Rules narrowly exclude the withholding of EHI where “required by law” from its general prohibition. This exclusion has broad-ranging implications for Actors’ compliance with the Information Blocking Rules, including with regard to Actors’ reliance on other federal and state laws, and in particular such other laws that are merely permissive. The exclusion applies only to other laws that require a practice that could be information blocking; it does not apply to permissive laws. 

For example, ONC’s commentary in the preamble to the information blocking regulations suggests that where certain disclosures are permitted under HIPAA, the Information Blocking Rules require such disclosures.[2] The Director of ONC, Dr. Micky Tripathi, recently reiterated this point, stating that, “‘HIPAA says you’re permitted to [share]; information blocking [regulations] say you’re obligated to do it,’ as long as there is not another law forbidding the sharing.”

Many states have laws that permit specific Actors to withhold certain healthcare records under particular circumstances. The Information Blocking Rules, however, likely prohibit Actors from relying on such permissive state laws to withhold EHI, unless the Actor can generally satisfy an information blocking exception or the practice does not constitute information blocking for other reasons.

Reliance on Permissive State Laws to Withhold EHI May Be Information Blocking

By way of example, state laws often permit healthcare providers to withhold certain healthcare records where the provider determines releasing such records would pose a risk of harm to the individual that is the subject of the records or another person. In one instance, a healthcare provider recently inquired whether withholding certain mental health records under such a California law would violate information blocking prohibitions. 

The relevant California law provides that if a healthcare provider “determines there is a substantial risk of significant adverse or detrimental consequences to a patient in seeing or receiving a copy of mental health records requested by the patient, the provider may decline to permit inspection or provide copies to the patient” subject to certain conditions.[3] Because the California law merely permits (rather than requires) the provider to withhold the records, reliance solely on the California provision could violate information blocking because the Information Blocking Rules require that Actors share EHI except as otherwise required by law or where an information blocking exception is met. 

However, in certain circumstances, such as in the above example, an Actor could withhold the EHI where it generally satisfies an information blocking exception. Here, the preventing harm exception could apply to reach the same or a similar result as the California law. Notably, though, ONC has indicated that the information blocking exceptions are narrow and pose a high standard, so in some circumstances meeting an exception may be more onerous for an Actor than meeting a permissive state law standard.

Actors Should Review Their Operational Reliance on Permissive Laws

Actors should be aware of the Information Blocking Rules when relying on other laws that permit the Actor to withhold EHI. Actors should proactively determine whether the laws they rely upon to withhold EHI are mandatory or merely permissive, and whether the practice required or permitted by each law would constitute information blocking. For instance, Actors may have permissive provisions of state and other federal laws incorporated into their policies and procedures for health information management. Actors should review such policies and procedures to ensure that those documents do not permit the withholding of EHI pursuant to such permissive laws unless an information blocking exception is met or such practice would otherwise not be considered information blocking for other reasons. 

Failure to comply with the Information Blocking Rules can result in potentially-significant penalties for Actors. While the penalties and enforcement rules have yet to be finalized, penalties for health information networks and exchanges and developers of certified health IT may be up to $1 million per violation, and healthcare providers may be penalized with appropriate disincentives yet to be defined.

For assistance with questions regarding and compliance with the Information Blocking Rules, please contact a member of the Sheppard Mullin Healthcare Team. 

FOOTNOTES

[1] 45 C.F.R. § 171.103(a) (emphasis added).

[2] 85 Fed. Reg. 25846 (“We noted that practices that are “required by law” can be distinguished from other practices that an actor engages in pursuant to a law, but which are not “required by law.” Such laws are typically framed in a way that permit an access, exchange or use of health information to be made only if specific preconditions are satisfied but do not expressly require that the actor engage in a practice that interferes with access, exchange, or use of EHI. . . . However, we noted that because the condition does not prohibit the actor from exchanging the EHI in all circumstances, the actor would be at risk of engaging in a practice that was information blocking unless an exception applied.”).

[3] See CA Health & Safety Code § 123115(b).

The wide-reaching effects of the Information Blocking Rules are increasingly apparent as Actors continue to grapple with how to operationalize compliance. A novel issue that has recently arisen is whether Actors may withhold EHI pursuant to other federal and state laws that permit the withholding of EHI, or whether the Information Blocking Rules would prohibit such withholding. As discussed below, the Information Blocking Rules may prohibit discretionary withholding of EHI, even where it is permitted under other federal and state laws.

Practices Required By Law Are Not Information Blocking, But Practices Permitted By Law May Be

Notably, the Information Bocking Rules narrowly exclude the withholding of EHI where “required by law” from its general prohibition. This exclusion has broad-ranging implications for Actors’ compliance with the Information Blocking Rules, including with regard to Actors’ reliance on other federal and state laws, and in particular such other laws that are merely permissive. The exclusion applies only to other laws that require a practice that could be information blocking; it does not apply to permissive laws. 

For example, ONC’s commentary in the preamble to the information blocking regulations suggests that where certain disclosures are permitted under HIPAA, the Information Blocking Rules require such disclosures.[2] The Director of ONC, Dr. Micky Tripathi, recently reiterated this point, stating that, “‘HIPAA says you’re permitted to [share]; information blocking [regulations] say you’re obligated to do it,’ as long as there is not another law forbidding the sharing.”

Many states have laws that permit specific Actors to withhold certain healthcare records under particular circumstances. The Information Blocking Rules, however, likely prohibit Actors from relying on such permissive state laws to withhold EHI, unless the Actor can generally satisfy an information blocking exception or the practice does not constitute information blocking for other reasons.

Reliance on Permissive State Laws to Withhold EHI May Be Information Blocking

By way of example, state laws often permit healthcare providers to withhold certain healthcare records where the provider determines releasing such records would pose a risk of harm to the individual that is the subject of the records or another person. In one instance, a healthcare provider recently inquired whether withholding certain mental health records under such a California law would violate information blocking prohibitions. 

The relevant California law provides that if a healthcare provider “determines there is a substantial risk of significant adverse or detrimental consequences to a patient in seeing or receiving a copy of mental health records requested by the patient, the provider may decline to permit inspection or provide copies to the patient” subject to certain conditions.[3] Because the California law merely permits (rather than requires) the provider to withhold the records, reliance solely on the California provision could violate information blocking because the Information Blocking Rules require that Actors share EHI except as otherwise required by law or where an information blocking exception is met. 

However, in certain circumstances, such as in the above example, an Actor could withhold the EHI where it generally satisfies an information blocking exception. Here, the preventing harm exception could apply to reach the same or a similar result as the California law. Notably, though, ONC has indicated that the information blocking exceptions are narrow and pose a high standard, so in some circumstances meeting an exception may be more onerous for an Actor than meeting a permissive state law standard.

Actors Should Review Their Operational Reliance on Permissive Laws

Actors should be aware of the Information Blocking Rules when relying on other laws that permit the Actor to withhold EHI. Actors should proactively determine whether the laws they rely upon to withhold EHI are mandatory or merely permissive, and whether the practice required or permitted by each law would constitute information blocking. For instance, Actors may have permissive provisions of state and other federal laws incorporated into their policies and procedures for health information management. Actors should review such policies and procedures to ensure that those documents do not permit the withholding of EHI pursuant to such permissive laws unless an information blocking exception is met or such practice would otherwise not be considered information blocking for other reasons. 

Failure to comply with the Information Blocking Rules can result in potentially-significant penalties for Actors. While the penalties and enforcement rules have yet to be finalized, penalties for health information networks and exchanges and developers of certified health IT may be up to $1 million per violation, and healthcare providers may be penalized with appropriate disincentives yet to be defined.

For assistance with questions regarding and compliance with the Information Blocking Rules, please contact a member of the Sheppard Mullin Healthcare Team. 

FOOTNOTES

[1] 45 C.F.R. § 171.103(a) (emphasis added).

[2] 85 Fed. Reg. 25846 (“We noted that practices that are “required by law” can be distinguished from other practices that an actor engages in pursuant to a law, but which are not “required by law.” Such laws are typically framed in a way that permit an access, exchange or use of health information to be made only if specific preconditions are satisfied but do not expressly require that the actor engage in a practice that interferes with access, exchange, or use of EHI. . . . However, we noted that because the condition does not prohibit the actor from exchanging the EHI in all circumstances, the actor would be at risk of engaging in a practice that was information blocking unless an exception applied.”).

[3] See CA Health & Safety Code § 123115(b).