On November 20, 2020, the Office of the Inspector General of the Department of Health & Human Services (OIG) released its final rule1 implementing changes to the Anti-Kickback Statute2 (AKS) and the Beneficiary Inducements Civil Monetary Penalties Law3 (CMP Law) (OIG Final Rule). This Final Rule was released with a companion rule by the Centers for Medicare & Medicaid Services (CMS), which we discussed in detail in Part I of this series. The OIG Final Rule became effective on January 19, 2021.
Overview of Changes in the OIG Final Rule
In the OIG Final Rule, OIG finalized regulatory provisions for eleven AKS safe harbors: seven new safe harbors and four modifications of existing safe harbors. OIG also finalized one change in the OIG Final Rule to an exemption of remuneration under the CMP. These additions and revisions to the safe harbor regulations are designed to enable innovative partnerships among health care providers and suppliers, vendors and technology companies, and other health care entities to improve patient outcomes and manage costs under federal healthcare programs, and to facilitate arrangements that seek to improve outcomes and lower health care costs. While consistent with the OIG’s approach in recent years of providing greater flexibility under the AKS and CMP Law, these regulatory changes represent a dramatic expansion of protections for arrangements and programs designed to improve quality of care and reduce costs. In the OIG’s words, the safe harbors are intended “to remove potential barriers to more effective coordination and management of patient care and delivery of value-based care.”4
The OIG’s new and revised safe harbors will protect numerous different types of arrangements and programs that otherwise could have implicated the AKS. These safe harbors apply to arrangements among health care entities and providers as well as programs designed to engage, support, and incentivize beneficiaries to seek better health care and improved health. As described in greater detail below, the OIG Final Rule includes each of the following:
- Value-Based Arrangements: Three new safe harbors for certain value-based arrangements, matching those set forth in the CMS rule;
- Personal Services and Management Contracts and Outcomes-Based Payments: Expansion of the existing personal services and management contracts safe harbor to include protection for outcomes-based arrangements with payment methodologies set in advance;
- Warranties: Expansion of the existing warranty safe harbor to cover items as well as services furnished in connection with those items;
- Patient Engagement Tools and Supports: A new safe harbor for programs providing patient support in connection with a value-based arrangement;
- CMS-Sponsored Models: A new safe harbor to protect arrangements and patient incentives under CMS-sponsored models, such as initiatives advanced by the Center for Medicare & Medicaid Innovation (CMMI);
- Local Transportation: Expansion of the existing safe harbor for local transportation services to allow longer distances and to expressly allow the use of ride-sharing services;
- Accountable Care Organization (ACO) Beneficiary Incentive Programs: A new safe harbor codifying a statutory AKS exception for programs related to certain services for ACO-assigned beneficiaries;
- Telehealth for In-Home Dialysis: A new regulatory exception to the CMP Law codifies a statutory exception to allow certain technologies to be furnished to Medicare beneficiaries;
- Cybersecurity and EHR: One new safe harbor provides protection to arrangements dealing with donations of cybersecurity technology and services, and, in addition, the existing safe harbor for electronic health records (EHR) items and services is expanded to cover more types of entities and to include cybersecurity software and services with the predominant purpose of protecting EHRs.
The new protections for Value-Based Arrangements discussed immediately below, which include the three new safe harbors themselves and the introduction of new defined terms used throughout the new and revised safe harbors, overlap significantly with the Stark Law exceptions in the CMS Final Rule. After these value-based arrangement protections, we discuss the additional eight AKS safe harbors introduced or modified in the final rule and the exception to the CMP Law.
Key Takeaways and Conclusions
- The new and revised safe harbors in the OIG Final Rule represent a significant expansion of flexibility for health care entities to enter into arrangements designed to promote quality and reduce costs. The three new value-based arrangement safe harbors represent the broadest changes. Yet the other changes also extend meaningful latitude to health care entities seeking to enter into innovative arrangements to serve patients, including federal health care program beneficiaries.
- While any entity may meet the definition of a Value Based Entity, the OIG excluded the following entities from availing themselves from the value-based safe-harbors: pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers (PBMs); laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices or medical supplies; entities or individuals that sell or rent durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); and medical device distributors and wholesalers. One of the three new OIG value-based safe harbors protects limited digital technology arrangements involving manufacturers of devices or medical supplies and DMEPOS. Of important note, for entities with multiple lines of business, where some lines may be excluded from safe harbor protection, the OIG has explained the test for whether an entity is excluded is at the corporate level (without further definition) and based on the “predominant or core line of business” (also not further defined).
- In addition to the limitation on key participants from AKS protection, the OIG also implemented a number of additional safeguards in their value-based safe harbors that were not present in the CMS value-based exceptions we had covered in our Part I Alert. The problem with this divergence is that while not all healthcare entities need to comply with the Stark Law, all healthcare entities need to comply with the AKS. Therefore, whatever regulatory requirements the OIG has imposed will be the ultimate arbiter for what healthcare entities will need to do in order to receive fraud and abuse protection.
- The additional new safe harbors and revisions to existing safe harbors may provide new pathways for innovative arrangements. For example, the OIG expanded the application of the warranty safe harbor and the personal services safe harbor to protect outcome-based payments, which broadens the scope of these safe harbors to include potentially many more arrangements.
- Finally, like CMS, OIG created a new cybersecurity technology donation safe harbor and exception. Both agencies also revised the electronic health record (EHR) AKS safe harbor and Stark Law exception.
- It is still unclear how the new Biden Administration will react to, interpret, and enforce these regulatory changes. While we have no indication that the new Administration will significantly pull back these regulatory reforms, we do not yet know whether it will expand upon these needed changes or revise some of the limitations that have left some healthcare entities without safe-harbor protection for value-based arrangements.
Value-Based Arrangement Protections
OIG finalized three new safe harbors for certain remuneration exchanged between or among eligible participants in a value-based arrangement that fosters better coordinated and managed patient care, and set forth new defined terms for value-based arrangements, activities, entities, and participants.
A. New Terms Associated with the Value Based Safe Harbors
OIG finalized new terms associated with the three value-based safe harbors that describe the “value-based enterprises” (VBEs) and the eligible “VBE participant.”
- VBEs are two or more individuals or entities (the VBE participants, defined below) that collaborate to achieve one or more value-based purposes. The VBE must have an accountable body or person responsible for financial and operational oversight of the VBE (e.g., a board of directors), and there must be a governing document that describes the VBE and how the participants intend to achieve the value-based purpose(s).
- Value Based Purpose means one of the following:
- coordinating and managing the care of a target patient population;
- improving quality of care;
- appropriately reducing costs to, or growth in expenditures of, payers without reduction in quality of care; and
- transitioning from volume-based healthcare delivery and payment mechanisms to mechanisms based on quality of care and control of costs of care.
- VBE participant is an entity that engages in at least one value-based activity as part of a VBE, other than a patient acting in their capacity as a patient. The OIG Final Rule deletes references to manufacturers, suppliers or distributors in the VBE definition. Instead, in each safe harbor, OIG finalized a list of the eligible participants. As discussed in more detail below, each safe-harbor has certain entities that can and cannot avail themselves of protection. The exclusion of certain entities from safe-harbor protection will greatly limit the utility of many of the new OIG safe-harbors.
- Value-based arrangement is an arrangement for the provision of at least one value-based activity aimed at a target patient population.5 A value-based arrangement can be formed between (i) VBE participants in the same VBE or (ii) between the VBE itself and one or more participants.
- Value-based activity means either the provision of an item or service, the taking of an action, or the refraining from taking an action. A value-based activity cannot include the making of a referral, and must be reasonably designed to achieve at least one value-based purpose. Notably, OIG had deleted its proposed requirement that value-based arrangements have a “direct connection” to the coordination and management of care for the target population, but the “direct connection” to the VBE purposes is required under the substantial and full risk value-based safe harbors.
OIG also finalized the following new definition of digital health technology which is applicable to the three new value-based safe harbors. This definition is applicable also to the updated personal services and management contracts and outcomes-based payment arrangements safe harbor and the patient engagement and support to improve quality, health outcomes and efficiency safe harbor (42 C.F.R. § 1001.952(d), (ee)-(hh)):
- Digital health technology means “hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care; such term includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose.” OIG noted that it is intended to encompass a wide range of technologies, including associated connectivity services necessary and used to enable the operation of the item or service.
B. New Safe Harbors
The three new value-based arrangement safe harbors are:
- Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency (§ 1001.952(ee));
- Value-Based Arrangements With Substantial Downside Financial Risk (§ 1001.952(ff)); and
- Value-Based Arrangements With Full Financial Risk (§ 1001.952(gg)).
Under the three new safe harbors, the OIG requires fewer regulatory safeguards as the parties assume greater levels of financial risk. All three value-based safe harbors offer protection for in-kind remuneration, such as technology donations or services. But only the Value-Based Arrangements With Substantial Downside Financial Risk and Value-Based Arrangements With Full Financial Risk safe harbors protect monetary remuneration. The Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency safe harbor, which requires little or no assumption of risk, does not. OIG pointed out that parties to arrangements involving monetary remuneration, such as shared savings or performance bonus payments, may be eligible for the new protection for Personal Services and Management Contracts and Outcomes-Based Payment Arrangements safe harbor or the CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient Incentives, both of which are discussed in Section III.
Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency (42 C.F.R. § 1001.952(ee))
OIG finalized the Care Coordination Arrangements to Improve Quality, Health Outcomes, and Efficiency safe harbor, with modifications from the proposed rule. Although this safe harbor offers significant promise as the only value-based safe harbor that did not require the parties to accept financial risk, the sheer complexity of this safe harbor will make compliance difficult. There are thirteen requirements, many with multiple sub-parts. As with other very complex safe-harbors that the OIG has issued in the past, this safe-harbor may prove to be untenable because it is too expensive and labor intensive to offer realistic protection from AKS risk. Not only are many prospective entities either excluded from participating or severely limited in their participation, but also the few entities that could ultimately participate may find that the transaction costs or risk of non-compliance are too great.
This safe harbor’s 13 requirements include the following:
- Only in-kind remuneration permitted. In particular, the remuneration must be in kind (no cash or cash equivalents) and commercially reasonable; must be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population and does not result in more than incidental benefits to persons outside of the target patient population; and is not exchanged or used more than incidentally for billing or financial management services or for marketing items furnished by the VBE or VBE participant to patients or for recruitment.
- Writing requirements. The arrangement must be set forth in writing and signed by the parties. The writing must state certain requirements, including the value-based purpose(s) of the value-based activities and the offeror’s cost for the remuneration and the reasonable accounting methodology used by the offeror to determine its cost, or the fair market value of the remuneration.
- Termination requirement. If the VBE’s accountable body or responsible person determines, based on the monitoring and assessment that the value-based arrangement has resulted in material deficiencies in quality of care or is unlikely to further the coordination and management of care for the target patient population, within 60 days, the parties must terminate the arrangement or develop and implement a correction action plan that would remedy the deficiencies in 120 days.
- Excluded entities. This safe harbor is not available for the following entities: (i) pharmaceutical manufacturers distributors, and wholesalers; (ii) pharmacy benefit managers (PBMs); (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of devices or medical supplies6, except for limited technology participants; (vi) entities or individuals that sell or rent durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services) except for limited technology participants; and (vii) medical device distributors and wholesalers.
- “Limited technology” participants protected. While this safe-harbor is not available to many entities, it is available to limited technology participants, defined as a VBE participant that exchanges digital health technology with another VBE participant or a VBE that (i) is a manufacturer of a device or medical supply but that is not and does not expect to be obligated to report physician ownership or investment interests under 42 C.F.R. § 403.9067, or (ii) an individual or entity that sells or rents DME, prosthetics, orthotic, or supplies covered by a federal health care program (other than a pharmacy or physician, provider, or other entity that primarily furnishes services).
- Recipient must pay 15% of offeror’s costs. There are a number of other specific requirements adopted in the OIG Final Rule that may have significant industry impacts. For example, contrary to the requests of many commenters, the OIG finalized the requirement that the recipient of the in-kind remuneration must contribute at least 15% of the offeror’s costs of the benefit.
- Outcome or process measures criteria. Further, the OIG requires that the parties to a value-based arrangement establish one or more outcome or process measures that meet certain criteria. In the first criteria, the OIG required that outcome or process measure is anticipated to “advance the coordination and management of care for the target patient population . . . .” In the proposed rule, these criteria were to be measured by “evidence-based, valid outcome measures.” Yet, in the OIG Final Rule, the measurement criterion was changed to “clinical evidence or credible medical or health science support.” In other words, OIG eliminated the requirement that the only appropriate measure is one that focuses on evidence-based, valid outcome measures to a criterion that is much broader and accommodating in scope. OIG noted that the outcomes or process measure requirement is flexible enough to address information technology arrangements and that no separate outcome measures requirement is needed for information technology arrangements. Finally, OIG maintained that outcome and process measures may not be based solely on patient satisfaction or patient convenience.
Value-Based Arrangements With Substantial Downside Financial Risk (42 C.F.R. § 1001.952(ff))
OIG finalized with modification from its proposed rule the Value-Based Arrangements With Substantial Downside Financial Risk where a VBE has assumed or will assume in the next six months through a written contract or value-based arrangement substantial downside financial risk from a payer for a period of at least 1 year. In order for an entity to be protected under this safe-harbor, they would need to adhere to the VBE participant requirements. They would need to accept meaningful downside risk and adhere to the other requirements of this safe harbor. There are many fewer requirements under this safe harbor compared to the care coordination safe harbor. If an entity and its partners are willing to accept financial risk for a target patient population, this particular safe harbor may hold promise.
The safe harbor has eight requirements that include the following:
- Substantial downside financial risk. Substantial downside financial risk means: (i) at least 30 percent of any loss, where losses and savings are calculated by comparing current expenditures for all items and services that are covered by the applicable payer and furnished to the target population to a bona fide benchmark designed to approximate the expected total cost of such care; (ii) 20 percent of any loss where losses and savings are calculated by comparing current expenditures for all items and services furnished to the target population pursuant to defined clinical episode (designed to certain requirements) of care that are covered by the payer to a bona fide benchmark designed to approximate the expected total cost of such care for the defined clinical episode of care; or (iii) the VBE receives from payer a prospective, per-patient payment that is designed to produce material savings and paid on a monthly, quarterly or annual basis for a predefined set of items and services furnished to the target patient population.
- Meaningful share of downside risk. Under requirement (iii) noted above, each VBE participant needs to accept a meaningful share of downside risk in order to receive protection under the safe harbor. Meaningful share means the VBE participant: (i) assumes two-sided risk for at least 5 percent of the losses and savings, as applicable, realized by the VBE pursuant to its assumption of substantial downside financial risk; or (ii) receives from the VBE a prospective, per-patient payment on a monthly, quarterly, or annual basis for a predefined set of items and services furnished to the target patient population, designed to approximate the expected total cost of expenditures for the predefined set of items and services, and does not claim payment in any form from the payer for the predefined items and services.
- Qualified VBE participants. OIG deleted its proposed rule requirements that the remuneration cannot be funded by contributions outside of the VBE. The OIG Final Rule clarifies that this safe harbor protects remuneration only between a VBE and its VBE participants; however, if that VBE or VBE participant exchanges remuneration with parties other than the VBE and a VBE participant (e.g., remuneration exchanged between a third-party donor and a VBE participant or a VBE) such remuneration alone does not disqualify the VBE and VBE participants from this safe harbor’s protection provided all requirements are met.
Value-Based Arrangements With Full Financial Risk (42 C.F.R. § 1001.952(gg))
The new Value-Based Arrangements With Full Financial Risk safe harbor has nine requirements that must be met. Here, too, the protected remuneration must be “directly connected to one or more of the VBE’s value-based purposes.”8 As with the meaningful downside risk safe harbor, if an entity is willing to participate in a VBE that is accepting full financial risk for a defined patient population, then it would be afforded significant protection from AKS risk. While the freedom to participate in innovative value-based arrangements is significant under this safe harbor, that freedom will need to be weighed against the financial risk if the VBE does not achieve its measured goals.
This safe harbor excludes the same parties as the substantial risk safe harbor and requires that the VBE has assumed full financial risk from payer for a period of at least 1 year through written contract or a value-based arrangement (or will within 6 months).
This safe harbor is defined by one main criterion: full financial risk. Full financial riskmeans the VBE is financially responsible on a prospective basis for the cost of all health care items, devices, supplies, and services (items and services) covered by the applicable payer for each patient in the target patient population for a term of at least 1 year. Prospective basismeans that the VBE has assumed financial responsibility for the cost of all items and services covered by the applicable payer prior to the provision of items and services to patients in the target patient population.
Other Safe Harbors and Exceptions
In addition to the three value-based arrangement AKS safe harbors, the OIG Final Rule addresses four additional new AKS safe harbors, four expansions of existing AKS safe harbors, and one new exception to the CMP Law.
Personal Services and Management Contracts and Outcomes-Based Payments Safe Harbor (42 C.F.R. §1001.952(d))
OIG also finalized, with modifications, new protection for outcomes-based payments in the existing safe harbor for personal services and management contracts (paragraph 1001.952(d)(2)). OIG states that the expansion of this safe harbor protects payments tied to achieving measurable outcomes that improve patient or population health or appropriately reduce payer costs. This safe harbor in particular may provide opportunities for health care vendors, consultants, and technology companies. It does not require that the relevant parties accept financial risk, and it does not have the same level of onerous requirements that are found in the care coordination safe harbor. If an entity wishes to engage in an arrangement where they are compensated based upon their assistance in the achievement of a measurable healthcare outcome, this specific safe harbor may offer a regulatorily compliant pathway.
There are a number of requirements and limitations for personal services and management contract and outcomes-based payment arrangements an agent must meet in order to qualify for protection under the safe harbor, including:
- Compensation methodology must be set in advance. Of particular note, OIG finalized a change to this safe harbor’s requirement that the methodology for determining compensation be set in advance—instead of requiring that the aggregate compensation be set in advance. OIG stated the purpose is to enhance flexibility to the health care industry to undertake innovative arrangements, including arrangements that support the transition to value and better coordinated care for patients. OIG further explained that it is possible to meet this requirement by “using an hourly rate or other set, verifiable formula provided that all other conditions of the safe harbor are met,” including that the compensation may not take into account the volume or value of referrals between the parties.9 The point of this adjustment is to allow for flexibility but to mitigate risk of parties periodically updating compensation to reward referrals or to promote unnecessary utilization of services.
- Outcomes-based payment. OIG revised the definition of “outcomes-based payment” to clarify that the payment may be a reward for successfully achieving an outcome measure or a recoupment or reduction in payment for failure to achieve an outcome measure. OIG clarified that to receive a protected outcomes-based payment, the agent must achieve one or more legitimate outcome measure selected based on clinical evidence or credible medical support and with specified benchmarks related to quality of care, a reduction in costs, or both. OIG clarified that the parties must periodically assess and revise benchmarks and remuneration under the agreement as necessary to ensure that any remuneration is consistent with fair market value in an arm’s length transaction).
- Ineligible entities. Under the OIG Final Rule, the same entities that are ineligible for the value-based safe harbors10 are ineligible for the outcomes-based payments safe harbors. OIG states that it may consider outcomes-based contracting for pharmaceutical products and medical device manufacturers in future rulemaking.
- Ineligible remuneration. OIG, finalized its policy that this protection does not apply to payments for internal cost savings for the principal or payments based solely on patient satisfaction or patient convenience measures. OIG clarified that the remuneration may be “between or among” the parties, rather than being limited to remuneration from the principal to the agent. OIG also stated that it is not limiting protection under the safe harbor to a particular list of arrangements or particular types or structures of arrangements or measures.
- Safe-guards finalized. OIG also finalized the proposed requirements related to fair market value, commercial reasonableness, and the volume or value of business, the writing requirement and additional safeguards related to clinical decision-making, stinting on care, a 1-year term, monitoring, and counseling and promotion of unlawful business, as proposed. These terms track the content of the CMS final rule, which we discussed in Part I of this series.
Warranties Safe Harbor (42 C.F.R. § 1001.952(g))
OIG finalized proposed modifications to the existing safe harbor for warranties. OIG finalized, as proposed, revisions to the definition of “warranty” and revised the safe harbor to provide protection for warranties covering not only items, but items and services associated with those items. This is a novel change that could indirectly impact companies that either partner with drug or device manufacturers, or that create medical devices that are reimbursed by federal health care programs. Unlike the value-based safe harbors, no entity type is excluded from this safe harbor.
By expanding this safe harbor, manufacturers will be able to provide warranties for both items and the technology solutions that are associated with those devices. For example, a manufacturer and technology company can warrant that a monitoring device and data analytics technology will achieve a certain outcome. Previously, the provision of technology services associated with the health care item was not covered by protection of the warranty. We expect that many manufacturers will explore how to use this expanded safe harbor in novel ways.
Patient Engagement Tools and Supports Safe Harbor (42 C.F.R. §1001.952(hh))
OIG finalized, with modifications from its proposed rule, a new safe harbor for patient engagement tools and supports furnished by a participant in a VBE to a patient in a target patient population. Specifically, the VBE must connect the provision of tools and supports to the goal of furthering value-based care. In general, entities seeking safe harbor protection for assistance provided to patients should look to the patient engagement and support safe harbor rather than the value-based safe harbors. The safe harbor includes eight requirements, including:
- Ineligible entities. This safe harbor excludes the same ineligible entities list as the three new value-based safe harbors11 but it does not exclude medical device manufacturers, where the patient engagement tool or support is digital health technology. Further, OIG did not change the requirement that only a VBE participant may offer the patient engagement tools and support.
- Eligible recipients. OIG clarified that the protected value of the engagement tool must be offered to a “patient in the target patient population of a value-based arrangement to which the VBE participant is party,” if all other requirements are met.12
- Technology agnostic. OIG noted that their policy is to be agnostic as to the types of in-kind tools and supports that can be protected by the safe harbor, confirming that preventive items or services can be protected under this safe harbor. Thus, OIG deleted previously proposed examples of an in-kind item, good, or service. OIG also noted that vouchers for a particular tool or support, such as a meal voucher, or certain limited-use gift cards would be considered “in-kind” remuneration, but that debit cards, rebate checks and most gift cards are cash equivalents and not protected by the safe harbor. Therefore, OIG stated that the new patient engagement and support tool safe harbor could protect in-kind telehealth supports if the provision of such supports satisfies all of the safe harbor’s conditions and provided an example of a smartphone or a platform that facilitates telehealth services with a patient’s licensed health care professional. OIG further stated that whether multifunctional equipment could meet this exception is a fact specific inquiry that would require that the tool or support advances one of the enumerated goals in the exception. The tool must have a direct connection to the coordination and management of care of the target patient population. Finally, OIG did not finalize its proposal to require a VBE participant to confirm that the tool or support is not duplicative of, or substantially the same as, tools and services the patient already has.
- Monetary cap. Additionally, OIG clarified that the $500 annual monetary cap on the value of patient engagement tools and supports is applied on a per patient basis for each VBE participant, meaning no single VBE participant may individually provide more than $500 in aggregate value to the patient per year.
CMS-Sponsored Models (42 C.F.R. §1001.952(ii))
OIG finalized, with modifications, a new safe harbor (paragraph 1001.952(ii)) for CMS-sponsored model arrangements and CMS-sponsored model patient incentives that would require OIG fraud and abuse waivers. OIG stated that this safe harbor is intended to provide greater predictability and uniformity across models and that it will reduce the need for separate OIG fraud and abuse waivers for new CMS-sponsored models. This safe harbor permits remuneration between and among parties to arrangements under a model or other initiative being tested or expanded by the CMMI under section 1115A of the Social Security Act (“the Act”) or under the Medicare Shared Savings Program under section 1899 of the Act. It also permits remuneration in the form of incentives provided by the CMS-sponsored model participants and their agents under the CMS-sponsored model to patients covered by the model. This safe harbor requires that patient incentives have a direct connection to the patient’s health care and it protects only financial arrangements among, and patient incentives furnished by, parties participating in the CMS-sponsored model. It does not supersede OIG’s existing fraud and abuse waivers for CMS-sponsored models. Existing model waivers will continue in effect in accordance with each set of waiver terms.
Local Transportation (42 C.F.R. § 1001.952(bb))
OIG finalized its proposed modifications to the existing safe harbor for local transportation furnished to beneficiaries. OIG is finalizing, with modifications, changes to expand mileage limits for rural areas (up to 75 miles, an increase from prior limit of 50 miles) and to eliminate mileage limits for transportation to convey patients discharged from inpatient care to their residences after being placed in observation status for at least 24 hours. In the OIG Final Rule, OIG also confirms that the safe harbor is available for transportation provided through rideshare arrangements or through other means of local transportation that may exist in the future.
Accountable Care Organization Beneficiary Incentive Programs Safe Harbor (42 C.F.R. § 1001.952(kk))
OIG finalized its proposal to codify a statutory safe harbor to the definition of “remuneration” under the anti-kickback statute related to an ACO beneficiary incentive program for the Medicare Shared Savings Program. The OIG Final Rule clarifies that an ACO may furnish incentives only to assigned beneficiaries of the ACO. This safe harbor simply codifies a statutory exception that the OIG had already provided to participants in CMS’s Medicare Shared Savings Program. Specifically, providing incentives to ACO beneficiaries who are encouraged to adhere to medically necessary protocols or other goals of the ACO will not be a violation of the AKS or the Beneficiary Inducement CMP.
The main take-away here is that there continues to be an opportunity to engage with providers and beneficiaries who are participating in CMS models and programs, including the Medicare Shared Savings Program. Therefore, if they are contracting with providers who are participants in these models or ACOs, entities can enjoy broad fraud and abuse protection without being a participant itself.
Telehealth for In-Home Dialysis Exception (42 C.F.R. §1003.110)
OIG codified a statutory exception to the definition of “remuneration” in the Civil Monetary Penalty Law for certain telehealth technologies furnished to in-home dialysis patients under Medicare Part B. This safe harbor may provide a pathway for vendors, consultants, and technology companies to furnish telehealth and other technology solutions to providers and patients operating in this space.
This exception allows for the provision of telehealth technologies by a provider of services, physician, or a renal dialysis facility currently providing in-home dialysis, telehealth services, or other ESRD care to the patient or has been selected or contacted by the patient to schedule an appointment or provide services to an individual who is receiving home dialysis paid for under a federal healthcare program if certain requirements are met.
Among these requirements, the telehealth technologies must be furnished by the provider that is currently providing the in-home dialysis, telehealth services, or other end-stage renal disease care to the individual, or has been selected or contacted by the individual to schedule an appointment or provide services; the telehealth technologies are not offered as part of any advertisement or solicitation; and the telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.
“Telehealth technologies.” The exception also defines “telehealth technologies” for purposes of the new provision as “hardware, software, and services that support distant or remote communication between the patient and provider, physician, or renal dialysis facility for the diagnosis, intervention, or ongoing care management.” OIG noted that the final revised definition is broad and technologically agnostic. OIG clarified that telehealth services for purposes of this exception would include virtual ESRD management (e.g., nurse assessment, social worker support, dietician care), patient education, dietary counseling, and monitoring vital signs, as well as other services not listed based on the facts and circumstances of the care being provided. Accepted clinical and care practices for use of telehealth, physician judgment, and patient and caregiver needs and preferences with respect to modalities would be relevant considerations in assessing the telehealth services under this specific condition.
Cybersecurity Technology and Related Services Safe Harbor (42 C.F.R. § 1001.952(jj))
OIG issued a new safe harbor for donations of cybersecurity technology and services. OIG adopted this new safe harbor to protect certain cybersecurity technology and services donations (e.g., to healthcare providers, suppliers, and patients) to implement, maintain, or reestablish effective cybersecurity as long as four conditions are met. Similar to the value-based arrangement protections discussed above, this new safe harbor tracks the content of the CMS final rule. And as stated below with regard to the overlap between the EHR safe harbor and the cybersecurity safe harbor, the cybersecurity safe harbor would be appropriate for a cybersecurity donation that includes a broader suite of products and services that do not have a predominant purpose to protect the EHR because there are fewer requirements under the cybersecurity safe harbor.
OIG defines “cybersecurity” as “the process of protecting information by preventing, detecting, and responding to cyberattacks.” This safe harbor aims to facilitate improved cybersecurity in health care and is available to all types of individuals and entities.
Electronic Health Records Items and Services Safe Harbor (42 C.F.R. § 1001.952(y))
OIG modified the existing safe harbor for electronic health records items and services by removing the prohibition on donation of replacement technology. Specifically, the removal of this prohibition will enable the use of technologies that complement EHRs or that are superior to existing EHR functionalities and meet the existing safe harbor. Although OIG declined to expand the scope of technology covered under the EHR definition, they did clarify that it may be interpreted more broadly than the common understanding of an EHR and that it may include cybersecurity software and services with the predominant purpose of protecting EHRs.
OIG removed the December 31, 2021 sunset date for the safe harbor and did not replace it with any sunset date. Further, the modified EHR safe harbor provides that EHR items and services may be provided to an individual or entity engaged in the delivery of health care, other than a laboratory company, that provides services reimbursed by federal health care programs or is comprised of the types of individuals that provide services reimbursed by federal health care programs or health plans. The requirements also include the following:
- Interoperability requirement. OIG continues to require that software be interoperable by meeting the definition of interoperability or being “deemed” interoperable based on certification. OIG changed the definition of interoperability to be “(A) securely exchange data with and use data from other health information technology; and (B) allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law.” The safe harbor has been changed to state that software is deemed interoperable if on the date it is provided to the recipient, it is certified to the then-applicable version of 45 CFR part 170 when donated. It is notable that OIG did not finalize the proposal requiring that the donor did not engage in information blocking to meet the exception. OIG also removed the prohibition on the donor acting to limit or restrict the use, compatibility, or interoperability of the donated EHR items or services. In explaining this, OIG noted that regulations regarding information blocking are better suited to address this issue. However, we note that not all donors will be subject to information blocking rules.
- Donor Contribution. Additionally, the recipient must continue to pay for 15 percent of donor’s cost for the items and services, but provides that contributions need not be made in advance in all cases.
- Overlap between EHR safe harbor and the cybersecurity safe harbor. OIG also clarified the interaction and overlap between the EHR safe harbor and the cybersecurity safe harbor. Under the EHR safe harbor, cybersecurity software and services with the predominant purpose of protecting EHRs can be protected under the EHR safe harbor provided the donation satisfies all other safe harbor conditions (e.g., an EHR system that includes cybersecurity functions to protect the EHR). The new cybersecurity safe harbor also would remain available for the protection of cybersecurity technology and services if conditions of that safe harbor were met. If a cybersecurity donation were to include a broader suite of products and services that do not have a predominant purpose to protect the EHR, given that OIG did not expand what is covered as an EHR, then parties seeking safe harbor protection may want to evaluate the arrangement in the context of the standalone cybersecurity safe harbor.
- Protected donors. OIG did not expand the scope of protected donors of EHR software by allowing individuals or entities not reimbursed by federal healthcare program entities to rely on the EHR safe harbor.
- Scope of technology that may be donated. Moreover, OIG did not change the definition of “electronic health record” and therefore did not expressly include technology that connects to, amplifies the capabilities, or leverages the data in EHRs to promote coordination and management of care. However, OIG clarifies that the term “repository” in the definition of “electronic health record” carries its common meaning, “A place where something such as data can be stored and managed” and that emerging technologies that leverage EHR data may be protected by the safe harbor, if they are “necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records.”13 Furthermore, OIG now allows for donations of replacement technology, which had been prohibited.