As discussed in a previous McGuireWoods alert, on Oct. 9, the Department of Health and Human Services announced two proposed rules to significantly amend the Physician Self-Referral Law (Stark Law), the federal Anti-Kickback Statute (AKS) and the Civil Monetary Penalties Law. This client alert, the third in McGuireWoods’ summary series on these proposed rules, focuses on (i) proposed changes to the electronic health records (EHR) items and services exception to the Stark Law and EHR safe harbor to the AKS, and (ii) a proposed new exception to the Stark Law and safe harbor to the AKS related to the donation of cybersecurity software and services.

The proposed rules stem from HHS’ Regulatory Sprint to Coordinated Care (discussed in a Sept. 26, 2018, client alert), intended to incentivize value-based arrangements and patient care coordination by expressly permitting certain activities that could be deemed problematic under current law. The proposed rules, respectively released by HHS’ Centers for Medicare & Medicaid Services (CMS) and the HHS Office of Inspector General (OIG), would add new value-based exceptions to the Stark Law and additional safe harbors under the AKS.

In addition to those value-based arrangement changes, other proposed changes to CMS’/OIG’s regulations are likely to ease certain burdens for healthcare providers and provide greater flexibility under these federal fraud and abuse rules, particularly regarding the donation of EHR and cybersecurity items and services.

1. CMS and OIG proposed adding cybersecurity technology and services to the EHR exception and safe harbor and adding a stand-alone cybersecurity technology and related services exception and safe harbor . CMS and OIG noted that the digitization of healthcare delivery and rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks. They further acknowledged that the cost of cybersecurity technology and related services has increased dramatically, to the point where some providers and suppliers are unable to invest in, and therefore have not invested in, adequate cybersecurity measures. Accordingly, CMS and OIG proposed providing for the donation of cybersecurity items and services both within the EHR exception and safe harbor and through a stand-alone exception and safe harbor.
CMS and OIG explained that, as proposed, the new cybersecurity exception and safe harbor are broader than their EHR counterparts are, as they require fewer conditions. For example, the cybersecurity exception and safe harbor do not share the condition of a 15 percent required contribution from recipients that exists under the EHR exception and safe harbor. CMS and OIG clarified that a party seeking to protect an arrangement involving the donation of cybersecurity software and services must comply with only one exception.
As proposed, the cybersecurity exception and safe harbor allow for the donation of cybersecurity technology and related services provided that certain conditions are met, including the following:
  1. The technology and services are necessary and used predominantly to implement and maintain effective cybersecurity.
  2. The donor does not (i) directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services or the amount or nature of the technology or services to be donated; nor (ii) condition the donation of technology or services, or the amount or nature of the technology or services to be donated, on future referrals.
  3. Neither the recipient nor the recipient’s practice (nor any affiliated individual or entity) makes the receipt of technology or services, nor the amount or nature of the technology or services, a condition of doing business with the donor.
CMS and OIG are also considering an alternative proposal that allows for the donation of certain cybersecurity hardware when the donor has determined that the hardware is reasonably necessary based on a risk assessment of its own organization and that of the potential recipient.
2. CMS and OIG proposed modernization updates to EHR interoperability provisions . The existing rules — discussed in an April 12, 2013, client alert and a Dec. 24, 2013, client alert — prohibit a donor from taking any action to limit or restrict the use, compatibility or interoperability of EHR items or services. CMS and OIG proposed modifications in recognition of significant intervening legal updates in this area. Specifically, they proposed adopting the term “information blocking” from the 21st Century Cures Act, which generally means interfering with, preventing or materially discouraging access, exchange or use of electronic health information. CMS and OIG clarified that both engaging in information blocking related to donated items or services and using those items or services to engage in information blocking are prohibited. Further, under the existing rules, software that was once ONC-certified but is not certified at the time of donation is protected. The proposed rule would revise this provision to require that the software be certified at the time of donation to be protected. CMS and OIG noted that any changes to the deeming provision would be prospective.
3. CMS and OIG proposed changes to the EHR cost-sharing requirements . CMS and OIG requested comments on whether to eliminate or reduce the 15 percent cost-sharing requirement within the EHR exception and safe harbor for small or rural physician organizations, or, alternatively, to reduce or eliminate this requirement for all physician recipients. CMS and OIG are additionally considering eliminating or reducing the percentage for updates to previously donated software or technology (i.e., requiring a contribution for the initial investment only). These considerations are based on comments that CMS and OIG received describing the 15 percent contribution requirement as burdensome and preventative to some recipients in adopting EHR technology.
4. CMS and OIG proposed to allow donation of replacement technology . The current EHR exception and safe harbor do not protect the donation of replacement technology when the replacement is for “equivalent items or services.” In the 2013 EHR final rule comments, one commenter asserted that the current exceptions lock physicians into vendor agreements by forcing a choice between paying full price for a new system or continuing to pay 15 percent of the cost for substandard technology. The 2019 proposal by CMS and OIG, if adopted, would allow donations of replacement EHR technology.
5. CMS and OIG proposed to either eliminate or extend the EHR exception and safe harbor sunset provisions . The EHR exception and Anti-Kickback Statute safe harbor concerning EHR items and services were originally scheduled to sunset on Dec. 31, 2013. In 2013, both CMS and OIG extended the sunset date to Dec. 31, 2021, but retained the idea that this exception would be obsolete once EHR technology was universal and would then be eliminated. If adopted, these proposed rules would eliminate the sunset date, expressing CMS’ and OIG’s continued interest in promoting EHR technology adoption. OIG explained that a need for this protection persists as new parties enter medical practice and EHR technology ages. Alternatively, CMS and OIG could simply extend the sunset date, and they are seeking comments on this matter.

* * * * *

Through these proposals, CMS and OIG seek to remove burdens on providers, without creating substantial risk of increased fraud and abuse. While CMS and OIG acknowledged that any donation of valuable technology poses risks of fraud and abuse, the need to protect the “weak links” in a healthcare system outweigh these concerns due to the threat of cyberattacks. Overall, many providers will likely support these proposed changes, notwithstanding that existing provider arrangements may need to be adjusted, reformed or terminated to comply with the proposed amendments.

The proposed changes are subject to a public comment period, open until Dec. 31, 2019. Please do not hesitate to contact a McGuireWoods attorney or one of the authors of this alert for more information regarding these proposed rules or for assistance in preparing a comment to these rules. After the open comment period, the government will review and may finalize the rule with any desired changes, to reduce Stark Law and AKS burdens on providers as soon as early 2020.