HHS Finalizes Highly Anticipated Final Rule Amending Anti-Kickback Statute and Stark Law Regulations, Part V: Cybersecurity Technology and Electronic Health Records
On January 19, 2021, significant changes to the regulations implementing the Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (commonly known as the Stark Law) went into effect. The sweeping changes come through two final rules – one issued by the Office of Inspector General (OIG) addressing changes to the AKS and the Beneficiary Inducements CMP, and one issued by the Centers for Medicare & Medicaid Services (CMS) addressing changes to the Stark Law.
In this fifth installment of our blog series covering the changes, we dive into (i) the new AKS safe harbor and Stark Law exception for cybersecurity technology and related services, and (ii) the significant changes to the existing safe harbor and exception for electronic health records (EHR) technology.
Cybersecurity Technology and Related Services
In the face of mounting concerns about the financial losses and risks to patients caused by cyberattacks against hospitals and other health care providers, the agencies finalized a new safe harbor and a new exception for donations of cybersecurity technology and services. The health care industry – particularly hospitals – should welcome this new flexibility to donate cybersecurity technology and services to physicians and other providers who often cannot afford sufficient protection against cyberattacks and therefore weaken the entire health care information ecosystem. While the agencies believe that the primary reason a donor would make a donation would be to protect against cyberattacks, they nevertheless recognize that donations of cybersecurity technology and related services offer value to the recipients who are relieved of an expense. The need to prevent cyberattacks must therefore be balanced with compliance safeguards. The requirements of the safe harbor and exception are similar in most respects, but a few differences are noted below.
Covered technology and services must be “necessary and used predominantly to implement, maintain, or reestablish cybersecurity,” which is the same standard applied under the safe harbor and exception for EHR donations. Because the agencies did not finalize the proposed deeming provision, the parties have great discretion to decide what technology and services qualify for protection, which is a benefit as well as a risk. The parties should carefully document all decisions regarding compliance with this requirement.
Donors have wide discretion in choosing the technology to be donated. The technology can have multiple uses, but the “core functionality” must relate back to cybersecurity. Covered technology may include malware protection software, data protection and encryption tools, and email traffic filtering. However, donation of a virtual desktop that includes features beyond cybersecurity software (e.g., word processing) likely would not be protected. In contrast to the safe harbor and exception for EHR donations, this safe harbor and exception consider hardware to be protected technology if it is necessary and used predominantly to implement, maintain, or reestablish cybersecurity, but the agencies made clear that the donation of physical infrastructure improvements, such as locks on doors, upgraded writing, and physical security systems, is not permitted because such items do not qualify as technology and offer other valuable benefits.
Similarly, a broad range of services would qualify for protection, including cybersecurity training services, risk assessment or analysis services, and services associated with developing, installing, and updating cybersecurity software. CMS mentioned that a donor could potentially provide a full-time cybersecurity officer to a physician recipient’s practice. In deciding what services to provide, donors should consider the level of risk presented when placing employees or contractors in physician offices because the possibility exists that such individuals could perform other duties that are the responsibilities of the physician’s staff.
When determining eligibility or the amount or nature of a donation, donors cannot directly take into account the volume or value of referrals or other business generated between the parties. The agencies chose not to include a list of deeming criteria as they did for EHR donations because donations are likely to be based on the desire to address cybersecurity risks rather than on the desire to attract or retain business. In addition, a deeming provision might cause the parties to forgo other appropriate selection criteria, which would limit the scope and utility of the safe harbor and exception. Donors therefore are free to determine eligibility and the scope of donations as they see fit. For example, a hospital may choose to donate to physicians on its medical staff or to physician practices identified in greatest need through risk assessments. Similarly, potential recipients cannot make the receipt of a donation, or the amount or nature of the donation, a condition of doing business with the donor. The agencies believe that these safeguards address concerns expressed by commenters that parties will use donations to attract or retain business, which remains to be seen.
The most important difference between the exception and safe harbor is the writing requirement. Under the safe harbor, the arrangement must be set forth in writing and signed by the parties, and it must include a general description of the donation and the contribution amount, if any. In contrast, CMS merely requires that the arrangement be documented in writing. CMS diverged from the OIG on this point because a signature requirement could lead to delay or to inadvertent Stark Law violations where donors need to act quickly and proceed without signatures. CMS expects the parties to have written documentation evidencing the arrangement that identifies the parties and includes a general description of the donation, the timeframe, a reasonable estimate of the value, and, if applicable, the recipient’s financial responsibility. The parties could satisfy the requirement with a memorandum to file or with a compilation of contemporaneous documents (such as emails) that would permit a reasonable person to verify compliance. In the commentary, the OIG noted that it also permits a ‘“collection of documents’” approach but that a single, written approach is a “best practice from a compliance perspective.”
Both agencies considered whether to restrict the scope of potential donors but ultimately declined to do so. Various laboratory industry organizations recommended the exclusion of laboratories based on the fact that many physicians reportedly conditioned referrals on EHR donations before laboratories became excluded donors in 2013 under the exception and safe harbor for EHR donations. According to the agencies, there is no need to exclude laboratories because recipients cannot make the receipt of cybersecurity technology or services, or the amount or nature of such technology or services, a condition of doing business with the donor, but they failed to acknowledge that this same condition applies to EHR donations.
Safe Harbor and Exception for the Donation of Electronic Health Records Technology and Related Services
While the use of EHR technology is far more widespread than when the safe harbor and exception for EHR donations became effective in 2006, the agencies believe that protection for EHR donations is still necessary to encourage continued adoption and use. To that end, the agencies finalized certain changes intended to offer more flexibility and clarity to parties seeking to donate EHR items and services.
Among other things, the agencies deleted the prohibition on donating replacement technology and made the safe harbor and exception permanent by removing the sunset date of December 31, 2021. While they considered eliminating the 15 percent cost-sharing requirement applicable to recipients, they ultimately decided it remains an important safeguard against health care fraud and abuse. The agencies did, however, relax the timing requirements for any items or services received after an initial or replacement donation by allowing payment of the cost-sharing amount at “reasonable intervals.” Donors seeking to avoid cost-sharing can consider whether and to what extent the new safe harbors and exceptions for cybersecurity technology and related services or for value-based health care delivery and payment might apply.
In a surprise move, the agencies deleted the prohibition on the donor taking any action to limit or restrict the use, compatibility, or interoperability of the items or services with other e-prescribing or EHR systems (which is now known as “information blocking”). When the safe harbor and exception were implemented in 2006, HHS had few legal avenues to prevent information blocking, but the 21st Century Cures Act has now given ONC and OIG more direct authority to address HHS’ concern with this practice. Further, the proposed information blocking regulations allow for exceptions while the prohibition in the safe harbor and exception was absolute. The agencies believe that, taken together, the interoperability requirement and the deeming provision encourage an interoperable health system and prevent EHR donations intended to lock in referrals by limiting the flow of electronic health information.
Finally, the agencies added reference to “cybersecurity software and services” to the description of nonmonetary remuneration covered by the safe harbor and exception. Recognizing that the new safe harbor and exception for cybersecurity technology and related services also protects such donations, the agencies wanted to make clear that cybersecurity technology and related services can be included with an EHR donation. Donors should consider the fact that few conditions apply to donations for cybersecurity technology and related services, and the most significant difference is the cost-sharing requirements.