The Health and Human Services (HHS) Office of Inspector General’s (OIG) final rule amending the safe harbors to the federal Anti-Kickback Statute (AKS) recently took effect on January 19, 2021. The AKS final rule significantly changes the regulatory landscape, especially for value-based care arrangements, and provides new (although more limited than some had hoped) opportunities for medical technology company engagement and participation in value-based and other arrangements. The OIG issued the final rule on November 20, 2020, as part of HHS’s Regulatory Sprint to Coordinated Care, which aims to advance the transition to value-based care and improve care coordination across settings, and in conjunction with the Centers for Medicare and Medicaid Services’ final rule amending the Stark Law regulations. For a quick reference chart of amended safe harbors under the AKS final rule discussed in this article, please see below:

Care Coordination Arrangements

Ineligible Entities

The AKS final rule includes various new safe harbors for value-based care arrangements involving value-based enterprise participants, or “VBE participants.” While the proposed rule initially excluded certain medical technology companies from the definition of a “VBE participant,” the final rule takes a slightly different approach, although with largely the same effect. Specifically, the value-based safe harbors in the final rule include an ineligible entity list, meaning that remuneration exchanged by entities on the list is not eligible for protection under these valuebased safe harbors. The ineligible entity list includes, among others, (i) manufacturers of a device or medical supply, (ii) medical device distributors and wholesalers that are not otherwise manufacturers of devices or medical supplies (e.g., some physician-owned distributors), and (iii) entities or individuals that sell or rent durable medical equipment, prosthetics, orthotics, or supplies (DMEPOS) covered by a federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services).

The term “manufacturer of a device or medical supply” means an entity that meets the definition of applicable manufacturer under 42 CFR § 403.902 (i.e., the Open Payments program definition) because it is engaged in the production, preparation, propagation, compounding, or conversion of a device or medical supply that meets the definition of covered drug, device, biological, or medical supply in 42 CFR § 403.902, but does not include entities under common ownership with such entity. Thus, while a medical device company may now be a “VBE participant” in a value-based entity arrangement, the remuneration exchanged by the medical device company would not be protected under the value-based safe harbors (except in limited circumstances as described below).

Limited Technology Participants

The OIG did allow a limited avenue for protection under the care coordination arrangements safe harbor for certain ineligible entities that are “limited technology participants” that exchange “digital health technology” with a valuebased enterprise (VBE) or other VBE participants, provided that the arrangement does not contain exclusivity provisions or minimum purchase requirements. Note that this is a relatively narrow exception, as the digital health technology must be in-kind (i.e., it cannot be a payment to the VBE participant to reimburse the cost of the technology).

“Limited technology participants” generally include manufacturers of medical devices or supplies (other than physician-owned medical device or supply companies) and entities or individuals that sell or rent DMEPOS. This means that a health technology company that would otherwise be ineligible (i.e., because it is a medical device manufacturer) could rely on the care coordination arrangements safe harbor for arrangements involving digital health technology if it qualifies as a limited technology participant. Health technology companies that are not ineligible entities are able to rely on the value-based safe harbors for all types of arrangements that meet the safe harbor conditions.

The OIG reiterated its interest in protecting remuneration in the form of a wide range of mobile and digital technologies for the coordination and management of patient care, such as remote monitoring, predictive analytics, data analytics, care consultations, patient portals, telehealth and other communications, and software and applications that support services to coordinate and monitor patient care and health outcomes (for individuals and populations).

“Digital health technology” is defined broadly to include hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care, and includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose. For example, this would include a software solution that enables hospitals to access data from cardiac devices used by EMS providers in the field so that they can coordinate and manage the care of patients undergoing a cardiac emergency (e.g., have advance notice of patients en route and provide consultation back to EMS personnel to direct the patient to the appropriate treatment location), including connectivity services, such as mobile hotspots and plans, necessary to enable the EMS providers to transmit data from the field to the hospital.

While the care coordination arrangements safe harbor requires navigating numerous definitions and requirements (including a requirement for the recipient to pay at least 15% of the offeror’s cost or fair market value), it does at least permit certain medical technology companies to participate in certain value-based arrangements that will likely drive the future of healthcare and provides some much-needed flexibility (e.g., no fair market value requirement). For example, a medical technology company could partner with physician practices to better coordinate and manage care for patients discharged from a hospital with digitally-equipped devices that collect and transmit data to the physicians to help monitor the patients’ recovery and flag the need to intervene in real time (e.g., a device that monitors range of motion that could inform what an appropriate physical therapy intervention may be).

Patient Engagement and Support

While the care coordination arrangements safe harbor only protects the exchange of remuneration between or among the VBE participants and the VBE, the patient engagement and support safe harbor protects in-kind remuneration up to $500 annually in the form of patient engagement tools and supports furnished directly by a VBE participant to a patient in the target population. And while this safe harbor includes a lengthy list of entities ineligible for protection (including DMEPOS companies – other than a manufacturer of a device or medical supply), it does permit certain manufacturers of medical devices and supplies that are not physician-owned to furnish patient engagement tools and support that constitute digital health technology directly to the patient if all of the safe harbor requirements are met.

Thus, a health technology company is potentially eligible to be a VBE participant and furnish protected tools and supports if it does not fall within the ineligible entities list. For example, furnishing connected scales or blood pressure monitors that track and transmit data to a patient’s licensed health care professional, applications that allow a patient’s mobile devices to monitor activity or other health data, a smartphone that facilitates telehealth services with a patient’s licensed health care professional, a platform or software that facilitates telehealth services, a tablet that facilitates a patient’s participation in a diabetes remote monitoring program, a device or 4 program that reminds patients to take a medication or attend a scheduled office visit, or broadband access to enable remote monitoring or virtual care. However, if that health technology company is a manufacturer of a medical device or supply, it may only furnish tools and supports in the form of digital health technology.

Cybersecurity Donation

The OIG added a new safe harbor for nonmonetary remuneration consisting of cybersecurity technology and services that are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity if certain conditions are met. Importantly, this safe harbor is available for all donors (there are no ineligible entities), there is no contribution requirement, recipients can include patients (without any monetary cap, although the donation must be necessary), and it protects hardware that meets the requirements as well as software and services. Protected donations could include business continuity software that mitigates the effects of a cyberattack and data recovery systems to ensure that the recipient’s operations can continue during and after a cyberattack, but the OIG notes that this would not include payments of any ransom to or on behalf of a recipient in response to a cyberattack.

To receive safe harbor protection, the cybersecurity technology (which can include hardware) and services (e.g., installation and configuration of software), must be used predominantly to implement, maintain, or reestablish effective cybersecurity. This means that multifunctional hardware would likely not satisfy the requirement. For example, servers, drives, upgraded wiring, physical security systems, fire retardant or warning technology, highsecurity doors, and a virtual desktop that includes access to programs and services beyond cybersecurity software were cited by the OIG as examples of technology that would not meet this requirement (e.g., the recipient would use an encrypted server predominantly for other purposes, such as hosting its computer infrastructure).

However, computer privacy screens, two-factor authentication dongles, security tokens, facial recognition cameras for secure access, biometric authentication, secure identification card and device readers, intrusion detection systems, data backup, data recovery systems, and patches and updates of software could be protected by the safe harbor if all of the requirements were met. In addition, while donations of general IT help desk services would not meet the “predominant use” requirement, donating services through a donor organization’s primary service desk or IT help desk limited to reporting cybersecurity incidents could satisfy the requirement.

Staffing a recipient’s practice with a full-time cybersecurity officer would likewise only be protected by the safe harbor if the officer’s duties were used predominantly for implementing, maintaining, or reestablishing effective cybersecurity and were necessary. The OIG specifically notes that other safe harbors may still apply. For example, a donation of data analytics software that includes cybersecurity features may be protected by the value-based safe harbors.


The OIG amended the existing warranty safe harbor to protect warranties related to a bundle of items or a bundle of items and services. Note that while the warranty safe harbor now protects a bundle of items and services, it does not protect warranties that warrant only services. The amendments require that if the warranty is for more than one item or one or more items and related services, the federally reimbursable items and services subject to the warranty must be reimbursed by the same federal health care program and in the same federal health care program payment.

In addition, the new safe harbor prohibits the manufacturer or supplier from conditioning the warranty on a buyer’s exclusive use of, or a minimum purchase of, any of the manufacturer’s or supplier’s items or services. The amendments also exclude beneficiaries from the reporting requirements and define “warranty” directly (instead of by reference to 15 U.S.C. § 2301(6), clarifying that the safe harbor is available for drugs and devices regulated under the Federal Food, Drug, and Cosmetic Act).

The OIG noted commentators’ concerns regarding the limited insight that sellers may have in the ultimate method of reimbursement for an item or service, but the OIG stated that sellers should be able to craft warranty offerings that meet the terms of the safe harbor, even if a particular bundle of items or items and services could potentially be reimbursed in different ways. For example, a seller’s written warranty could specify that warranty remuneration is available only in circumstances in which the bundle is reimbursed under the same federal health care program and in the same payment. Note that the same program/same payment requirement means that protection under the safe harbor does not extend to warranties for items used across a patient population.

For example, a manufacturer could offer a bundled warranty that warranties the clinical effectiveness of a selfinjected drug contingent on the patient receiving post-prescribing product administration and use education through nurse support offered by the manufacturer. However, the warranty safe harbor does not protect free or reduced-priced items or services that sellers provide either as part of a bundled warranty arrangement or ancillary to a warranty arrangement.

The OIG notes that if non-reimbursable items or services offered for free as part of a bundled warranty have independent value to a buyer, the parties may look to other safe harbors to protect the exchange of those items and services, such as the personal services and management contracts safe harbor discussed below. The safe harbor could also be used to protect remuneration for hospital expenses incurred as a result of a bundle of items that failed to meet the clinical outcomes guaranteed by a warranty arrangement, but note that the total warranty remuneration provided (including the cost of any replacement items) is limited to the original cost of the items and services incurred by the buyer.

Personal Services and Management Contracts

The OIG amended the existing safe harbor for personal services and management contracts to increase flexibility for part-time or periodic arrangements and arrangements where the aggregate compensation is not known in advance. Specifically, the OIG (1) deleted the requirement for part-time or periodic service arrangements to specify the exact schedule of intervals, their precise length, and the exact charge for the intervals, and (2) revised the compensation requirement so that the methodology for determining the compensation must be set in advance (instead of the aggregate or total compensation being set in advance). It is worth noting that the compensation must still be consistent with fair market value and not determined in a manner that takes into account the volume or value of referrals or business otherwise generated between the parties.

These changes now permit arrangements other than just flat fee arrangements (such as hourly payments where the total number of hours may vary) to receive safe harbor protection, so long as the other requirements are met. These changes are likely critical for health technology companies that are excluded from protections under many of the value-based safe harbors, as they may be left to rely on the personal services and management contracts safe harbor for their arrangements. For example, the OIG specifically recognized that entities on the ineligible list may structure arrangements to meet other safe harbors, including the personal services arrangements or the warranties safe harbor, and may also use the OIG’s advisory opinion process to the extent they want prospective protection for potential arrangements.

Note that while the OIG added new safe harbor provisions for outcomes-based payments in this safe harbor, it excluded payments made directly or indirectly by the entities on the ineligible entities list.

For assistance structuring arrangements involving medical technology companies or other questions, please contact a member of our Healthcare and Life Sciences practice group.