On November 20, 2020, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) each published a final rule (collectively, the Final Rules) that made numerous important changes to the Anti-Kickback Statute and the Stark Law regulations. In the Final Rules, the OIG finalized changes to the electronic health records (EHR) items and services safe harbor under the Anti-Kickback Statute (AKS EHR Safe Harbor). Also in the Final Rules, CMS made parallel changes to the EHR items and services exception to the Stark Law (Stark EHR Exception). The AKS EHR Safe Harbor and Stark EHR Exceptions are referred to collectively as the EHR Exception and Safe Harbor.
While in many respects the changes reflected in the Final Rules are more modest than what was outlined in the October 2019 OIG and CMS proposed rules (Proposed Rules), and do not include the more far reaching changes that were suggested by the June 2018 Request for Information which sought public input on how the Stark Law may impede care coordination, there are significant changes to note. Below is a summary of the key changes made in the Final Rules:
- Sunset Date Eliminated. The December 31, 2021, sunset date for the EHR Exception and Safe Harbor is eliminated. As a result, the EHR Exception and Safe Harbor are now permanent, and can be used to protect donations of EHR items and services in perpetuity.
- The “No Equivalent Technology” Requirement Has Been Eliminated. In order to receive protection under the original EHR Exception and Safe Harbor, the recipient of donated EHR items and services could not possess technology that was “equivalent” to those being donated, leading to differing views on how best to define equivalent. The Final Rules eliminate this requirement. Accordingly, it is now clear that the EHR Exception and Safe Harbor will protect donations of replacement technology.
- 15% “In Advance” Contribution Requirement Remains in Effect for New and Replacement EHRs. Under the original EHR Exception and Safe Harbor, a recipient of a donated EHR had to contribute at least 15% of the cost of the EHR prior to receiving the donated items and services. When the OIG and CMS issued their Proposed Rules, they solicited comments on three alternatives regarding to the original 15% contribution requirement: eliminating or reducing the percentage of contribution required for small or rural practices; reducing or eliminating the 15% contribution requirement for all recipients; or modifying or eliminating the contribution requirement for updates to previously donated EHR software and technology.
In the Final Rules, the OIG and CMS opted for the third alternative and eliminated the requirement that the 15% contribution be paid in advance for updates to previously donated EHR software and technology. CMS clarifies that payments must be made “at reasonable intervals,” however. Accordingly, while the recipients of updates who previously received a subsidy for their underlying EHR technology must still pay the 15% contribution, payment is not required in advance of receiving the update. However, recipients of donated EHR items and services, whether provided as first-time EHR technology or replacement EHR technology, must still pay the required 15% contribution in advance of the initial donation.
- Expanded List of “Protected Donors.” The EHR Exception and Safe Harbor have been revised to expand the list of the types of entities that can be donors. While the original rules required permissible donors to be eligible for enrollment in Medicare or other federal health care programs, the types of entities that are permissible donors under the Final Rules also include those entities comprised of organizations that provide “services covered by a Federal health care program and submits claims or requests for payment, either directly or through reassignment, to the Federal health care program.” The stated intent of this change is to include entities such as parent companies of hospitals, health systems and accountable care organizations (ACOs) as permissible donors.
- Donation of Cybersecurity. CMS and OIG clarified that cybersecurity software and services (with “cybersecurity” now defined in the Final Rules as “the process of protecting information by preventing, detecting, and responding to cyberattacks”) fit within the EHR Exception and Safe Harbor so long as the donated cybersecurity items or services are “necessary and used predominately to … protect health records,” and additionally that all other requirements of the EHR Exception and Safe Harbor are met.
Also within the Final Rules, the OIG and CMS each published a separate new Cybersecurity Technology and Related Services AKS Safe Harbor and Cybersecurity Technology and Related Services Stark Law Exception (collectively, the Cybersecurity Exception and Safe Harbor). It is important to note that the new Cybersecurity Exception and Safe Harbor are broader in scope and do not include all the restrictions contained in the EHR Exception and Safe Harbor. For example, unlike the EHR Exception and Safe Harbor, the Cybersecurity Exception and Safe Harbor: permits the donation of hardware in certain circumstances, and there are no contribution requirements for the software, services and hardware that qualify for donation.
The OIG and CMS recognize the donation of cybersecurity software and services may at times achieve protection under both the EHR Exception and Safe Harbor and the Cybersecurity Exception and Safe Harbors, and otherwise may be protectable only under the Cybersecurity Exceptions and Safe Harbor, depending on the items and services involved. Accordingly, any donation of cybersecurity software, services and hardware will need to be carefully evaluated to determine which of the Stark Law exceptions and AKS safe harbors are applicable.
- Interoperability Requirement. The EHR Exception and Safe Harbor clarify the meaning of “interoperable,” as required for donated EHR items and services. Under the Final Rules, “interoperable” means able to both:
- Securely exchange data with and use data from other health information technology
- Allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law
The EHR Exception and Safe Harbor also clarify the circumstances under which EHR technology will be deemed interoperable. In the Final Rules, CMS and OIG explain that it is deemed interoperable if “on the date it is provided to the recipient, it is certified by a certifying body authorized by the National Coordinator for Health Information Technology (ONC) to certification criteria identified in the then-applicable version of 45 CFR part 170.” It is important to note that ONC-approved certification is not the only way to meet the interoperability standard, although having such certification will provide assurance that software will be deemed interoperable.
- Information Blocking. In the preambles to the EHR Exception and Safe Harbor, both CMS and OIG acknowledge that the recently adopted final rule published by ONC and commonly referred to as the Information Blocking Rule is the more appropriate vehicle to address issues related to information blocking. Accordingly, the Final Rules eliminate the elements of the original EHR Exception and Safe Harbor restricting the donor or anyone on the donor’s behalf from taking any action to limit or restrict the use, compatibility or interoperability of the donated EHR items or services. Such prohibited information blocking conduct will now be regulated under the Information Blocking Rule.