nds that all organizations have a policy and procedure on the screening of employees, contractors, and other individuals and entities against the List of Excluded and Individuals/Entities (LEIE) and any applicable State Medicaid program exclusion lists. As noted in the presentation, states may have different names for their exclusion lists; in California, for e.g., the exclusion list is called the “Suspended and Ineligible List”. Compliance requires a check against the OIG’s web-site list AND each state’s list; individuals or entities may appear on one list and not the other. States may have additional penalties for employment or contracting with an individual/entity on their lists in addition to the potential federal civil monetary penalty (CMP). This topic produced the most questions from the audience. Below we provide some basic guidance (beyond that of the GCPG) and underscore the caveat that individuals and entities should check their own state laws to assure full compliance. Federal regulations, 42 C.F.R. § 1003.200(b)(4), reflect a CMP for arranging or contracting (by employment or otherwise) with an individual or entity that the person knows, or should know, is excluded from participation in the Federal health care programs (including Medicare and Medicaid). The current amount of the CMP is $24,164. The OIG’s Health Care Fraud Self-Disclosure Protocol (updated in 2021) includes a discussion as to how to disclose conduct involving excluded persons (individuals and entities), with a possible pre-determined and potentially lesser penalty for self-disclosure. See OIG’s Health Care Fraud Self-Disclosure Protocol.State-specific laws and lists are specific to that state’s federal health care programs. There may be state-specific CMPs for submitting claims to the state Medicaid program for items or services furnished by an excluded person or entity and/or a penalty for contracting with an excluded person or entity. The state laws and exclusion lists should be checked for each state wh

n that this rule is under development.1 Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 89 Fed. Reg. 1192 (Jan. 9, 2024) (to be codified at 45 C.F.R. pts. 170, 171) [hereinafter HTI-1].2See HTI-1, 89 Fed. Reg. 1426 (to be codified at 45 C.F.R. § 170.102).3See HTI-1, 89 Fed. Reg. at 1244.4See HTI-1, 89 Fed. Reg. at 1244-45.5See HTI-1, 89 Fed. Reg. at 1244, 1247.6See HTI-1, 89 Fed. Reg. at 1247-48.7 HTI-1, 89 Fed. Reg. at 1431-32 (to be codified at 45 C.F.R. §170.315(b)(11)(iv), (vi)).8HTI-1, 89 Fed. Reg. at 1431-32 (to be codified at 45 C.F.R. §170.315(b)(11)(vi)).9HTI-1, 89 Fed. Reg. at 1267-68 (to be codified at 45 C.F.R. § 170.315(b)(11)(iv)(B)).10HTI-1, 89 Fed. Reg. at 1431 (to be codified at 45 C.F.R. §170.315(b)(11)(v)(B)).11 45 C.F.R. pt. 171.1245 C.F.R. § 171.103.13 Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 (Jul. 3, 2023). Enforcement against providers is on hold pending finalization of a rule proposed by the Centers for Medicare & Medicaid Services (CMS) in November. See 21st Century Cures Act: Establishment of Disincentives for Health Care Providers That Have Committed Information Blocking, 88 Fed. Reg. 74,947 (Nov. 1, 2023).14 HTI-1, 89 Fed. Reg. at 1435-36 (to be codified at 45 C.F.R. § 171.102).15 HTI-1, 89 Fed. Reg. at 1435 (to be codified at 45 C.F.R. § 171.102).16HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.103).1745 C.F.R. § 171.204.18HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.204(a)(1)).19HTI-1, 89 Fed. Reg. at 1436 (to be codified at 45 C.F.R. § 171.204(a)(3)).20 HTI-1, 89 Fed. Reg. at 1436-37 (to be codified at 45 C.F.R. § 171.204(a)(4)).21 45 C.F.R. § 171.301.22“TEFCA” is the acronym for the Trusted Exchange Framework and Common Agreement.23 HTI-1, 89 Fed. Reg. at 1437-38 (to be codified at 45 C.F.R. § 171.403).24 45 C.F.R. § 171.302.25 45 C.F.R. § 171

n blocking conduct occurring” prior to that date, the agency said.The rule maintains the enforcement priorities OIG laid out in the proposed regulation. OIG will pursue “conduct that: (1) resulted in, is causing, or had the potential to cause patient harm; (2) significantly impacted a provider’s ability to care for patients; (3) was of long duration; (4) caused financial loss to Federal health care programs, or other government or private entities; or (5) was performed with actual knowledge.”OIG will “select cases for investigation based on these priorities and expect[s] that the enforcement priorities will evolve as OIG gains more experience investigating information blocking,” it said. Importantly, OIG stressed that it has to find an element of “intent” in an entity’s actions; otherwise, OIG lacks authority to impose a fine, according to the rule.1 Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 (July 3, 2023), https://bit.ly/43dTrNP.2 Theresa Defino, HHS OIG Offers Guidance, “Form to Encourage Grantee Self-Disclosure of Possible Wrongdoing,” Report on Research Compliance 16, no. 8 (August 2019), https://bit.ly/3Q79Vo4.3 U.S. Department of Health & Human Services, Office of Inspector General, “Enforcement Actions,” accessed July 24, 2023, https://bit.ly/3Do7uGa.4 Theresa Defino, “After Paying HHS $1.45M, UNLV Enhances Award Oversight; OIG Touts Self-Disclosure,” Report on Research Compliance 18, no. 6 (June 2021), https://bit.ly/3cA8Hg6.5 Theresa Defino, “Two Washington Universities Ink Settlements For Exceeding Salaries, Falsified Application,” Report on Research Compliance 18, no. 12 (December 2021), https://bit.ly/3Dq8mtP.[View source.]

OIG lacks authority to impose a fine, according to the rule.The rule acknowledges that health care providers might develop IT for their own use, saying these entities are exempt from the definition of health IT developer. “The ONC Final Rule clarifies that health care providers that self-develop health IT for their own use refers to health care providers that are the primary users of the health IT and are responsible for its certification status.”1 Theresa Defino, “OCR Issues Reproductive Health Propose Rule, Focuses on Part 2—But Not Privacy Amendments,” Report on Patient Privacy 23, no. 5 (May 2023), https://bit.ly/3Mm1QbG.2 U.S. Department of Health & Human Services, Office for Civil Rights, “HIPAA Privacy: Changes to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” RIN: 0945-AA00, Spring 2023, https://bit.ly/3D5KHPs.3 Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules, 88 Fed. Reg. 42,820 (July 3, 2023), https://bit.ly/43dTrNP.4 Theresa Defino, “ONC’s Tripathi: HIPAA Doesn’t Impede Sharing, Requirements Under Info Blocking Regulation,” Report on Patient Privacy 23, no. 2 (February 2023), https://bit.ly/3ZEoAJu.5 U.S. Department of Health & Human Services, Office of Inspector General, “Information Blocking,” last updated July 5, 2023, https://bit.ly/3pFtA3M.[View source.]