New Stark Law and Anti-Kickback Statute Final Rules: Part 3 – Cybersecurity Donation

Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

This is Part III of this series, and the focus is on the cybersecurity donation Anti-Kickback Statute (“AKS”) safe harbor and Stark Law exception.

Published in the Federal Register on December 2, 2020, the Stark Law Final Rule and the AKS Final Rule offer a lot to digest. Part I of this series provided an overview, as well as the impetus behind the changes – value-based programs and payments. Part II of this series focused more specifically on referrals and fair market value. The final installment of this series is significant because of the subject matter – cybersecurity donations. The focus of meeting the respective exception/safe harbor centers around the value-based enterprise (“VBE”) or value-based arrangement and reducing the risk of cyberattacks.

Let’s begin with the Stark Law’s new cybersecurity exceptions: (1) the newly established exception for donations of cybersecurity technology and related services; and (2) the amended existing exception for electronic health records (EHR) items and services. The cybersecurity donation exception has several elements that must be met, including the following: non-monetary remuneration that relates to cybersecurity technology and related services that are necessary and used predominantly to implement, maintain, and re-establish effective cybersecurity; a written cybersecurity technology donation agreement that does not take into account the volume or value of referrals or other business generated between the parties; and other requirements. Physicians are not required to cost-share in the software or hardware.

The amended existing EHR exception provisions clarify the following items: (1) permitting cybersecurity software and hardware donations (provided that the aforementioned conditions are met); (2) removing the December 31, 2021 sunset provision; (3) modifying the definitions of “EHR” and “interoperable”; (4) modifying the 15 percent physician contribution requirement, but not eliminating it; and (5) permitting select donations of replacement technology.

After considering all of the comments, according to a National Law Review article,

"CMS decided to expand the EHR exception to expressly include cybersecurity software and services so that it is clear that an entity donating EHR software and providing training and other related services may also utilize the EHR exception to protect donations of related cybersecurity software and services to protect the EHR system, provided that all the requirements of the EHR exception are satisfied. In the CMS Final Rule, CMS removed the word “certain” before “cybersecurity software and services” in the introductory paragraph to avoid ambiguity regarding the scope of the EHR exception. CMS indicated that the intent behind this change from the CMS proposed rule was to apply the scope broadly to all related cybersecurity services that would be donated and “necessary and used predominantly” to implement an effective cybersecurity program."

There are several places throughout the Stark Final Rule that address the 15 percent contribution requirement specifically for EHR technology. See 85 Fed. Reg. 77522, 77613.

"Regarding the requirement in the EHR exception that a physician recipient must contribute 15 percent of the donor's cost of the donated items and services, under this final rule, the EHR exception retains the 15 percent cost contribution requirement at § 411.357(w)(4), but there is no cost contribution requirement under the standalone cybersecurity exception at § 411.357(bb). Thus, if parties rely on the exception at § 411.357(w) to protect an arrangement for a donation that includes both electronic health records items and services and related cybersecurity software or services, the physician recipient must contribute 15 percent of the donor's cost for the cybersecurity software or services under § 411.357(w)(4). If parties structure such a donation to satisfy the requirements of § 411.357(w) and § 411.357(bb) respectively, then the physician does not have to pay the 15 percent cost contribution for the cybersecurity software and services if the arrangement related to the cybersecurity software and services satisfies all the requirements of § 411.357(bb). See 85 Fed. Reg. 77613."

There are also two new AKS cybersecurity safe harbors. The first safe harbor, “Cybersecurity Technology and Services,” permits non-monetary donations of certain cybersecurity technology, related services, and associated hardware. A key aspect of this safe harbor is that the donations must be “necessary and used predominantly to implement, maintain, or re-establish effective cybersecurity.” These objectives must be reduced to a writing between the parties, including the scope of the donation, the contribution required by the recipient of the donation, and each party’s responsibilities. One may think of the contribution required by the recipient in terms of the VBE purpose.

The second safe harbor, like its Stark Law counterpart, is more of a modification. The “Electronic Health Records Safe Harbor” finalizes the proposal related to EHR items and services (§ 1001.952(y)) in the following ways, which are discussed in section III.B.9: (1) updating and removing provisions regarding interoperability; (2) removing the sunset provision and the prohibition on donation of equivalent technology; and (3) clarifying protections for cybersecurity technology and services included in an electronic health records arrangement. See 85 Fed. Reg. 77686.

Another vitally important aspect of the AKS Final Rule is the OIG’s statement that donors may not directly take into account the volume or value of referrals or other business generated between the parties, or the amount or nature of the technology or services being donated, when determining the eligibility of a potential recipient for donated technology or services. (§ 1001.952(ee)(5), 42 CFR § 411.357(bb)).

"These safeguards operate to preclude safe harbor protection for abusive arrangements such as a provider churning patients through care settings to capitalize on a reimbursement scheme or otherwise generate revenue and arrangements where VBE participants offer, or are required to provide, remuneration to receive referrals or to be included in a “preferred provider network” (i.e., “pay-to-play” arrangements). See 85 Fed. Reg. 77753."

One notable change between the proposed rule and the Final Rule was the removal of a monetary cap or a mandate that the donation recipient contribute to the overall cost of the cybersecurity technology or services. Although OIG is not requiring a risk assessment, it is incumbent upon each party to ensure HIPAA compliance by conducting an annual risk analysis, signing a BAA, encrypting data at rest and in transit, and making sure workforce members undergo annual training (among other things). Overall, it is notable that the AKS safe harbor provisions are not as generous as the Stark Law exceptions.

In sum, it is crucial to remember that different safe harbors have different requirements, even in relation to referrals based on volume or value and cybersecurity donations. The focus should always be on coordinated care, patient outcomes of a target patient population, and value-based programs. Additionally, as the HIPAA Privacy Rule evolves, it is crucial that entities do not neglect the Security Rule and the requisite technical, administrative, and physical safeguards. Failing to have these in place could run afoul of the Cybersecurity Safe Harbor/Exceptions because the goal is to reduce cyberattacks. If the safeguards are not in place, as various government agencies have stated, persons in the health care sector are particularly vulnerable.
