information blocking 21 century cures act healthcare compliance

Why Information Blocking Is Too Costly to Ignore


Imagine a situation where you cannot access your medical records. Even your doctors cannot receive copies of your complete medical history, and your healthcare providers cannot coordinate your care. Does that seem like a bad dream? Unfortunately, this is the reality for many patients today because of unnecessary "information blocking" practices.

This article will address information blocking in two primary ways. To begin, we will identify why information blocking is a serious HIPAA violation among the top compliance issues that healthcare organizations must address in 2023. Next, we will examine how to take preventative action that protects you against substantial fines and penalties.

What Does "Information Blocking" Mean?

Information blocking

The illegal act known as "information blocking" refers to any unreasonable practice that impedes authorized access to protected health information (PHI).

In one instance, a person's right to timely access to a copy of their medical records becomes nearly difficult or impossible. Another instance is when a healthcare network is prevented from accessing the information needed to provide high-quality care.

Information blocking is the new insider threat to organizations that must be avoided at all costs.

The Five Risks of Information Blocking

Information blocking can negatively affect healthcare organizations in the following ways:

  1. Financial penalties. The 21st Century Cures Act is an example of the energy and focus of enforcement agencies. Certain provisions also grant the authority to levy fines of up to $1 million per infraction. Imagine how out of control this penalty might become when multiplied by more than one patient record complaint. (Ouch!)
  2. Legal risks. Information blocking puts most HIPAA-covered entities and business associates at risk of legal repercussions. Similar to the way you and I understand that mishandling PHI is an unacceptable risk, we also must include information blocking as something to avoid and correct. The prevention of authorized access may be construed as a breach of HIPAA, state law, or other federal regulations.
  3. Reputation risks. Information blocking will threaten a company's reputation as filed complaints and investigations accumulate, diminishing patient and stakeholder trust.
  4. Reduced efficiency. Information blocking can impede the ability of healthcare providers to access and share patient information. The result often leads to inefficient outcomes and suboptimal care.
  5. OCR investigation. The HHS Office of Civil Rights (OCR) is an enforcement agency tasked with investigating potential violations of HIPAA Compliance including information-blocking allegations.

The OCR must investigate when a patient files a complaint. Full stop. If a subsequent audit discovers a business engaged in information blocking practices, then enforcement action can be taken.

For more information about how to identify this issue and exception cases, you can learn more in "The Information Rule: What Healthcare Providers Must Know."

The HIPAA Right of Access Initiative

Some medical professionals may have heard little to nothing. Here is a brief description of the Right of Access Initiative.

HIPAA Right to Access Initiative

The HIPAA Right of Access Initiative aims for individuals to have prompt and reasonably priced access to their medical records. In addition, the initiative grants the OCR power to investigate violations and take enforcement action against covered entities. Furthermore, the Department of Health and Human Services (HHS) hopes the OCR's initiative will educate healthcare professionals and raise patient awareness about patients' right to timely access.

"The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously. We will continue to ensure that health care providers and health plans take this right seriously and follow the law," said OCR Director, Melanie Fontes Rainer.

Additionally, the OCR's Right of Access Initiative seeks to eliminate other obstacles like exorbitant fees and prolonged record delivery times.

HIPAA mandates that authorized individuals have rights regarding their protected health information (PHI). Both physical and digital records are referred to here for covered entities such as health care providers, health plans, and clearinghouses.

The Costly Consequences of HIPAA Violations

Court room

As egg prices rise in our shops, so do annual hikes in fines. Each year adjusts for inflation rates, so a fresh increase in civil and monetary penalty amounts is easily predictable.

Financial penalties can vary from over $127 to $60,973 per violation now and reach upwards of $1.9 million per year. For the 2023-year increase, a 1.07745 multiplier is expected to take effect soon.

The HITECH Act sets the baseline of financial penalties. Fines range between $100 and $50,000 per violation and up to $1.5 million annually for violations of the same provision. Each OCR settlement frequently entails implementing a corrective action plan and a demonstrative due diligence process.

Failure to comply with HIPAA might subject people and healthcare organizations to hefty financial penalties. Potentially, these problems might compound that penalty.

Check out our take on "How HIPAA Financial Penalties are Determined and Calculated Explained."

A consideration factor for regulators is whether a HIPAA rules violation was reasonably avoidable. Another factor is defining the corrective action taken to immediately address the problem. Such factors will determine the severity of the HIPAA penalty.

HIPAA Compliance: What You Don't Know Can Hurt You

Our committed team of compliance advisors strives to maintain an efficient HIPAA Compliance Program and safeguard your firm. We strengthen our comprehensive knowledge with real-world enforcement patterns. A crucial component of compliance is correcting major compliance issues that frequently result in penalties or fines.

court icon

Two observations were made by our team based on the available OCR Enforcement Results. For covered entities and business associates identified, a wide variety of healthcare types are receiving fines due to mostly one HIPAA violation: the failure to provide timely access to a patient's medical record. Additionally, OCR audits are increasingly targeting smaller to medium businesses compared to previous years.

foot icon

For instance, there was a $100,000 penalty imposed on a smaller podiatry provider in 2022. What caused the higher than typical fine? After the OCR attempted to offer initial assistance multiple times, the small company's lack of response triggered an unforgiving outcome. Avoiding conflict, ignoring complaints, or remaining unresponsive during an audit is an unfruitful position.

Nurse icon

Recently, a primary care physician in Florida was fined $20,000 for not disclosing medical documents within the allotted time period of no more than 60 days. Instead, it took the woman five months to obtain all the records she had asked for while serving as the late father's personal representative, and that was only after her complaint had been examined by the OCR. To save you time, we summarized the OCR's Enforcement Results 2022 into a list of HIPAA financial penalties that were levied against HIPAA covered entities and business associates. The list offers a sobering take on which HIPAA compliance issues to prevent before it provokes an audit.

doctor icon

Remember that building and maintaining an effective HIPAA Compliance Program is the only certain protection against audit investigations. The objective is to empower your employees to adaptively respond to incidents and implement corrective action plans.

The HIPAA Wall of Shame

Check out the OCR Breach Portal to view daily cases of PHI breaches affecting 500 or more individuals. Keep in mind that the Breach Portal only represents the number of reported incidents currently under investigation. We can only imagine the actual total of unreported incidents.

medical icon

Final Thoughts

In conclusion, this article has shown you the importance of treating information blocking as a serious HIPAA violation. One that cannot be ignored by healthcare organizations. You discovered how to identify the risks to protect yourself from substantial fines and penalties. In addition, you have learned about the HIPAA Right of Access Initiative and were provided with examples of HIPAA penalties for covered entities. Doing the right thing is the true solution that protects your business. That's why we recommend ensuring an atmosphere of compliance in 2023 that begins with a wiser perspective: identifying, mitigating, and protecting against information-blocking and its unnecessary consequences.

Access Compliance Resources

brick icon

HCP specializes in assisting healthcare clients nationwide to create and maintain an efficient compliance program specific to the needs of your business (HIPAA, OSHA, corporate compliance, coding, and more). Our main distinction? We are a software company run by a group of experts in healthcare compliance.

Protection for HCP Clients

Login to the HCP Portal to access your compliance resources (only available for HCP Clients).

Compliance Solved.

Schedule a free online consultation to discover how to maintain an effective compliance program.

  • Discover how to streamline crucial procedures and get support from a committed group of compliance advisers.
  • Create an automated compliance training program for your team with access to more than 130 training sessions.
  • Find out how to get an assurance package worth up to $1 million for audit protection.