HHS Announces Crackdown on “Information Blocking” Violations

By: Kathie McDonald-McClure

The 21st Century Cures Act of 2016 (Cures Act) was passed by Congress and signed into law by President Obama on December 13, 2016. The Cures Act seeks to ensure access, exchange, and use of electronic health information. The Act mandated the U.S. Department of Health and Human Services (HHS) to establish rules prohibiting “information blocking” by developers of certified electronic health information technology (CEHRT), healthcare providers, health information networks (HINs), and health information exchanges (HIEs).

HHS, during the first Trump Administration, proposed and finalized initial information blocking rules for CEHRT developers and healthcare providers. The rules were initially set to take effect in November 2020 but were delayed due to the COVID-19 pandemic. The Biden Administration HHS announced that there would be no further delays, and those initial information blocking rules became effective on April 21, 2021. These rules are applicable to developers of CEHRT and healthcare providers as well as HINs and HIEs. See 45 C.F.R. Part 171—Information Blocking, and see our April 6, 2021 article discussing these complex rules, “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?”

The next mandate under the Cures Act was to establish civil monetary penalties (CMPs) for CEHRT developers and “appropriate disincentives” for healthcare providers who violate the information blocking rules. The Biden Administration HHS Office of Inspector General (OIG) proposed and finalized the CMPs of not more than one million dollars per violation for CEHRT developers who commit information blocking. Those rules became effective September 1, 2023. See 42 C.F.R. Part 1003 Subpart N.

The Biden Administration HHS also proposed and finalized the disincentives for certain healthcare providers who run afoul of the information blocking rule. These disincentives became effective on July 31, 2024. See 45 C.F.R. 171.1000.

On September 3, 2025, HHS, under the direction of Secretary Robert F. Kennedy, Jr., announced a crackdown on information blocking violations. The announcement states that the Cures Act was “published” during the first Trump Administration despite being signed into law by President Obama. The announcement goes on to say that “[i]nformation blocking was not a priority under the Biden Administration” despite the implementation of penalties and disincentives for violations.

Nevertheless, it is important to note the intent of HHS under Secretary Kennedy to prioritize enforcement of the information blocking rules. The announcement summarizes the penalties and disincentives for information blocking violations. The disincentives for hospitals, critical access hospitals, and clinicians are not as straightforward as the CMPs for CEHRT developers because they are tied to Medicare payment formulas. Although not detailed in the HHS announcement, we discuss the disincentives in more depth in our July 3, 2024 article, “HHS Adds New Teeth to Information Blocking Law for Health Care Providers.”

Looking for assistance in navigating compliance and avoiding the pitfalls associated with the information blocking rules? We work with our clients regarding their policies and procedures related to compliance with information blocking, HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

HHS Adds New Teeth to Information Blocking Law for Health Care Providers

by Margaret Young Levi, Kathie McDonald-McClure, and Drayden Burton (Wyatt Summer Associate)

On July 1, 2024, the U.S. Department of Health and Human Services (HHS) published a final rule entitled “21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking,” 89 Fed. Reg. 54662 (Final Rule), establishing “disincentives” for health care providers who commit information blocking. Importantly, the 21st Century Cures Act explicitly delegated the authority to HHS to establish “appropriate disincentives” for information blocking through notice and comment rulemaking. 42 U.S. Code § 300jj–52(b)(2)(B). Previously, on October 23, 2023, HHS published its proposed rule seeking comments on the proposed appropriate disincentives (Proposed Rule).

In general, “information blocking” means knowingly and unreasonably interfering with, preventing, or materially discouraging the access, exchange, or use of “electronic health information” (EHI) unless such blocking is required by law or permitted by regulatory exceptions. To learn more about information blocking and the permitted exceptions, see our article “Information Blocking Rule Effective April 5, 2021: Are Providers Ready?,” which provides an overview of the Rule’s key elements and requirements. The prohibition on information blocking went into effect on April 5, 2021, but until now did not contain any penalties for health care providers who engage in information blocking. Previously, on June 27, 2023, the HHS Office of Inspector General (HHS-OIG) established civil monetary penalties of up to $1 million per information blocking violation by developers of certified health information technology and for health information networks (HINs) and health information exchanges (HIEs). (88 Federal Register 42820).

This Final Rule adds some teeth, aiming to ensure that individuals and their health care providers always have access to the individual’s health information. Some of the comments that HHS had received to its Proposed Rule supported disincentives that incentivize an exchange of EHI across care settings on the basis that this will lead to better patient outcomes. In issuing its Final Rule, HHS stated, “When health information can be appropriately accessed and exchanged, care is more coordinated and efficient, allowing the health care system to better serve patients.”

The “Disincentives”

The Final Rule establishes certain “disincentives” for several categories of health care providers that HHS-OIG finds to have engaged in activities that interfere with or prevent access to EHI that constitute information blocking. These disincentives are as follows:


Changes to the Health Breach Notification Rule Include Regulations for Health Apps

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR”) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, has increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumers who use PHRs, the FTC finalized the following changes to the HBNR:


CMS Issues Updated Guidance on Texting Patient Orders

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, and similar requirements set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.


HHS and American Hospital Association Alert Providers to Act Now on “Citrix Bleed” Vulnerability

The United States Health & Human Services Department (HHS) Health Sector Cybersecurity Coordination Center (HC3) issued an HC3 Sector Alert for a software vulnerability dubbed the “Citrix Bleed.” The HC3 Alert advises on a Citrix security advisory regarding a zero-day vulnerability that impacts the NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The HC3 Alert, issued on November 30, 2023, urges healthcare organizations to upgrade their devices to prevent damage to the health sector from cyber attacks, including ransomware.

Per the HC3 Alert, Citrix warns that applying the patch it released for this vulnerability is not by itself sufficient: sessions that were compromised before patching remain active after the patch is installed. Organizations should therefore follow the Citrix guidance to upgrade devices and then remove any active or persistent sessions with the commands listed in the Alert.

On December 1, 2023, the American Hospital Association (AHA) similarly alerted its members about the Citrix Bleed issuing its own alert titled, “Urgent: Hospital Action Needed to Protect Against ‘Citrix Bleed’ Threat.” AHA also published the following article the same day: “HHS-HC3 calls for immediate hospital action to protect against ‘Citrix Bleed’ vulnerability and ransomware threat.”

In its weekly Medicare MLN Connects news on December 7, 2023, the Centers for Medicare and Medicaid Services (CMS) asked providers to make sure their IT department reads the information and takes the necessary action. Providers also should share the HC3 Alert with their network clearinghouse and vendors.

Relatedly, on December 6, 2023, CNN reported that HHS shared exclusively with CNN a plan focused on getting more money and training to small and rural health care providers who lack dedicated cybersecurity staff. CNN reported that Biden administration officials “have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.” Click here to read the full CNN article, titled “US health officials call for surge in funding and support for hospitals in wake of cyberattacks that diverted ambulances,” by Sean Lyngaas.

Looking for assistance with your organization’s data security policies? We work with clients and their IT team in the preparation and updating of information security policies and procedures to comply with the HIPAA Security Rule, FTC Safeguards Rule, and more. Such policies are essential in today’s cyber threat environment to meet the expectations of regulatory enforcement agencies such as the HHS Office for Civil Rights and the FTC. Information security policies also aid organizations in meeting other legal requirements and expectations, e.g., contractual, cyber insurance underwriting, consumer, and other third parties. If you are looking for assistance in this area, and to learn more about Wyatt’s data privacy and cyber security practice, visit the Wyatt Data Privacy & Cyber Security webpage.

If you need additional information, contact: Kathie McDonald-McClure, kmcclure@wyattfirm.com, at 502.562.7526