HHS Issues Provider Information Blocking Disincentives Final Rule - McDermott Will & Emery

HHS Issues Provider Information Blocking Disincentives Final Rule


On July 1, 2024, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) published a final rule in the Federal Register to implement a 21st Century Cures Act provision establishing penalties (called “appropriate disincentives”) for certain health care providers determined by the HHS Office of Inspector General (OIG) to have committed information blocking. Health care providers have been subject to the information blocking regulations since April 5, 2021, but there has been no enforcement mechanism under the Cures Act to date. The disincentives for certain Medicare-participating hospitals and clinicians become effective July 31, 2024, while disincentives associated with the Medicare Shared Savings Program (MSSP) become effective January 1, 2025.


  • While the final rule moves the industry towards full enforcement of the information blocking regulations against health care providers, it applies penalties only to health care providers that participate in certain Medicare programs and not to all health care providers that are covered actors under the information blocking regulations.
  • HHS has not proposed any disincentives for health care providers that do not participate in the Medicare Promoting Interoperability Program or MSSP, or that serve a limited number of Medicare beneficiaries.
  • In a press release accompanying the final rule publication, HHS emphasized that the final rule complements OIG’s July 2023 final rule establishing penalties for information blocking actors other than health care providers. OIG’s information blocking civil monetary penalty (CMP) authority does not extend to health care providers except to the extent that they meet the definitions of a health IT developer of certified health IT (certified health IT developer) or health information network and health information exchange (HIN/HIE).

For more information about ONC’s recent final rule expanding information blocking regulatory exceptions, see our On the Subject. For a discussion of OIG’s final information blocking enforcement rule concerning the penalties for information blocking by certified health IT developers and HIN/HIEs, plus OIG’s investigation and enforcement procedures, see our Special Report.

In Depth


The final rule establishes the following disincentives for health care providers that participate in certain Medicare programs that OIG determines committed information blocking and refers to CMS. As discussed below, the ultimate financial impact of disincentives (if any) will vary in some instances based on Medicare reimbursement otherwise owed to the provider rather than on the severity of a health care provider’s alleged information blocking conduct or other factors related to interference with access, exchange or use of electronic health information. The final rule does not include disincentives for health care providers that are not enrolled in Medicare at all or that do not participate in certain Medicare programs.

Hospitals and Critical Access Hospitals

HHS uses the existing Medicare Promoting Interoperability Program for the meaningful use of certified electronic health record (EHR) technology to impose disincentives on certain acute care hospitals (eligible hospitals) reimbursed under the Medicare Inpatient Prospective Payment System (IPPS) and on critical access hospitals (CAHs), which are reimbursed based on their reasonable costs. Under the final rule, an eligible hospital or CAH will not be a meaningful EHR user in an EHR reporting period if OIG refers, during the calendar year of the reporting period, its determination that the eligible hospital or CAH committed information blocking. As a result, an eligible hospital would be unable to earn the three-quarters of the annual market basket increase under the IPPS, and a CAH would have its Medicare reimbursement reduced to 100% of reasonable costs, down from 101%. The disincentives under the Medicare Promoting Interoperability Program will be effective July 31, 2024.

In the proposed rule, HHS estimated that this change could result in a median disincentive amount of $394,353 and a 95% range of $30,406 to $2,430,766. Of note, the Promoting Interoperability Program does not apply to many long-term care hospitals, rehabilitation hospitals, psychiatric hospitals, laboratories and other facilities.

Physicians and Other Clinicians Reimbursed Under the Medicare Physician Fee Schedule

With some exceptions, clinicians reimbursed under the Physician Fee Schedule (PFS) must either participate in a Medicare Advanced Alternative Payment Model or achieve a threshold Merit-based Incentive Payment System (MIPS) performance score to avoid a downward adjustment to their PFS reimbursement. CMS currently calculates the MIPS performance score based on four performance categories: Quality (30%), Improvement Activities (15%), Promoting Interoperability (25%) and Cost (30%). Measures within the four performance categories are scored and combined to make up a clinician’s MIPS score. Those who score higher than a performance threshold set by CMS for a reporting year (75 points for 2024) can earn a positive adjustment of up to 9% of reimbursement under the PFS in the payment year. Likewise, those below the performance threshold face penalties of up to -9% of reimbursement under the PFS. CMS applies a payment adjustment to the payment year two years after the calendar year of the clinician’s MIPS reporting period. Not all MIPS participants are required to report the Promoting Interoperability category. For example, there are exceptions for facility-based and hospital-based clinicians (e.g., emergency room physicians and providers in ambulatory surgical centers) as well as some small practices.

Under the final rule, a clinician who participates in MIPS and is required to report on the Promoting Interoperability performance category will receive a zero score for the category if OIG refers, during the calendar year of the clinician’s reporting period, a determination that the clinician committed information blocking. Because the Promoting Interoperability performance category is currently 25% of the total MIPS score, 75 would be the highest score that the clinician could earn and would likely result in a penalty based on the current MIPS performance threshold for 2024. Those who do not report the MIPS Promoting Interoperability category would not be subject to any disincentives under the final rule. The disincentives for MIPS participants will be effective July 31, 2024.

In the proposed rule, HHS estimated that the median individual disincentive amount could be a loss of $686 for a clinician, while an estimated median group of six clinicians could see a loss of $4,116, with a range of $1,372 to $165,326 for group sizes ranging from two to 241 clinicians.

Medicare Shared Savings Program

Clinicians can avoid having to participate in MIPS by participating in the MSSP. Under the final rule, if OIG determines that a health care provider that is an accountable care organization (ACO) or part of an ACO has committed information blocking, CMS can apply a range of appropriate disincentives under the MSSP based on the relevant facts and circumstances. The disincentives may include:

  • Denying the addition of an ACO participant such as a physician group to an ACO participant list (or denying addition of an ACO provider or supplier such as a physician to the ACO provider/supplier list);
  • Informing an ACO that remedial action should be taken against the ACO participant, provider or supplier;
  • Denying an ACO’s application to participate in the MSSP if the remedial action is not taken; or
  • Terminating an ACO’s participation agreement with CMS.

CMS stated that the relevant facts and circumstances to determine the appropriate disincentives to be applied under the MSSP include:

  • The nature of the provider’s information blocking practice;
  • The provider’s diligence in identifying and correcting the problem;
  • The time elapsed since the information blocking occurred, including whether the issue had long since been remediated; and
  • Whether the provider was previously subject to a disincentive in another program.

The disincentives under the MSSP will be effective January 1, 2025.


The information blocking regulations apply to a broad range of health care providers, including facilities such as nursing facilities, long-term care facilities, dialysis facilities, blood centers, ambulatory surgical centers, laboratories and pharmacies, and individual providers such as therapists and pharmacists. However, because only a subset of health care providers is subject to the requirements that are the basis for disincentives under the final rule (e.g., the Promoting Interoperability Program requirements), many health care providers will be excluded from the disincentives framework, even though they are covered actors under the Cures Act and the information blocking regulations.


The application of disincentives to health care providers covered by the final rule turns on a determination by OIG that the health care provider committed information blocking, so to understand the potential impact of HHS’s final rule, it is important to understand OIG’s role in the information blocking ecosystem.

The Cures Act granted OIG the authority to investigate information blocking claims against each type of covered actor: health care providers, certified health IT developers and HIN/HIEs. The Cures Act also granted OIG the authority to impose CMPs against certified health IT developers and HIN/HIEs that violate the information blocking prohibition. OIG published its final rule implementing its CMP authority in the Federal Register in July 2023. That penalty authority, however, does not extend to the health care provider category of covered actors. Instead, the Cures Act requires OIG to refer health care providers that OIG determines have violated the information blocking prohibition to “the appropriate agency to be subject to appropriate disincentives.”

From a procedural perspective, the final rule notes that OIG will coordinate with the “appropriate agency” to which OIG plans to make a “referral” during the pendency of OIG’s investigation and before actually making the referral, in an effort to ensure that the agency is aware that OIG might make the referral. When OIG actually makes the referral, OIG will provide information about its determination of information blocking, including how the health care provider’s practice met the “intent element” of the prohibition, among other data related to the alleged misconduct.

In the final rule, HHS acknowledged that OIG’s anticipated information blocking enforcement priorities for health care providers are identical to those OIG identified for certified health IT developers and HIN/HIEs, except that OIG omitted actual knowledge from its enforcement priorities list for health care providers. This omission reflects the different knowledge standard in the statutory definition of information blocking for health care providers, which must know that their alleged information blocking practice is likely to interfere with access, exchange or use of electronic health information to implicate the prohibition. In contrast, health IT developers and HIN/HIEs must know or should know that their alleged information blocking practice is likely to interfere to implicate the prohibition.

Health care providers should note that in some situations, they may be considered certified health IT developers or HIN/HIEs, subject to the lower knowledge threshold. However, the HTI-1 final rule released on December 13, 2023, clarifies the definition of certified health IT developer as it may apply to health care providers who “offer” health IT, and, as a result, limits the scope of scenarios in which health care providers would be considered certified health IT developers.

OIG has provided guidance describing its planned investigative process for entities subject to information blocking CMPs. Although the final rule discusses OIG’s enforcement priorities for health care providers, it largely omits discussion of the underlying investigative process, including whether OIG’s process will similarly include an opportunity for health care providers to discuss an OIG investigation and explain why their conduct did not implicate the information blocking prohibition, met an exception or was otherwise lawful. This is notable given the absence in the final rule of any appeal mechanism by which health care providers could challenge OIG’s information blocking determination. Although there may be some limited opportunities to appeal a disincentive, HHS specifically makes clear that ACO appeals under the MSSP regulations, at least, do not extend to OIG’s underlying information blocking determination.

One would expect that OIG would need to engage with the health care provider to perform a reasonable investigation. But the final rule’s omission of meaningful discussion about such interactions leaves open the question of what, if any, reasonable opportunities health care providers will have to make their case before being subjected to disincentives.

In addition, unlike appeals for CMPs, HHS has not implemented new administrative appeals for appropriate disincentives. In the limited circumstances in which the underlying program that forms the basis for the disincentive has an appeal right, such as the right for an ACO to appeal certain actions under the MSSP, then an actor could appeal the disincentive itself through that process.


The final rule creates a framework for public posts on ONC’s website about actors that OIG determines have committed information blocking. For health care providers subject to disincentives, the website will feature:

  • The health care provider’s name;
  • The provider’s business address (to ensure accurate provider identification);
  • The practice found to have been information blocking;
  • The disincentive(s) applied; and
  • Where to find additional information, if publicly available, about the determination of information blocking.

HHS will post similar information on ONC’s website about HIN/HIEs and certified health IT developers that OIG determines have committed information blocking (regardless of whether they resolved their CMP liability with OIG or were subject to a CMP). This portion of the final rule is intended to provide transparency as to how information blocking impacts the nationwide health information technology infrastructure.

The transparency is also an extension of the ONC’s existing website, Information Blocking Claims: By the Numbers, where it publishes statistics on the information blocking claims received through its Report Information Blocking Portal since April 5, 2021 (the information blocking compliance date). As of the end of May 2024, ONC and OIG had received almost 1,000 claims of possible information blocking (including 813 claims against health care providers).


Health care providers should evaluate their current information blocking policies and procedures to ensure compliance with the information blocking prohibition and mitigate the risk of disincentives. If you would like to evaluate your compliance capabilities, contact any of the authors of this On the Subject or your regular McDermott lawyer.