On November 20, 2020, the Centers for Medicare and Medicaid Services and Office of Inspector General released final rules amending the regulations to the Stark Law and the Anti-Kickback Statute and Beneficiary Inducement Civil Monetary Penalty Law. As part of these final rules, the agencies liberalized the requirements under the existing exception and safe harbor for donations of electronic health record items and services, and created a new exception and safe harbor to allow donations of cybersecurity technology and related services.
On November 20, 2020, the US Department of Health & Human Services (HHS) released final rules amending the regulations to the physician self-referral law (Stark Law) (Stark Rule) and the Anti-Kickback Statute (AKS) and Beneficiary Inducement Civil Monetary Penalty Law (collectively, AKS Rule) in connection with HHS’s Regulatory Sprint to Coordinated Care. As part of the Stark Rule and the AKS Rule, the Centers for Medicare and Medicaid Services (CMS) and HHS Office of Inspector General (OIG) liberalized the requirements under the existing exception and safe harbor for donations of electronic health record (EHR) items and services (EHR Exception and Safe Harbor), and created a new exception and safe harbor for donations of cybersecurity technology and related services (Cybersecurity Exception and Safe Harbor). This On the Subject analyzes the changes to the EHR Exception and Safe Harbor and the new Cybersecurity Exception and Safe Harbor. For additional analysis and insights on the final rules, visit McDermott’s Regulatory Sprint Resource Center.
Modifications to the EHR Exception and Safe Harbor
CMS and OIG originally issued the EHR Exception and Safe Harbor in 2006, protecting certain donations (e.g., licenses and other arrangements for less than the fair market value) of interoperable EHR software or information technology and training services to physicians and other referral sources. By meeting the conditions of the EHR Exception and Safe Harbor, a donor and donation recipient will not violate the Stark Law’s self-referral prohibition or AKS’s prohibition on remuneration to induce referrals of items and services covered by federal health care programs.
Scope of Protected Donors
The current EHR Exception protects donations from entities that provide hospital services and other designated health services, other than laboratory companies, while the current EHR Safe Harbor protects donations from individuals or entities, other than laboratory companies, that provide services covered by a federal health care program and submit claims or requests for payment, either directly or through reassignment, to the federal health care program as well as health plans.
CMS did not change the scope of protected donors for the EHR Exception. OIG, on the other hand, expanded the scope of protected donors to include entities, such as accountable care organizations and health systems, that are comprised of individuals or entities that provide services covered by federal health care programs.
Cybersecurity Software and Services
In the preamble to the Stark Rule and the AKS Rule, HHS clarified that the EHR Exception and Safe Harbor have always protected donations of certain cybersecurity software and services, such as cybersecurity features of the EHR. The agencies amended the EHR Exception and Safe Harbor to explicitly include cybersecurity software and services that protect an EHR as permissible donations, as long as the predominant purpose of the software or service is cybersecurity associated with EHR functions.
Replacement EHR Technology
The agencies removed the current EHR Exception and Safe Harbor condition that the donor not know that the donation recipient possesses EHR items and services equivalent to those included in the donation. This change will allow donors to donate a replacement EHR to referral sources that already have another certified EHR, and addresses comments from physician practices and others that the current condition unnecessarily locks them into an EHR that does not meet their needs.
Recipient Cost Sharing Condition
Currently, the EHR Exception and Safe Harbor require the donation recipient to pay at least 15% of the donor’s cost of donated EHR items and services in advance of receipt of all items and services. In the final rules, CMS and OIG retained the 15% cost contribution requirement for the initial donation (or a donation of replacement items and services) in advance of receipt of the items and services. For items or services donated after the initial donation (or the replacement donation), CMS amended the EHR Exception to require the donation recipient to pay its cost contribution amount “at reasonable intervals,” while OIG amended the EHR Safe Harbor to remove the prepayment requirement for “updates.” It is not clear from the text of the EHR Safe Harbor and the AKS Rule preamble guidance whether OIG uses the term “updates” to limit the types of post-initial donations that can be paid in arrears by the donation recipient to upgrades of existing functionality, bug fixes and similar software maintenance services. In addition, based on the Stark Rule preamble, it is unclear whether CMS intends to except services other than updates from the prepayment condition despite its omission of the term “updates” from the EHR Exception itself.
For example, if a hospital donates the right to access and use a shared EHR instance and EHR implementation services, and subsequently provides ongoing hosting, maintenance and support services on a periodic (e.g., quarterly) basis to a referring physician practice, the plain language of the EHR Exception appears to permit the donor to collect payments in arrears for the periodic services after the initial period of service, rather than collecting payment before the beginning of the service period. However, as noted above, it is unclear whether the agencies would consider such ongoing services to be exempt from the prepayment requirement under the EHR Exception, based on the Stark Rule preamble discussion of “updates” following the initial donation, or under the EHR Safe Harbor, based on its use of the term “updates.”
To be protected under the current EHR Exception and Safe Harbor, donated EHR items and services must be “interoperable.” Donated EHR software is deemed to be interoperable if it has been certified by a certifying body authorized by the HHS Office of the National Coordinator for Health Information Technology (ONC) to a then-applicable edition of the EHR certification criteria under ONC’s Health IT Certification Program.
HHS retained this deeming construct but clarified that the software must have a current certification on the date it is donated. HHS also made editorial changes to align the EHR Exception and Safe Harbor with ONC’s changes to its Health IT Certification Program regulations.
Information Blocking Prohibition
CMS and OIG both removed the third condition of the current EHR Exception and Safe Harbor that prohibits donors (and anyone acting on their behalf) from taking actions to limit or restrict the interoperability of the donated items or services. The condition was designed to prevent data and referral lock-in and to encourage data exchange. In 2016, Congress adopted the 21st Century Cures Act, which prohibits information blocking and authorizes HHS to issue exceptions to the prohibition. ONC issued a final rule in March 2020 to implement the prohibition and establish exceptions to the information blocking prohibition (ONC Final Rule). By removing the condition addressing information blocking, HHS indicated that it will rely on the ONC Final Rule instead of the EHR Exception and Safe Harbor to prevent information blocking. For more information on the ONC Final Rule, see our Special Report.
The specter of a sunset date has loomed over the EHR Exception and Safe Harbor since their creation in 2006. CMS and OIG kicked the can down the road in 2013 but now have removed the sunset provision altogether. The original sunset provision was based on the expectation that the need to protect EHR donations would decrease as EHR use became the standard of practice. The agencies no longer believe that the need to protect EHR donations will disappear as the industry achieves widespread adoption—which the agencies acknowledged has largely happened. HHS explained its change of heart by pointing to new entrants into medical practice, aging EHRs at existing practices, and emerging and improved technologies.
Health systems and other donors of EHR items and services should review their template EHR donation agreements and determine whether to make changes to take advantage of the more favorable conditions of the amended EHR Exception and Safe Harbor. While donors may choose to delete provisions specifically addressing the sunset date, they should consider adding or retaining a more general provision addressing changes in law. Donors should also consider updates to the template donation agreement to address information blocking concerns under the ONC Final Rule. For more information about the information blocking provisions of the ONC Final Rule and their implications for EHR donation agreements, see our On the Subject.
Creation of Cybersecurity Exception and Safe Harbor
In addition to clarifying that the EHR Exception and Safe Harbor permit certain cybersecurity donations, CMS and OIG created the Cybersecurity Exception and Safe Harbor to protect the donation of certain cybersecurity technology and related services. The Cybersecurity Exception and Safe Harbor are intended to help improve the health care industry’s overall cybersecurity posture by permitting donations to address the growing cyber threats that the industry faces.
CMS and OIG appear to have used the EHR Exception and Safe Harbor conditions as a starting point for the Cybersecurity Exception and Safe Harbor and then removed certain conditions.
Covered Technology and Services
The Cybersecurity Exception and Safe Harbor permit the donation of cybersecurity technology and related services. CMS and OIG defined “cybersecurity” to mean “the process of protecting information by preventing, detecting, and responding to cyberattacks,” based on the definition included in the Framework for Improving Critical Infrastructure Cybersecurity of the National Institute of Standards and Technology. The agencies defined the term broadly to avoid unintentional limitations on what may be donated and obsolescence with the passage of time.
The agencies also broadly defined “technology” to mean “any software or other types of information technology.” The definition is intended to be agnostic to the type of cybersecurity technology and broad enough to cover technology that is neither software nor a service as those terms are generally conceived, such as application programming interfaces. Unlike the EHR Exception and Safe Harbor, the Cybersecurity Exception and Safe Harbor do not exclude certain hardware from the definition of technology that may be donated. However, the agencies will only permit hardware donations if the hardware is not integrated with multifunctional equipment and, as discussed below, is used predominantly to implement, maintain or reestablish effective cybersecurity.
Necessary and Used Predominantly for Effective Cybersecurity
The donated technology and related services must be necessary and used predominantly to implement, maintain or reestablish effective cybersecurity. Accordingly, the core function of the donation must be to protect information by preventing, detecting and responding to cyberattacks. The table below identifies examples of technology and services that could meet this condition, according to the agencies:
Potentially Protected Technology:
- Software that provides malware prevention
- Software security measures to protect endpoints that allow for network access control
- Business continuity software that mitigates the effect of cyberattacks
- Data protection and encryption
- Email traffic filtering

Potentially Protected Services:
- Any services associated with developing, installing and updating cybersecurity software
- Any kind of cybersecurity training services
- Any kind of cybersecurity services for business continuity and data recovery services to ensure that the recipient’s operations can continue during and after a cyberattack
- Any services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis or penetration test
The agencies also offered the following examples of donations not protected by the Cybersecurity Exception and Safe Harbor: installation or improvement of physical safeguards (such as upgraded wiring or high security doors), and donations of technology and services with multiple general uses outside of cybersecurity, such as general help desk services.
Does Not Directly Take into Account Volume or Value of Referrals
The first condition of the Cybersecurity Exception and Safe Harbor prohibits the donor from directly taking into account the volume or value of referrals or other business generated between the parties when determining either the eligibility of a potential recipient for the donation or the amount or nature of the donation. The first condition of the Cybersecurity Safe Harbor also expressly prohibits the donor from conditioning the donation, or the amount or nature of the donation, on future referrals.
Notwithstanding this condition, the agencies acknowledged that donors will provide cybersecurity technology and services to individuals and entities that connect to their systems, which would include those that refer to the donor or receive referrals from the donor. The agencies noted that this condition does not require a donor to make donations to every individual or entity that connects to its systems, and permits certain selective criteria as long as the criteria do not directly take into account referrals or other business generation.
Unlike the corresponding condition in the EHR Exception and Safe Harbor, the Cybersecurity Exception and Safe Harbor do not include a deeming provision that identifies certain selection criteria that would automatically be determined to meet the condition. The agencies stated that they do not believe that cybersecurity donations present the same types of risks as EHR donations (because cybersecurity donations are further removed from referrals than EHR donations) and that therefore a list of selection criteria is unnecessary.
Donation Not a Condition of Doing Business with Donor
The second condition of the Cybersecurity Exception precludes the donation recipient (including the referring physician, the physician’s practice, or the practice’s employees and other staff) from making a cybersecurity donation, or the amount or nature of the donated technology or services, a condition of doing business with the donor. Similarly, the Cybersecurity Safe Harbor does not permit the donation recipient or the recipient’s practice (or any affiliated individual or entity) to make the donation, or its amount or nature, a condition of doing business with the donor.
No Cost Sharing Condition
Unlike the EHR Exception and Safe Harbor, the Cybersecurity Exception and Safe Harbor do not require that the recipient pay any of the costs (e.g., 15%) of the donation and do not limit the scope of potentially protected recipients. OIG noted that donations may be made to patients under the EHR Safe Harbor. Donors are free to require recipients to contribute to the cost, however, as long as the determination of a contribution amount does not take into account the volume or value of referrals or other business generation between the parties.
Both agencies require the donation arrangement to be documented in writing. OIG additionally requires that the writing be signed, and specifies that the writing must include a general description of the donated technology and services.
When crafting donation agreements, donors should review their license agreements for cybersecurity software to ensure that they have rights to extend the software to third parties.
Donors should also carefully consider the addition of limitations of liability and other commercial terms to a donation agreement to protect the donor from claims that the donated technology and services failed to fully protect the donation recipient or third parties from a cyberattack.
Additional Safe Harbor Condition
The Cybersecurity Safe Harbor also precludes the donor from shifting the cost of the donated cybersecurity technology or services to any federal health care program. Accordingly, the donation should not be included in a reimbursable cost center on a Medicare or Medicaid cost report.
The new Cybersecurity Exception and Safe Harbor are broader and include fewer conditions than the EHR Exception and Safe Harbor for purposes of cybersecurity technology and related service donations, and provide a useful pathway for hospitals and other donors to protect their systems through donations to connected recipients.
Please do not hesitate to contact your regular McDermott lawyer or any of the authors of this On the Subject if you have questions or need assistance with your EHR or cybersecurity donation arrangements. For more information on the various elements of these final rules, please refer to our Regulatory Sprint Resource Center.
The authors wish to thank McDermott Will & Emery law clerk Allyn Rosenberger for her contributions to this article.