December 15, 2020

HHS Issues Final Cybersecurity Safe Harbor and Exception

On November 20, 2020, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Centers for Medicare and Medicaid Services (CMS) each released a final rule (the Final Rules). The Final Rules were both formally published in the Federal Register on December 2, 2020. Among other updates, the OIG final rule established a new cybersecurity technology and services donation safe harbor under the Anti-Kickback Statute (the AKS Cybersecurity Safe Harbor[1]), and the CMS final rule established a similar exception to the Stark Law (the Stark Cybersecurity Exception[2]). In this alert, the AKS Cybersecurity Safe Harbor and Stark Cybersecurity Exception are referred to collectively as the Cybersecurity Exception and Safe Harbor.

The Cybersecurity Exception and Safe Harbor protect arrangements that are intended to address the growing threat of cyberattacks impacting the health care ecosystem. Under the Cybersecurity Exception and Safe Harbor, donations of cybersecurity technology and related services are protected, provided that each of the following conditions is met:

  • the donor does not directly take into account the volume or value of referrals or other business generated between the parties.
  • the recipient does not require the donation as a condition of doing business with the donor.
  • the arrangement is documented in writing.[3]

In addition to the above, the AKS Cybersecurity Safe Harbor explicitly provides that:

  • the donor must not condition the donation on future referrals.
  • the written documentation memorializing the arrangement must contain a general description of the technology and services being provided and the amount of the recipient’s contribution (if any).
  • the written documentation must be signed by the parties.[4]
  • the donor must not shift the costs of the technology or services to any federal health care program.

Guidance in the OIG and CMS Preambles to the Final Rules

The OIG and CMS preambles to the Final Rules include helpful guidance points, including the following:

1. Only Non-Monetary Donations Are Covered

Both the OIG and CMS make clear that only non-monetary donations would be covered by the Cybersecurity Exception and Safe Harbor. Reimbursement for costs that the recipient has already incurred will not qualify.

2. Cybersecurity Technology and Services Are Broadly Defined

The Cybersecurity Exception and Safe Harbor are intended to protect the donation of a broad range of technology and services. For purposes of the AKS Cybersecurity Safe Harbor, the OIG has conditionally allowed the donation of technology (broadly defined as any software or other type of information technology) and services that are “necessary and used predominately to implement, maintain, or reestablish effective cybersecurity.”[5]

In adopting the necessary and predominant use standard in its regulation, the OIG recognized that software can have multiple functions. The AKS Cybersecurity Safe Harbor preamble addresses this concept in more detail, noting the following: “software that has multiple functions, one of which is cybersecurity, would not meet the necessary and predominant use standard . . . Conversely, if software has multiple functions but cybersecurity is the predominant function, then that software may be eligible for protection under this safe harbor.”[6]

CMS has adopted the same standards for donated technology and services, with one significant difference: the word “effective” is omitted from the Stark Cybersecurity Exception.[7] This was a deliberate omission, based on CMS’s concern that due to the “strict liability” nature of the Stark Law, requiring “effective cybersecurity” could discourage otherwise legitimate donations because the parties may not have the knowledge to make a determination of the “effectiveness” of cybersecurity technology at the time of the donation or there may be a disagreement regarding whether cybersecurity measures are effective.[8]

A few examples of donation-eligible cybersecurity technology and services (which may be provided by the donor or a third party on the donor’s behalf) are listed below:

  • Locally installed and cloud-based cybersecurity software
  • EHR, devices, and other information technology
  • Patches and updates
  • Cybersecurity training services, such as training recipients on how to:
    • use the cybersecurity technology
    • prevent, detect and respond to cyber threats
    • troubleshoot problems with the cybersecurity technology (for example, “help desk” services specific to cybersecurity)
  • Business continuity software that mitigates the effects of a cyberattack
  • Data recovery services to ensure that a recipient’s operation can continue during and after a cyberattack
  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor or operate cybersecurity of a recipient
  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis or penetration test
  • Cybersecurity hardware (as discussed in more detail below)

3. Cybersecurity Technology Could Include Hardware

Unlike the EHR Donation Safe Harbor and Exception, the Cybersecurity Exception and Safe Harbor do cover the donation of cybersecurity hardware that is necessary and used predominately to implement, maintain or reestablish cybersecurity. Both CMS and the OIG recognize that there could be circumstances where cybersecurity hardware may have other uses (i.e., “multifunctional hardware”), and they continue to be concerned that the donation of such multifunctional hardware poses a risk of fraud and abuse. To address this concern, both CMS and the OIG have noted that the cybersecurity use must predominate and the core functionality must be implementing, maintaining or reestablishing cybersecurity. For example, CMS notes:

Thus, the cybersecurity exception at final §411.357(bb) is applicable to hardware that is necessary and used predominantly to implement, maintain, or reestablish cybersecurity. We agree with the commenters that our program integrity concerns regarding donations of valuable multifunctional hardware are adequately addressed by making the exception available only to donated technology and services [that] are necessary and used predominantly to implement, maintain, or reestablish cybersecurity, and we do not believe that a monetary cap is necessary. As explained in section II.E.2.a. above, donated technology, including hardware, may include other functionality or uses besides cybersecurity. However, the cybersecurity use must predominate and the core functionality of the hardware must be implementing, maintaining, or reestablishing cybersecurity. The hardware must also be necessary for cybersecurity.[9]

The OIG has similarly noted that:

To receive safe harbor protection, donations of such hardware must satisfy all of the conditions of the safe harbor, and specifically the requirement that the hardware be necessary and used predominately to implement, maintain, or reestablish effective cybersecurity. We intend this condition to make donations of multifunctional hardware ineligible for safe harbor protection in most cases, even if such hardware is low-cost, because such donations likely will not satisfy the predominant use condition.[10]

4. The Donation Can Be 100% of Costs

The Cybersecurity Exception and Safe Harbor do not require that donors of cybersecurity technology and services collect a monetary contribution from recipients. From the OIG’s perspective, this “frees up recipients to invest resources in other technology not protected by the safe harbor, such as updating legacy multifunctional hardware that may pose a cybersecurity risk or simply investing in their own computers.”[11]

Donors may still collect monetary contributions “as long as the determination of a contribution requirement, or the amount of the contribution, does not take into account the volume or value of referrals or other business between the parties.”[12]

5. No Limitation on Who Can Be a Donor or, Under AKS, a Recipient

The Cybersecurity Exception and Safe Harbor can protect all donors. Unlike the EHR Donation Safe Harbor and Exception, there are no limitations on the type of individual or entity that can donate cybersecurity technology and services under the Cybersecurity Exception and Safe Harbor. However, all regulatory conditions must still be met for protection to apply. A key policy reason for this breadth is that an overriding need exists to improve the cybersecurity posture of the health care industry. Moreover, both CMS and the OIG concluded that donations of cybersecurity software and related services pose less risk of fraud and abuse than the donation of EHR technology and services because cybersecurity technology and service donations do not facilitate the exchange of clinical information between a recipient referral source and the donor.

The potential beneficiaries covered under AKS are greater in scope than the physicians and group practices covered under the Stark Law. Therefore, it is not surprising that the AKS Cybersecurity Safe Harbor protects all recipients of cybersecurity technology and related services. That is, a recipient under the AKS Cybersecurity Safe Harbor can be any individual or entity, without limitation and without any additional or different safeguards for any recipient.

6. Other Exceptions/Safe Harbors May Apply

The donation of cybersecurity software and services may also be covered under the EHR Donation Safe Harbor and Exception. The EHR Donation Safe Harbor and Exception are more restrictive regarding, for example, eligible donors and recipients, scope of software and services that can be donated, the requirement of a recipient contribution (15%), and the exclusion of hardware. The pre-participation waiver under the Shared Savings programs, and the new AKS Safe Harbors and Stark Law Exceptions related to value-based care, may also apply. Accordingly, any entity donating cybersecurity technology and services needs to consider each of the potentially applicable Safe Harbors and Exceptions in structuring their donation of cybersecurity technology and services. Read more about the EHR Donation Safe Harbor and Exception.

7. Requirements for Written Agreement Are Flexible

As noted previously in this client alert, the Cybersecurity Exception and Safe Harbor require written documentation memorializing the arrangement. Both the OIG and CMS have stressed flexibility regarding how the documentation requirement can be met. The OIG has noted in connection with the AKS Cybersecurity Safe Harbor that the writing does not have to be set forth in a single document. CMS has similarly noted:

We remind stakeholders that the relevant inquiry for determining compliance with the writing requirement at final §411.357(bb)(iii) is whether contemporaneous documents pertaining to the arrangement would permit a reasonable person to verify compliance with the cybersecurity exception at the time that a referral is made (80 FR 71315). We believe that providing parties with the flexibility to document their arrangements in any manner that meets this standard is preferable to detailed mandates that could result in noncompliance with the physician self-referral law due to even a slight departure from the documentation requirement.[13]

Finally, the OIG has also stated that the AKS Cybersecurity Safe Harbor’s writing requirement is not intended to “(i) introduce any fair market value requirement; (ii) force parties to determine the fair market value of the donation; or (iii) compel the parties to hire a valuation consultant.”[14]


  1. You can find the official AKS Cybersecurity Safe Harbor here (with relevant preamble language beginning here).
  2. You can find the official Stark Cybersecurity Exception here (with relevant preamble language beginning here).
  3. AKS Cybersecurity Safe Harbor at 85 FR 77894; Stark Cybersecurity Exception at 85 FR 77682.
  4. AKS Cybersecurity Safe Harbor at 85 FR 77894. In response to a Comment recommending that OIG remove the signature requirement to align with the Stark Cybersecurity Exception, OIG justified its maintenance of the signature requirement in the AKS Cybersecurity Safe Harbor by noting that “[t]he formality of a signed writing serves as an important safeguard by transparently documenting the parties’ donation and formal agreement to any obligations in connection with such donation.” Id. at 77828.
  5. AKS Cybersecurity Safe Harbor at 85 FR 77894 (emphasis added).
  6. AKS Cybersecurity Safe Harbor at 85 FR 77816 (emphases added).
  7. Stark Cybersecurity Exception at 85 FR 77682.
  8. Stark Cybersecurity Exception at 85 FR 77636.
  9. Stark Cybersecurity Exception at 85 FR 77639.
  10. AKS Cybersecurity Safe Harbor at 85 FR 77821.
  11. AKS Cybersecurity Safe Harbor at 85 FR 77826.
  12. AKS Cybersecurity Safe Harbor at 85 FR 77827; Stark Cybersecurity Exception at 85 FR 77642.
  13. Stark Cybersecurity Exception at 85 FR 77642–43.
  14. AKS Cybersecurity Safe Harbor at 85 FR 77828.
