This is the second in a series of client alerts on the collaborative effort between the Department of Health and Human Services Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS), which each published final updates to regulations interpreting the Anti-Kickback Statute (AKS) and the federal physician self-referral law (Stark) on Dec. 2, 2020 (the Updated Rules).[1] Among the changes in these Updated Rules were two important updates related to healthcare technology. First, the OIG and CMS, respectively, established a new AKS safe harbor and a new Stark exception permitting the donation of cybersecurity technology. Second, the OIG and CMS made changes to the existing AKS safe harbor and Stark exception permitting the donation of electronic health records (EHR) items and services. Both of these changes, discussed in more detail below, will go into effect on Jan. 19, 2021.

Cybersecurity Donation

Donation of cybersecurity technology and services will now be possible once the Updated Rules become effective. According to CMS in the Stark regulatory commentary, the cybersecurity exception was created because CMS believed that:

Establishing such an exception will help improve the cybersecurity posture of the health care industry by removing a perceived barrier to donations of technology and services that address the growing threat of cyberattacks that infiltrate data systems and corrupt or prevent access to health records and other information essential to the delivery of health care. . . The risks associated with a cyberattack on a single provider or supplier in an interconnected system are ultimately borne by every component in the system. Therefore, an entity wishing to protect itself by preventing, detecting, and responding to cyberattacks has a vested interest in ensuring that the physicians with whom the entity exchanges data are also able to prevent, detect, and respond to cyberattacks, particularly where the connections allow the physicians to establish bidirectional interfaces with the entity, which inherently present higher risk than connections that permit physicians ‘‘read-only’’ access to the entity’s data systems.[2]

Permissible Cybersecurity Technology and Services

Care was taken by the regulators to remain technology-neutral in terms of what types of cybersecurity technology were permissible to donate under the Updated Rules, in which cybersecurity “technology” was broadly defined as “any software or other types of information technology.”[3] CMS noted in the Stark commentary that the types of permissible technology that may be donated under the cybersecurity exception include but are not limited to “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption, and email traffic filtering.”[4]

Donation of cybersecurity services is also permissible under the Updated Rules. CMS noted in the Stark regulatory commentary that the exception included a broad range of cybersecurity services, including:

• Services associated with developing, installing, and updating cybersecurity software;
• Cybersecurity training services;
• Cybersecurity services for business continuity and data recovery services;
• “Cybersecurity as a service’’ models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;
• Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or
• Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.[5]

However, the Updated Rules also provide that any donated cybersecurity technology and services must be nonmonetary. CMS also acknowledges in the Stark regulatory commentary that “although donated technology or services may have multiple uses, the cybersecurity exception only applies to technology and services that are necessary and used predominantly to implement, maintain, and reestablish cybersecurity” and therefore could not be used to provide general help desk services, for example.[6] In addition, the Updated Rules do not require any type of cost-sharing contribution from the recipient as part of the permitted cybersecurity donation.

Recipient Selection

The Updated Rules provide that neither the eligibility of a physician for the donated cybersecurity technology or services nor the amount or nature of the technology or services should be determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties. In addition, the Updated Rules further provide that receipt of cybersecurity technology or services cannot be a condition of doing business with the donor.

Written Documentation

Under the AKS regulations, the cybersecurity donation safe harbor requires a signed, written agreement. However, under the Stark exception, only some form of the written documentation evidencing the arrangement needs to be obtained. That form must identify the recipient of the donation and include a general description of the cybersecurity technology and services; the time frame of donations made under the arrangement; a reasonable estimate of the value of the donation(s); and, if applicable, the recipient’s financial responsibility for some (or all) of the cost of the cybersecurity technology and related services that are provided by the donor (although such cost-sharing is not required under the regulations). However, the Stark regulations do not require that the donor and recipient document their arrangement in a formal signed contract as part of the exception. Instead, CMS notes in the Stark commentary that the written requirement of the exception will be satisfied if contemporaneous documents exist that would permit a reasonable person to verify compliance with the exception at the time that a donation is made.

EHR Donation

Under the AKS and Stark, there are also parallel exceptions or safe harbors that protect arrangements in which entities donate EHR items and services to certain providers. These exceptions were originally created as temporary allowances to encourage healthcare providers to adopt and use EHR technology. As a result, the exceptions originally contained sunset provisions ending the exceptions at the end of 2021. However, pursuant to the Updated Rules, both CMS and the OIG have agreed there are legitimate reasons to permit ongoing donations of EHR items and services, and they elected to eliminate the sunset provision altogether.[7] We have summarized some of the key highlights from the Updated Rules related to the EHR donations below and have also included a chart that sets forth some of the key changes regarding EHR donations from the Updated Rules to the current Stark and AKS regulations.

Donation of Replacement or Equivalent Technology

The AKS and Stark regulations previously prohibited donations of replacement EHR technology when the recipient already had equivalent technology. This requirement created numerous regulatory obstacles for providers who felt locked in and unable to switch systems if it meant having to pay the entire amount for a different but functionally equivalent replacement, which was unaffordable for many providers. It was also difficult to determine whether the technology being replaced was truly “equivalent.” Notably, the Updated Rules removed this prohibition on donating EHRs to recipients who had equivalent technology because the regulators recognized that “there may be valid business or clinical reasons for a physician recipient to replace an entire electronic health records system rather than update existing items and services, even if the existing software meets current certification criteria and does not pose a threat to patient safety.”[8] Thus, this regulatory requirement will no longer be an obstacle when it is eliminated upon the Updated Rules taking effect on January 19, 2021.

Clarification Regarding the 15 Percent Contribution Requirements

The AKS and Stark law have always required that the recipient of the EHR technology must contribute 15 percent of the cost of the donated EHR. In 2019, CMS and the OIG solicited comments on the possibility of removing the 15 percent contribution requirement for some or all recipients. While the Updated Rules revise the language regarding the cost-sharing requirement, the Updated Rules still require recipients to pay the 15 percent contribution for all initial and subsequent donations of EHR items and services. The only effective change is that the Updated Rules will permit recipients to make payments for subsequent donations (e.g., for system updates and maintenance services) at reasonable intervals instead of having to pay the contribution prior to receipt.[9] However, under the Updated Rules, recipients must still pay an initial contribution amount prior to initial donations, as it was under the prior rules.

Applicability to Physician Organizations

Also, although the verbiage in the Stark regulations only refers to EHR donations to “physicians,” CMS’ commentary in the Updated Rules confirms that physician organizations may pay the contribution portion for individual physicians. The commentary provides that the physicians stand in the shoes of the practice with regard to such donations, and so a donation to a group practice creates a compensation arrangement between each individual physician and the donor of the EHR items and services. Although the Stark law applies directly to each compensation arrangement created between the donor and the individual physician recipients, CMS explained that “[t]he required contribution amount may be paid by each individual physician or on behalf of the physicians by the physician organization.”[10]

Elimination of Information-Blocking Provision

Previously, AKS and Stark required that the donor not take any action to limit or restrict the use, compatibility or interoperability of the donated EHR to fit within the exception or safe harbor. Pursuant to the Updated Rules, CMS and the OIG removed this requirement because they found that newer, separate authorities from new rules adopted by the Office of the National Coordinator for Health Information Technology (ONC) provide better guidance on information blocking.[11] Although the Updated Rules removed these provisions, the regulators made clear that ONC’s rules on information blocking still apply to the donor and the recipient.

Donation of Cybersecurity

The Updated Rules also provide that cybersecurity software and services may be included as part of the EHR donation as long as they are necessary and used predominantly to protect health records. The Updated Rules define cybersecurity to mean “the process of protecting information by preventing, detecting, and responding to cyberattacks.”[12]

[1] 85 Fed. Reg. 77492 (Dec. 2, 2020); 85 Fed. Reg. 77684 (Dec. 2, 2020).
[2] 85 Fed. Reg. at 77630-77631.
[3] Id. at 77682; see also 85 Fed. Reg. at 77894.
[4] Id. at 77632.
[5] Id.; see also 85 Fed. Reg. at 77816 n.92.
[6] Id.
[7] Id. at 77613; see also 85 Fed. Reg. at 77830.
[8] Id. at 77619; see also 85 Fed. Reg. at 77835.
[9] Id. at 77616; see also 85 Fed. Reg. at 77833.
[10] See id. at 77618 (emphasis added). There is no parallel applicability issue in the AKS EHR donation safe harbor because it has always permitted donations to “individuals” and “entities.” See 42 C.F.R. § 1001.952(y)(1)(i).
[11] See id. at 77610; see also 85 Fed. Reg. at 77831-77832.
[12] Id. at 77657; see also 85 Fed. Reg. at 77830.