In Short

The Situation: Despite the ongoing evolution of cybersecurity technology and services, patients' health information and other confidential data remain vulnerable to cyberattacks because such technology and services are often not utilized uniformly across the health care industry and are often costly to implement and maintain.

The Action: In the simultaneously released proposed rules, the Centers for Medicare & Medicaid Services ("CMS") and Office of the Inspector General ("OIG") have proposed a new exception to the Stark Law and a new safe harbor from the Anti-Kickback Statute ("AKS") that would permit stakeholders to donate cybersecurity technology and services in order to address the cybersecurity needs of donors and recipients.

Looking Ahead: While the agencies seek to use the proposed safe harbor and exception to encourage the necessary donation and receipt of cybersecurity technology, both agencies are considering whether to impose additional requirements that may narrow the scope of protection. Stakeholders should carefully review the final rules when published to assess how the proposed rules may have been adjusted and to promote compliance with all applicable requirements when structuring donations.

In the OIG's and CMS's October 17, 2019, proposed rules revising the AKS and physician self-referral law ("Proposed Rules"), the agencies have proposed a new safe harbor and a new exception designed to protect the donation of certain cybersecurity technology and related services. These proposals seek to promote increased interoperability and data sharing between providers by permitting the health care industry to develop a robust cyber ecosystem, in which personally identifiable health information and other confidential health data are effectively protected. These Proposed Rules were developed in tandem and, thus, the definitions and requirements for the safe harbor and exception are largely the same. Stakeholder comments submitted to both Proposed Rules likely will inform the final requirements for the safe harbor and exception.

The Cybersecurity Technology and Related Services Safe Harbor (§1001.952(jj)) and Exception (§411.357(bb))

The agencies' proposed donation of cybersecurity technology safe harbor/exception would protect certain nonmonetary remuneration in the form of a donation of cybersecurity technology and services. "Cybersecurity technology" is defined broadly to encompass any software or other type of information technology, other than hardware, that is related to the process of protecting information by preventing, detecting, and responding to cyberattacks. "Services" is also defined broadly to promote the flexible use of the safe harbor/exception, and the definition includes services relating to installation, training, data recovery, monitoring software, assessing system vulnerabilities, or responding to threats or attacks on the system. Uniquely, this safe harbor/exception does not have a requirement for recipients to contribute toward the cost of the donated technology or services.

The agencies acknowledge that the underlying purpose of the safe harbor/exception is to provide cybersecurity technology and services to providers that may not have resources to invest in such technology and services, and that a contribution requirement would minimize the effectiveness of this purpose. However, donors are permitted to negotiate a contribution toward the costs of the donation from recipients. Also, as currently proposed, there are no limitations on who may donate cybersecurity technology and services, or on who may receive such donations. The agencies, however, may narrow the scope of entities and individuals eligible for protection under the safe harbor/exception in the final rules.

The agencies have proposed four requirements that must be met in order to receive protection under this safe harbor/exception:

  1. The donated technology and services must be necessary and used predominantly to implement and maintain effective cybersecurity relative to the legitimate needs of the donors and recipients.
  2. Donors may not directly take into account the volume or value of referrals or other business between the parties when determining the eligibility of a potential recipient for the technology or services, nor may they consider future referrals when determining the amount or nature of the technology or services to be donated.
  3. Neither a potential recipient nor a potential recipient's affiliated individuals or entities may demand, implicitly or explicitly, the donation of cybersecurity technology or services as a condition for doing business with the donor.
  4. The donor and recipient must enter into a signed written agreement that provides a general description of the technology or services to be provided over the term of the agreement and outline shared financial responsibility, if any.

OIG also proposed a fifth requirement for the safe harbor that prohibits donors from shifting the costs of cybersecurity donations to federal health care programs. The agencies may impose additional requirements for the safe harbor and exception to narrow them somewhat, such as by limiting the scope of permitted donors.

Both agencies are considering an alternative proposal that would permit the limited donation of cybersecurity hardware if a donor determines that such donation is reasonably necessary, based on a risk assessment of both its own organization and that of the potential recipient. The risk assessment would need to comply with recognized industry standards and establish a reasonable basis to believe the donation of the cybersecurity hardware is reasonable and necessary.

Implications

If finalized, the donation of cybersecurity technology and services safe harbor/exception would provide a long-awaited opportunity for stakeholders to establish a robust cybersecurity network between health care industry stakeholders, regardless of any one entity or individual's relative resources and ability to invest in such technology independently. Even though agencies have drafted the safe harbor/exception broadly and flexibly to give stakeholders the ability to utilize the Proposed Rules to meet the needs of their organizations and patients and to permit the safe harbor/exception to evolve as technology does, stakeholders will still need to carefully review the final rules when published to determine how the Proposed Rules may have been adjusted and to promote compliance with all applicable requirements when structuring donations.

Three Key Takeaways

  1. OIG and CMS have proposed a new safe harbor from the Anti-Kickback Statute and a new exception to the Stark Law which would protect certain donations of cybersecurity technology and related services.
  2. Through the proposed safe harbor and exception, OIG and CMS seek to allow those donations that will further the development of a robust cybersecurity network and the protection of personally identifiable health information and other confidential health data. To further these goals, OIG and CMS have proposed broad definitions and have proposed to exclude potentially restrictive requirements, like a contribution requirement.
  3. Stakeholders should carefully review the final rules, when published, to determine how the proposed rules have been adjusted and to promote compliance with all applicable requirements when structuring donations.