Rule2023-13851
Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General's Civil Money Penalty Rules
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
July 3, 2023
Effective
August 2, 2023
Issuing agencies
Health and Human Services DepartmentInspector General Office, Health and Human Services Department
Abstract
This final rule amends the civil money penalty (CMP) regulations of the Department of Health and Human Services (HHS) Office of Inspector General (OIG) to: incorporate new CMP authority for information blocking; incorporate new authorities for CMPs, assessments, and exclusions related to HHS grants, contracts, other agreements; and increase the maximum penalties for certain CMP violations.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 126 (Monday, July 3, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 126 (Monday, July 3, 2023)]
[Rules and Regulations]
[Pages 42820-42841]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-13851]
[[Page 42819]]
Vol. 88
Monday,
No. 126
July 3, 2023
Part II
Department of Health and Human Services
-----------------------------------------------------------------------
Office of Inspector General
-----------------------------------------------------------------------
42 CFR Parts 1003 and 1005
Grants, Contracts, and Other Agreements: Fraud and Abuse; Information
Blocking; Office of Inspector General's Civil Money Penalty Rules;
Final Rule
��Federal Register / Vol. 88, No. 126 / Monday, July 3, 2023 / Rules
and Regulations��
[[Page 42820]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of Inspector General
42 CFR Parts 1003 and 1005
RIN 0936-AA09
Grants, Contracts, and Other Agreements: Fraud and Abuse;
Information Blocking; Office of Inspector General's Civil Money Penalty
Rules
AGENCY: Office of Inspector General (OIG), Department of Health and
Human Services (HHS).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: This final rule amends the civil money penalty (CMP)
regulations of the Department of Health and Human Services (HHS) Office
of Inspector General (OIG) to: incorporate new CMP authority for
information blocking; incorporate new authorities for CMPs,
assessments, and exclusions related to HHS grants, contracts, other
agreements; and increase the maximum penalties for certain CMP
violations.
DATES: This final rule is effective August 2, 2023, except for the
additions of Sec. Sec. 1003.1400, 1003.1410, and 1003.1420 (amendatory
instruction 10), which are effective on September 1, 2023.
FOR FURTHER INFORMATION CONTACT: Robert Penezic, (202) 539-4021,
<a href="/cdn-cgi/l/email-protection#98eaf7fafdeaecb6e8fdf6fde2f1fbd8f7f1ffb6f0f0ebb6fff7ee"><span class="__cf_email__" data-cfemail="cbb9a4a9aeb9bfe5bbaea5aeb1a2a88ba4a2ace5a3a3b8e5aca4bd">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION:
I. Executive Summary
A. Purpose and Need for Regulatory Action
This final rule implements three statutory provisions: (1) the
amendment of the Public Health Service Act (PHSA), 42 U.S.C. 300jj-52,
by the 21st Century Cures Act (Cures Act) authorizing OIG to
investigate claims of information blocking and providing the Secretary
of HHS (Secretary) authority to impose CMPs for information blocking;
(2) the amendment of the Civil Monetary Penalties Law (CMPL), 42 U.S.C.
1320a-7a, by the Cures Act, Public Law 114-255, section 5003,
authorizing HHS to impose CMPs, assessments, and exclusions upon
individuals and entities that engage in fraud and other misconduct
related to HHS grants, contracts, and other agreements (42 U.S.C.
1320a-7a(o)-(s)); and (3) the increase in penalty amounts in the CMPL
effected by the Bipartisan Budget Act of 2018 (BBA 2018), Public Law
115-123. Each of these statutory amendments is discussed further below.
First, section 4004 of the Cures Act added section 3022 to the
PHSA, 42 U.S.C. 300jj-52 which, among other provisions, provides OIG
the authority to investigate claims of information blocking and
authorizes the Secretary to impose CMPs against a defined set of
individuals and entities that OIG determines committed information
blocking. Investigating and taking enforcement action against
individuals and entities that engage in information blocking are
consistent with OIG's history of investigating serious misconduct that
impacts HHS programs and beneficiaries. Information blocking poses a
threat to patient safety and undermines efforts by providers, payers,
and others to make the health system more efficient and effective.
Information blocking may also constitute an element of a fraud scheme,
such as by forcing unnecessary tests or conditioning information
exchange on referrals. Addressing the negative effects of information
blocking is consistent with OIG's mission to protect the integrity of
HHS programs, as well as the health and welfare of program
beneficiaries.
In this final rule, we implement section 3022(b)(2)(C) of the PHSA,
which requires that the CMP for information blocking follow the
procedures of section 1128A of the Social Security Act (SSA).
Specifically, the final rule adds the information blocking CMP
authority to the existing regulatory framework for the imposition and
appeal of CMPs, assessments, and exclusions (42 CFR parts 1003 and
1005) pursuant to section 3022(b)(2)(C) of the PHSA (42 U.S.C. 300jj-
52(b)(2)(C)). The amendments give individuals and entities subject to
CMPs for information blocking the same procedural rights that currently
exist under 42 CFR parts 1003 and 1005. Through this final rule, we
codify this new information blocking authority at 42 CFR 1003.1400,
1003.1410, and 1003.1420.
The final rule also explains OIG's approach to enforcement, which
will focus on information blocking allegations that pose greater risk
to patients, providers, and health care programs, as well as OIG's
anticipated consultation and coordination with the Office of the
National Coordinator for Health Information Technology (ONC) and other
agencies, as appropriate, in reviewing and investigating allegations of
information blocking.
On May 1, 2020, ONC published a final rule, 21st Century Cures Act:
Interoperability, Information Blocking, and the ONC Health IT
Certification Program (ONC Final Rule), in the Federal Register. 85 FR
25642, May 1, 2020. Among other things, ONC through the ONC Final Rule
promulgated the information blocking regulations defining information
blocking and establishing exceptions to that definition. OIG's final
rule incorporates the relevant information blocking regulations at 45
part 171 as the basis for imposing CMPs for information blocking.
Second, this final rule modifies 42 CFR parts 1003 and 1005 to add
the new authority related to fraud and other misconduct involving
grants, contracts, and other agreements into the existing regulatory
framework for the imposition and appeal of CMPs, assessments, and
exclusions. The additions: (1) expressly enumerate in the regulation
the grant, contract, and other agreement fraud and misconduct CMPL
authority; and (2) give individuals and entities sanctioned for fraud
and other misconduct related to HHS grants, contracts, and other
agreements the same procedural and appeal rights that currently exist
under 42 CFR parts 1003 and 1005 for those sanctioned under the CMPL
and other statutes for fraud and other misconduct related to, among
other things, the Federal health care programs. In this final rule, we
codify these new authorities and their corresponding sanctions in the
regulations at 42 CFR 1003.110, 1003.130, 1003.140, 1003.700, 1003.710,
1003.720, 1003.1550, 1003.1580, and 1005.1.
On February 9, 2018, the President signed into law the BBA 2018.
Section 50412 of the BBA 2018 amended the CMPL to increase the amounts
of certain CMPs. 42 U.S.C. 1320a-7a(a), (b). This final rule codifies
the increased CMPs at 42 CFR part 1003. Specifically, for conformity
with the CMPL as amended by the BBA 2018, we revise the CMPs contained
at 42 CFR 1003.210, 1003.310, and 1003.1010.
B. Legal Authority
The legal authority for this regulatory action is found in the SSA
and the PHSA, as amended by the Cures Act and the BBA 2018. The legal
authority for the changes is listed by the parts of title 42 of the
Code of Federal Regulations (CFR) that we propose to modify:
1003: 42 U.S.C. 1320a-7a(a)-(b), (o)-(s); 42 U.S.C. 300jj-52
1005: 42 U.S.C. 1320a-7a(o)-(s); 42 U.S.C. 300jj-52
C. Proposed Rule
On April 24, 2020, OIG published a proposed rule (proposed pule) in
the Federal Register setting forth certain proposed amendments to the
CMP rules of HHS OIG. 85 FR 22979, April 24, 2020. The proposed rule
set forth
[[Page 42821]]
proposed regulations that would: (1) incorporate the new CMP authority
for information blocking; (2) incorporate new authorities for CMPs,
assessments, and exclusions related to HHS grants, contracts, other
agreements; and (3) increase the maximum penalties for certain CMP
violations. We solicited comments on those three proposed regulatory
additions and changes to obtain public input. Specific to information
blocking, we also provided information on--but did not propose
regulations for--our expected enforcement priorities, the investigation
process, and our experience with investigating conduct that includes an
intent element. We received 49 timely comments, 48 of which were
unique, from a broad range of stakeholders.
D. Final Rule
This final rule incorporates into OIG's CMP regulations at 42 CFR
parts 1003 and 1005 two new CMP authorities established by the Cures
Act related to: (1) information blocking; and (2) fraud and other
misconduct involving HHS grants, contracts, and other agreements. The
final rule also incorporates into 42 CFR part 1003 new maximum CMP
amounts for certain offenses, as set by the BBA 2018.
In the context of information blocking, the Cures Act authorizes
CMPs for any practice that is likely to interfere with, prevent, or
materially discourage access, exchange, or use of electronic health
information (EHI) if the practice is conducted by an entity that is: a
developer of certified health information technology (IT); offering
certified health IT; a health information exchange (HIE); or a health
information network (HIN) and the entity knows or should know that the
practice is likely to interfere with, prevent, or materially discourage
the access, exchange, or use of EHI.
The ONC Final Rule implements certain Cures Act information
blocking provisions, including defining terms and establishing
reasonable and necessary activities that do not constitute information
blocking or ``exceptions'' to the definition of information blocking.
OIG and ONC have coordinated extensively on the ONC Final Rule and this
final rule to align both sets of regulations. As proposed, we
incorporate the regulatory definitions and exceptions in ONC's
regulations at 45 CFR part 171 related to information blocking as the
basis for imposing CMPs and determining the amount of penalty imposed.
In the context of HHS grants, contracts, and other agreements, the
Cures Act authorizes CMPs, assessments, and exclusions for:
<bullet> knowingly presenting or causing to be presented a
specified claim under a grant, contract, or other agreement that a
person knows or should know is false or fraudulent;
<bullet> knowingly making, using, or causing to be made or used any
false statement, omission, or misrepresentation of a material fact in
any application, proposal, bid, progress report, or other document that
is required to be submitted in order to directly or indirectly receive
or retain funds provided in whole or in part by HHS pursuant to a
grant, contract, or other agreement;
<bullet> knowingly making, using, or causing to be made or used, a
false record or statement material to a false or fraudulent specified
claim under a grant, contract, or other agreement;
<bullet> knowingly making, using, or causing to be made or used, a
false record or statement material to an obligation to pay or transmit
funds or property to HHS with respect to a grant, contract, or other
agreement;
<bullet> knowingly concealing or knowingly and improperly avoiding
or decreasing an obligation to pay or transmit funds or property to HHS
with respect to a grant, contract, or other agreement; and
<bullet> failing to grant timely access, upon reasonable request,
to OIG for the purposes of audits, investigations, evaluations, or
other statutory functions of OIG in matters involving grants,
contracts, or other agreements.
We further codify changes to the CMP regulations at 42 CFR part
1003 to conform with the CMP amounts contained in the SSA, as amended
by the BBA 2018.
II. Background
For more than 35 years, OIG has exercised authority to impose CMPs,
assessments, and exclusions in furtherance of its mission to protect
Federal health care and other Federal programs from fraud, waste, and
abuse. The Cures Act established new CMP authorities related both to
information blocking and to fraud and other prohibited conduct
involving HHS grants, contracts, and other agreements. OIG also
received authority through the BBA 2018 to impose larger CMPs for
certain offenses committed after February 9, 2018.
A. Overview of OIG Civil Money Penalty Authorities
The CMPL (section 1128A of the SSA, 42 U.S.C. 1320a-7a) was enacted
in 1981 to provide HHS with the statutory authority to impose CMPs,
assessments, and exclusions upon persons who commit fraud and other
misconduct related to Federal health care programs, including Medicare
and Medicaid. The Secretary delegated the CMPL's authorities to OIG. 53
FR 12993, April 20, 1988. HHS has promulgated regulations at 42 CFR
parts 1003 and 1005 that: (1) enumerate specific bases for the
imposition of CMPs, assessments, and exclusion under the CMPL and other
CMP statutes; (2) set forth the appeal rights of persons subject to
those sanctions; and (3) outline the procedures under which a
sanctioned party may appeal the sanction. Since 1981, Congress has
created various other CMP authorities related to fraud and abuse that
were delegated by the Secretary to OIG and added to part 1003.
B. The Cures Act and the ONC Final Rule
The Cures Act added section 3022 of the PHSA, which defines conduct
that constitutes information blocking by health IT developers of
certified health IT, entities offering certified health IT, HIEs, HINs,
and health care providers. Section 3022(a) of the PHSA defines
information blocking as a practice that--(A) except as required by law
or specified by the Secretary pursuant to rulemaking under section
3022(a)(3), is likely to interfere with, prevent, or materially
discourage access, exchange, or use of electronic health information;
and (B)(i) if conducted by a health information technology developer,
exchange, or network, such developer, exchange, or network knows, or
should know, that such practice is likely to interfere with, prevent,
or materially discourage the access, exchange, or use of electronic
health information; or (ii) if conducted by a health care provider,
such provider knows that such practice is unreasonable and is likely to
interfere with, prevent, or materially discourage access, exchange, or
use of electronic health information. Section 3022(a)(3) of the PHSA
provides that the Secretary shall, through rulemaking, identify
reasonable and necessary activities that do not constitute information
blocking, and section 3022(a)(4) of the PHSA states that the term
``information blocking'' does not include any conduct that occurred
before January 13, 2017. The ONC Final Rule implements these sections
of the PHSA at 45 CFR part 171.
Section 3022(b)(1) of the PHSA authorizes OIG to investigate claims
of information blocking described in section 3022(a) of the PHSA, and
to investigate claims that health IT developers of certified health IT
or other
[[Page 42822]]
entities offering certified health IT have submitted false attestations
under section 3001(c)(5)(D) of the PHSA as part of ONC's program for
the voluntary certification of health IT (ONC Health IT Certification
Program). Section 3022(b)(2)(A) authorizes the Secretary to impose CMPs
not to exceed $1 million per violation on health IT developers of
certified health IT or other entities offering certified health IT,
HIEs, and HINs that OIG determines, following an investigation,
committed information blocking. Section 3022(b)(2)(A) also provides
that a determination of the CMP amounts shall consider factors such as
the nature and extent of the information blocking and harm resulting
from such information blocking including, where applicable, the number
of patients affected, the number of providers affected, and the number
of days the information blocking persisted. Section 3022(b)(2)(C) of
the PHSA applies the procedures of section 1128A of the SSA to CMPs
imposed under section 3022(b)(2) of the PHSA in the same manner as such
provisions apply to a CMP or proceeding under section 1128A(a) of the
SSA. This final rule implements section 3022(b)(2)(A) and (C) of the
PHSA.
Furthermore, section 3022(b)(2)(B) of the PHSA provides that any
health care provider determined by OIG to have committed information
blocking shall be referred to the appropriate agency to be subject to
appropriate disincentives using authorities under applicable Federal
law, as the Secretary of HHS sets forth through notice and comment
rulemaking. This final rule does not implement section 3022(b)(2)(B) of
the PHSA. However, a health IT developer of certified health IT, HIE,
or HIN as defined in 45 CFR 171.102 determined by OIG to have committed
information blocking could be subject to CMPs under this final rule
even if that entity also met the definition of a health care provider
at 45 CFR 171.102. For additional discussion related to health care
providers that meet a definition of an actor subject to CMPs, see
section IV.A.3. of this preamble.
The Cures Act also identifies ways for ONC, the Office for Civil
Rights (OCR), and OIG to consult, refer, and coordinate. For example,
section 3022(b)(3) of the PHSA states that OIG may refer instances of
information blocking to OCR when a consultation regarding the health
privacy and security rules promulgated under section 264(c) of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
will resolve such information blocking claims. Additionally, section
3022(d)(1) of the PHSA requires ONC to share information with OIG as
required by law. For additional discussion related to coordination, see
section III.A.5 of the proposed rule preamble and section III.B. of
this preamble.
ONC's information blocking regulations at 45 CFR part 171 and the
OIG CMP regulation at 42 CFR part 1003, subpart N, are designed to work
in tandem. As a result, we encourage parties to read this final rule
together with the ONC Final Rule. The ONC Final Rule defined
``information blocking''--and specific terms related to information
blocking--as well as implemented exceptions to the definition of
information blocking. This final rule describes the parameters and
procedures applicable to the CMP for information blocking.
The Cures Act amended the CMPL to give HHS the authority to impose
CMPs, assessments, and exclusions upon persons that commit fraud and
other misconduct related to HHS grants, contracts, and other
agreements. 42 U.S.C. 1320a-7a(o)-(s). This authority allows for the
imposition of sanctions for a wide variety of fraudulent and improper
conduct involving HHS grants, contracts, and other agreements
including, among other things, the making of false or fraudulent
specified claims to HHS, the submission of false or fraudulent
documents to HHS, and the creation of false records related to HHS
grants, contracts, or other agreements. The authority applies to a
broad array of situations in which HHS provides funding, directly or
indirectly, in whole or in part, pursuant to a grant, contract, or
other agreement. The Cures Act also created a new set of definitions
related to grant, contract, and other agreement fraud and misconduct,
outlined the sanctions for violation of the statute, and referenced the
procedures to be used when imposing sanctions under the statute.
C. The Bipartisan Budget Act of 2018
The BBA 2018 amended the CMPL to increase certain CMP amounts
contained in 42 U.S.C. 1320a-7a(a) and (b). The BBA 2018 increased the
maximum CMP amounts in section 1128A(a) of the SSA (42 U.S.C. 1320a-7a)
from $10,000 to $20,000; from $15,000 to $30,000; and from $50,000 to
$100,000. The BBA 2018 increased the maximum CMP amounts in section
1128A(b) of the SSA from $2,000 to $5,000 in paragraph (1), from $2,000
to $5,000 in paragraph (2), and from $5,000 to $10,000 in paragraph
(3)(A)(i). This statutory increase in CMP amounts is effective for acts
committed after the date of enactment, February 9, 2018. This final
rule updates our regulations to reflect the increased CMP amounts
authorized by the 2018 BBA amendments.
III. OIG's Anticipated Approach to Information Blocking CMP Enforcement
The preamble to the proposed rule provided a nonbinding,
informational overview of our anticipated information blocking
enforcement priorities and the investigative process. We provided this
information in the preamble to the proposed rule for informational
purposes only and did not propose regulations on these topics. We
received several comments on these topics, which are publicly available
at <a href="https://www.regulations.gov/docket/HHSIG-2020-0001/comments">https://www.regulations.gov/docket/HHSIG-2020-0001/comments</a>. To
improve public understanding of how we anticipate we will approach
information blocking CMP enforcement, we further provide in section III
of this preamble an informational statement to supplement the
discussion set forth in the proposed rule. We note that this discussion
of anticipated approach is limited to our investigation of those
entities subject to CMPs and does not apply to the investigation of
health care providers that may be referred for disincentives under
section 3022(b)(2)(B) of the PHSA.
A. Anticipated Priorities
The preamble to the proposed rule set forth our anticipated
information blocking enforcement priorities as conduct that: (1)
resulted in, is causing, or had the potential to cause patient harm;
(2) significantly impacted a provider's ability to care for patients;
(3) was of long duration; (4) caused financial loss to Federal health
care programs, or other government or private entities; or (5) was
performed with actual knowledge. We explained that we will select cases
for investigation based on these priorities and expect that the
enforcement priorities will evolve as OIG gains more experience
investigating information blocking. We also emphasized that the
definition of information blocking--as defined in section 3022(a) of
the PHSA and 45 CFR 171.103(a)--includes an element of intent and that
OIG lacked the authority to seek CMPs for information blocking against
actors who did not have the requisite intent. We continue to anticipate
the same enforcement priorities as set out in the preamble of the
proposed rule and supplement that discussion below. We provide this
explanation so that the public and stakeholders have a better
understanding of how we anticipate allocating our resources to enforce
the
[[Page 42823]]
CMP for information blocking. Prioritization ensures OIG can
effectively allocate its resources to target information blocking
allegations that have more negative effects on patients, providers, and
health care programs. Our enforcement priorities will inform our
decisions about which information blocking allegations to pursue, but
these priorities are not dispositive. Each allegation will present
unique facts and circumstances that must be assessed individually. Each
allegation will be assessed to determine whether it implicates one or
more of the enforcement priorities, or otherwise merits further
investigation and potential enforcement action. There is no specific
formula we can apply to every allegation that allows OIG to effectively
evaluate and prioritize which claims merit investigation.
As addressed in section III.B of this preamble, we anticipate
coordinating closely with ONC and other agencies as appropriate in
reviewing allegations. Although our statement of anticipated priorities
is framed around individual allegations, OIG may evaluate allegations
and prioritize investigations based in part on the volume of claims
relating to the same (or similar) conduct by the same actor. That
evaluation would include assessment of all information blocking claims
received by ONC through the standardized process to receive claims from
the public.
We clarify here that OIG's anticipated priority relating to patient
harm is not specific to individual harm, but rather may broadly
encompass harm to a patient population, community, or the public.
Additionally, with respect to our anticipated priority relating to
actual knowledge, we note that health IT developers of certified health
IT and health information exchanges and networks do not have to have
actual knowledge in order to commit information blocking. But the
conduct of someone who has actual knowledge is generally more egregious
than the conduct of someone who only should know that their practice is
likely to interfere with, prevent, or materially discourage access,
exchange, or use of EHI. As a general matter, we would likely
prioritize cases in which an actor has actual knowledge over cases in
which the actor only should have known that the practice was likely to
interfere with, prevent, or materially discourage the access, exchange,
or use of EHI.
Finally, we are stating that our current anticipated enforcement
priorities may lead to investigations of anti-competitive conduct or
unreasonable business practices. The ONC Final Rule provides, as
examples, conduct that may implicate the information blocking
provision, anti-competitive or unreasonable conduct, such as
unconscionable or one-sided business terms for the access, exchange, or
use of EHI, or the licensing of an interoperability element. For
example, a contract containing unconscionable terms related to sharing
of patient data could be anti-competitive conduct that impedes a
provider's ability to care for patients. 85 FR 25812, May 1, 2020. A
claim of such conduct would implicate OIG's enforcement priority
related to a provider's ability to care for patients. Anti-competitive
conduct resulting in information blocking could implicate other
enforcement priorities as well, depending on the facts.
OIG's enforcement priorities are a tool we use to triage
allegations and allocate resources. We can and do expect to investigate
allegations of other information blocking conduct not covered by the
priorities. If conduct or patterns of conduct raise concerns, OIG may
choose to investigate those allegations. And as we gain more experience
with investigating information blocking, we will reassess our
priorities accordingly. For example, as patients continue to adopt and
use technology to access their EHI, the number of patients that will
request their EHI directly from a health IT developer of certified
health IT or HIE may increase. That may generate more allegations
related to patient access to their EHI. Trends or changes in the types
of allegations we receive may affect enforcement priorities in the
future.
B. Coordination With Other Agencies
The Cures Act identified ways for ONC, OCR, and OIG to consult,
refer, and coordinate on information blocking claims. We elaborate on
those processes here for informational purposes only.
Section 3022(d)(1) of the PHSA states that ONC may serve as a
technical consultant to OIG. Because ONC promulgated the information
blocking regulations and exceptions, OIG will closely consult with ONC
throughout the investigative process. ONC's subject matter expertise is
vital to our evaluation of information blocking allegations. OIG will
continue working closely with ONC as ONC develops information blocking
guidance.
Section 3022(d)(3) of the PHSA requires ONC to implement a
standardized process for the public to submit reports on claims of
information blocking, and section 3022(d)(1) requires ONC to share
information with OIG as required by law. ONC has a standardized process
for the public to submit reports on claims of information blocking
through this website: <a href="https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6">https://inquiry.healthit.gov/support/plugins/servlet/desk/portal/6</a>. In addition to the process required by the PHSA,
OIG has its own hotline process through which individuals may submit
claims of information blocking online at <a href="https://tips.oig.hhs.gov/">https://tips.oig.hhs.gov/</a> or
by calling 1-800-447-8477. Regardless of whether a claim is made to ONC
or OIG, ONC and OIG will coordinate in evaluating claims of information
blocking and share information as permitted by law.
Whether OIG's or ONC's authority is appropriate to address a claim
of information blocking will depend on the facts and circumstances of
the allegation and the results of an investigation. For example, ONC
and OIG may initially agree that a claim is most appropriately
evaluated through an OIG investigation. ONC has authority to take
action against an individual or entity that is a developer
participating in the ONC Health IT Certification Program. 45 CFR
170.580. OIG has authority to impose CMPs against a health IT developer
of certified health IT, which includes developers participating in the
ONC Health IT Certification Program. Thus, an individual or entity that
meets the definition of health IT developer of certified health IT
could be subject to CMPs, termination of certification or other action
under the ONC Health IT Certification Program review process, or both.
85 FR 25789, May 1, 2020.
In addition to coordination with ONC, section 3022(b)(3) of the
PHSA provides the option for OIG to refer instances of information
blocking to OCR when a consultation regarding the health privacy and
security rules promulgated under section 264(c) of HIPAA will resolve
such information blocking claims. Depending on the facts and
circumstances of an information blocking claim, OIG will exercise this
statutory discretion as appropriate to refer persons to consult with
OCR to resolve information blocking claims. There is no set of facts or
circumstances that will always be referred to OCR. OIG will work with
OCR to determine which claims should be referred to OCR under the new
authorities found in section 3022(b)(3) of the PHSA. In addition to
section 3022(b)(3), OIG may request technical assistance from OCR
during an information blocking investigation. OIG may also refer to OCR
claims of information blocking that would be better resolved under
OCR's HIPAA authorities.
Specific to anti-competitive conduct, we note that section 3022(d)
of the PHSA includes specific options for ONC
[[Page 42824]]
and OIG to coordinate with the Federal Trade Commission (FTC) related
to an information blocking claim. Under section 3022(d)(1) of the PHSA,
ONC may share information related to claims of information blocking or
investigations by OIG with the FTC for purposes of such investigation.
We will coordinate closely with ONC to identify claims and
investigations or patterns of claims and investigations that may
warrant referral to the FTC.
We further note that following our investigation and the imposition
of CMPs, our coordination with ONC, OCR, or other agencies as relevant
may continue as part of an appeal of the imposition of CMPs by OIG.
Upon the issuance of a notice of proposed determination for a CMP in
accordance with 42 CFR 1003.1500, the actor may appeal the proposed
determination for a CMP in accordance with the appeal procedures set
forth in 42 CFR part 1005. As noted in 42 CFR 1005.2(a), a party
sanctioned under any criteria in 42 CFR part 1003 may request a hearing
before an administrative law judge (ALJ). 42 CFR 1005.2. The facts of
the matter under appeal will determine the specific agencies with which
we may coordinate.
We also anticipate coordinating with other HHS agencies to avoid
duplicate penalties. Section 3022(d)(4) of the PHSA requires that the
Secretary, to the extent possible, ensure that penalties do not
duplicate penalty structures that would otherwise apply to information
blocking and the type of individual or entity involved as of the day
before the enactment of the Cures Act, December 13, 2016. Depending on
the facts and circumstances, OIG might also consult or coordinate with
a range of other agencies that might have relevant information or be
able to provide technical assistance, including the Centers for
Medicare and Medicare Services (CMS), other HHS agencies, FTC, or
others. We discuss what enforcement coordination may look like in
section III.D of the preamble.
C. Anticipated Enforcement Approach
Some commenters expressed interest in understanding OIG's
enforcement approach, including: (1) whether OIG would include
alternative actions, in lieu of the imposition of CMPs, such as
providing actors subject to CMPs with additional education or
corrective action plans; (2) whether OIG's approach to information
blocking investigations would include investigating potential non-
compliance with the requirements of CMS's Promoting Interoperability
Program for eligible hospitals and critical access hospitals (CAHs) and
Merit-based Incentive Payment System (MIPS) promoting interoperability
performance category for clinicians; (3) whether actors may be subject
to False Claims Act (FCA) liability for engaging in conduct that
constitutes information blocking; and (4) whether OIG plans to create a
self-disclosure protocol (SDP).
At this point, we do not anticipate using alternatives to CMPs as
described by the commenters. OIG will have an SDP to resolve CMP
liability and allow for lower penalties. As we gain more experience
investigating and imposing CMPs for information blocking, we may
further consider alternative enforcement approaches. HHS or OIG may
also consider issuance of compliance guidance or other educational
materials on the topic of information blocking.
OIG's historical position in its administrative enforcement under
the CMPL is that the Federal health care programs are best protected
when persons who engage in fraudulent or other improper conduct are
assessed a financial sanction. This remedial purpose is at the core of
OIG's administrative enforcement authorities.
The PHSA and existing regulatory structures provide options for ONC
and OCR to conduct individualized education and corrective action plans
when an actor has committed information blocking, and OIG may refer
matters to ONC or OCR for such actions. For example, OIG may refer an
allegation to OCR for consultation regarding the health privacy and
security rules or for OCR to address under its HIPAA authorities.
Similarly, OIG may refer an allegation to ONC to address under its
direct review authority, under which ONC could impose a corrective
action plan. ONC also stated in the ONC Final Rule that ONC's and OIG's
respective authorities are independent and that either office may
exercise its authority at any time. 85 FR 25789, May 1, 2020. Thus,
OIG's enforcement action will only include a CMP, while ONC could purse
a separate enforcement action within its authority, which could include
a corrective action plan.
As noted above, this rulemaking does not address OIG investigations
of potential information blocking by healthcare providers. HHS is
developing a separate notice of proposed rulemaking to establish
appropriate disincentives for healthcare providers as described in the
Unified Agenda at <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=0955-AA05">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=0955-AA05</a>. However, in response to
commenters' inquiry we clarify that OIG does not intend to use its
authority to investigate information blocking under section 3022(b)(1)
of the PHSA to investigate potential non-compliance with CMS
programmatic requirements, including those under the Promoting
Interoperability Program for eligible hospitals and CAHs and MIPS
promoting interoperability performance category for clinicians, that
are distinct from the information blocking provisions of the PHSA. If
investigations into alleged information blocking suggest a health care
provider may be out of compliance with CMS programmatic requirements,
OIG may refer such matters to CMS.
Similarly, conduct that constitutes information blocking could
create false claims liability for an actor. For example, by engaging in
conduct that constitutes information blocking, a health IT developer of
certified health IT may have falsified attestations made to ONC as part
of the ONC Health IT Certification Program. By falsifying its
attestation, the health IT developer of certified health IT may cause
health care providers to file false attestations under MIPS. Such a
fact-specific determination would be assessed in coordination with
OIG's law enforcement partners, including the Department of Justice.
Information blocking is newly regulated conduct, and OIG has not
created an SDP specifically for information blocking; however, after
the publication of this rule, OIG will add an information blocking SDP,
including an online submission form, and other processes, to OIG's
existing SDP located at <a href="https://oig.hhs.gov/compliance/self-disclosure-info/">https://oig.hhs.gov/compliance/self-disclosure-info/</a>.
We understand many stakeholders may not be familiar with OIG's
current SDP and provide the following information regarding the
forthcoming information blocking SDP and self-disclosure process. The
information blocking SDP will provide actors with a framework and
mechanism for evaluating, disclosing, coordinating, and resolving CMP
liability for conduct that constitutes information blocking. When
posted on our website, OIG's SDP will explain: (1) eligibility
criteria, (2) manner and format, (3) required contents of a submission,
and (4) expected resolution of the matter. The information blocking SDP
will be available only to those actors seeking to resolve potential CMP
liability.
We recognize that whether to disclose potential information
blocking violations to OIG is a significant decision; however, the
significant benefits to disclosing potential information blocking
violations to OIG should make that decision easier. First,
[[Page 42825]]
actors accepted by OIG into the SDP who cooperate with OIG during the
self-disclosure process will pay lower damages than would normally be
required in resolving a government-initiated investigation. Second,
through our experience with OIG's existing SDP, we know that self-
disclosure provides the opportunity for an actor to avoid costs and
disruptions associated with government-directed investigations and
civil or administrative litigation. Finally, OIG created the original
SDP to provide a consistent, specific, and detailed process that can be
relied upon by all participants, and we are similarly committed to
working with actors that use the SDP in good faith to disclose
information blocking conduct and cooperate with OIG's review and
resolution process.
We reiterate that self-disclosing conduct is for an actor to
resolve its own potential liability under the CMP for information
blocking. It would not resolve any liability an actor may have under
other applicable law, such as under HIPAA or under the ONC
Certification Program. Actors should not self-disclose to seek opinions
from OIG as to whether an individual or entity meets the definitions of
a ``health IT developer of certified health IT'' or ``health
information network or health information exchange'' in 45 CFR 171.102
or whether conduct constitutes information blocking under section
3022(a) of the PHSA and corresponding implementing regulations. Actors
seeking to inform OIG about another individual's conduct should use the
ONC portal or the OIG hotline.
As mentioned above, OIG will provide additional information on our
website regarding the SDP for information blocking after publication of
this final rule. However, before such information is posted, OIG will
accept self-disclosure of information blocking conduct. We refer actors
to section IV.A.5 of the preamble that describes how we will evaluate
disclosure of violations and cooperation with investigations.
Specifically, it is a mitigating circumstance under the factors at
42 CFR 1003.140(a)(2) for an actor to take appropriate and timely
corrective action in response to a violation. Timely corrective action
includes disclosing information blocking violations to OIG and fully
cooperating with OIG's review and resolution of such disclosure.
D. Advisory Opinions
Some commenters requested that OIG develop an advisory opinion
process for individuals and entities to obtain advisory opinions on
whether specified conduct constitutes information blocking for which
OIG may impose a CMP. Pursuant to section 1128D(b) of the SSA, HHS,
through OIG, publishes advisory opinions regarding the application of
the Federal anti-kickback statute and the associated safe harbor
provisions, as well as specified administrative sanction authorities,
to proposed or existing arrangements. Section 1128D(b) specifies the
matters subject to advisory opinions under that authority. The CMP for
information blocking is not one of the administrative sanction
authorities specified by section 1128D(b) of the SSA.
Furthermore, the Cures Act did not establish an advisory opinion
process with regard to the application of OIG's information blocking-
related administrative enforcement authorities. At present, OIG has no
plans to develop and establish an advisory opinion process regarding
the application of the CMP for information blocking. The Justification
of Estimates to the Appropriations Committee for the President's fiscal
year (FY) 2024 budget included a legislative proposal to provide HHS
the authority to issue advisory opinions on information blocking
practices.
IV. Summary of Final Rule Provisions, Public Comments, and OIG Response
A. The CMP for Information Blocking
As a general matter, commenters were supportive of OIG's proposed
information blocking rules but sought more information and guidance
from both ONC and OIG. Commenters suggested that the effective date for
the CMP for information blocking rules be delayed as a result of the
ongoing public health emergency (PHE) due to SARS-CoV-2, which causes
COVID-19, and the requests for additional guidance from ONC and OIG.
Many commenters sought clarification on the ONC Final Rule, such as
whether an individual or entity falls within the category of actors
that OIG would subject to CMPs for information blocking. Many
commenters requested that OIG, either in this final rule or through
guidance, further elaborate on and provide examples of how OIG will
determine violations and CMP amounts. We have considered these comments
carefully in developing the final rule, as described in more detail in
responses to comments.
1. Information Blocking CMP Regulatory Authority & CMP Process
We proposed to add the CMP for information blocking to our existing
CMP regulations at 42 CFR part 1003 and to apply the existing
procedural and appeal rights at 42 CFR parts 1003 and 1005 to the CMP
for information blocking. We solicited comment on the proposed
application of the existing CMP procedures and appeal process in parts
1003 and 1005 to the CMP for information blocking. Commenters were
generally in favor of incorporating the CMP for information blocking
into these sections and applying the existing appeal processes set
forth at 42 CFR part 1005. In this rule, we finalize the addition of
the CMP for information blocking to 42 CFR part 1003 and the
application of parts 1003 and 1005 to the CMP for information blocking
as proposed without modification.
We also proposed to add the authority for OIG's imposition of CMPs
for information blocking (section 3022 of the PHSA, 42 U.S.C. 300jj-52)
to the list of statutory CMP provisions that appears in 42 CFR
1003.100. We received no comment on this proposed change and finalize
the rule as proposed without modification.
Comment: One commenter believed that the application of 42 CFR
1005.7 to the CMP for information blocking was unworkable in its
current form. The commenter believed that the discovery process under
42 CFR 1005.7 as currently written was inconsistent with the Cures
Act's intent for ONC, OCR, and OIG to consult, refer, and coordinate in
the investigation and enforcement of investigation blocking. The
commenter further stated that, consistent with the prior OIG final
rule, Amendments to the OIG Exclusion and CMP Authorities Resulting
From Public Law 100-93, 57 FR 3325, January 29, 1992, OIG would only be
required to produce documents in its possession and not documents in
the possession of other branches or divisions of HHS. The commenter
further believed 42 CFR 1005.7 as written would prohibit individuals
and entities that appeal the imposition of CMPs for information
blocking from obtaining relevant documentary evidence maintained in
ONC's possession. The commenter also believed that OIG could abuse the
discovery process by refusing to take ``possession'' of documents in
ONC's care, custody, or control in an effort to avoid producing them.
The commenter further believed that, as ONC would not be covered by the
discovery rule at 42 CFR 1005.7, ONC would not be subject to any
document preservation requirement that would increase the potential for
the spoliation or destruction of evidence.
Response: We did not propose revising--and this final rule does not
make revisions to--42 CFR 1005.7. The
[[Page 42826]]
CMP for information blocking appeals will be subject to discovery rules
in 42 CFR 1005.7 because the Cures Act requires OIG to follow existing
CMP procedures. Section 3022(b)(2)(C) of the PHSA requires the CMP for
information blocking to follow procedures of section 1128A of the SSA,
and 42 CFR part 1005 implements those procedures. Therefore, applying
the procedures at 42 CFR part 1005 to CMP for information blocking
appeals is consistent with the Cures Act.
We appreciate that the CMP appeals process and the discovery
provided therein may be new for many actors subject to CMPs for
information blocking, and we further elaborate below.
Whenever we propose to impose CMPs for information blocking, the
actor will have the opportunity to appeal the CMPs. That appeal will be
heard by an administrative law judge (ALJ) and governed by the
procedures set forth in 42 CFR part 1005. The regulation at 42 CFR
1005.7 addresses discovery and allows each party to request that the
other party produce nonprivileged documents that are relevant and
material to the issues before the ALJ for inspection and copying. If
the other party objects to producing the requested documents, the party
requesting the documents can ask the ALJ to compel discovery.
The discovery regulations that will apply to appeals of CMPs for
information blocking are the same regulations that have applied to
existing CMPL administrative litigation. These regulations and this
process have been approved by administrative tribunals and Federal
courts. We provide limited discovery in our CMP cases even though it is
not required in administrative proceedings at all. 57 FR 3298, January
29, 1992. The regulation at 42 CFR 1005.7 limits discovery to the
exchange of material and relevant documents to avoid the time-consuming
discovery fights that can affect civil litigation. Additionally, the
vast bulk of material and relevant evidence (i.e., evidence relating to
whether the actor committed information blocking) will come from the
actor whose conduct is at issue and not the government.
In addition to the specific discovery rules in 42 CFR 1005.7, there
are other provisions in 42 CFR part 1005 that ensure transparency and
fairness in an appeal. For example, 42 CFR 1005.8 calls for the parties
to exchange witness lists, copies of prior written statements of
proposed witnesses, and copies of proposed hearing exhibits. If OIG
proposed to use documents or testimony from ONC or other government
agencies as evidence in support of the imposition of CMPs, those
exhibits and statements would be made available under 42 CFR 1005.8.
Regarding the commenter's specific concern that 42 CFR 1005.7 is
not consistent with the coordination with ONC and OCR suggested by the
Cures Act, we do not agree. The Cures Act provides OIG the
discretionary authority to coordinate or consult with ONC and OCR, as
necessary. For example, under section 3022(b)(3)(A) of the PHSA, OIG
``may refer'' instances of information blocking to OCR if we determine
that consulting with OCR may resolve an information blocking claim.
While not required, we expect that nearly all information blocking
investigations will be done in coordination with ONC. This close
coordination with another HHS agency is not unique to information
blocking or the Cures Act. Many of our CMP cases involve similarly
close coordination with CMS, for example. There is nothing unique to
the Cures Act that would necessitate a change from our current
discovery procedures.
We do not agree with the commenter's concerns about spoliation or
destruction of documents in ONC's possession. ONC would not be a party
to discovery in a CMP for information blocking matter, so the concept
of spoliation--at least as the term is used in civil litigation--would
be inapplicable. Regardless, as a part of the Federal Government ONC is
subject to regulations and policies governing document maintenance and
retention, including those promulgated by the National Archives and
Records Administration.
Comment: Some commenters expressed interest in more information
about documentation and record retention requirements. They wanted to
understand how to demonstrate compliance with an information blocking
exception.
Response: We did not propose and are not finalizing a record
retention requirement specific to the CMP for information blocking.
Furthermore, this final rule does not provide additional guidance
regarding which documents are required to demonstrate compliance with
an ONC exception for information blocking because that is outside the
scope of this rule and OIG's authority. OIG will consider any
documentation provided by an actor during an investigation to evaluate
whether a practice constitutes information blocking.
OIG has 6 years from the date an actor committed a practice that
constitutes information blocking to impose a CMP. Section 3022(b)(2)(C)
of the PHSA requires that the CMP for information blocking follow the
procedures under section 1128A of the SSA, and section 1128A(c)(1)
requires that an action for CMPs must be initiated within 6 years from
the date the violation occurred.
Even though pursuant to section 1128A of the SSA OIG may commence
an action to impose CMPs up to 6 years after the date of a violation,
an actor may want to maintain information for additional time beyond 6
years. Actors in a CMP enforcement action bear the burden of proof for
affirmative defenses and mitigating circumstances by a preponderance of
the evidence. 42 CFR 1005.15(b)(1).
How an actor meets that burden may depend, in part, on records or
documentation they maintain. For example, a party may choose to
maintain documents demonstrating they meet a specific exception in the
information blocking regulations in 45 CFR part 171.
Furthermore, the ONC Final Rule did not establish record retention
requirements for actors to maintain documents relating to an exception
for a specified period of time. Although ONC did not set record
retention duration requirements, ONC explained that many exceptions
with documentation conditions are related to other existing regulatory
requirements that have document retention standards. For example, the
Security Exception at 45 CFR 171.203 is closely aligned to the HIPAA
Security Rule, which has a six-year documentation retention requirement
in 45 CFR 164.316. 85 FR 25819, May 1, 2020.
We also note that the ONC Final Rule established records and
information retention requirements for health IT developers of
certified health IT as part of the ONC Health IT Certification Program.
The Maintenance of Certification requirement at 45 CFR 170.402(b)
generally requires a health IT developer participating in the ONC
Health IT Certification Program to retain all records and information
necessary to demonstrate initial and ongoing compliance with the
requirements of the ONC Health IT Certification Program for a period of
10 years beginning from the date of certification.
2. Effective Date
We proposed two alternative effective dates for the CMP for
information blocking. The first proposal proposed an effective date of
60 days from the date of the publication of the final rule. OIG
recognized that information blocking is newly regulated conduct and
that individuals and entities would require time to take steps to
achieve compliance with the ONC Final Rule. The second
[[Page 42827]]
proposal proposed that we would set a specific date when OIG's CMP
regulations would become effective. OIG specifically proposed an
effective date of October 1, 2020, but also noted that we were
considering effective dates sooner or later than October 1, 2020. Most
of the comments submitted in response to the proposed rule expressed a
preference for one of the two proposed approaches. Commenters preferred
having a date certain, but no specific effective date was the clear
preferred approach by a majority of those who preferred a date certain.
Commenters also made several recommendations for alternative
approaches.
We are finalizing an effective date for the CMP for information
blocking of September 1, 2023.
Comment: Most commenters suggested that OIG adopt a date certain
and specifically align the effective date of its CMP for information
blocking with the effective dates for the ONC Final Rule and the CMS
Interoperability and Patient Access Final Rule (CMS Final Rule) (85 FR
25510, May 1, 2020). Some commenters stated that having a single
effective date/enforcement date for all three rules would be beneficial
for preparing for compliance with these rules. Some proposed specific,
alternative effective dates to allow individuals and entities time to
come into compliance. Others did not propose specific effective dates,
but proposed an extended period of time between the publication of the
final rule and the start of enforcement to permit additional time for
ONC to issue additional guidance, for ONC to provide education and
outreach, and for OIG to take into consideration the PHE. Some believed
that enforcement should begin 3 months after publication of OIG's final
rule while several commenters believed the appropriate amount of time
was 6 months after publication of this rule. A few commenters suggested
that the appropriate amount of time was 1 year or 2 years after
publication of this rule. Some commenters supported the proposal for an
effective date of the CMP for information blocking to be 60 days after
publication of the final rule. The commenters who supported this
proposal believed that 60 days after publication provided sufficient
time for actors to review and respond to any items that OIG was to
outline in its final rule and provide sufficient flexibility and
assistance to actors seeking to comply.
Response: Having considered the comments, we are finalizing our
proposal for an effective date for the CMP for information blocking at
42 CFR 1003.1400, 1003.1410, and 1003.420 as September 1, 2023. We
believe this effective date responds to requests for such a delay. It
also addresses commenters' concerns about having time to obtain
additional guidance and come into compliance, particularly given the
amount of time between the publication of the proposed rule and this
final rule. In addition, the selection of this effective date aligns
with the goals stated in the proposed rule of providing individuals and
entities sufficient time to finalize their ongoing efforts to comply
with the ONC information blocking regulations and putting the industry
on notice of when penalties will apply to information blocking conduct.
This effective date is consistent with the requests of commenters who
supported a date certain because those commenters largely sought a
specific date to have additional time for compliance efforts. This
effective date achieves that goal based on the time between the
proposed rule and this rule, which is longer than most specific dates
proposed by commenters.
As commenters shared with us in responses to the proposed rule, the
PHE has significantly affected the United States, patients, health care
providers, and the many individuals and entities that support health
care operations. Actors that could be subject to the CMP for
information blocking have been responding to COVID-19 on many fronts
including addressing information technology-related requirements
related to COVID-19, such as reporting data to multiple government
agencies. All of this has increased demands on health IT developers of
certified health IT, HIEs, and HINs. Recognizing these unprecedented
circumstances, the effective date for the CMP for information blocking
is reasonable and aligns with the goals stated in the proposed rule.
Furthermore, OIG will not impose a CMP on information blocking conduct
occurring before the effective date of this final rule.
We reiterate that the effective date of the CMP for information
blocking only applies to those actors defined at 45 CFR 171.102 as
health IT developers of certified health IT, HINs, and HIEs. We note
that the CMP for information blocking does not apply to health care
providers except to the extent such health care providers meet the
definition of a health IT developer of certified health IT or an HIN/
HIE. We discuss in section IV.A.3 of the preamble of this final rule
how we evaluate whether health care providers may meet the health IT
developer of certified health IT or an HIN/HIE.
3. Basis for Civil Money Penalties for Information Blocking
OIG proposed a basis for the CMP for information blocking at 42 CFR
1003.1400. In setting forth the basis for the CMP in the proposed rule,
we proposed that we may impose a CMP against any individual or entity
as defined in 45 CFR 171.103(b) that commits information blocking, as
defined in 45 CFR part 171. We also proposed that OIG's enforcement
would rely on the regulatory definitions set forth by ONC in the ONC
Final Rule. Commenters agreed with OIG's proposed approach but
requested clarification as to how OIG would interpret the definitions
set forth in 45 CFR 171.103(a)(2).
We note that since the publication of the proposed rule, ONC has
published the ONC interim final rule (IFR) (85 FR 70064, November 4,
2020) that clarified that 45 CFR 171.103(a)(2) refers to health IT
developers of certified health IT rather than health information
technology developers.
In this final rule, we finalize 42 CFR 1003.1400 as proposed with a
technical correction that incorporates 45 CFR 171.103(a)(2) instead of
45 CFR 171.103(b) and a slight language change to reflect our intent.
Comment: One commenter noted that the regulatory text of our
proposed Sec. 1003.1400 should have cited 45 CFR 171.103(a)(2) instead
of Sec. 171.103(b) when referring to those individuals or entities
subject to civil money penalties.
Response: We agree with the commenter that the correct citation is
45 CFR 171.103(a)(2) and are making this technical correction at 42 CFR
1003.1400. Our intent, as expressed in the proposed rule, was to
incorporate ONC's definition of ``information blocking,'' which matches
the statutory language in section 3022(a)(1) of the PHSA. This final
rule corrects the technical citation error in the proposed rule and is
not a substantive change.
We further note that we have changed the language ``as defined in''
to ``as set forth in'' consistent with our intent to incorporate ONC's
information blocking regulations in 45 CFR part 171. The regulation at
45 CFR part 171 includes general provisions, including definitions,
relevant to the information blocking regulations, as well as the
``exceptions'' to the definition of information blocking. We believe
this language change from ``as defined in'' to ``as set forth in''
better reflects our intent to incorporate all of ONC's information
blocking regulations into the OIG CMP regulations.
[[Page 42828]]
Comment: Commenters requested clarification as to whether they meet
the definition of HIN/HIE. Some commenters requested clarification on
whether they would meet the definition of HIN/HIE under specific facts,
such as by using ONC-certified application programming interface (API)
technology as a health care provider, or by engaging in specific
processes as a health plan. Some commenters requested clarification as
to whether certain types of entities met the definition of HIN/HIE,
specifically asking whether a public health institution combating
COVID-19, clinical data registries, public health agencies, or a health
plan would ever be considered an HIN/HIE. Other commenters requested
clarification and examples of when a health care provider would meet
the definition of HIN/HIE and be subject to CMPs rather than
disincentives. Some commenters suggested that a health care provider or
payer should never be considered an HIN/HIE for purposes of the final
rule.
Response: OIG will use the definitions in ONC regulations at 45 CFR
171.102 and any guidance issued by ONC when evaluating whether an
individual or entity meets the definition of HIN/HIE. Such
determinations are individualized and highly dependent on the facts and
circumstances presented. Because the ONC definition of HIE/HIN is a
functional definition that does not specifically include or exclude any
particular individuals or entities, OIG cannot establish in this final
rule whether specific individuals or entities or categories of
individuals or entities would meet the definition of HIN/HIE as some
commenters requested. OIG investigations of information blocking will
include gathering facts necessary to assess whether a specific
individual or entity meets a definition of health IT developer of
certified health IT or HIE/HIN. Furthermore, we proposed following the
definitions promulgated in the ONC Final Rule, which are now found at
45 CFR 171.102, and which do not exempt specific types of individuals
or entities from the definition of an HIN/HIE that could commit
information blocking. Accordingly, we decline to exempt specific types
of individuals or entities, including providers or payers, in this
final rule.
The ONC regulations define an HIN/HIE as an individual or entity
that determines, controls, or has the discretion to administer any
requirement, policy, or agreement that permits, enables, or requires
the use of any technology or services for access, exchange, or use of
EHI: (1) among more than two unaffiliated individuals or entities
(other than the individual or entity to which this definition might
apply) that are enabled to exchange with each other; and (2) that is
for a treatment, payment, or health care operations purpose, as such
terms are defined in 45 CFR 164.501 regardless of whether such
individuals or entities are subject to the requirements of 45 CFR parts
160 and 164. 45 CFR 171.102. When determining whether an individual or
entity meets the definition of an HIN/HIE, we may consult with ONC.
In making a fact-specific assessment of whether an individual or
entity meets the definition of an HIN/HIE in 45 CFR 171.102, we would
assess whether the individual or entity determines, controls, or has
the discretion to administer any requirement, policy, or agreement that
permits, enables, or requires the use of any technology or services for
access, exchange, or use of EHI among two or more unaffiliated entities
(other than the individual or entity that is the subject of the
allegation) that are enabled to exchange with each other for a
treatment, payment, or health care operations purpose as such terms are
defined in 45 CFR 164.501. As stated in the ONC Final Rule, the
definition of HIN/HIE in 45 CFR 171.102 does not cover bilateral
exchanges in which an intermediary is simply performing a service on
behalf of one entity in providing EHI to another entity or multiple
entities and no actual exchange is taking place among all entities. 85
FR 25802, May 1, 2020. The ONC Final Rule also states that for the two
unaffiliated individuals or entities besides the HIE/HIN to be enabled,
the parties must have the ability and the discretion to exchange with
each other under the policies, agreements, technology, and/or services.
85 FR 25802, May 1, 2020. Based on the ONC Final Rule and depending on
the specific facts and circumstances, public health institutions,
clinical data registries, public health agencies, health plans, and
health care providers could meet the definition of an HIN/HIE. As part
of our assessment of whether a health care provider or other entity is
an HIN/HIE that could be subject to CMPs for information blocking, OIG
anticipates engaging with the health care provider or other entity to
better understand its functions and to offer the provider an
opportunity to explain why it is not an HIN/HIE. We note further that
should the definitions in 45 CFR part 171 change in the future, we
would continue to look to applicable definitions in 45 CFR part 171
when determining whether an individual or entity was an HIN/HIE at the
time of the conduct.
Comment: One commenter noted that the definition of HIN/HIE could
apply to individuals serving on HIN governance and advisory committees
and requested clarification about whether OIG would direct enforcement
against an individual serving on an advisory board for an entity that
qualifies as an HIN. The commenter noted that HIEs and HINs rely upon
their governance and advisory committees and that individuals subject
to enforcement may not want to provide their perspectives or
participate on these committees.
Response: While we believe it is unlikely that an individual
serving on an HIN/HIE governance and advisory committee would be
subject to information blocking enforcement, such individuals could be
subject to enforcement if, based on the specific facts, they meet the
definition of HIN/HIE and have engaged in information blocking with the
requisite intent. To provide transparency on how OIG would assess an
allegation involving an individual described by the commenter, we
provide the following explanation.
Consistent with section 3022(b)(2)(A) of the PHSA, individuals or
entities subject to the CMP for information blocking must fall within a
definition in 45 CFR 171.102 that describes one of the categories of
actors that are subject to the CMP under section 3022(b)(2)(A) (i.e.,
developers, networks and exchanges). First, we emphasize that to
determine whether an individual on an advisory board met the definition
of an HIN/HIE, we would assess the specific facts and circumstances in
the case. In assessing whether an individual met the definition of HIN/
HIE, OIG would consider the advisory board's purpose and authority to
determine, control, or have discretion to administer any requirement
policy, or agreement. OIG would also consider the individual's role,
the individual's authority, and whether the individual determines,
controls, or has the discretion to administer any requirement, policy,
or agreement as a member of the advisory board. An individual or entity
that does not determine, administer, or have discretion to administer a
policy, requirement, or agreement would not meet the definition of an
HIN/HIE. For example, the mere act of serving on an advisory board
would not mean an individual is an HIN/HIE.
Second, to impose CMPs against an individual, OIG would have to
demonstrate that the individual committed an act of information
blocking, which includes a requisite intent. Assuming the individual on
the
[[Page 42829]]
advisory board met the definition of an HIN/HIE, OIG would examine
whether the individual engaged in a practice that constituted
information blocking. We would analyze the specific practice engaged in
by the individual to determine CMP liability. This is consistent with
section 3022(a)(6) of the PHSA, which states that information blocking
with respect to an individual or entity shall not include an act or
practice other than an act or practice committed by such individual or
entity. Also consistent with the statute and the implementing
regulations in 45 CFR 171.103(a)(2), we would determine whether the
individual knew or should have known that the practice in which the
individual engaged was likely to interfere with the access, exchange,
or use of EHI.
OIG maintains discretion in evaluating what claims to investigate
and when to impose CMPs. OIG is not required to--and does not expect to
be able to--investigate every allegation it receives. Similarly, OIG
may decide it is appropriate to impose CMPs on an entity but not on
both an entity and an individual for the same conduct.
Comment: One commenter requested guidance on whether a health care
provider would ever be viewed as a health IT developer of certified
health IT. The commenter specifically asked whether a health care
provider that sublicensed certified health IT to an unaffiliated
provider could be subject to CMPs.
Response: A health care provider may meet the definition of a
health IT developer of certified health IT in Sec. 171.102, depending
on the specific facts and circumstances. This regulatory definition
excludes from its scope a health care provider that self-develops
health IT for its own use. If any other individual or entity, including
a health care provider, develops or offers one or more health IT
modules certified under the ONC Health IT Certification Program, then
they may meet the definition of health IT developer of certified health
IT. If an individual or entity meets the definition of health IT
developer of certified health IT and engages in conduct constituting
information blocking, then that individual or entity could be subject
to CMPs.
Regarding the commenter's specific question, section 3022(b)(1)(A)
of the PHSA authorizes OIG to investigate claims of information
blocking against any ``other entity offering certified health
information technology,'' and the definition of a health IT developer
of certified health IT at 45 CFR 171.102 includes an individual or
entity that ``offers health information technology.'' ONC further
clarified in the ONC Final Rule its policy goal to hold all entities
that could, as a developer or offeror, engage in information blocking
accountable for their practices that are within the definition of
information blocking in 45 CFR 171.103. ONC expressly considered
comments to exclude from the definition those entities that only offer
technology, rather than modify, configure, or develop it, and declined
to do so. 85 FR 25798-99, May 1, 2020. OIG would assess whether a
provider that sublicenses technology to an unaffiliated entity meets
the definition of a health IT developer of certified health IT at 45
CFR 171.102 based on the specific facts and circumstances.
ONC specifically exempted health care providers that self-develop
health IT for their own use from the definition of ``health IT
developer of certified health IT.'' The ONC Final Rule clarifies that
health care providers that self-develop health IT for their own use
refers to health care providers that are the primary users of the
health IT and are responsible for its certification status. 85 FR
25799, May 1, 2020. The ONC Final Rule states that ONC interprets ``a
health care provider that self-develops health IT for its own use'' to
mean that a health care provider does not offer the self-developed
health IT to other entities on a commercial basis or otherwise. 85 FR
25799, May 1, 2020. The ONC Final Rule clarifies that a self-developer
is not an offeror if it issues login credentials to a licensed health
care professional in an independent practice that allow the use of a
hospital's electronic health records (EHRs) to furnish and document
care to patients in the hospital. 85 FR 25799, May 1, 2020. Whether an
individual or entity ``offers health information technology'' requires
a fact-specific inquiry, and we expect to consult with ONC in
determining whether an individual or entity meets this definition.
As part of any investigation, OIG will need to evaluate whether an
individual or entity meets the definition of health IT developer of
certified health IT or health information exchange or network. If OIG
determines this definition is met and conduct meets the definition of
information blocking, OIG may impose CMPs.
Comment: One commenter asked whether a parent company could be
subject to CMPs for information blocking based on the conduct of a
subsidiary.
Response: Whether information blocking on the part of a subsidiary
is attributable to the parent entity depends on the specific facts and
circumstances.
Specifically, if a subsidiary acts as the agent of the parent, the
parent may be subject to CMPs for the act of the subsidiary if the
subsidiary commits information blocking within the scope of agency.
Section 3022(b)(2)(C) of the PHSA states that the provisions of section
1128A of the SSA shall apply to a CMP for information blocking. Section
1128A(l) of the SSA states that a principal is liable for penalties,
assessments, and exclusion for the acts of the principal's agent acting
within the scope of agency.
There may be other instances when information blocking by a
subsidiary may create CMP liability for the parent. We note that
nothing in the statute or ONC Final Rule precludes such liability, and
the ONC Final Rule provides that a health IT developer of certified
health IT includes not only the entity that is legally responsible for
the certification status of the health IT but could also include any
subsidiaries or successors, depending on the specific facts and
circumstances of a particular case. 85 FR 25800, May 1, 2020. At this
time, we do not have sufficient experience or evidence to delineate
specific circumstances where a parent might be liable for information
blocking by its subsidiary. We would make any determinations based on
the specific facts and circumstances presented.
Comment: One commenter believed that EHR vendors may limit the
access of third-party vendors to data, data stores, databases, and
endpoints that store data that are not part of the United States Core
Data for Interoperability (USCDI).\1\ Specifically, the commenter was
concerned that an EHR vendor may grant a health care provider access to
a database and then deny a third-party vendor the same access. The
commenter suggested OIG monitor and penalize EHR vendors that restrict
access to data not represented in the USCDI.
---------------------------------------------------------------------------
\1\ USCDI is a standardized set of health data classes and
constituent data elements for nationwide, interoperable health
information exchange.
---------------------------------------------------------------------------
Response: Whether a practice constitutes information blocking
depends on the specific facts and circumstances. First, the practice
must involve EHI as defined in ONC's information blocking regulations.
On and after October 6, 2022, EHI for purposes of the information
blocking definition in 45 CFR 171.103(a) is not limited to the
information identified by data elements represented in the USCDI
standard adopted in 45 CFR 170.213, and practices that interfere with
access,
[[Page 42830]]
exchange, or use of any information falling within the definition of
EHI in 45 CFR 171.102 may constitute information blocking.
However, even after October 6, 2022, the definition of EHI still
excludes certain types of data that an actor may have. For example, EHI
does not include psychotherapy notes as defined in 45 CFR 164.501.
Therefore, the specific facts and circumstances will determine whether
the data that is the subject of a claim of information blocking
constitutes EHI.
Second, the practice must constitute information blocking and the
individual or entity must have had the requisite intent. We will assess
whether the practice is likely to interfere with the access, exchange,
or use of EHI, and whether the practice was required by law or met one
of the information blocking exceptions. For example, in assessing an
allegation similar to the commenter's fact pattern, we may assess
whether the health IT developer of certified health IT provided the EHI
to the health care provider and the third-party vendor using an
alternative manner specified by the third-party vendor consistent with
the Content & Manner Exception in 45 CFR 171.301.
Comment: One commenter encouraged OIG to impose CMPs for
information blocking on health IT developers of certified health IT
with transfer of liability provisions in their contracts. The commenter
noted that small and mid-size organizational health care providers are
often presented with service contracts that have undesirable terms on a
``take it or leave it'' basis because they may have only one health IT
developer available or lack the market share (i.e., leverage) necessary
to negotiate out of the undesirable terms.
Response: OIG's information blocking regulations establish the
basis for imposing CMPs for information blocking, which is whether the
conduct constitutes information blocking as defined in 45 CFR 171.103.
The ONC Final Rule established that a variety of contractual provisions
could interfere with the access, exchange, and use of EHI and thus
implicate the information blocking provision. For example, ONC
explained that a contract may implicate the information blocking
provision if it includes unconscionable terms for the access, exchange,
or use of EHI, or licensing of an interoperability element that could
include, but is not limited to, agreeing to indemnify the actor for
acts beyond standard practice, such as gross negligence on the part of
the actor. ONC explained further that such terms may be problematic
with regard to information blocking in situations involving unequal
bargaining power relating to accessing, exchanging, and using EHI. 85
FR 25812, May 1, 2020. We will consult with ONC as necessary to inform
our determinations as to whether specific service contracts,
provisions, and related practices that transfer liability implicate the
information blocking provision.
Comment: One commenter stated that the CMS Final Rule requires
State Medicaid agencies to make claims with a service date on or after
January 1, 2016, available to a beneficiary or a beneficiary's personal
representative. But the rule did not specify how long these claims had
to be made available. The commenter asked whether the purging of those
claims would subject State Medicaid agencies to information blocking
penalties.
Response: OIG does not intend to use its authority to investigate
information blocking under section 3022(b)(1) of the PHSA to
investigate compliance under CMS program requirements. If an
investigation uncovers conduct that suggests non-compliance with CMS
program requirements, OIG may refer such matters to CMS.
4. Definition of Violation
OIG proposed that a violation be defined as a practice, as defined
at 45 CFR 171.102, that constitutes information blocking, as defined at
45 CFR part 171. We have finalized the definition of violation as
proposed with a slight modification at 42 CFR 1003.1410(a).
Comment: Many commenters expressed support for our proposed
definition of ``violation'' and the incorporation of ONC's definition
of ``practice.'' Commenters requested that we provide additional
clarity and guidance as to the distinction between a single violation
and multiple violations. Other commenters stated that we should provide
more specific criteria for identifying a single violation as opposed to
multiple violations. Some commenters requested additional clarity as to
whether a practice involving multiple patient records would constitute
multiple violations.
Response: As finalized in this rule, a violation is a practice, as
defined in 45 CFR 171.102, that constitutes information blocking, as
set forth in 45 CFR part 171. We note that we have changed the language
from ``as defined in'' to ``as set forth in,'' consistent with our
intent to incorporate all of ONC's regulations. Whether a practice
constitutes a violation depends on the specific facts and
circumstances. We did not propose, and therefore this rule does not
finalize, specific criteria that we would use to identify single or
multiple violations because we do not have enough information or
experience with information blocking enforcement to allow us to
establish a set of criteria that could apply uniformly to all
information blocking allegations. As we gain more experience in
assessing allegations, conducting information blocking investigations,
and imposing CMPs, we may identify patterns or data that allow us to
develop guidance with more specific criteria.
In response to commenters' requests, we are providing below
hypothetical examples illustrating how we would determine whether
information blocking practices constitute single or multiple
violations. The examples set out in the proposed rule at 85 FR 22986-87
remain applicable. But, we clarify that the examples provided in the
proposed rule should be understood as involving health IT developers of
certified health IT, since health IT developers that do not meet the
regulatory definition of health IT developers of certified health IT
would not be subject to CMPs. We emphasize that the examples in this
preamble and in the preamble to the proposed rule are illustrative,
fact-dependent, and not exhaustive. We further note that while our
examples discuss the use of health information technology certified
under the ONC Certification Program, an individual or entity that meets
the definition of a health IT developer of certified health IT or HIE/
HIN may engage in conduct that constitutes information blocking
relating to health IT certified under the ONC Certification Program,
health IT not certified under the ONC Certification Program, or a
combination of both.
The following hypothetical examples of conduct assume that the
facts meet all the elements of the information blocking definition--
including the requisite level of statutory intent.
<bullet> A health IT developer (D1) connects to an API supplied by
health IT developer of certified health IT (D2). D2's API has been
certified to 45 CFR 170.315(g)(10) (standardized API for patient and
population services) of the ONC Certification Program and is subject to
the ONC Condition of Certification requirements at 45 CFR 170.404
(certified API technology). A health care provider using D1's health IT
makes a single request to receive EHI for a single patient via D2's
certified API technology. D2 denies this request. OIG would consider
this a single violation by D2 affecting a single patient. The violation
would consist of D2's denial of
[[Page 42831]]
the request to exchange EHI to the provider through D2's certified API.
<bullet> A health care provider using technology from a health IT
developer (D1) makes a single request to receive EHI for 10 patients
through the certified API technology of a health IT developer of health
IT (D2). D2 takes a single action to prevent the provider from
receiving any patients' information via the API. OIG would consider
this as a single violation affecting multiple patients. This is a
single violation as D2 took a single action to deny all requests from
the provider. The number of patients affected by the violation would be
considered when determining the amount of the CMP.
<bullet> A health care provider using health IT supplied by a
health IT developer (D1) makes multiple, separate requests to receive
EHI for several patients via certified API technology supplied by a
health IT developer of certified health IT (D2). Each request is for
EHI for one or more patients. D2 denies each individual request but
does not set up the system to deny all requests made by the health care
provider through D2's certified API technology. Thus, D2 is taking
separate actions to block individual requests. OIG would consider this
conduct to consist of multiple violations affecting multiple patient
records. Each denial would be considered a separate violation. The
number of patients affected by each violation would be considered in
determining the amount of the penalty per violation. We note that for
purposes of this example, each denial by D2 constitutes a separate act
and thus a separate violation. Thus, if the health care provider using
D1's health IT made one request for one patient's EHI, a second request
for three patients' EHI, and a third request for five patients' EHI,
there would be three separate violations but the penalties may vary due
to the number of patients affected by each violation. The action or
actions taken by D2 in response to the health care provider's requests
provide the basis for assessing whether a practice constitutes a single
or multiple violations.
<bullet> A health care provider using health IT supplied by a
health IT developer (D1) makes multiple requests to receive EHI for a
single patient via certified API technology supplied by a health IT
developer of certified health IT (D2). But D2 has updated its system to
deny all requests made by anyone using D1's technology. Thus, none of
the requests by the provider using D1's health IT result in the
provider receiving any EHI and D2 always denies requests based on the
system change. OIG would consider this practice a single violation. The
violation in this case is the singular action to update the system to
always deny EHI to anyone requesting to receive the EHI via D1 or D1's
health IT. The result of this violation is that all of the requests are
denied; however, each individual denial does not constitute a
violation. The number of patients affected by D2's denial may
constitute an aggravating circumstance resulting in an increased
penalty.
<bullet> A health IT developer of certified health IT enters into a
software license agreement with a health care provider that requires
that the health care provider pay a fee for the express purpose of
permitting the health care provider to export patients' EHI via the
capability certified according to 45 CFR 170.315(b)(10) for switching
health IT systems. When the health care provider requests the
electronic export, the health IT developer of certified health IT
charges the health care provider the fee. We note that the Fees
Exception in 45 CFR 171.302 excludes fees charged for an export using
functionality certified according to 45 CFR 170.315(b)(10) for purposes
of switching health IT. OIG would consider this conduct to include two
violations. The first violation would be inclusion of the contract
provision (fee) that is likely to interfere with, prevent, or
materially discourage access, exchange, or use of EHI. The second
violation would be charging the health care provider the fee. Charging
the fee in this case constitutes a separate action, and therefore a
separate violation from the inclusion of the fee in the software
license agreement.
We emphasize that information blocking only requires engaging in a
practice that is likely to interfere with, prohibit, or materially
discourage the access, exchange, or use of EHI. Information blocking
does not require that the practice actually interferes with, prohibits,
or materially discourages the access, exchange, or use of EHI.
Comment: One commenter expressed concern that the example in the
proposed rule concerning the health IT developer vetting a third-party
application might cause health IT developers to forgo necessary
security and privacy vetting of applications due to fear of potentially
committing an information blocking violation.
Response: In the preamble to the proposed rule, we provided an
example where a health IT developer requires vetting of third-party
applications before the applications can access the health IT
developer's product, but the health IT developer denies applications
based on the functionality of the application and not for a privacy or
security concern. 85 FR 22987. We note that the ONC Final Rule
contained a discussion of vetting, and we agree with the commenter that
our example in the preamble to the proposed rule at 85 FR 22987 could
benefit from additional explanation.
Before clarifying our example, we provide some of the discussion of
``vetting'' from the ONC Final Rule. First, we note that ``vetting'' in
this context is intended to mean a determination regarding whether the
application posed a security risk to the health IT developer of
certified health IT's software. Second, pursuant to the ONC Final Rule,
a vetting process applied in a discriminatory or unreasonable manner
could implicate the information blocking provision. 85 FR 25814-17, May
1, 2020. Third, the ONC Final Rule states that for certified API
technology (e.g., a Health IT Module certified to Sec. 170.315(g)(10),
which includes the use of OAuth2 among other security requirements
(see, e.g., 85 FR 25741) in addition to its focus on ``read-only''/
responses to requests for EHI to be transmitted, there should be few,
if any, security concerns about the risks posed by patient-facing apps
to the disclosing actor's health IT systems (because the apps would
only be permitted to receive EHI at the patient's decision). Thus, for
third-party applications chosen by individuals to facilitate their
access to their EHI held by actors, there would generally not be a need
for ``vetting'' on security grounds and such vetting actions would be
an interference. 85 FR 25815, May 1, 2020. Fourth, actors, such as
health care providers, have the ability to conduct whatever ``vetting''
they deem necessary of entities (e.g., app developers) that would be
their business associates under HIPAA before granting access and use of
EHI to the entities. In this regard, covered entities must conduct
necessary vetting in order to comply with the HIPAA Security Rule. 85
FR 25815, May 1, 2020.
With this in mind, we clarify the example as follows. A health IT
developer of certified health IT requires vetting of third-party
applications to determine whether the applications pose a security risk
before the applications are permitted to interface or integrate with
the health IT developer of certified health IT's product, which
contains EHI. The health IT developer of certified health IT does not
apply this vetting process to third party applications selected and
authorized by a patient or provider to receive EHI from ``certified API
technology,'' as defined as 45 CFR 170.404(c). The health IT developer
of certified health IT does not
[[Page 42832]]
apply this vetting to patients or API Information Sources, as defined
at 45 CFR 170.404(c), which are only receiving EHI through a
standardized API. And, the health IT developer of certified health IT
does not engage the third-party applications as a business associate or
business associate subcontractor. The health IT developer of certified
health IT uses vetting to deny EHI access to third-party applications
that compete with one of the developer's applications. The health IT
developer of certified health IT then denies third-party applications
solely on the basis that they compete with one of the developer's
applications. Each denial based on the competitive nature of the third-
party application is considered a separate violation, as it is a
separate act or omission.
If an actor, such as a health IT developer of certified health IT,
identifies specific security risks posed by a third-party application,
the actor may address those risks consistent with the Security
Exception at 45 CFR 171.203 to ensure its practices are not considered
information blocking.
Comment: One commenter requested that OIG consider compliance with
privacy and security standards as an important factor when evaluating
what constitutes a violation.
Response: Both section 3022(a)(1)(A) of PHSA and 45 CFR
171.103(a)(1) exempt from the definition of information blocking
practices required by law. Therefore, if a practice is required by
privacy or security laws, it does not constitute information blocking.
85 FR 25846, May 1, 2020. However, privacy and security standards that
are not required by law (such as trade best practices or voluntary
industry standards) would not be exempt from the definition of
information blocking, unless an exception applies. When investigating
an allegation, we may coordinate with other agencies to understand
whether the practice was required under applicable privacy and security
laws.
Additionally, ONC established separate Privacy and Security
Exceptions at 45 CFR 171.202 and 171.203. If a practice meets all
conditions of an exception at all relevant times, then the practice
would not be considered information blocking. When investigating an
allegation, OIG will assess whether a practice meets an exception.
Comment: Several commenters requested that OIG clarify its view on
when the enactment of a policy constitutes information blocking.
Commenters requested clarity on whether OIG would view the enactment of
a policy that constitutes information blocking as a single violation or
multiple violations. Some commenters suggested that consistent and
repetitive implementation of a policy should be considered a single
violation, regardless of the number of times the policy was applied.
Another commenter suggested that we should approach violations and
penalties as OCR did in its HIPAA Administrative Simplification
Enforcement Final Rule, 71 FR 8390, February 16, 2006, specifically
that we should consider a pattern or practice of information blocking
to be more violations than a single instance emanating from the same
conduct or type of conduct.
Response: We will treat the enactment of a policy that is likely to
interfere with, prevent, or materially discourage as one violation. But
each enforcement of the policy will constitute another, separate
violation. If the creation or existence of the policy alone is what
determined the number of violations, and not the number of times the
policy was enforced, large organizations with many customers or
significant market share would be able to enact policies--regardless of
whether they have been written or formalized--and engage in nationwide
conduct constituting information blocking against multiple individuals
or entities knowing that the maximum penalty would be the statutory
maximum of $1 million. A practice is defined as an act or omission by
an actor. 45 CFR 171.102. Given that our definition of violation
incorporates the word ``practice'' and expressly refers to ONC's
definition of practice, the number of violations is connected to the
number of discrete acts engaged in by the actor and will depend on the
specific facts and circumstances.
5. Determinations Regarding the Penalty Amounts
We proposed to add new 42 CFR 1003.1420 that would codify the
statutory factors that OIG must consider when imposing CMPs for
committing information blocking. Section 3022(b)(2)(A) of the PHSA
mandates that in determining the amount of a CMP for information
blocking, OIG must consider factors such as the nature and extent of
the information blocking and the harm resulting from such information
blocking including, where applicable, the number of patients affected,
the number of providers affected, and the number of days the
information blocking persisted. The proposed regulatory text included
these statutory factors. Given the novel nature of information blocking
investigations and enforcement, we recognized in the preamble to the
proposed rule that we have limited experience to inform the proposal of
additional aggravating and mitigating circumstances to adjust the CMP
penalties. Thus, we proposed only to implement the statutory factors
described above. We also solicited comment on any additional factors
that we should consider for the final rule. We received several
comments on proposed factors and a number of recommendations to
implement other factors.
We are finalizing 42 CFR 1003.1420 as proposed with a modification
to the regulatory text at 42 CFR 1003.1420(a), which is the factor for
``nature and extent of the information blocking.'' For this factor, we
have added to the regulatory text the specific facts that section
3022(b)(2)(A) of the PHSA directs us to take into account where
applicable: the number of patients affected (42 CFR 1003.1420(a)(1)),
number of providers affected (42 CFR 1003.1420(a)(2)), and the number
of days the information blocking persisted (42 CFR 1003.1420(a)(3)). In
the preamble of the proposed rule, we explained our intent was to
specifically implement the exact statutory factors in section
3022(b)(2)(A). 85 FR 22987, April 24, 2020.
Comment: Some commenters requested that OIG consider additional
aggravating and mitigating factors when determining the penalty amount
it will impose. Commenters suggested considering characteristics of the
actor, including an actor's size, market share, whether the actor faced
systemic barriers to interoperability, whether the actor took
corrective action prior to imposition of a penalty, and the actor's
compliance, specifically the actor's history of compliance with the
information blocking rules, the robustness of an actor's compliance
program, and whether the actor made good faith efforts to seek ONC/OIG
guidance. Some commenters suggested considering the consequences of the
conduct, such as whether the information blocking resulted in patient
harm and the severity of that harm, and whether the information
blocking impacted another actor's ability to access information (i.e.,
interfered with a provider's ability to deliver patient care). Some
commenters suggested looking at the specific conduct at issue,
specifically whether the information blocking involved a single
violation or multiple violations, whether an actor had specific intent
to engage in information blocking, whether the actor had control and
the extent of that control over the EHI, and whether there were
contributory practices by others.
[[Page 42833]]
Some commenters suggested that OIG consider mitigating factors beyond
an actor's control, such as the effects of natural disasters and public
health emergencies (such as the PHE caused by the COVID-19 pandemic) on
health care delivery and data exchange. Furthermore, commenters also
suggested that practices that exacerbate the negative impact of natural
disasters and public health emergencies be considered an aggravating
factor. Some commenters suggested that OIG should consider adopting
factors based on factors used by OCR in assessing HIPAA CMPs. Some
commenters recommended that OIG consider instances of an actor self-
disclosing information blocking conduct as a mitigating factor.
Response: We thank commenters for the recommendations of additional
aggravating and mitigating factors that OIG should consider. We may
consider implementing additional, specific factors in the future via
notice and comment rulemaking as we gain more experience in enforcing
the CMP for information blocking. At this time, however, we are
finalizing the statutory factors listed in section 3022(b)(2)(A) of the
PHSA as we proposed, with the modification to the proposed factor for
``nature and extent of the information blocking'' described above.
While we are not adopting additional aggravating and mitigating
factors specific to information blocking, we observe that the existing,
general factors we must consider under the CMPL will apply to the CMP
for information blocking and may address many of the commenters'
concerns. The PHSA requires that the provisions of section 1128A of the
SSA (other than subsection (a) and (b) of such section) apply to a CMP
for information blocking in the same manner as such provisions apply to
a CMP or proceeding under section 1128A(a) of the Act. Section 1128A(d)
of the SSA requires that OIG, when determining the amount or scope of
any assessment, penalty or exclusion imposed under subsection (a), take
into account ``(1) the nature of claims and the circumstances under
which they were presented, (2) the degree of culpability, history of
prior offenses, and financial condition of the person presenting the
claims, and (3) such other matters as justice may require.'' 42 U.S.C.
1320a-7a(d). These broad general factors apply to the CMP for
information blocking set forth in the PHSA as they do under section
1128A(a) of the SSA. They encompass some of the mitigating or
aggravating factors recommended by commenters.
The existing regulatory framework for OIG's CMPs requires that we
apply the aggravating and mitigating factors in 42 CFR 1003.140 to the
CMP for information blocking determinations in a manner consistent with
section 1128A.
As we set forth in the OIG Medicare and State Health Care Programs:
Fraud and Abuse Revisions to the Office of Inspector General's Civil
Monetary Penalty Rules Final Rule (Revisions Rule), we consider the
financial condition of an actor after we evaluate the facts and
circumstances of conduct and weigh aggravating and mitigating factors
to determine an appropriate penalty and assessment amount. 81 FR 88334,
December 7, 2016. Once OIG proposes a penalty amount, the individual or
entity may request that OIG consider its ability to pay the proposed
amount under procedures discussed in the Revisions Rule at 81 FR 88338.
In addition to the general factors in section 1128A, section
3022(b)(2)(A) of the PHSA specifies a non-exhaustive list of factors
that we must consider when imposing CMPs for information blocking. In
the proposed rule, we proposed incorporating the PHSA's specific
information blocking factors into our existing regulations at new Sec.
1003.1420 of title 42. This new section complements the existing
section at 42 CFR 1003.140.
We recognize that the statutory factors enumerated in the PHSA may
overlap with the general statutory and regulatory factors for all CMPs
in section 1128A of the SSA and in 42 CFR 1003.140. For example, we
recognize that ``the nature and circumstances of the violation,'' 42
CFR 1003.140(a)(1), is a similar factor to the ``nature and extent of
the information blocking'' and that, consequently, there may be a fact
pattern that implicates both factors. We would not apply both or
``double count'' these factors when determining the penalty. We would
make a holistic consideration of all aggravating factors when
determining the amount of any penalty; this approach would take into
account the similarity of the factors.
Many of the commenters' suggested factors, such as whether the
information blocking resulted in patient harm and the severity of that
harm, whether the actor had specific intent to engage in information
blocking, and whether there was one violation or multiple violations,
are already encapsulated by the general factors in 42 CFR 1003.140 or
the specific information blocking factors in 42 CFR 1003.1410 finalized
by this rule. We provide the following examples to illustrate how the
issues raised by commenters may be considered when we assess penalty
amounts using the two sets of factors at 42 CFR 1003.140 or 1003.1420.
For example, to assess the ``nature and circumstances'' in 42 CFR
1003.140 and ``nature and extent'' of the information blocking in 42
CFR 1003.1420, we will consider the factual nature, circumstances, and
extent of the information blocking conduct. Depending on the specific
facts and circumstances, these factors may include whether the practice
actually interfered with the access, exchange, or use of EHI; the
number of violations; whether an actor took corrective action; whether
an actor faced systemic barriers to interoperability; to what extent
the actor had control over the EHI; the actor's size; and the market
share.
Similarly, the general factor in 42 CFR 1003.140 relating to degree
of culpability would allow us to consider the commenters' suggested
factors relating to whether an actor had actual knowledge or whether an
actor had specific intent to engage in information blocking.
Additionally, to assess the ``harm'' factor in 42 CFR 1003.1420, we
will consider whether any harm--including physical or financial harm--
occurred and evaluate the severity and extent of the harm. In
accordance with the statutory language, we will consider the number of
patients affected, number of providers affected, and the duration of
the information blocking conduct. We recognize that the primary factors
set forth at Sec. 1003.140 may also contemplate harm. (For example, in
the Revisions Rule, we stated that our consideration of the ``nature
and circumstances'' would include ''whether patients were or could have
been harmed.'' 81 FR 88337, December 7, 2016.)
With respect to consideration of self-disclosure of information
blocking conduct, it is a mitigating circumstance under the general
factors at 42 CFR 1003.140(a)(2) for an actor to take appropriate and
timely corrective action in response to a violation. Relevant
corrective action must include disclosing the violation to OIG through
the SDP and fully cooperating with OIG's review and resolution of such
disclosure. As discussed in section III.C of the preamble, OIG does not
currently have an SDP for information blocking and plans on creating a
specific SDP for information blocking after publication of this rule.
We are also not adding factors related to the circumstances
surrounding the commission of the act, such as a factor that evaluates
whether there were contributory practices by others or an intervening
natural disaster. In some
[[Page 42834]]
instances, these factors are subsumed in existing general factors.
Moreover, section 3022(a)(6) of the PHSA states that ``information
blocking, with respect to an individual or entity, shall not include an
act or practice other than an act or practice committed by such
individual or entity.'' Information blocking, as to health IT
developers of certified health IT, HIEs, and HINs, is a practice that
an actor ``knows'' or ``should know'' is likely to interfere with,
prevent, or materially discourage the access, exchange, or use of EHI.
For example, in the circumstance of an intervening natural disaster
that prevents an actor from responding to requests for data, the actor
may not have the requisite level of intent. In such a situation, it is
unlikely that there would be a sufficient basis to pursue CMPs for
information blocking against the actor, and consideration of the
factors relating to determination of the amount of any penalty would
not be necessary.
Finally, we note that the modification to 42 CFR 1003.1420(a)
finalized in this final rule adds three specific facts OIG must
consider where applicable (number of patients affected, number of
providers, and number of days the information blocking persisted). This
modification aligns the factors at Sec. 1003.1420(a) more precisely
with the language of the PHSA. As we stated in the proposed rule,
section 3022(b)(2)(A) of the PHSA mandates the consideration of the
nature and extent of the information blocking and harm resulting from
such information blocking including, where applicable, the number of
patients affected, the number of providers affected, and the number of
days the information blocking persisted. We intended the language of
our proposed rule to reflect these statutory factors. 85 FR 22987,
April 24, 2020. These factors may also address several of the
commenters' concerns related to consideration of impact on patients and
providers.
Comment: Some commenters suggested an additional mitigating factor
of whether an actor was acting in accordance with another Federal law,
State law, or court order limiting or prescribing certain behaviors.
Response: Section 3022(a)(1)(A) of the PHSA and 45 CFR
171.103(a)(1) explicitly exclude conduct that is required by law from
the definition of information blocking. Therefore, if an actor's
conduct is required by law, it would not meet the definition of
information blocking, and OIG would not have the authority to impose
CMPs. In the ONC Final Rule, ONC explained that court orders and
binding administrative decisions are considered ``required by law.'' 85
FR 25794, May 1, 2020.
Comment: Some commenters sought clarification about how OIG will
consider the proposed factors and whether they will be weighted. Some
commenters requested additional detail on the range of potential
penalty amounts that OIG may issue and the circumstances or thresholds
that trigger such penalty amounts. For example, one commenter requested
a chart to show how different facts and circumstances would result in
different penalty amounts. This commenter also proposed that OIG set a
baseline penalty amount to provide guidance on how OIG would set
penalties for specific conduct. Some commenters requested clarification
on the circumstances and thresholds leading up to the maximum penalty
of $1 million. One commenter asked whether penalties assessed would be
per organization impacted by the information blocking or per patient
impacted by the information blocking.
Response: Our goal in setting penalty amounts is for a penalty to
be fair, reasonable, and commensurate with the conduct so that
wrongdoers are held accountable and future information blocking conduct
is deterred. Accordingly, setting penalty amounts necessitates
consideration of the particular facts of each case and does not lend
itself to one-size-fits-all formulas or thresholds. The amount of each
penalty will be determined per violation and will be based on the
aggravating and mitigating factors.
Section 3022(b)(2)(A) of the PHSA requires the consideration of the
number of providers affected and the number of patients affected when
evaluating the nature and extent of the information blocking and the
harm resulting from such information blocking. We consider the number
of providers affected and number of patients affected under 42 CFR
1003.1420. In evaluating the nature and extent of the violation, we may
also consider the number of organizations impacted by the information
blocking, in addition to the number of patients and providers
affected.\2\
---------------------------------------------------------------------------
\2\ We could consider the number of organizations under the
``nature and circumstances of the violation'' factor at 42 CFR
1003.140 or the ``nature and extent of information blocking'' at 42
CFR 1003.1420. As we discuss elsewhere in this section IV.A.5 of the
preamble, the factors set forth at 42 CFR 1003.140 may overlap at 42
CFR 1003.1420, but we would not double count them.
---------------------------------------------------------------------------
The penalty amount will be based on a case-specific application of
each identified aggravating and mitigating factor. Because penalty
amounts require case-by-case evaluation, we decline to set a baseline
penalty amount, set thresholds, or create a chart as commenters
requested. Similarly, in assessing a penalty amount, OIG may weigh the
aggravating and mitigating factors at 42 CFR 1003.140 and 1003.1420,
but this weighting will not follow a formula. Application of the
aggravating and mitigating factors will result in the penalty assessed
being fair and reasonable. We would expect that the maximum penalty of
$1 million per violation would apply to particularly egregious conduct.
Comment: Some commenters had concerns that when considering the
number of patients and number of providers affected, OIG would impose
lower penalty amounts for information blocking against smaller
entities, thereby incentivizing information blocking against smaller
entities. Other commenters raised concerns that the inclusion and
implementation of the ``number of days'' factor in determining CMP
amounts would result in an improperly low penalty amount for conduct
that had serious effects but did not last long.
Response: Section 3022(b)(2)(A) of the PHSA requires OIG to
consider, among other factors, the number of patients affected, the
number of providers affected, and the number of days the information
blocking persisted. As noted above, OIG's determination of a penalty
amount will not rely on a rigid formula for weighing those factors but
rather on a case-specific analysis of each identified aggravating and
mitigating factor. Nothing in these factors would require OIG to impose
a lower CMP amount for information blocking against small entities,
even when such entities have fewer patients and providers than larger
entities. OIG is mindful that information blocking against small
entities can have significant adverse impacts for the entities and
their patients and providers. For example, application of the factors
at 42 CFR 1003.1420(a) and (b) to the specific facts and circumstances
could result in a higher penalty because the information blocking had
significant, negative impacts even for short periods of time on an
individual or small entities. Moreover, if conduct results in
significant harm, including lasting harm to patients, OIG would
consider such harm as a potential aggravating factor when determining
the appropriate penalty amount.
Comment: Some commenters requested clarification about what OIG
considers to be ``harm resulting from'' information blocking. Some
commenters suggested OIG should interpret ``harm'' to mean physical
harm to a patient's
[[Page 42835]]
health and well-being and suggested that OIG also consider financial
harm that patients, providers, or third-party actors suffer as a result
of information blocking. Other commenters raised concerns that
intentional information blockers will be allowed to get away with
``near misses'' if OIG does not consider both the potential and actual
harm resulting from information blocking as aggravating factors.
Response: In the proposed rule, we stated that section
3022(b)(2)(A) of the PHSA mandates that OIG must take into
consideration factors such as the nature and extent of the information
blocking and the harm resulting from such information blocking
including, where applicable, the number of patients affected, the
number of providers affected, and the number of days the information
blocking persisted in determining the amount of a CMP. 85 FR 22987,
April 24, 2020. We proposed incorporating these factors at 42 CFR
1003.1420, and noted that these factors were like factors found in
other sections of part 1003. We did not propose a definition of
``harm'' in the proposed rule. We solicited comment on this factor and
other potential factors we should consider.
In response to commenters' suggestions regarding the types of harm
covered by Sec. 1003.1420(b), we agree that ``harm'' should cover both
physical and financial harm. Nothing in section 3022(b)(2)(B) of the
PHSA indicates that harm should be limited to only one type or a
specific type of harm. We are not finalizing a definition of the word
harm. We intend to interpret harm in accordance with its plain meaning,
ensuring that we can consider a range of harms that may result from
information blocking conduct. As we gain more experience investigating
and imposing CMPs for information blocking, we may add additional
factors related to specific types of harm through rulemaking.
We appreciate the concern regarding intentional information
blockers that might get away with ``near misses.'' We do not believe
this would be the case. The definition of information blocking applies
to conduct that is ``likely'' to interfere with the access, exchange,
or use of EHI, thus capturing conduct with a potential to cause harm.
With respect to determination of a penalty amount after information
blocking is established, as noted above OIG will consider a range of
aggravating factors and would not consider ``resulting in harm'' in
isolation.
6. Additional Comments
Comment: One commenter noted that the proposed rule stated
investigated parties may incur some costs in response to an OIG
investigation or enforcement action and encouraged OIG not to impose
CMPs unless OIG determined the party committed information blocking.
The commenter also asked how investigative fees are calculated in the
instance that investigated parties incur costs in response to an OIG
investigation or enforcement action.
Response: OIG will impose CMPs where appropriate and does not
separately charge costs to investigated parties as the comment
contemplates. OIG also does not reimburse investigated parties for
costs. We included estimated costs for investigated parties or subjects
in the proposed rule as part of our Regulatory Impact Analysis (RIA).
The costs described in the RIA only estimate the potential economic
impact of the proposed rule, which includes costs that a subject being
investigated may incur. For example, a party may incur costs in
preparing documents in response to a subpoena or hiring an attorney to
represent them during an investigation.
B. CMPs, Assessments, and Exclusions for Fraud or False Claims or
Similar Conduct Related to Grants, Contracts, and Other Agreements
The Cures Act amendments to the CMPL authorize the Secretary to
impose penalties, assessments, and exclusions for a variety of
fraudulent and other improper conduct related to HHS grants, contracts,
and other agreements. 42 U.S.C. 1320a-7a(o)-(s). In the proposed rule,
we proposed to incorporate this authority into 42 CFR parts 1003 and
1005, which is the existing regulatory framework for the imposition and
appeal of OIG penalties, assessments, and exclusions. We received
comments related to this authority on only three topics: (1) the
proposed definition of ``other agreement'' in 42 CFR 1003.110; (2) the
proposed aggravating and mitigating factors in 42 CFR 1003.720 that
will be used by OIG to determine the severity of the penalties,
assessments, and exclusions it imposes; and (3) OIG enforcement
priorities. We received no comments on the definitions we proposed to
add to 42 CFR 1003.110 except ``other agreement'' as noted above, and
are finalizing those definitions accordingly. We received no comments
on 42 CFR 1003.710, which identifies the maximum penalties and
assessments OIG may impose for fraud and other improper conduct
involving HHS grants, contracts, and other agreements. We also received
no comments on changes to 42 CFR 1003.130, 1003.1550, and 1003.1580,
which relate to the calculation and collection of assessments imposed
under this part and the use of statistical sampling. We finalize 42 CFR
1003.130, 1003.710, 1003.1550, and 1003.1580 as proposed without
modification accordingly. We received no comments on 42 CFR 1003.700,
which sets forth the bases for OIG's imposition of sanctions for fraud
and other improper conduct related to grants, contracts, and other
agreements, but are modifying 42 CFR 1003.700(a)(5) for clarity by
adding a citation to the existing regulatory definition of ``failure to
grant timely access'' at 42 CFR 1003.200(b)(10). We proposed, and are
finalizing, that the changes to 42 CFR 1003.110, 1003.130, 1003.700,
1003.710, 1003.720, 1003.1550, and 1003.1580 will be effective 30 days
from the publication date of the final rule.
1. Definition of ``Other Agreement''
In the proposed rule, we proposed adopting at 42 CFR 1003.110 the
statutory definition of ``other agreement'' that would apply to CMPs
brought under 42 CFR 1003.700. This definition includes but is not
limited to a cooperative agreement, scholarship, fellowship, loan,
subsidy, payment for a specified use, donation agreement, award, or
subaward (regardless of whether one or more of the persons entering
into the agreement is a contractor or subcontractor). 42 U.S.C. 1320a-
7a(q)(3). We noted in the proposed rule that this definition is broad
and identifies a nonexclusive list of arrangements that could
constitute ``other agreements'' under the statute. We stated that when
OIG investigates potential misconduct and decides whether to impose
sanctions, it will evaluate matters on a case-by-case basis to
determine whether the funding arrangement at issue constitutes an
``other agreement'' under the statute and whether the conduct at issue
violates the statute. We are finalizing the definition of ``other
agreement'' as proposed in 42 CFR 1003.110, without modification.
Comment: Several commenters requested that OIG provide more detail
on which arrangements could constitute ``other agreements'' under the
regulation. For example, one commenter asked OIG to provide additional
clarity on how OIG will determine which ``other agreements'' fall
within the meaning of the statute. Another commenter asked OIG to
provide specific examples of scenarios involving ``other agreements''
where it would apply its CMPL authority.
Response: The statutory definition of ``other agreement,'' which
has been
[[Page 42836]]
incorporated verbatim into 42 CFR 1003.110, is broad and defines
``other agreement'' to include (but not be limited to) a ``cooperative
agreement, scholarship, fellowship, loan, subsidy, payment for a
specified use, donation agreement, award, or subaward (regardless of
whether one or more of the persons entering into the agreement is a
contractor or subcontractor).'' It is not possible to identify with
specificity all the various types of agreements that may fall under the
definition of ``other agreement.'' The nine examples of ``other
agreement'' identified in the statute along with the text of 42 U.S.C.
1320a-7a(o)-(s) demonstrate that Congress intended ``other agreement''
to be read broadly to include, for example, not only those direct
agreements between the Secretary and recipients of HHS funding but also
agreements between recipients of HHS funding and subrecipients such as
subcontractors and subawardees. The definition of ``specified claim,''
for example, includes those requests for payment submitted by a
subawardee to an HHS awardee that is receiving funding directly from
the Secretary. 42 U.S.C. 1320a-7a(r). In addition, 42 U.S.C. 1320a-
7a(o)(2) permits OIG to impose sanctions upon an entity that, among
other things, creates false documents that are required to be submitted
in order to indirectly receive funds from the Secretary. Any person
that receives HHS funding directly or indirectly through an agreement
is potentially subject to liability under the CMPL if they engage in
any of the improper conduct identified in the regulation including but
not limited to making misrepresentations in applications for the
funding, presenting false or fraudulent specified claims related to the
funding, and creating false records related to the funding.
2. Factors in Mitigation and Aggravation
The regulation at 42 CFR 1003.720 of the proposed rule proposed
factors for OIG to consider in mitigation and aggravation when
determining the appropriate penalty, assessment, and period of
exclusion to impose upon persons who engage in fraud and other improper
conduct related to HHS grants, contracts, and other agreements. In 42
CFR 1003.720(a), for example, we proposed that OIG would consider
identifying as a mitigating factor a circumstance in which the amount
of funds involved with the improper conduct was less than $5,000. Then,
in 42 CFR 1003.720(b), we proposed considering as an aggravating factor
a circumstance in which the amount of funds involved was more than
$50,000. We are finalizing 42 CFR 1003.720 as proposed without
modification.
Comment: One commenter suggested that the proposed monetary
thresholds created in 42 CFR 1003.720(a) and (b) of $5,000 and $50,000
are too low and need to be adjusted upwards because they will lead to
overly harsh determinations for CMPL violations related to grants,
contracts, and other agreements that involve what the commenter
characterized as small amounts of HHS funding. The commenter suggested
that OIG consider it a mitigating factor in 42 CFR 1003.720(a) if the
amount of funds involved with the improper conduct was less than
$50,000 and consider it an aggravating factor in 42 CFR 1003.720(b) if
the amount of funds involved with the improper conduct was more than
$250,000.
Response: We are not accepting the commenter's suggestion to
upwardly adjust the monetary thresholds proposed in 42 CFR 1003.720(a)
and (b). The thresholds proposed in 42 CFR 1003.720(a) and (b) are the
same thresholds that exist under 42 CFR 1003.220 related to damages
sustained by HHS for fraud and similar conduct related to the Federal
health care programs. OIG believes it is important for 42 CFR 1003.720
and 1003.220 to be consistent because both provide guidelines for OIG
to evaluate the same factor and relate to damages sustained by HHS
programs as a result of fraud or similar conduct.
Comment: Two commenters requested that OIG consider as a mitigating
circumstance in an action for failure to grant timely access to OIG
under 42 CFR 1003.700(a)(5) whether a party acted in good faith in
attempting to comply with OIG's request for timely access in matters
involving HHS grants, contracts, or other agreements. The commenters
both pointed to challenges surrounding the current COVID-19 pandemic as
an example of a circumstance in which a party might act in good faith
in attempting to comply with OIG's request for access but might be
unable to comply with it.
Response: We are not adopting this suggestion. Existing mitigating
factors in 42 CFR 1003.140 that apply to all CMPs in 42 CFR part 1003
address commenters' request to assess whether the party acted in good
faith as a mitigating factor. As finalized, section 1003.720 identifies
factors in mitigation that OIG should consider when imposing sanctions
and states that those factors should be read in conjunction with the
factors listed in 42 CFR 1003.140. Section 1003.140 requires OIG to
consider in mitigation ``the degree of culpability'' of the person
against whom a sanction is imposed (42 CFR 1003.140(a)(2)), ``the
nature and circumstances of the violation'' (42 CFR 1003.140(a)(1)),
and ``such other matters as justice may require'' (42 CFR
1003.140(a)(5)). Under these existing mitigating factors, we would
account for a party's good faith in attempting to comply with an OIG
timely access request consistent with 42 CFR 1003.140(a)(1), (2), and
(5). Therefore, it is unnecessary to explicitly add good faith as a
mitigating factor to 42 CFR 1003.720.
3. OIG Enforcement Regarding Grants, Contracts, and Other Agreements
The regulation at 42 CFR 1003.700 identifies the grounds for OIG's
imposition of penalties, assessments, and exclusions for fraud and
other improper conduct related to HHS grants, contracts, and other
agreements, and sets forth the levels of intent required to violate
each offense. One commenter asked that OIG only exercise its discretion
to impose sanctions when it finds bad intent or other truly abusive,
egregious, and intentional wrongdoing. We are not adopting this
suggestion and are finalizing 42 CFR 1003.700 as proposed with
modification only to 42 CFR 1003.700(a)(5) as discussed below.
Comment: One commenter noted that many HHS grants, contracts, and
other agreements are complex and require specific and detailed
information from and actions by parties applying for the funds. The
commenter also noted that regulatory requirements sometimes change,
especially in times of a PHE such as the PHE for COVID-19, and that
complying with shifting requirements can be difficult. The commenter
asked that OIG take into consideration these complexities, ambiguities,
and shifting requirements when exercising its discretion in enforcing
the CMPs and that it do so only when the facts demonstrate bad intent
or other truly abusive, egregious, and intentional wrongdoing by the
parties applying for or receiving HHS funds.
Response: The CMPL authorizes the imposition of penalties,
assessments, and exclusions for a variety of fraudulent and other
improper conduct related to HHS grants, contracts, and other
agreements, and sets forth the levels of intent required to violate
each of the offenses it creates. 42 U.S.C. 1320a-7a(o). In determining
whether to impose sanctions and the severity of those sanctions, OIG
will consider all of the relevant facts and circumstances surrounding
an allegation of wrongdoing in light of the factors identified in the
CMPL (42 U.S.C.
[[Page 42837]]
1320a-7a(d)) and the regulation. 42 CFR 1003.140 and 1003.720.
Depending on the facts and circumstances of any particular case, it may
be appropriate for OIG to consider the difficulties raised by the
commenter, including those related to the PHE for COVID-19, in
determining whether a person has violated the CMPL and, if so, the
severity of the sanction OIG proposes to impose.
4. Modification to 42 CFR 1003.700(a)(5)
The regulation at 42 CFR 1003.700(a)(5) incorporates into part 1003
OIG's statutory authority under 42 U.S.C. 1320a-7a(o)(5) to impose
CMPs, assessments, and exclusions for the failure to grant timely
access to OIG for the purpose of audits, investigations, evaluations,
or other statutory functions of OIG in matters involving grants,
contracts, or other agreements. We stated in the proposed rule at 85 FR
22982 that 42 U.S.C. 1320a-7a(o)(5) largely mirrors the statutory
language that has for many years given OIG the authority to impose
sanctions for the failure to grant timely access to OIG related to
health care claims. Furthermore, we stated at 85 FR 22980 of the
proposed rule that it was our intent to incorporate into OIG's existing
CMP regulations the new CMP authorities related to fraud and other
misconduct involving HHS grants, contracts, and other agreements.
However, our proposed regulatory text at 42 CFR 1003.700(a)(5) omitted
a citation to the existing regulatory definition of ``failure to grant
timely access'' that is located at Sec. 1003.200(b)(10), in a section
of part 1003 that relates to fraud involving Federal health care
claims. Consistent with our intent to incorporate into part 1003 our
authority to impose sanctions for failure to grant timely access
related to grants, contracts, and other agreements, our view that this
authority mirrors the authority OIG has had for many years related to
health care claims and, for clarity, we are finalizing 42 CFR
1003.700(a)(5) with a cross-reference to the existing definition of
``failure to grant timely access'' to make clear that the definition of
that term at 42 CFR 1003.200(b)(10) is applicable to actions under 42
CFR 1003.700(a)(5).
C. The Bipartisan Budget Act of 2018
The BBA of 2018 amended the CMPL to increase certain CMP amounts
contained in 42 U.S.C. 1320a-7a(a) and (b). The BBA 2018 increased
maximum civil money penalties in section 1128A(a) of the SSA (42 U.S.C.
1320a-7a) from $10,000 to $20,000; from $15,000 to $30,000; and from
$50,000 to $100,000. The BBA 2018 increased maximum civil money
penalties in section 1128A(b) of the SSA from $2,000 to $5,000 in
paragraph (1), from $2,000 to $5,000 in paragraph (2), and from $5,000
to $10,000 in paragraph (3)(A)(i). This statutory increase in CMP
amounts is effective for acts committed after the date of enactment,
February 9, 2018. In the proposed rule, we proposed increasing the
civil money penalties in accordance with the BBA 2018. Specifically,
for conformity with the CMPL as amended by the BBA 2018, we proposed to
revise the civil money penalties contained at 42 CFR 1003.210,
1003.310, and 1003.1010.
The BBA 2018 increased penalty maximums for conduct that occurred
after February 9, 2018. Accordingly, for each of the provisions below,
we proposed language increasing the maximum penalty for conduct that
occurred after February 9, 2018, and maintaining the pre-BBA 2018
penalty maximums for conduct that occurred on or before that date. The
penalty amounts for conduct that occurred after February 9, 2018, in
proposed 42 CFR 1003.210 were as follows: $20,000 for paragraphs
(a)(1), (3), (4), and (8); $30,000 for paragraphs (a)(2) and (9);
$100,000 for paragraphs (a)(6) and (7); and $10,000 for paragraph
(a)(10)(i). Similarly, we proposed to increase the penalty maximum for
conduct that occurred after February 9, 2018, at 42 CFR 1003.310(a)(3)
to $100,000, and at 42 CFR 1003.1010(a) to $20,000. We received no
comments on this proposal and we are finalizing the penalty amounts as
proposed without modification, effective August 2, 2023 as required by
the Administrative Procedure Act (APA).
E. Additional Changes to Part 1003
We proposed to change the cross-reference in 42 1003.140(c)(3) to
correct a scrivener's error from a prior rulemaking on December 7,
2018. 81 FR 88354. We proposed to add a new paragraph (d)(5) to 42 CFR
1003.140 stating that the penalty amounts in part 1003 are adjusted
annually for inflation and eliminating the footnotes 1 through 12 in
part 1003 to simplify those sections. We received no comments on these
proposed changes, and we are finalizing them with a correction to a
typographical error in the regulatory text in the citation to the
Federal Civil Penalties Inflation Adjustment Act of 1990 (Pub. L. 101-
410) effective August 2, 2023.
F. Changes to 42 CFR Part 1005
The procedures set forth in part 1005 govern the appeal of CMPs,
assessments, and exclusions in all cases for which OIG has been
delegated authority to impose those sanctions including cases involving
grants, contracts, and other agreements, and information blocking. As
such, we proposed deleting the phrase ``under Medicare or the State
health care programs'' from the definitions of ``civil money penalty
cases'' and ``exclusion cases'' at 42 CFR 1005.1 to correctly define
those terms as applying to all cases for which OIG has been delegated
authority to apply CMPs, assessments, and exclusions not only to those
cases involving Medicare or the State health care programs. We received
no comments regarding this change and are finalizing it as proposed,
without modification, in 42 CFR 1005.1, effective August 2, 2023.
IV. Regulatory Impact Statement
We have examined the impact of this final rule as required by
Executive Order 12866, the Regulatory Flexibility Act (RFA) of 1980,
the Unfunded Mandates Reform Act of 1995, and Executive Order 13132.
A. Executive Order No. 12866
Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, if regulations are
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, and public health and
safety effects; distributive impacts; and equity). A regulatory impact
analysis must be prepared for major rules with significant effects per
section 3(f)(1) of Executive Order 12866 (i.e., $200 million or more in
any given year). This is not a major rule as defined at 5 U.S.C.
804(2); it is not significant per section 3(f)(1) because it does not
reach that economic threshold. The vast majority of Federal health care
programs would be minimally impacted from an economic perspective, if
at all, by these proposals.
This final rule would enact new statutory enforcement provisions,
including new CMP authorities. The regulatory changes implement
provisions of the Cures Act and BBA 2018 into 42 CFR parts 1003 and
1005. We believe that the likely aggregate economic effect of these
regulations would be significantly less than $100 million.
The expected benefits of the regulation are deterring conduct that
negatively affects the integrity of HHS grants, contracts, and other
agreements and potentially enhanced statutory compliance by HHS
grantees, contractors, and other parties. It also will deter
information blocking conduct
[[Page 42838]]
that interferes with effective health information exchange and
negatively impacts many important aspects of health and health care. We
refer readers to the impact analysis of the benefits of prohibiting and
deterring information blocking in section XII.C.2.a.(4.2) of the ONC
Final Rule, 85 FR 25906, May 1, 2020.
We anticipate that OIG will incur some costs associated with
investigation and enforcement of the statutes underlying these penalty
provisions. The Consolidated Appropriations Act, 2022 appropriates to
OIG funding necessary for carrying out information blocking activities.
Public Law 117-103, March 15, 2022. Additionally, investigated parties
may incur some costs in response to an OIG investigation or enforcement
action. Absent information about the frequency of prohibited conduct,
we are unable to determine precisely the potential costs of this
regulation.
Civil money penalties and assessments, if any, would be considered
transfers. However, we are unable to reliably estimate potential
penalty and assessment amounts because enforcement action will depend
on the facts and circumstances of individual cases, some conduct
subject to enforcement will be newly regulated, and some cases may
result in settlement. We did not receive any comments on potential
impacts of the rulemaking.
B. Regulatory Flexibility Act
The RFA and the Small Business Regulatory Enforcement and Fairness
Act of 1996, which amended the RFA, require agencies to analyze options
for regulatory relief of small businesses. For purposes of the RFA,
small entities include small businesses, nonprofit organizations, and
Government agencies.
The Department considers a rule to have a significant impact on a
substantial number of small entities if it has an impact of more than 3
percent of revenue for more than 5 percent of affected small entities.
This final rule should not have a significant impact on the operations
of a substantial number of small entities, as these changes would not
impose any new requirement on any party. These changes largely enact
existing regulatory authority. In addition, we expect that increases in
the maximum penalty finalized here will only have an impact in a small
number of cases. As a result, we have concluded that this final rule
likely will not have a significant impact on a substantial number of
small entities and that a regulatory flexibility analysis is not
required for this rulemaking.
In addition, section 1102(b) of the SSA (42 U.S.C. 1302) requires
us to prepare a regulatory impact analysis if a rule under Titles XVIII
or XIX or section B of Title XI of the SSA may have a significant
impact on the operations of a substantial number of small rural
hospitals. We have concluded that this final rule should not have a
significant impact on the operations of a substantial number of small
rural hospitals because these changes would not impose any requirement
on any party and small rural hospitals are not subject to CMPs for
information blocking under this final rule. Therefore, a regulatory
impact analysis under section 1102(b) is not required for this
rulemaking.
C. Unfunded Mandates Reform Act
Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law
104-4, also requires that agencies assess anticipated costs and
benefits before issuing any rule that may result in expenditures in any
one year by State, local, or Tribal governments in the aggregate, or by
the private sector, of $100 million, adjusted annually for inflation.
We believe that there are no significant costs associated with these
revisions that would impose any mandates on State, local, or Tribal
governments or the private sector that would result in an expenditure
of $158 million (after adjustment for inflation) or more in any given
year and that a full analysis under the Unfunded Mandates Reform Act is
not necessary.
D. Executive Order 13132
Executive Order 13132, Federalism, establishes certain requirements
that an agency must meet when it promulgates a rule that imposes
substantial direct requirements or costs on State and local
governments, preempts State law, or otherwise has federalism
implications. In reviewing this rule under the threshold criteria of
Executive Order 13132, we have determined that this final rule would
not significantly affect the rights, roles, and responsibilities of
State or local governments. Nothing in this final rule imposes
substantial direct requirements or costs on State and local
governments, preempts State law, or otherwise has federalism
implications. We are not aware of any State laws or regulations that
are contradicted or impeded by any of the provisions in this final
rule.
The Secretary is authorized by 42 U.S.C. 1320a-7a(o), which we
enact in the regulation at 42 CFR 1003.700, to impose CMPs and
assessments against individuals and entities that engage in fraud and
other improper conduct against specified State agencies that administer
or supervise the administration of grants, contracts, and other
agreements funded in whole or in part by the Secretary. Additionally,
42 U.S.C. 1320a-7a(f)(4) directs that these CMPs and assessments be
deposited into the Treasury of the United States. Amounts collected
under this authority could not be used to compensate a State for
damages it incurs due to improper conduct related to grants, contracts,
or other agreements funded by the Secretary that are administered or
supervised by specified State agencies.
However, neither 42 U.S.C. 1320a-7a nor this final rule preclude or
impede any State's authority to pursue actions against entities and
individuals that defraud or otherwise engage in improper conduct
related to grants, contracts, or other agreements funded by the
Secretary that are administered or supervised by specified State
agencies. For this reason, the Secretary's authority related to
specified State agencies will not have a substantial direct effect on
the States, on the relationship between the National Government and the
States, or on the distribution of power and responsibilities among the
various levels of government.
Based on OIG's prior approach to enforcement that involves State
programs and agencies, we also anticipate coordinating closely with the
relevant State authorities, which would provide States notice about the
improper conduct and the opportunity to pursue action under the State
authority.
V. Paperwork Reduction Act
These changes to parts 1003 and 1005 impose no new reporting
requirements or collections of information. Therefore, a Paperwork
Reduction Act review is not required.
List of Subjects
42 CFR Part 1003
Contracts, Fraud, Grant programs--health, Information blocking,
Penalties.
42 CFR Part 1005
Administrative practice and procedure.
For the reasons stated in the preamble, the Office of Inspector
General, Department of Health and Human Services, amends 42 CFR chapter
V, subchapter B, as follows:
[[Page 42839]]
PART 1003--CIVIL MONEY PENALTIES, ASSESSMENTS AND EXCLUSIONS
0
1. Revise the authority citation for part 1003 to read as follows:
Authority: 42 U.S.C. 262a, 300jj-52, 1302, 1320a-7, 1320a-7a,
1320b-10, 1395u(j), 1395u(k), 1395cc(j), 1395w-141(i)(3),
1395dd(d)(1), 1395mm, 1395nn(g), 1395ss(d), 1396b(m), 11131(c), and
11137(b)(2).
0
2. Amend Sec. 1003.100 by:
0
a. Revising paragraph (a); and
0
b. In paragraph (b)(1), adding ``(CMPs)'' following ``civil money
penalties'' and a semicolon following ``this part''.
The revision reads as follows:
Sec. 1003.100 Basis and purpose.
(a) Basis. This part implements sections 1128(c), 1128A, 1140,
1819(b)(3)(B), 1819(g)(2)(A), 1857(g)(2)(A), 1860D-12(b)(3)(E), 1860D-
31(i)(3), 1862(b)(3)(C), 1867(d)(1), 1876(i)(6), 1877(g), 1882(d),
1891(c)(1); 1903(m)(5), 1919(b)(3)(B), 1919(g)(2)(A), 1927(b)(3)(B),
1927(b)(3)(C), and 1929(i)(3) of the Social Security Act; sections
421(c) and 427(b)(2) of Public Law 99-660; section 201(i) of Public Law
107-188 (42 U.S.C. 1320a-7(c), 1320a-7a, 1320b-10, 1395i-3(b)(3)(B),
1395i-3(g)(2)(A), 1395w-27(g)(2)(A), 1395w-112(b)(3)(E), 1395w-
141(i)(3), 1395y(b)(3)(B), 1395dd(d)(1), 1395mm(i)(6), 1395nn(g),
1395ss(d), 1395bbb(c)(1), 1396b(m)(5), 1396r(b)(3)(B), 1396r(g)(2)(A),
1396r-8(b)(3)(B), 1396r-8(b)(3)(C), 1396t(i)(3), 11131(c), 11137(b)(2),
and 262a(i)); and section 3022 of the Public Health Service Act (42
U.S.C. 300jj-52).
* * * * *
0
3. Amend Sec. 1003.110 by:
0
a. Adding the definitions of ``Department,'' ``Obligation,'' ``Other
agreement,'' and ``Program beneficiary'' in alphabetical order;
0
b. Revising the definition of ``Reasonable request;'' and
0
c. Adding the definitions of ``Recipient,'' ``Specified claim,'' and
``Specified State agency'' in alphabetical order.
The revision and additions read as follows:
Sec. 1003.110 Definitions.
* * * * *
Department means the Department of Health and Human Services.
* * * * *
Obligation for the purposes of Sec. 1003.700 means an established
duty, whether or not fixed, arising from an express or implied
contractual, grantor-grantee, or licensor-licensee relationship for a
fee-based or similar relationship, from statute or regulation, or from
the retention of any overpayment.
Other agreement for the purposes of Sec. 1003.700 includes a
cooperative agreement, scholarship, fellowship, loan, subsidy, payment
for a specified use, donation agreement, award, or subaward (regardless
of whether one or more of the persons entering into the agreement is a
contractor or subcontractor).
* * * * *
Program beneficiary means--in the case of a grant, contract, or
other agreement designed to accomplish the objective of awarding or
otherwise furnishing benefits or assistance to individuals and for
which the Secretary provides funding--an individual who applies for or
who receives such benefits or assistance from such grant, contract, or
other agreement. Such term does not include--with respect to such
grant, contract, or other agreement--an officer, employee, or agent of
a person or entity that receives such grant or that enters into such
contract or other agreement.
Reasonable request with respect to Sec. Sec. 1003.200(b)(10) and
1003.700(a)(5) means a written request signed by a designated
representative of the OIG and made by a properly identified agent of
the OIG during reasonable business hours. The request will include:
(1) A statement of the authority for the request;
(2) The person's rights in responding to the request;
(3) The definition of ``reasonable request'' and ``failure to grant
timely access'' under this part;
(4) The deadline by which the OIG requests access; and
(5) The amount of the civil money penalty or assessment that could
be imposed and the effective date, length, and scope and effect of the
exclusion that would be imposed for failure to comply with the request,
and the earliest date that a request for reinstatement would be
considered.
Recipient for the purposes of Sec. 1003.700 means any person
(excluding a program beneficiary as defined in this section) directly
or indirectly receiving money or property under a grant, contract, or
other agreement funded in whole or in part by the Secretary, including
a subrecipient or subcontractor.
* * * * *
Specified claim means any application, request, or demand under a
grant, contract, or other agreement for money or property, whether or
not the United States or a specified State agency has title to the
money or property, that is not a claim (as defined in this section) and
that:
(1) Is presented or caused to be presented to an officer, employee,
or agent of the Department or agency thereof, or of any specified State
agency; or
(2) Is made to a contractor, grantee, or other recipient if the
money or property is to be spent or used on the Department's behalf or
to advance a Department program or interest, and if the Department:
(i) Provides or has provided any portion of the money or property
requested or demanded; or
(ii) Will reimburse such contractor, grantee, or other recipient
for any portion of the money or property which is requested or
demanded.
Specified State agency means an agency of a State government
established or designated to administer or supervise the administration
of a grant, contract, or other agreement funded in whole or in part by
the Secretary.
* * * * *
0
4. Revise Sec. 1003.130 to read as follows:
Sec. 1003.130 Assessments.
The assessment in this part is in lieu of damages sustained by the
Department, a State agency, or a specified State agency because of the
violation.
0
5. Amend Sec. 1003.140 by:
0
a. In paragraph (c)(3), removing the phrase ``(as defined by paragraph
(e)(2) of this section)'' and adding the phrase ``(as defined by
paragraph (d)(2) of this section)'' in its place.
0
b. Adding paragraph (d)(5).
The addition reads as follows:
Sec. 1003.140 Determinations regarding the amount of penalties and
assessments and the period of exclusion.
* * * * *
(d) * * *
(5) The penalty amounts in this part are updated annually, as
adjusted in accordance with the Federal Civil Penalties Inflation
Adjustment Act of 1990, as amended by the Federal Civil Penalties
Inflation Adjustment Act Improvements Act of 2015 (section 701 of Pub.
L. 114-74). Annually adjusted amounts are published at 45 CFR part 102.
0
6. Amend Sec. 1003.210 by revising paragraphs (a)(1) through (4) and
(6) through (9), (a)(10) introductory text, and (a)(10)(i) to read as
follows:
Sec. 1003.210 Amount of penalties and assessments.
(a) * * *
[[Page 42840]]
(1) Except as provided in this section, the OIG may impose a
penalty of not more than $10,000 for conduct that occurred on or before
February 9, 2018, and not more than $20,000 for conduct that occurred
after February 9, 2018, for each individual violation that is subject
to a determination under this subpart.
(2) The OIG may impose a penalty of not more than $15,000 for
conduct that occurred on or before February 9, 2018, and not more than
$30,000 for conduct that occurred after February 9, 2018, for each
person with respect to whom a determination was made that false or
misleading information was given under Sec. 1003.200(b)(2).
(3) The OIG may impose a penalty of not more than $10,000 for
conduct that occurred on or before February 9, 2018, and not more than
$20,000 for conduct that occurred after February 9, 2018, per day for
each day that the prohibited relationship described in Sec.
1003.200(b)(3) occurs.
(4) For each individual violation of Sec. 1003.200(b)(4), the OIG
may impose a penalty of not more than $10,000 for conduct that occurred
on or before February 9, 2018, and not more than $20,000 for conduct
that occurred after February 9, 2018, for each separately billable or
non-separately-billable item or service provided, furnished, ordered,
or prescribed by an excluded individual or entity.
* * * * *
(6) The OIG may impose a penalty of not more than $50,000 for
conduct that occurred on or before February 9, 2018, and not more than
$100,000 for conduct that occurred after February 9, 2018, for each
false statement, omission, or misrepresentation of a material fact in
violation of Sec. 1003.200(b)(7).
(7) The OIG may impose a penalty of not more than $50,000 for
conduct that occurred on or before February 9, 2018, and not more than
$100,000 for conduct that occurred after February 9, 2018, for each
false record or statement in violation of Sec. 1003.200(b)(9).
(8) The OIG may impose a penalty of not more than $10,000 for
conduct that occurred on or before February 9, 2018, and not more than
$20,000 for conduct that occurred after February 9, 2018, for each item
or service related to an overpayment that is not reported and returned
in accordance with section 1128J(d) of the Act in violation of Sec.
1003.200(b)(8).
(9) The OIG may impose a penalty of not more than $15,000 for
conduct that occurred on or before February 9, 2018, and not more than
$30,000 for conduct that occurred after February 9, 2018, for each day
of failure to grant timely access in violation of Sec.
1003.200(b)(10).
(10) For each false certification in violation of Sec.
1003.200(c), the OIG may impose a penalty of not more than the greater
of:
(i) $5,000 for conduct that occurred on or before February 9, 2018,
and $10,000 for conduct that occurred after February 9, 2018; or
* * * * *
0
7. Amend Sec. 1003.310 by revising paragraph (a)(3) to read as
follows:
Sec. 1003.310 Amount of penalties and assessments.
(a) * * *
(3) $50,000 for conduct that occurred on or before February 9,
2018, and $100,000 for conduct that occurred after February 9, 2018,
for each offer, payment, solicitation, or receipt of remuneration that
is subject to a determination under Sec. 1003.300(d).
* * * * *
0
8. Add subpart G (consisting of Sec. Sec. 1003.700, 1003.710, and
1003.720) to read as follows:
Subpart G--CMPs, Assessments, and Exclusions for Fraud or False
Claims or Similar Conduct Related to Grants, Contracts, and Other
Agreements
Sec.
1003.700 Basis for civil money penalties, assessments, and
exclusions.
1003.710 Amount of penalties and assessments.
1003.720 Determinations regarding the amount of penalties and
assessments and period of exclusion.
Sec. 1003.700 Basis for civil money penalties, assessments, and
exclusions.
The OIG may impose a penalty, assessment, and an exclusion against
any person including an organization, agency, or other entity, but
excluding a program beneficiary (as defined in Sec. 1003.110), that,
with respect to a grant, contract, or other agreement for which the
Secretary provides funding:
(a) Knowingly presents or causes to be presented a specified claim
(as defined in Sec. 1003.110) under such grant, contract, or other
agreement that the person knows or should know is false or fraudulent;
(b) Knowingly makes, uses, or causes to be made or used, any false
statement, omission, or misrepresentation of a material fact in any
application, proposal, bid, progress report, or other document that is
required to be submitted in order to directly or indirectly receive or
retain funds provided in whole or in part by such Secretary pursuant to
such grant, contract, or other agreement;
(c) Knowingly makes, uses, or causes to be made or used, a false
record or statement material to a false or fraudulent specified claim
under such grant, contract, or other agreement;
(d) Knowingly makes, uses, or causes to be made or used, a false
record or statement material to an obligation (as defined in Sec.
1003.110) to pay or transmit funds or property to such Secretary with
respect to such grant, contract, or other agreement, or knowingly
conceals or knowingly and improperly avoids or decreases an obligation
to pay or transmit funds or property to such Secretary with respect to
such grant, contract, or other agreement; or
(e) Fails to grant timely access (as defined in Sec.
1003.200(b)(10)), upon reasonable request (as defined in Sec.
1003.110), to the Inspector General of the Department, for the purpose
of audits, investigations, evaluations, or other statutory functions of
such Inspector General in matters involving such grants, contracts, or
other agreements.
Sec. 1003.710 Amount of penalties and assessments.
(a) Penalties. (1) In cases under Sec. 1003.700(a)(1), the OIG may
impose a penalty of not more than $10,000 for each specified claim.
(2) In cases under Sec. 1003.700(a)(2), the OIG may impose a
penalty of not more than $50,000 for each false statement, omission, or
misrepresentation of a material fact.
(3) In cases under Sec. 1003.700(a)(3), the OIG may impose a
penalty of not more than $50,000 for each false record or statement.
(4) In cases under Sec. 1003.700(a)(4), the OIG may impose a
penalty of not more than $50,000 for each false record or statement or
not more than $10,000 for each day that the person knowingly conceals
or knowingly and improperly avoids or decreases an obligation to pay.
(5) In cases under Sec. 1003.700(a)(5), the OIG may impose a
penalty of not more than $15,000 for each day of the failure described
in Sec. 1003.700(a)(5).
(b) Assessments. (1) In cases under Sec. 1003.700(a)(1) and (3),
such a person shall be subject to an assessment of not more than three
times the amount claimed in the specified claim described in Sec.
1003.700(a)(1) and (3) in lieu of damages sustained by the United
States or a specified State agency because of such specified claim.
(2) In cases under Sec. 1003.700(a)(2) and (4), such a person
shall be subject to an assessment of not more than three times the
total amount of the funds described in Sec. 1003.700(a)(2) and (4),
respectively (or, in the case of an obligation to transmit property to
the Secretary described in Sec. 1003.700(a)(4), of the
[[Page 42841]]
value of the property described in Sec. 1003.700(a)(4)) in lieu of
damages sustained by the United States or a specified State agency
because of such case.
Sec. 1003.720 Determinations regarding the amount of penalties and
assessments and period of exclusion.
In considering the factors listed in Sec. 1003.140:
(a) It should be considered a mitigating circumstance if all the
violations included in the action brought under this part were of the
same type and occurred within a short period of time, there were few
such violations, and the total amount claimed or requested related to
the violations was less than $5,000.
(b) Aggravating circumstances include but are not limited to:
(1) The violations were of several types or occurred over a lengthy
period of time;
(2) There were many such violations (or the nature and
circumstances indicate a pattern of false or fraudulent specified
claims, requests for payment, or a pattern of violations);
(3) The amount requested or claimed or related to the violations
was $50,000 or more; or
(4) The violation resulted, or could have resulted, in physical
harm to any individual.
Sec. 1003.1010 [Amended]
0
9. Amend Sec. 1003.1010 in paragraph (a) by removing the figure
``$10,000'' and adding in its place the phrase ``$10,000 for conduct
that occurred on or before February 9, 2018, and $20,000 for conduct
that occurred after February 9, 2018,''.
0
10. Effective September 1, 2023, add subpart N (consisting of
Sec. Sec. 1003.1400, 1003.1410, and 1003.1420) to read as follows:
Subpart N--CMPs for Information Blocking
Sec.
1003.1400 Basis for civil money penalties.
1003.1410 Amount of penalties.
1003.1420 Determinations regarding the amount of penalties.
Sec. 1003.1400 Basis for civil money penalties.
The OIG may impose a civil money penalty against any individual or
entity described in 45 CFR 171.103(a)(2) that commits information
blocking, as set forth in 45 CFR part 171.
Sec. 1003.1410 Amount of penalties.
The OIG may impose a penalty of not more than $1,000,000 per
violation.
(a) For this subpart, violation means a practice, as defined in 45
CFR 171.102, that constitutes information blocking, as set forth in 45
CFR part 171.
(b) [Reserved]
Sec. 1003.1420 Determinations regarding the amount of penalties.
In considering the factors listed in Sec. 1003.140, the OIG shall
take into account:
(a) The nature and extent of the information blocking including
where applicable:
(1) The number of patients affected;
(2) The number of providers affected; and
(3) The number of days the information blocking persisted; and
(b) The harm resulting from such information blocking including
where applicable:
(1) The number of patients affected;
(2) The number of providers affected; and
(3) The number of days the information blocking persisted.
Sec. 1003.1550 [Amended]
0
11. Amend Sec. 1003.1550 in paragraph (b) by removing the phrase
``where the claim'' and adding the phrase ``where the claim or
specified claim'' in its place.
0
12. Amend Sec. 1003.1580 by revising paragraph (a) to read as follows:
Sec. 1003.1580 Statistical sampling.
(a) In meeting the burden of proof in Sec. 1005.15 of this
chapter, the OIG may introduce the results of a statistical sampling
study as evidence of the number and amount of claims, specified claims,
and/or requests for payment, as described in this part, that were
presented, or caused to be presented, by the respondent. Such a
statistical sampling study, if based upon an appropriate sampling and
computed by valid statistical methods, shall constitute prima facie
evidence of the number and amount of claims, specified claims, or
requests for payment, as described in this part.
* * * * *
Sec. Sec. 1003.210, 1003.310, 1003.410, 1003.510, 1003.610, 1003.810,
1003.910, 1003.1010, 1003.110, 1003.1210, and 1003.1310 [Amended]
0
13. In addition to the amendments set forth above, in 42 CFR part 1003,
amend each section referenced in the first column of the following
table by removing the footnote referenced in the second column.
------------------------------------------------------------------------
Section Footnote
------------------------------------------------------------------------
1003.210(a) heading......................................... 1
1003.310(a) heading......................................... 2
1003.410(a) heading......................................... 3
1003.410(b)(2).............................................. 4
1003.510 introductory text.................................. 5
1003.610(a) introductory text............................... 6
1003.810 introductory text.................................. 7
1003.910.................................................... 8
1003.1010 introductory text................................. 9
1003.1110 introductory text................................. 10
1003.1210 introductory text................................. 11
1003.1310................................................... 12
------------------------------------------------------------------------
PART 1005--APPEALS OF EXCLUSIONS, CIVIL MONEY PENALTIES AND
ASSESSMENTS
0
14. The authority citation for part 1005 continues to read as follows:
Authority: 42 U.S.C. 405(a), 405(b), 1302, 1320a-7, 1320a-7a
and 1320c-5.
0
15. Amend Sec. 1005.1 by revising the definitions of ``Civil money
penalty cases'' and ``Exclusion cases'' to read as follows:
Sec. 1005.1 Definitions.
Civil money penalty cases refers to all proceedings arising under
any of the statutory bases for which the OIG has been delegated
authority to impose civil money penalties (CMPs).
* * * * *
Exclusion cases refers to all proceedings arising under any of the
statutory bases for which the OIG has been delegated authority to
impose exclusions.
* * * * *
Dated: June 26, 2023.
Xavier Becerra,
Secretary.
[FR Doc. 2023-13851 Filed 6-30-23; 8:45 am]
BILLING CODE 4152-01-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on July 3, 2023.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.