HHS Issues Provider Information Blocking Disincentives Proposed Rule - McDermott Will & Emery

HHS Issues Provider Information Blocking Disincentives Proposed Rule


On October 30, 2023, the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) released a long-awaited proposed rule to implement a 21st Century Cures Act provision establishing penalties (called “appropriate disincentives”) for health care providers determined by the HHS Office of Inspector General (OIG) to have committed information blocking. Health care providers have been subject to the information blocking regulations since April 5, 2021, but there has been no enforcement mechanism under the Cures Act to date.

In Depth


  • While the HHS proposed rule moves the industry one step closer to enforcement of the information blocking regulations against health care providers, it would apply penalties only to health care providers that participate in certain Medicare programs and not to all health care providers that are covered actors under the information blocking regulations.
  • HHS has not proposed any disincentives for health care providers that do not participate in the Medicare Promoting Interoperability or Medicare Shared Savings Program (MSSP), or that serve a limited number of Medicare beneficiaries.
  • In a blog post accompanying the proposed rule, ONC was unequivocal about its position that “[i]nformation sharing is expected.” What remains unclear is the mechanics of how HHS will apply its proposed disincentives framework, and a close review of the proposed rule reveals several open questions.
  • Comments on the proposed rule are due January 2, 2024.

For more information about ONC’s information blocking regulations, including who is a regulated actor, as well as important information blocking definitions and exceptions, see our Special Report. For a discussion of OIG’s final information blocking enforcement rule concerning the penalties for information blocking by health IT developers of certified health IT (certified health IT developers) and health information networks and health information exchanges (HIN/HIEs), plus OIG’s investigation and enforcement procedures, see our Special Report “A Million Reasons to Share: OIG’s Final Rule on Information Blocking Enforcement.


The proposed rule would establish the following disincentives for certain Medicare-enrolled health care providers that OIG determines committed information blocking and referred to CMS. As discussed below, the ultimate financial impact of disincentives (if any) would vary in some instances based on Medicare reimbursement rather than on the severity of a health care provider’s alleged information blocking conduct or other factors related to interference with access, exchange or use of electronic health information (EHI). The proposed rule does not include disincentives for health care providers that are not enrolled in Medicare.

Hospitals and Critical Access Hospitals

HHS proposes to use the existing Medicare Promoting Interoperability Program for the meaningful use of certified electronic health record (EHR) technology to impose disincentives on eligible hospitals and critical access hospitals (CAHs). Under the proposed rule, an eligible hospital or CAH would not be a meaningful EHR user in an EHR reporting period if OIG refers, during the calendar year of the reporting period, its determination that the eligible hospital or CAH committed information blocking. As a result, a hospital would be unable to earn the three-quarters of the annual market basket increase, and a CAH would have its payment reduced to 100% of reasonable costs, down from 101%.

HHS estimates that this proposal could result in a median disincentive amount of $394,353 and a 95% range of $30,406 to $2,430,766. Of note, the Promoting Interoperability Program does not apply to many other facilities, laboratories, long-term care hospitals and other care sites.

Physicians and Other Clinicians Reimbursed Under the Medicare Physician Fee Schedule

With some exceptions, clinicians reimbursed under the Physician Fee Schedule (PFS) must either participate in a Medicare Advanced Alternative Payment Model (AAPM) or achieve a threshold Merit-based Incentive Payment System (MIPS) performance score to avoid a downward adjustment to their PFS reimbursement. CMS currently calculates the MIPS performance score based on four performance categories: Quality (30%), Improvement Activities (15%), Promoting Interoperability (25%) and Cost (30%). Measures within the four performance categories are scored and combined to make up a clinician’s MIPS final score. Those who score higher than a performance threshold set by CMS for a reporting year (75 points for 2024) can earn a positive adjustment of up to 9% of reimbursement under the PFS in the payment year. Likewise, those below the performance threshold face penalties of up to -9% of reimbursement under the PFS. CMS applies a payment adjustment to the payment year two years after the calendar year of the clinician’s MIPS reporting period. Not all MIPS participants are required to report the Promoting Interoperability category. For example, there are exceptions for facility-based and hospital-based clinicians (e.g., emergency room physicians and providers in ambulatory surgical centers) as well as some small practices.

Under the proposed rule, a clinician who participates in MIPS and is required to report on the Promoting Interoperability performance category would receive a zero score for the category if OIG refers, during the calendar year of the clinician’s reporting period, a determination that the clinician committed information blocking. Since the Promoting Interoperability performance category is currently 25% of the total MIPS score, 75 would be the highest score that the clinician could earn and would likely result in a penalty based on the current MIPS performance threshold for 2024. Those who do not report the MIPS Promoting Interoperability category would not be subject to any disincentives under this proposal.

HHS estimates that the median individual disincentive amount could be a loss of $686 for a clinician, while an estimated median group of six clinicians could see a loss of $4,116, with a range of $1,372 to $165,326 for group sizes ranging from two to 241 clinicians.

Medicare Shared Savings Program

Clinicians can avoid having to participate in MIPS, or can have their reporting requirements reduced, by participating in the Medicare Shared Savings Program (MSSP). CMS is moving to align certified EHR reporting requirements for all MSSP participants with those of the MIPS Promoting Interoperability performance category beginning in the 2025 performance year.

Because MSSP accountable care organizations (ACOs) are not yet required to report under the Promoting Interoperability program, CMS proposes a different disincentive in connection with the MSSP. Under the proposed disincentives rule, if OIG determines that a health care provider that is an ACO or part of an ACO has committed information blocking, that provider would be barred from participating in the MSSP for at least one year. This may result in a health care provider being removed from an ACO or prevented from joining an ACO. In the instance where a health care provider is an ACO, this would prevent the ACO’s participation in the MSSP.


The information blocking regulations apply to a broad range of health care providers, including facilities such as nursing facilities, long-term care facilities, dialysis facilities, blood centers, ambulatory surgical centers, laboratories and pharmacies, and individual providers such as therapists and pharmacists. However, because only a subset of health care providers is subject to the requirements that are the basis for disincentives under the proposed rule (e.g., the Promoting Interoperability requirements), many health care providers would be, at least initially, excluded from the disincentives framework, even though they are “covered actors” under the Cures Act and the information blocking regulations. In the proposed rule, HHS included a request for information on additional appropriate disincentives HHS should consider for future rulemaking efforts that would apply to the health care providers excluded from the disincentive framework in this rulemaking.


The application of disincentives to health care providers covered by HHS’s proposal turns on a determination by OIG that the health care provider committed information blocking, so to understand the potential impact of HHS’s proposed rule, it is important to understand OIG’s role in the information blocking ecosystem.

The Cures Act granted OIG the authority to investigate information blocking claims against each type of covered actor—health care providers, certified health IT developers and HIN/HIEs. The Cures Act also granted OIG the authority to impose civil monetary penalties (CMP) against certified health IT developers and HIN/HIEs that violated the information blocking prohibition. OIG published its final rule implementing its CMP authority in the Federal Register in July 2023. That penalty authority, however, does not extend to the health care provider category of covered actors. Instead, the Cures Act requires OIG to refer health care providers that OIG determines have violated the information blocking prohibition to “the appropriate agency to be subject to appropriate disincentives.”

From a procedural perspective, the proposed rule notes that OIG will coordinate with the “appropriate agency” to which OIG plans to make a “referral” during the pendency of OIG’s investigation and before actually making the referral in an effort to ensure that the agency is aware that OIG might make the referral. When OIG actually does make the referral, OIG will provide information about its determination of information blocking, including how the health care provider’s practice met the “intent element” of the prohibition, among other data related to the alleged misconduct.

In the proposed rule, HHS identified OIG’s anticipated information blocking enforcement priorities for health care providers, which are identical to those OIG identified for certified health IT developers and HIN/HIEs except that OIG omitted actual knowledge from its enforcement priorities list for health care providers. This omission reflects the different knowledge standard in the statutory definition of information blocking for health care providers which must know that their alleged information blocking practice is likely to interfere with access, exchange or use of EHI to implicate the prohibition while health IT developers and HIN/HIEs must know or should know that their alleged information blocking practice is likely to interfere to implicate the prohibition.

In connection with OIG’s final rule, OIG provided guidance describing its planned investigative process for entities subject to information blocking CMPs. Interestingly, OIG stated in its final rule that its discussion of its anticipated enforcement priorities and investigative process was limited to those entities subject to CMPs, and not applicable to health care providers that may be referred for appropriate disincentives. Although the proposed rule discusses OIG’s enforcement priorities for health care providers, it largely omits discussion of the underlying investigative process, including whether OIG’s process will similarly include an opportunity for health care providers to discuss an OIG investigation and explain why their conduct either did not implicate the information blocking prohibition, met an exception or was otherwise lawful. This is notable given the absence in the proposed rule of any appeal mechanism by which health care providers could challenge OIG’s information blocking determination. Although there may be some limited opportunities to appeal a disincentive, HHS specifically makes clear that ACO appeals under the MSSP regulations, at least, do not extend to OIG’s underlying information blocking determination. HHS does not discuss any other appeal avenues in the proposed rule.

One would expect that OIG would need to engage with the health care provider to perform a reasonable investigation. But the OIG final rule’s disclaimer and the proposed rule’s omission of meaningful discussion about such interactions leaves open the question of what, if any, reasonable opportunities health care providers would have to make their case before being subjected to disincentives.


The proposed rule would create a framework for public posts on ONC’s website about actors that OIG determines have committed information blocking. For health care providers subject to disincentives, the website would feature:

  • The health care provider’s name;
  • The provider’s business address (to ensure accurate provider identification);
  • The practice found to have been information blocking; the disincentive(s) applied; and
  • Where to find additional information, where publicly available, about the determination of information blocking.

HHS also proposes to post similar information on ONC’s website about HIN/HIEs and certified health IT developers that OIG determines have committed information blocking (regardless of whether they resolved their CMP liability with OIG or were subject to a CMP). The proposal is intended to provide transparency into how information blocking conduct is impacting the nationwide health information technology infrastructure.

This approach to transparency is similar to the HHS Office for Civil Rights’ notorious website that lists breaches of unsecured protected health information affecting 500 or more individuals (which is often referred to as the “wall of shame”). The transparency proposal is also an extension of the ONC’s existing website, Information Blocking Claims: By the Numbers, where it publishes statistics on the information blocking claims received through its “Report Information Blocking Portal” since April 5, 2021 (the information blocking compliance date). As of September 2023, ONC and OIG have received more than 800 claims of possible information blocking (including 685 claims against health care providers).


If you would like to submit comments to the proposed rule before the January 2, 2024, deadline, contact any of the authors of this On the Subject or your regular McDermott lawyer or McDermott+Consulting advisor. Health care providers also should consider reviewing their information blocking policies and practices now so that they are ready for a future final rule.