December 8, 2020

By Lori Beam

The new final rules implementing the Physician Self-Referral Statute (the Stark Law) and the Anti-Kickback Statute (AKS) remove the sunsetting provision that would have put a stop to health system donations of electronic health records (EHR) items and services to independent physician practices. So there’s no more need to “implement by midnight Dec. 31, 2021” to qualify; it’s now a permanent exception.

New Exemptions for Cybersecurity

The new final rules also modify the Stark Law and AKS to exempt donations of cybersecurity technology and related services by adding a new cybersecurity technology and related services exception / safe harbor. The rules also expand the existing electronic health records items and services exception / safe harbor to include cybersecurity.

Disclaimers

In these final rules, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) for the Department of Health and Human Services did not remove from the existing electronic health records items and services exception / safe harbor the requirement that the physician practice pay 15% of the cost paid by the health system for donated items or services, as contemplated in 2019 proposed regulations. But, notably, the new cybersecurity technology and services exception / safe harbor does not require the physician to pay for 15% of the donor’s cost.

Specific Exemption Terms

Because of the differences between the Stark Law and AKS, the language of the Stark Law exceptions differs from that of the corresponding AKS safe harbors, but the substance is essentially the same. So, if you meet the Stark Law exception, you should also meet the AKS safe harbor.

Following are the specific terms of offer – the conditions that must be met for a donation arrangement to be exempt from Stark and AKS violation.

Modified Stark Law Exception and AKS Safe Harbor for EHR Items and Services Requirements:

  1. The donation is by an entity (other than a laboratory) to a physician;
  2. The arrangement is made by a written agreement signed by the parties that –
    1. Specifies all items and services the donor agrees to furnish, the donor’s cost and the physician’s 15% share, and
    2. Covers all EHR items and services to be given by the donor or cross references.
  3. The donation consists of a non-monetary donation of software or information technology or training services, which may include cybersecurity software and services, that are necessary and used predominantly to create, maintain, transmit, receive or protect EHR where –
    1. The software is interoperable at the time of donation with interoperability now defined to align with definitions used in the 21st Century Cures Act, and
    2. The items and services do not include staffing of physician offices and are not used primarily to conduct personal business or business unrelated to the physician’s medical practice.

Items and services that replace a physician’s current technology can be donated.

  • The physician pays 15% of the donor’s cost for the items and services with payment due before delivery of the items or services except in certain circumstances, and the donor does not loan or otherwise finance the physician’s share.
  • Neither the physician nor the physician’s practice makes receipt of the items or services (or their amount or nature) a condition of doing business with the donor.
  • Neither the physician’s eligibility for the donation nor their amount or nature are determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties.

New Stark Law Exception and AKS Safe Harbor for Cybersecurity Technology and Related Services Requirements:

  1. The arrangement is documented in writing; it doesn’t have to be signed.
  2. Consists of a non-monetary donation of technology and services that are necessary and used predominantly to implement, maintain, or reestablish cybersecurity where –
    1. “Technology” means any software or other types of information technology including hardware, and
    2. Allows donation of replacement technology.
  3. Neither the physician nor the physician’s practice makes receipt of the items or services (or their amount or nature) a condition of doing business with the donor.
  4. Neither the physician’s eligibility for the donation nor their amount or nature are determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties.
  5. The donor doesn’t shift the costs of donation onto any federal health care program (AKS safe harbor only).

Cybersecurity Technology and Services

Both rules are neutral as to the types or versions of software that may be provided under these exceptions / safe harbors. The commentary to the rules simply states –

  • The cybersecurity technology may include but is not limited to “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption, and email filtering.”
  • The cybersecurity services could include:
    (a) services for developing, installing and updating cybersecurity software
    (b) cybersecurity training services on how to use the cybersecurity technology and how to prevent, detect and respond to cyber threats
    (c) helpdesk services specific to cybersecurity
    (d) business continuation and data recovery services
    (e) cybersecurity as a service models that rely on a third-party service provider to manage, monitor or operate cybersecurity
    (f) cybersecurity risk analysis or penetration test

  • The main caveat is the cybersecurity technology and services must be necessary and used predominantly to implement, maintain, or reestablish cybersecurity. It doesn’t apply to technology or services that predominantly relate to general business or practice operations.

Cannot Take Referrals Into Account to Determine Donations

These modifications for EHR and cybersecurity technology and services offer health systems and independent physician practices ways to ensure access to health care information essential to the delivery of care and to address the growing threat of cyberattacks that infiltrate data systems. Health systems interested in making donations of these types must develop nonreferral-based ways of determining which practices are eligible at what level of donation. Such determinations can be based on size of physician practice, whether the physician is a member of the medical staff and other factors.

Watch for More Alerts

As mentioned in our Health Law Group’s previous client alert, CMS and OIG adopted these final rules as part of their Health and Human Services’ Regulatory Sprint to Coordinated Care initiative to remove regulatory barriers that inhibit innovative arrangements for coordinating care. The regulations go into effect Jan. 19, 2021 – except for one Stark Law change that goes into effect Jan. 1, 2022.

We are breaking down the more than 1,600 pages of regulatory changes through a series of alerts you won’t want to miss. Be on the lookout for additional articles.

This article is general in nature and does not constitute legal advice.

Readers with legal questions should consult the author, Lori Beam (lbeam@sb-kc.com) or any other shareholders in Seigfreid Bingham’s Health Law Group, including Mark Thompson, Joseph Hiersteiner, Mark Gilgus, John Neyens, Heath Hoobing, Mark Opara, and John Fuchs, or your regular contact at Seigfreid Bingham at 816-421-4460.