For those of us who work in the privacy and security space this past week has been a whirlwind with focus on the ramifications of the European Court of Justice (ECJ) decision invalidating the EU-U.S. Safe Harbor Agreement.  Much has been written on the EU-U.S. Safe Harbor Agreement and much more will be written in the coming weeks.  See Cozen O’Connor’s Cyber Law Monitor recent blog post, The End of Safe Harbor – What Does it Mean?   However, the ECJ decision was not the only news on safe harbor last week.  The U.S. Department of Health and Human Services, Office of Inspector General (“OIG”) issued their thoughts on data arrangements and safe harbor, albeit a much different safe harbor than the EU-U.S. Safe Harbor Agreement.  Healthcare providers and health IT vendors should pay close attention to OIG’s Alert.  See October 6, 2015 OIG Alert.

OIG issued the Alert during National Health IT Week and described it as a “Policy Reminder” on Information Blocking and the Federal Anti-Kickback Statute (42 U.S.C. 1320a-7b (b)).  The Federal Anti-Kickback statute prohibits individuals and entities from knowingly and willfully offering, paying, soliciting, or receiving remuneration to induce or reward referrals of business reimbursable under any Federal health care program (“FHCP”).  The Alert addresses a growing trend in the industry, arrangements involving the provision of software or information technology to a referral source.  Although there is a safe harbor for electronic health records (“EHR”) arrangements it “must fit squarely in all safe harbor conditions to be protected.” 42 CFR § 1001.952(y).

In its alert, OIG focused on the parameters of the safe harbor exception that allows donors to enter into a wide variety of arrangements involving EHR software, IT, and training services, provided there are no restrictions to the use, compatibility, or interoperability of donated items or services.  42 CFR § 1001.952(y)(3).  OIG provided guidance on this issue in 2013, explicitly stating that if the interoperability of an item or service is restricted by the donor or anyone acting on the donor’s behalf, including the recipient, then the donation violates the exemption and thus will be actionable under the Federal anti-kickback statute.

OIG’s Alert highlights practices outlined in its 2013 guidance that would be actionable under the Federal anti-kickback statute.  For example, an agreement between a donor and a recipient to limit a competitor from interfacing with the donated items or services would be actionable.  Even an agreement between a donor and an EHR technology vendor to charge non-recipient providers, non-recipient suppliers, or competitors’ high fees may be actionable.

OIG also provided an open invitation to whistleblowers to report fraud by urging persons with knowledge of violations of the safe harbor to be vigilant in reporting potential violations to their office.  Violations will occur when donors engage in information blocking, which refers to practices that unreasonably block the sharing of electronic health information (EHI).  OIG provided three criteria in a 2015 report for identifying practices that qualify as information blocking:

  1. Interference with the ability of authorized people to access, exchange, or otherwise use EHI.
  2. Knowledge, actual or expected under the circumstances, that the practice will be considered information blocking.
  3. No reasonable justification for limiting sharing of EHI.

If all three criteria are met, then the practice in question is considered information blocking.