Update (Feb. 22, 2021):
The final rules discussed in the alert below were given a Jan. 19, 2021,
effective date. Since publication, however, ambiguity with respect to their
effective status was created by two regulatory actions: (1) the
Government Accountability Office concluded that the final rules did not have
a required 60-day delay in their effective date and (2) on Jan. 20, 2021, the
Biden administration paused final rules from the Trump administration from
taking effect. According to an industry publication, CMS has now
clarified its view that the regulations finalized in the final rule are
effective. McGuireWoods will continue to review further guidance from the new
administration to understand if the policies in this final review are
otherwise modified or retracted.

As discussed in a
previous McGuireWoods alert, the U.S. Department of Health and Human Services (HHS) published final
rules expected to be effective Jan. 19, 2021, that significantly amend the
Physician Self-Referral Law (Stark Law) and the federal Anti-Kickback
Statute (AKS). This client alert, the latest in
McGuireWoods’ summary series on these final rules, focuses on changes to
the electronic health records (EHR) items and services exception to the
Stark Law and EHR safe harbor to the AKS. This alert also provides a
summary of a new exception to the Stark Law and a safe harbor to the AKS
related to the donation of cybersecurity software and services.
These changes include the addition of a standalone cybersecurity safe
harbor and exception, and the following changes within the existing EHR
safe harbor and exception: (1) the addition of cybersecurity technology and
services, (2) modernization updates regarding interoperability provisions,
(3) changes to cost-sharing requirements, (4) removal of the replacement
technology donation prohibition and (5) removal of sunset provisions. By
implementing these changes, the Office of the Inspector General (OIG) and
the Centers for Medicare & Medicaid Services (CMS) are allowing more
flexibility around the donation of certain EHR and cybersecurity items and
services, with an overall intent by the OIG to strengthen healthcare
industry defenses against cyberattacks.
The final rules stem from HHS’ Regulatory Sprint to Coordinated Care
(discussed in a
Sept. 26, 2018, client alert), intended to incentivize value-based arrangements and patient care
coordination by expressly permitting certain activities that could be
deemed problematic under current law.
- CMS and OIG added cybersecurity technology and services to the EHR
exception and safe harbor, and added a standalone cybersecurity
technology and related services exception and safe harbor.
CMS and OIG noted that the digitization of healthcare delivery and rules
designed to increase interoperability and data sharing in the delivery of
healthcare create numerous targets for cyberattacks.
CMS and OIG finalized rules providing for the donation of cybersecurity
items and services both within the EHR exception and safe harbor and
through a standalone exception and safe harbor. To qualify under the EHR
exception and safe harbor, such software and services must have the
predominant purpose of protecting electronic health records, particularly
against cyberattacks caused by ransomware and other digital threats. In
contrast, the new cybersecurity exception and safe harbor are broader than
their EHR counterparts and include fewer conditions. For example, the
cybersecurity exception and safe harbor do not share the condition of a 15
percent required contribution from recipients that exists under the EHR
exception and safe harbor. The chart in this alert (see below) summarizes
the key differences between the EHR and cybersecurity exceptions and safe
harbors. CMS and OIG clarified that a party seeking to
protect an arrangement involving the donation of cybersecurity software and
services must comply with only one exception.
As finalized, the cybersecurity exception and safe harbor allow for the
donation of cybersecurity technology (including hardware) and related
services if certain conditions are met:
- The nonmonetary remuneration (consisting of technology and services) is
necessary and used predominantly to implement, maintain or re-establish
cybersecurity. “Cybersecurity” means the process of protecting information
by preventing, detecting and responding to cyberattacks.
- Neither the eligibility of a recipient for the technology or services,
nor the amount or nature of the technology or services, is determined in
any manner that directly takes into account the volume or value of
referrals or other business generated between the parties.
- Neither the physician nor the physician’s practice (including
employees and staff members) makes the receipt of technology or services,
or the amount or nature of the technology or services, a condition of doing
business with the donor.
- The arrangement is documented in writing, which must identify the
recipient, and includes a general description of the item or service
provided, the time frame of donation, an estimated value of the donation
and, if applicable, the recipient’s financial responsibility within the
arrangement.
The final exception and safe harbor will protect certain cybersecurity
hardware donations that meet conditions in the exception and safe harbor,
but it will not require parties to conduct a risk assessment to determine
whether the hardware is reasonably necessary, as contemplated in the
proposed rule, prior to donating hardware. The cybersecurity exception and
safe harbor include hardware that is necessary and used predominantly to
implement, maintain or re-establish cybersecurity.
CMS and OIG have taken a neutral approach toward the types of technology
that can be donated. So long as these technologies comply with the
exception and safe harbor conditions of necessity and predominant use, they
will likely be protected. CMS broadened the definitions of cybersecurity
technology and services by removing the word “effective” to encourage
donations where parties may not have the technical knowledge required to
determine the effectiveness of a software donation. CMS and OIG made it
clear that they will not distinguish between locally downloaded and
cloud-based software, and that both can qualify for protection. Some
examples of donation-eligible items and services include installed and
cloud-based cybersecurity software, EHR patches and updates, and
cybersecurity training services.
- CMS and OIG finalized modernization updates to EHR interoperability
provisions.
The original rules — discussed in an
April 12, 2013, client alert and a
Dec. 24, 2013, client alert — prohibit a donor from taking any action to limit or restrict the use,
compatibility or interoperability of EHR items or services. CMS and OIG
proposed modifications to the requirements that prohibit a donor from
taking any action to limit or restrict the use, compatibility or
interoperability of EHR items or services, in recognition of significant
intervening legal updates in this area. CMS did not finalize a proposed
information-blocking modification and indicated that the Office of the
National Coordinator for Health Information Technology is more qualified to
enforce the prohibition against information blocking.
- OIG expanded the scope of protected donors under the EHR safe harbor.
The OIG final rule expanded the scope of protected donors under the EHR
safe harbor to include certain entities comprised of the types of
individuals or entities that provide services covered by a federal
healthcare program and submit claims or requests for payment, either
directly or through reassignment, to the federal healthcare program. In
addition to the entities currently covered as protected donors, this change
now allows donation from a broader scope of entities that have an indirect
responsibility for patient care (e.g., parent companies of hospitals,
health systems and accountable care organizations). OIG explained that
there is little risk associated with these entities, as they generally do
not directly receive referrals and have existing financial risk for patient
outcomes. OIG declined to expand the list of protected donors to include
all donors.
- CMS and OIG changed the EHR cost-sharing requirements.
CMS and OIG retained the 15 percent contribution requirement for donation
under the EHR exception and safe harbor for all recipients, despite
comments requesting decreased percentages or waived requirements for rural
and small practices. Additionally, CMS and OIG clarified that a recipient
must pay the required cost contribution amount before receiving an initial
donation of electronic health records items and services or a donation of
replacement items and services. However, with respect to items or services
donated after the initial donation or the replacement donation, the final
rule does not require that the cost contribution amount be made in advance,
and allows for such amounts to be paid at reasonable intervals. The
specific example provided for “reasonable intervals” is that a donor could
bill separately for each update or bill the recipient monthly or quarterly
to combine the contribution payments for all updates during a select period
of time.
- CMS and OIG allowed donation of replacement technology.
The current EHR exception and safe harbor do not protect the donation of
replacement technology when the replacement is for “equivalent items or
services.” This prohibition has meant that where a potential recipient has
an EMR, donation of EMR technology may not be protected if it is
“equivalent” — a term that is not clearly defined. In the adopted rules,
CMS and OIG finalized the proposal to permit donations of replacement items
and services by removing the requirement that the donor not have actual
knowledge of, or not act in reckless disregard or deliberate ignorance of,
the fact that the physician possesses or has obtained items or services
equivalent to those provided by the donor. In making this change, CMS and
OIG recognized that the existing prohibition on donation of replacement
items and services effectively locks a physician recipient into a
particular vendor because recipients are forced to choose between paying 15
percent as contribution for donated software that is outdated or subpar,
and paying the full cost of replacement software.
- CMS and OIG eliminated the sunset provisions in the EHR exception and
safe harbor.
The exception and safe harbor concerning EHR items and services originally
were scheduled to sunset on Dec. 31, 2013. In 2013, CMS and OIG extended
the sunset date to Dec. 31, 2021, but retained the idea that this exception
would be obsolete once EHR technology was universal and would then be
eliminated. In the final rules, CMS and OIG removed the sunset provisions,
acknowledging that universality of cybersecurity software has not yet been
achieved nationwide, but continues to be a goal of both CMS and OIG.
With the implementation of these final rules, CMS and OIG removed burdens
on providers, without creating substantial risk of increased fraud and
abuse. While CMS and OIG acknowledged that any donation of valuable
technology poses risks of fraud and abuse, the need to protect the “weak
links” in a healthcare system outweighs these concerns due to the threat of
cyberattacks. Allowing entities to donate cybersecurity technology and
related services to physicians will lead to strengthening of the entire
healthcare ecosystem by increasing interoperability and decreasing the
overall threat posed by cyberattacks.

| | EHR Exception and Safe Harbor | Cybersecurity Exception and Safe Harbor |
|---|---|---|
| What software does it cover? | EHR software that is necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records, expressly including cybersecurity software necessary and used predominantly to protect electronic health records. | Any cybersecurity software that is necessary and used predominantly to implement, maintain or re-establish cybersecurity. |
| What hardware does it cover? | Does not apply to the donation of hardware, even if related to or predominantly used for electronic health records. | Applies to hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity. |
| Does this include replacement technology? | Yes, but only if replacement technology will qualify as necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records. The final rules remove the previous obstacle to this kind of donation. | Yes, but only if replacement technology will qualify as necessary and used predominantly to implement, maintain or re-establish cybersecurity. For example, if the technology being replaced is outdated or poses a cybersecurity risk, replacement technology will fulfill this requirement. |
| What services does it cover? | Services that are necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records. | Services that are necessary and used predominantly to implement, maintain or re-establish cybersecurity. |
| Is donor contribution required? | Yes. All donations require the donor to contribute 15 percent of the value of the donated software. | No. There is no contribution requirement under the exception and safe harbor. However, donors are free to structure arrangements to include contribution and still use the exception and safe harbor. |
| Can donation take into account the volume or value of referrals? | No. | No. |
| Can donation be a condition for doing business with the donor? | No. | No. |
| Must the arrangement be documented in writing? | Yes. | Yes. |
| Is there a deeming provision that can be used to ensure compliance? | Yes. So long as the software donated is NIST-certified at the time of donation, the software qualifies under the deeming provision. | No, CMS and OIG declined to include such a provision in the final rules. |

Contact a McGuireWoods attorney or one of the authors of this alert for
more information regarding these final rules. Given the significance of
these changes, McGuireWoods plans to provide additional analysis and
summaries leading up to the rules’ anticipated Jan. 19, 2021, effective
date.