This Commentary is part of a series of nine Commentaries on the newly finalized Stark Law and Anti-Kickback Statute exceptions and safe harbors seeking to remove regulatory barriers to care coordination.
The Situation: The adoption of new technologies has been a hallmark of the health care industry in the twenty-first century. While these technologies have helped to improve both industry efficiency and patient outcomes, the growing use of technology also makes the industry increasingly vulnerable to cyberattacks. Unfortunately, cybersecurity technology and services to combat the threat of cyberattacks can be prohibitively expensive for many health care providers and others.
The Action: In simultaneously released final rules containing virtually identical requirements, the Department of Health and Human Services Office of Inspector General ("OIG") and the Centers for Medicare & Medicaid Services ("CMS") have codified the new Anti-Kickback Statute ("AKS") safe harbor and Stark Law exception permitting stakeholders to donate cybersecurity technology and services to entities with which they interact. In doing so, they aim to address cybersecurity threats impacting donors and recipients, to protect against inadvertent disclosure of sensitive patient information and corruption of health records, and to preserve quality of care.
Looking Ahead: Now that the final rules have been published, stakeholders should consider ways in which the sharing of cybersecurity technology and services with other entities could help reduce the risk of cyberattacks. When structuring donations of cybersecurity technology or services, stakeholders should carefully review the final rules to promote compliance with all applicable requirements.
The Cybersecurity Technology and Related Services Safe Harbor (§ 1001.952(jj)) and Exception (§ 411.357(bb))
In October 2019, OIG and CMS published two proposed rules containing highly anticipated updates to the longstanding AKS and Stark Law regulations ("Proposed Rules"). Among many other reforms, the Proposed Rules introduced an AKS safe harbor and a parallel Stark Law exception that would protect certain nonmonetary remuneration in the form of donation of cybersecurity technology and services. Given the increasing frequency of cybersecurity attacks involving the health care industry, the Proposed Rules promoted arrangements that would protect patients–and the health care system overall–from such attacks.
In November 2020, OIG and CMS issued their respective final rules, codifying the AKS safe harbor and Stark Law exception for the donation of cybersecurity technology and services ("Final Rules"). Although the OIG and CMS rules are phrased slightly differently, they contain the same substantive requirements for the protection of these arrangements. While the safe harbor and exception were largely adopted as proposed, the Final Rules do make a few adjustments:
- Definition of "cybersecurity technology": As indicated above, the Final Rules protect the donation of "cybersecurity technology and services." The Proposed Rules had defined such technology to include any software or other types of information technology, other than hardware; however, the Final Rules do not except hardware from the types of technology that may be donated. The Final Rules were modified in response to public comments, allowing donated hardware to fall within the safe harbor/exception as long as it is "necessary and used predominantly" for effective cybersecurity and meets all the necessary conditions.
- Alternate Proposal Regarding Cybersecurity Hardware: Since the definition of "technology" under the Proposed Rules did not include hardware, the agencies had solicited comments on an alternate proposal allowing the donation of hardware if it was "reasonably necessary based on a risk assessment of the donor and recipient." Given that the revised definition of "technology" in the Final Rules now allows for hardware donations, this alternative is not necessary.
- Protected Donors: While the Proposed Rules did not restrict the types of individuals and entities qualifying for protection under the safe harbor and exception, the agencies indicated they would consider adding restrictions if deemed necessary. The agencies ultimately did not incorporate any additional restrictions in the Final Rules–the safe harbor and exception protect all donors, without any limitations, as long as the other conditions of the Final Rules are met.
- Permitted Recipients: Similarly, the Proposed Rules protected donations of cybersecurity technology and services to any individual or entity without limitation, even if the recipient was a patient. The agencies indicated that they might consider additional safeguards if deemed necessary. Commenters suggested safeguards ranging from a monetary limit on donations to restrictions against "multifunctional" software or devices, but the agencies ultimately rejected these suggestions. The Final Rules do not limit the types of entities or individuals that may receive donations of cybersecurity technology and services.
- Recipient Contribution: The agencies received numerous comments on the Proposed Rules regarding whether to require recipients to contribute to the cost of the donated cybersecurity technology or services. While the Proposed Rules did not require recipient contributions, the Electronic Health Records ("EHR") safe harbor and exception (42 C.F.R. §§ 1001.952(y) and 411.357(w)) do require the recipient to pay 15% of the donor’s cost for the EHR items and services provided. In response to the comments received, the agencies ultimately determined that (i) given the wide variety of cybersecurity technology and services that may be provided, it is often not practical to require a minimum contribution from recipients; (ii) the cybersecurity safe harbor/exception includes other conditions that prevent abuse or potential anti-competitive behavior; and (iii) donors are still free to require recipients to contribute to the cost of the technology or services provided.
These long-awaited Final Rules protecting cybersecurity technology and services provide an opportunity for stakeholders to establish a robust cybersecurity network, regardless of any one entity’s ability to independently invest in such technology. While the agencies have drafted the final safe harbor and exception broadly to give stakeholders flexibility, stakeholders should carefully review the Final Rules when structuring donations of cybersecurity technology or services to promote compliance with all applicable requirements.
Three Key Takeaways:
- OIG and CMS have finalized the new AKS safe harbor and new Stark Law exception that protect certain donations of cybersecurity technology and related services.
- Through the new exception and safe harbor, OIG and CMS seek to enable the development of a robust cybersecurity network that protects personally identifiable health information and other confidential health data, even among small and under-resourced providers. To further these goals, OIG and CMS have proposed broad definitions that permit the donation of both cybersecurity software and hardware, as long as certain conditions are met.
- Stakeholders should carefully review the Final Rules to determine how to promote compliance with all applicable requirements when structuring donations.