Electronic Health Records Donations: Proposed CMS And OIG Rules Revise Stark Exception And Anti-Kickback Safe Harbor

by Nossaman LLP

Originally Published in Bloomberg BNA Health IT Law & Industry Report - July 1, 2013.

View PDF

On April 10, 2013, the Centers for Medicare & Medicaid Services (‘‘CMS'') and the Office of the Inspector General of the Department of Health and Human Services (‘‘OIG'') published twin proposed rules that amend and extend the Stark Law exception and antikickback statute (‘‘AKS'') safe harbor for electronic health records (‘‘EHR'').1 The two rules were released in tandem because the exception and safe harbor mirror each other. CMS and the OIG intend for the proposed rules to remain similarly consistent.2

When they become effective, the rules will extend the sunset provision on the two regulations, eliminate the electronic prescribing requirement for EHR systems, and update the ‘‘interoperability'' requirements to conform with the current Office of the National Coordinator for Health Information Technology's (ONC) certification program. The two agencies have also solicited comments on three other proposed changes, discussed further below. 

The Stark Law and the AKS take slightly different approaches in attempting to prevent money from influencing referrals for health care services, particularly those that are reimbursed by Medicare and other federal payor programs. However, because hospitals, health systems and other providers of federally funded health services must implement EHR systems to ensure quality patient care and, in some cases, to benefit from additional federal reimbursement for doing so, such providers necessarily must enter into financial arrangements with their affiliated physicians to ensure that everyone's EHR systems integrate properly and work well within the larger system.

How Do Stark and AKS Impact EHR?

The Stark Law prohibits physicians from referring Medicare patients to an entity with which the physician (or an immediate family member) has a financial relationship, and prohibits that entity from submitting claims to Medicare for services resulting from a prohibited referral.3 The AKS, which is not limited to physician relationships, prohibits offering, paying, soliciting or receiving anything of value to induce or reward referrals or generate federal health care program business.4

Because the government recognizes that hospitals and health systems must incentivize their affiliated physicians to integrate the hospital's or health system's technology into their practices, the agencies promulgated certain criteria to encourage such integration, while attempting to impose limits on the extent to which such transactions can be used for ill-gotten gains.

The Stark Law exception and AKS safe harbor both serve to permit EHR donations if certain safeguards are met, such that an entity will not violate either law if it makes a gift of EHR technology to another entity that refers patients to it.5 A gift of an item of value like an EHR program would normally raise fraud and abuse concerns because it could induce unnecessary referrals or have a corrupting affect on providers and the health care decisions they make for their patients. However, the exemptions were crafted to encourage widespread implementation of EHRs and allow physician groups and other smaller practices to accept gifts of EHR software or programs from other entities to which they might refer patients without running afoul of these laws. The exemptions were designed with sunset provisions because, while the agencies wanted to encourage widespread EHR use, this had to be balanced against the concern of unacceptably long-term remuneration ties between medical providers.

The Current Rules

The Stark Law exception and the AKS safe harbor both currently require the EHR to contain electronic prescribing technology and for the system to be ‘‘interoperable'' (that it communicate with other technology systems and software6). Further, the donor may not limit the use or operability of the EHR or condition the gift on doing business with the donor. Also, the arrangement must be set forth in a written agreement, the software may not be primarily used to conduct business unrelated to the medical practice, and that the recipient must pay a portion (15%) of the cost of items and services provided.

The Proposed Rules

The proposed amendments to the two sets of rules affect the sunset provision, as well as the e-prescribing and ‘‘interoperability'' requirements. Currently, the exception and safe harbor are set to expire Dec. 31, 2013,7 and the agencies propose to extend them until Dec. 31, 2016. Despite the dramatic rise of EHR use since the original rules were put in place, the agencies recognize a need to lengthen the timeframe in order to encourage further adoption of EHR systems. The 2016 date was chosen because it corresponds to the last year entities may receive Medicare EHR ‘‘meaningful use'' incentive payments, and that is the last year they can initiate participation in the Medicaid EHR incentive program. However, the agencies specifically sought comments on the new sunset date because they left open the possibility of extending it further, possibly into 2021.

The amendments change the definition of the meaning of the term ‘‘interoperable.'' In an attempt to reduce fraud and abuse risk, the original rules require the EHR systems to interact smoothly with other software products and systems so that the recipient is not limited to communicating only with the donor, but may instead share patient information with other medical providers (including competitors of the donor). The current provisions deem an EHR system to be interoperable if ‘‘a certifying body recognized by the Secretary has certified the software no more than 12 months prior to the date it is provided to the recipient.''8

The new provision would update that requirement in two ways. First, it would modify the regulation to specifically recognize the ONC as the body responsible for ‘‘recognizing'' ‘‘certifying bodies.'' Second, the provision would remove the 12 month requirement to allow greater flexibility in determining interoperability. The new provision allows for any system to qualify if it was certified as interoperable according to the version of the Certified EHR Technology set forth in 45 C.F.R. part 170 when the system was donated.

The amendments also eliminate the electronic prescribing provision. The current regulations require the donated EHR to contain ‘‘an electronic prescribing component or the ability to interface with the recipient's existing electronic prescribing system, that meets the applicable standards under Medicare Part D.''9 The requirement was originally included because the agencies viewed it as critically important to ‘‘producing the overall benefits of health information technology.'"10 However, since then, Congress has enacted legislation that independently incentivizes providers to implement electronic prescribing,11 and the agencies now believe that there are ‘‘sufficient alternative policy drivers''12 that make the electronic prescribing requirement unnecessary. The agencies have further acknowledged that removing the requirement does not increase the likelihood of fraud or abuse.

Three Other Issues for Comment

The agencies solicited comments on three other proposed changes to the EHR exception and safe harbor: limiting permissible donors, adding provisions to reduce the likelihood of data lock-in, and specifically enumerating the scope of the covered technology.

Regarding donor types, the exemptions are currently very broad: the Stark Law exception applies broadly to any entity donating EHR to any physician, and the AKS safe harbor applies to any entity covered by a Federal health care program or health plan donating EHR to any entity engaged in the delivery of health care. However, since the original rules were adopted, the OIG has learned that, even when donated EHR is interoperable on its face, it can, in some cases, lead to data and referral lock-in.13 As such, the agencies propose to limit the exemptions to donors that have a ‘‘direct and primary patient care relationship and a central role in the health care delivery infrastructure.''14

The agencies particularly seek to exclude donors with a high fraud risk, such as laboratory companies, durable medical equipment (‘‘DME'') suppliers, and independent home health agencies.15 Thus, the agencies propose either to specifically enumerate what donors are protected, or leave the protected category broad but specifically disallow the high risk donors.

The agencies also seek comments on changes that could be made in the regulations to reduce data lock-in and to further encourage the free exchange of data.16 Specifically, the agencies are asking ‘‘what new or modified conditions'' could be added to accomplish those goals, and whether any new conditions should be placed in addition to, or in lieu of, the proposal to limit the scope of permissible donors.17

Lastly, the agencies solicited comments on what kinds of technology should be protected. Currently, the provisions state that protected EHR is ‘‘items and services in the form of software or information technology and training services.''18 The agencies believe the current regulatory text is clear, but in light of some confusion among stakeholders, they seek comments on changes that would make the language clearer.19

Overall Impact of the Proposed Changes

While the nuts and bolts of the Stark Law exception and AKS safe harbor remain the same, the proposed amendments would create some important changes. The extension of the sunset provisions would give donors more time to consider donating, which could lead to an increase in donations, or perhaps smooth out any donation bump that might otherwise have occurred at the end of 2013.

Because providers who receive donated EHR must pay 15% of the donor's costs before receipt, the extension will relieve recipients with budgetary concerns from facing the time-crunch under the current 2013 deadline, which would also likely lead to more providers taking advantage of the EHR exemptions. The broader definition of ‘‘interoperability'' and the removal of the 12-month limit for EHR interoperability certification will also allow for greater flexibility in types of software and programs, which is also likely to lead to more donations.

On the other hand, the new regulations would limit permissible donors. Whether the new rules ultimately enumerate precisely who may donate, or leave the protected category broad and enumerate only those who are specifically disallowed, the likely impact will be to reduce the amount and type of entities that may make protected EHR donations. Hospitals, group practices, Medicare Part D prescription drug plan sponsors, and Medicare Advantage organizations will likely continue to be included, but laboratory companies, DME suppliers, and independent home health agencies probably will not be.20 Who else will fall out of coverage remains to be seen.

Any increase in EHR donations would also likely spur more providers to seek EHR incentive payments from Medicare and Medicaid because, once they have an EHR system, providers have no real down-side to participating in either the Medicare or Medicaid incentive program. The Medicaid program allows for an incentive payment in the first year just for adopting or implementing an EHR. The Medicare program and the Medicaid program after year one require the provider to demonstrate meaningful use and other requirements. Further, providers who meet the Medicare program requirements but choose not to participate will see a reduction in Medicare payments beginning in 2015, which amounts essentially to a penalty for not participating.

For any entity considering making a donation under the Stark Law exception, the donation must precisely satisfy each aspect of the exception so that the financial relationship between the donor and recipient does not taint any referrals from the recipient to the donor for Medicare services. Similarly, in order to benefit from full protection of the EHR AKS safe harbor, the arrangement needs to meet all of its requirements. However, failure to meet an AKS safe harbor does not necessarily make the arrangement illegal under the AKS.

EHR donors and recipients should check the regulations in effect at the time a donation is made, because the regulations are not yet finalized, and the regulatory language is likely to change before the rules are formally adopted.


1 Physicians' Referrals to Health Care Entities: Exception for Certain Electronic Health Records Arrangements, 78 Fed. Reg. 21,308 (proposed Apr. 10, 2013) (to be codified at 42 C.F.R. pt. 411); Electronic Health Records Safe Harbor Under the Anti-Kickback Statute, 78 Fed. Reg. 21,314 (proposed Apr. 10, 2013) (to be codified at 42 C.F.R. pt. 1001).

2 Physicians' Referrals to Health Care Entities: Exception for Certain Electronic Health Records Arrangements, 78 Fed. Reg. at 21,310.

3 42 U.S.C. § 1395nn.

4 42 U.S.C. § 13020a-7b(b).

5 42 C.F.R. § 411.357(w); 42 C.F.R. § 1001.952(y).

6 42 C.F.R. § 1001.952(y) note.

7 42 C.F.R. § 411.357(w)(13); 42 C.F.R. § 1001.952(y)(13).

8 42 C.F.R. § 1001.952(y)(2).

9 Id. at § 1001.952(y)(10); 42 C.F.R. § 411.357(w)(11).

10 Physicians Referrals to Health Care Entities With Which They Have Financial Relationships; Exceptions for Certain Electronic Prescribing and Electronic Health Records Arrangements, 71 Fed. Reg. 45,14, 45,153 (Aug. 8, 2006).

11 The Medicare Improvements for Patients and Providers Act of 2008 (MIPPA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.

12 Physicians' Referrals to Health Care Entities: Exception for Certain Electronic Health Records Arrangements, 78 Fed. Reg. at 21,311; Electronic Health Records Safe Harbor Under the Anti-Kickback Statute, 78 Fed. Reg. at 21,317.

13 Electronic Health Records Safe Harbor Under the Anti-Kickback Statute, 78 Fed. Reg. at 21,318.

14 Id.

15 Id.

16 Id. at 21,318-19.

17 Id. at 21,319.

18 42 C.F.R. § 411.357(w); 42 C.F.R. § 1001.952(y).

19 Electronic Health Records Safe Harbor Under the Anti-Kickback Statute, 78 Fed. Reg. at 21,319.

20 Id. at 21,318.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Nossaman LLP | Attorney Advertising

Written by:

Nossaman LLP

Nossaman LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.