On October 9, 2019, the U.S. Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS) simultaneously released a set of proposed rules (the “Proposed Rules”) that, among other things, would create a new Anti-Kickback Safe Harbor and Stark Law Exception for the donation of “cybersecurity technology and services.” The Proposed Rules also would amend the existing Anti-Kickback Safe Harbor and Stark Law Exception for the donation of “electronic health record (EHR) items and services.” HHS and CMS are inviting comments on the Proposed Rules, as well as several specific “alternatives” that the agencies are considering including in the final rule.
The Proposed Rules include:
New Cyber Security Safe Harbor and Exception
The Proposed Rules would create a new Safe Harbor and Exception for the donation of certain cyber security technology and related services that comply with the following requirements:
- Donors would be permitted to donate “technology and services [that] are necessary and used predominantly to implement and maintain effective cybersecurity.” In the commentary to the Anti-Kickback Statute Proposed Rule, HHS explains: “Our intent is to protect a wide range of technology and services that are specifically donated for the purpose of, and are necessary for, ensuring that donors and recipients have effective cybersecurity.”
- “Cybersecurity” is defined as “the process of protecting information by preventing, detecting, and responding to cyberattacks.”
- “Technology” is defined as “any software or other types of information technology, other than hardware.” In creating these broad definitions, HHS explains: “We intend for this safe harbor to be broad enough to include cyber security software and other information technology (e.g., Application Programming Interface (API), which is neither software nor a service as those terms are generally used) that is available now and technology that may become available as the industry continues to evolve.” Other examples of technology that could be donated include:
  - Malware prevention software
  - Software security measures to protect endpoints that allow for network access control
  - Business continuity software
  - Data protection and encryption
  - Email traffic filtering
- While the Proposed Rules would exclude the donation of hardware, the regulators are considering, and in the Proposed Rules solicit comments regarding, an alternative that would allow the donation of cybersecurity hardware that a donor has determined to be reasonably necessary based on a risk assessment of its own organization and that of the potential recipient.
- Although the term “services” is not defined in the Proposed Rules, in the commentary to the Anti-Kickback Statute Proposed Rule, HHS makes clear that its intent is to “protect a broad range of services,” including:
  - Development, installation and updating of cybersecurity software;
  - Cybersecurity training services;
  - Business continuity and disaster recovery;
  - Third party services to manage, monitor and operate cybersecurity for their recipients;
  - Risk assessments, vulnerability analyses, and penetration tests; and
  - Sharing information about cyber threats and assisting recipients in responding to threats and attacks on their systems.
- The recipient would not be required to pay any of the donor’s costs. This is a departure from the existing Safe Harbor and Exception applicable to the donation of EHR items and services, which require the recipient to pay at least 15% of the donor’s costs.
- Donors would be prohibited from shifting the cost of the cybersecurity technology or services to any Federal health care program.
- Donors would be prohibited from taking into account or conditioning the donation upon the volume or value of the recipient’s referrals.
- Donors would not be required to donate cybersecurity technology and services to every individual or entity that connects to the donor’s system. Instead, the donor could use selective criteria for choosing recipients, provided that neither the recipient’s eligibility nor the services donated are determined in a manner that takes into account the volume or value of referrals or other business generated between the donor and recipient. In the commentary to the Anti-Kickback Statute Proposed Rule, HHS includes the following examples of selective criteria that could be used to determine eligible recipients:
  - Results of risk assessments
  - Medical staff membership
  - The type and extent of the connection between the donor and recipient (e.g., read-only vs. bi-directional read/write)
  - Other criteria based on the risk of the connection between the donor and recipient
Proposed Changes to the EHR Donation Safe Harbor and Exception
The Proposed Rules also include several amendments to the existing Safe Harbor and Exception applicable to the donation of EHR items and services (the “EHR Donation Safe Harbor and Exception”). These amendments include:
- Interoperability. Under the current EHR Safe Harbor and Exception, the donated EHR must be “interoperable,” and the donor cannot take any action to limit interoperability. The Proposed Rule would define “interoperable” to mean that the EHR:
  - Is able to securely exchange data with, and use data from, other health information technology without special effort on the part of the user;
  - Allows for complete access, exchange and use of all electronically accessible health information for authorized use under applicable State or Federal law; and
  - Does not constitute “information blocking.”
HHS is also soliciting comments regarding an alternative proposal to adopt a new definition of “interoperability.” In addition, an EHR would be deemed “interoperable” if, on the date it is provided to the recipient, it has been certified by a certifying body authorized by the National Coordinator for Health Information Technology.
The current EHR Safe Harbor and Exception prohibit a donor from taking any action to limit the use, compatibility, or interoperability of the donated EHR with other EHRs. This restriction was intended to address the concern that a donor might take steps to “lock-in” the recipient’s data and referrals. In order to further address this concern, the Proposed Rules require that the donor not engage in any practice constituting “information blocking” as defined in the 21st Century Cures Act.
The Proposed Rules would amend the existing EHR Safe Harbor and Exception to clarify that cybersecurity software and services are, and have always been, protected, and to more broadly protect the donation of software and services related to cybersecurity. The cybersecurity technology and services covered under the EHR Safe Harbor and Exception are the same as under the proposed standalone Cyber Security Exception and Safe Harbor discussed above.
The current EHR Safe Harbor and Exception are set to sunset on December 31, 2021. The Proposed Rules would eliminate the sunset date altogether. Commentary to the Proposed Rules indicates that the regulators also are considering an extension of the sunset date, rather than its elimination, and asks for comments on both approaches.
15% Recipient Contribution
The current EHR Donation Exception and Safe Harbor require the recipient to pay at least 15% of the donor’s costs of the donated items and services. The Proposed Rules do not include any specific amendments to the 15% contribution requirement. In the Proposed Rules, however, the agencies solicit comments on three alternatives to the current 15% contribution requirement:
- Eliminating or reducing the 15% contribution requirement for small or rural practices.
- Eliminating the 15% contribution requirement for all recipients.
- Modifying or eliminating the 15% contribution requirement for updates to previously donated EHR software.
Under the current EHR Safe Harbor and Exception, a donor cannot donate EHR software to a recipient that already has equivalent technology. In light of the fact that EHR technology advancements “are continuous, rapid and sometimes prohibitively expensive,” the Proposed Rules would eliminate this restriction.
The Proposed Rules indicate that the regulators are considering, and requesting comments on, an expansion of the types of entities that constitute permissible “donors.” The regulators are considering either eliminating the current requirement that a donor be an entity that provides healthcare services covered and reimbursed by Medicare, Medicaid or another Federal health care program, or broadening the definition of “donor” to include “entities with indirect responsibility for patient care.” The expanded definition would be intended to include, for example, health systems and ACOs that are neither health plans nor submit claims for payment.