Stark Law and Anti-Kickback Statute Proposed Rules Would Facilitate Donations of EHR and Cybersecurity Technology and Services
On October 17, 2019, the Department of Health & Human Services (HHS) published proposed rules in the Federal Register that would amend existing and create new exceptions to the physician self-referral law (Stark Law) and safe harbors to the Anti-Kickback Statute (AKS), in connection with HHS’s Regulatory Sprint to Coordinated Care (the Proposed Rules). Among the many proposals, HHS would amend the exception and safe harbor for electronic health records (EHR) items and services and create a new exception and safe harbor for donations of certain cybersecurity technology and related services.
Proposed Modifications of the EHR Exception and Safe Harbor
Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) of HHS originally issued a Stark Law exception and AKS safe harbor, respectively, protecting certain donations (i.e., licenses and other arrangements for less than the fair market value) of interoperable EHR software or information technology and training services to physicians and other referral sources (the EHR Exception and Safe Harbor) in 2006. By meeting the conditions of the EHR Exception and Safe Harbor, a donor and donation recipient will not violate the Stark Law’s self-referral prohibition and AKS’s prohibition on remuneration to induce referrals of items and services covered by federal health care programs. We discuss the proposed amendments to the EHR Exception and Safe Harbor below.
Scope of Protected Donors
The current EHR Exception protects donations from DHS entities, other than laboratory companies, while the current EHR Safe Harbor protects donations from individuals or entities, other than laboratory companies, that provide services covered by a federal health care program and submit claims or requests for payment, either directly or through reassignment, to the federal health care program as well as health plans. CMS does not propose any changes to the scope of protected donors in its Proposed Rule. OIG, on the other hand, notes that it is considering an expansion by either removing or revising the requirement that limits protected donors to those that submit claims or requests for payment. If OIG revises, rather than eliminates, the restriction, it is considering broadening the protection to donors with indirect responsibility for patient care. OIG provides, as examples of such entities, health systems and accountable care organizations that are not health plans and do not submit claims for payment. OIG also noted that it has received some comments that it should broaden the protection to include any risk-bearing entity that participates in an Advanced Alternative Payment Model entity under the Medicare Quality Payment program as a donor.
Recipient Cost Sharing Condition
Currently the EHR Exception and Safe Harbor include a condition that requires the donation recipient to pay 15% of the donor’s cost of donated EHR items and services (in advance of receipt of the items and services). This condition was intended to encourage prudent EHR arrangements, without imposing a prohibitive financial burden on recipients. However, CMS and OIG have received comments suggesting that the condition is cumbersome and acts as a barrier to EHR adoption. CMS and OIG did not propose specific regulation text for amendments to the 15% contribution condition in the Proposed Rules, but note that they are considering three alternatives to the current condition, namely: (a) eliminating or reducing the percentage contribution for small or rural practices under the safe harbor and physician organizations under the Stark EHR exception (or other subsets of potential recipients, such as critical access hospitals), (b) eliminating or reducing the percentage contribution for all recipients, and (c) if the agencies retain or reduce (but do not eliminate) the 15% contribution requirement, modifying or eliminating the contribution requirement for updates to previously donated EHRs. OIG specifically solicits input on how to define “small or rural practices” for purposes of the EHR Safe Harbor.
Notably, the agencies do not propose eliminating the requirement that any cost-sharing amounts be paid in advance of receiving the donated items and services. The pre-payment requirement has proved challenging for many donors and donation recipients that are accustomed to paying for many information technology items and services in arrears.
To be protected under the current EHR Exception and Safe Harbor, donated EHR items and services must be “interoperable.” Donated EHR software is deemed to be interoperable if it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology (ONC) to a then-applicable edition of the EHR certification criteria under ONC’s Health IT Certification Program. HHS proposes to retain this deeming construct, but to clarify that the software must have a current certification on the date it is donated, and proposes to remove references to an “edition” of the EHR certification criteria in order to align with ONC’s proposed changes to the Health IT Certification Program.
HHS also proposes to modify the definition of “interoperable” to require that donated EHR items and services (that are not deemed interoperable based on certification under the Health IT Certification Program) not constitute information blocking as defined in the 21st Century Cures Act (Cures Act). We discuss the Cures Act information blocking prohibition below.
The agencies are also considering two alternatives. First, they are considering linking the definition of “interoperable” to the ONC proposed definition of “interoperability” and second, eliminating the term “interoperable” and, in lieu of that term, using “interoperability”—which would be defined by reference to the Cures Act and ONC regulations. The agencies note that they plan to coordinate with ONC as ONC finalizes its proposed rule to ensure definitional alignment across the various agencies’ rulemaking efforts.
Information Blocking Prohibition
The third condition of the current EHR Exception and Safe Harbor prohibits donors (and anyone on their behalf) from taking actions to limit or restrict the interoperability of the donated items or services. HHS noted that the current prohibition was designed to prevent data and referral lock-in and encourage data exchange, consistent with privacy protections. Since the 2013 modifications to the EHR Exception and Safe Harbor, the concept of data lock-in has become commonly referred to as “information blocking.” In fact, the Cures Act includes a provision that explicitly prohibits information blocking and granted HHS the authority to issue exceptions to the broad prohibition. ONC issued a proposed rule in March that would, among other things, implement the statutory definition of information blocking and establish certain exceptions (for more on ONC’s proposed information blocking rule, see our On the Subjects here and here). Accordingly, CMS and OIG propose to modify the third condition to prohibit the donor (or any person on the donor’s behalf) from engaging in any practice constituting information blocking as defined under the Cures Act in connection with a donation of EHR items and services and, thereby, align the condition with ONC’s proposed definition of information blocking and related exceptions.
HHS states that the intent of the modification to align with ONC’s proposal is not to change the purpose of the exception and safe harbor condition, but to further the purpose through updated understandings as informed by the Cures Act. What it would mean, as a practical matter, is that the agencies would be incorporating an intent-based element into the exception and safe harbor conditions, which could make determinations about whether all of the conditions are met by (and, thus, whether protection attaches to) a donation arrangement all the more complex. Could this have been what CMS and OIG had in mind when crafting proposals to reduce regulatory burden?
Cybersecurity Software and Services
HHS takes the opportunity in the Proposed Rules to clarify that the EHR Exception and Safe Harbor have always protected donations of certain cybersecurity software and services, such as functions that are cybersecurity features of the EHR system. The agencies go on to propose broadening protection under the EHR Exception and Safe Harbor to explicitly include certain cybersecurity software and services that protect EHRs as permissible donations, so long as the predominant purpose of the software or service is cybersecurity associated with EHR functions.
Replacement EHR Technology
The current EHR Exception and Safe Harbor do not protect donations of equivalent EHR items or services to recipients because, in the agencies’ eyes, donations of replacement technology would not be “necessary” if the recipient already has equivalent items or services. However, in light of the constantly evolving EHR technological landscape and replacement costs that, at times, can be prohibitive, the agencies appear to be reconsidering that conclusion and now propose to remove the prohibition on donating replacement technology.
The specter of a sunset date has loomed over the EHR Exception and Safe Harbor since their creation in 2006. CMS and OIG kicked the can down the road in 2013, but now appear to be seriously considering removing the sunset provision altogether. The original thinking behind the sunset provision was that the need to protect EHR donations should reduce over time as EHR use became the standard of practice. The agencies state that they no longer believe that the need to protect EHR donations will disappear as the industry achieves widespread adoption—which the agencies acknowledge has largely happened. HHS points to the following factors to explain its change of heart regarding the ongoing need for the EHR Exception and Safe Harbor: new entrants into medical practice; aging EHR technology at existing practices; and emerging/improved technologies. However, the agencies leave open the option of a sunset date in the final rules. In addition to proposing complete removal, the agencies state that they are considering, and solicit comment on, a mere extension of the sunset date.
Although the various alternative proposals make it difficult to forecast what the agencies will finalize, if they adopt the more lenient proposals—particularly concerning removing the 15% recipient contribution requirement—the final rules could make the EHR Exception and Safe Harbor less burdensome by removing unnecessary administrative requirements associated with making protected donations. Given the variety of options on the table, it will be important for the healthcare industry to provide robust feedback on the proposals to help inform the agencies’ final rules.
Proposed Creation of a New Cybersecurity Exception and Safe Harbor
In addition to clarifying and expanding the scope of the EHR Exception and Safe Harbor to permit certain additional cybersecurity donations, CMS and OIG propose to create a new, standalone exception and safe harbor, respectively, to protect the donation of certain cybersecurity technology and related services (the Cybersecurity Exception and Safe Harbor). The agencies explain that the Cybersecurity Exception and Safe Harbor should help improve the healthcare industry’s overall cybersecurity posture by permitting donations to address the growing cyber threat that the industry faces. The Cybersecurity Exception and Safe Harbor seem to acknowledge that in an interconnected system, a weakness at one point can pose a risk for the system as a whole. The agencies appear to have used the EHR Exception and Safe Harbor as a starting point for crafting the conditions for the Cybersecurity Exception and Safe Harbor and to have been influenced by the Health Care Industry Cybersecurity Task Force’s recommendation to Congress to explore changes to the Stark Law and AKS to protect cybersecurity donations. We discuss the proposed Cybersecurity Exception and Safe Harbor in more detail below.
The agencies propose to establish definitions for two key terms in connection with the proposed Cybersecurity Exception and Safe Harbor—“cybersecurity” and “technology.” CMS and OIG propose to define “cybersecurity” as “the process of protecting information by preventing, detecting, and responding to cyberattacks.” Interestingly, the proposed definition of “cybersecurity” derives from a National Institute of Standards and Technology definition related to critical infrastructure that is not directly applicable to the healthcare industry. HHS chose this route to define the term broadly and to avoid unintentional limitations on what may be donated that could result from using a definition that is too narrow or that becomes obsolete with the passage of time. The agencies go on to propose defining “technology” to mean “any software or other types of information technology other than hardware.” Their goal is to propose a definition that is agnostic to the type of non-hardware cybersecurity technology and broad enough to cover technology that is neither software nor a service as those terms are generally conceived, such as application programming interfaces.
As with the EHR Exception and Safe Harbor, the agencies propose to exclude hardware from the definition of technology that may be donated under the Cybersecurity Exception and Safe Harbor because hardware is more likely to be multifunctional and poses a higher risk of being a disguised payment for referrals. However, the agencies are considering permitting certain hardware donations if the hardware is not integrated with multifunctional equipment and meets other conditions.
The Cybersecurity Exception and Safe Harbor also impose conditions that the cybersecurity donation must meet to qualify for the corresponding exception or safe harbor. The conditions are largely consistent, but vary between the CMS and OIG proposals. We discuss the conditions below.
Necessary and Used Predominantly for Effective Cybersecurity
Both agencies propose that the donated technology and services would have to be necessary and used predominantly to implement or maintain effective cybersecurity, such that the core function of the donation would have to be to protect information by preventing, detecting, and responding to cyberattacks. We note that CMS’s proposed condition explicitly references “reestablishing” cybersecurity. That reference is omitted from the OIG’s proposed condition and it is unclear whether the agencies intend for that to be a meaningful distinction between their respective proposals. The table below identifies examples of technology and services that could meet this condition, according to the agencies:
| Potentially Protected Technology | Potentially Protected Services |
| --- | --- |
| Software that provides malware prevention | Any services associated with developing, installing, and updating cybersecurity software |
| Software security measures to protect endpoints that allow for network access control | Any kind of cybersecurity training services |
| Business continuity software that mitigates the effect of cyberattacks | Any kind of cybersecurity services for business continuity and data recovery services to ensure the recipient’s operations can continue during and after a cyberattack |
| Data protection and encryption | Any kind of “cybersecurity as a service” model that relies on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient |
| Email traffic filtering | Any services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test |
| | Any services associated with sharing information about known cyber threats and assisting recipients responding to threats or attacks on their systems |
The agencies also offer examples of donations that they would not propose to protect. These include donations of cybersecurity measures outside of technology and services, such as installation or improvement of physical safeguards (like upgraded wiring or high security doors), as well as donations of technology and services with multiple, general uses outside of cybersecurity, such as general help desk services. The agencies are also considering whether it would be appropriate to deem a donation to meet the “necessary and used predominantly” condition if the parties demonstrate that the donation furthers a recipient’s ability to comply with a written cybersecurity program that reasonably conforms to a widely recognized cybersecurity framework or set of standards.
Not Directly Take Into Account Volume or Value of Referrals
CMS and OIG propose that the donor would not be able to directly take into account the volume or value of referrals or other business generated between the parties when determining either the eligibility of a potential recipient for the donation or the amount or nature of the donation. Further, donors would be precluded from conditioning the donation, or the amount or nature of the donation, on future referrals. Notwithstanding this condition, the agencies acknowledge that donors would provide cybersecurity technology and services only to individuals and entities that connect to their systems, which would include those that refer to the donor or receive referrals from the donor. The agencies note that this condition would not require a donor to make donations to every individual or entity that connects to its systems, but would permit certain selective criteria so long as the criteria meet this condition.
Unlike the corresponding condition in the EHR Exception and Safe Harbor, the agencies do not propose to include a deeming provision that identifies certain selection criteria that would automatically be determined to meet the condition. The agencies explain this decision by noting that they do not believe that cybersecurity donations present the same types of risks as EHR donations (because cybersecurity donations are further removed from referrals than EHR donations), and that they therefore believe that a list of selection criteria is not necessary. In connection with the first two conditions, the agencies do not propose to limit the scope of donors eligible for protection, but note that they are considering doing so.
Donation is Not a Condition of Doing Business with Donor
The agencies propose to preclude the potential donation recipient, their practice, or any affiliated individual or entity, from demanding (explicitly or implicitly) a cybersecurity donation as a condition of doing or continuing to do business with the donor. The agencies are not, however, proposing to require that the recipient make a contribution to the costs (e.g., 15%) at this time and do not propose to limit the scope of potentially protected recipients, going so far as to note that patients could be included. Notwithstanding this, donors would be free to require recipients to contribute to the cost, so long as the determination of a contribution requirement did not take into account the volume or value of referrals between the parties.
Fourth, the agencies would require that the donation arrangement be documented in writing, with OIG going further than CMS to propose requiring that the writing be signed.
Additionally, OIG would preclude the donor from shifting the cost of the donated cybersecurity technology or services to any federal health care program. Accordingly, the donation should not be included in a reimbursable cost center on a hospital Medicare or Medicaid cost report.
If the Cybersecurity Exception and Safe Harbor are finalized, when crafting donation agreements, donors will need to review their license agreements for cybersecurity software to ensure that they have rights to extend the software to third parties.
Alternative Proposal for Cybersecurity Hardware Donations
The agencies proposed an alternative whereby certain donations of cybersecurity hardware could be protected, if an additional “safeguard” is met. Specifically, the donor would have to determine that the donation of cybersecurity hardware (e.g., a two-factor authentication dongle) is reasonably necessary based on a risk assessment of its own organization and of the potential recipient. The agencies are considering limitations on this alternative proposal, such as limiting the type of potentially protected hardware to certain kinds of hardware, as well as a possible contribution requirement of 15% of the costs. If such a contribution requirement were added, OIG and CMS would consider excluding small and rural practices from this condition of the Cybersecurity Safe Harbor, or small and rural physician organizations from this condition of the Cybersecurity Exception, and would consider not requiring the recipient contribution in connection with upgrades, updates, and patches of previously donated technology or services.
Questions to Ponder
While the agencies solicit input and public comment throughout the Proposed Rules, they identify specific questions in connection with the proposed Cybersecurity Exception and Safe Harbor that stakeholders should consider when crafting comments on the proposals, including whether the agencies should impose a monetary value limit on the total amount of donations.
As the agencies acknowledge, the proposed Cybersecurity Exception and Safe Harbor are broader and include fewer conditions than the EHR Exception and Safe Harbor. If finalized, and depending on which alternative proposals, if any, the agencies adopt, the new Cybersecurity Exception and Safe Harbor could provide a useful pathway for potential donors to help protect their own systems through donations to connected recipients.
The agencies are accepting public comments on the Proposed Rules, including those portions related to modification of the EHR Exception and Safe Harbor and creation of a new Cybersecurity Exception and Safe Harbor, through December 31, 2019.