Changes to Stark and Anti-Kickback Regulations Address Technology Advances, Tighten Rules for EHR Contributions, and Promote Cybersecurity

Fraud and abuse regulations have been adapted to meet today’s technology for electronic data, promoting cooperation among health care providers for the exchange of health information and the protection of such information from cyberattacks.

*This is the ninth article in a series analyzing recent updates to the Stark Law and Anti-Kickback Statute and their effects on health care providers.

The final rule published in the December 2, 2020 Federal Register (the Final Rule(s)) updates the existing Stark Law exceptions and AKS safe harbors to address the evolution of technology, provide for greater cybersecurity, and integrate the 21st Century Cures Act provisions related to information blocking and certifications of EHR by the Office of the National Coordinator (ONC). Although most of the changes provide more flexibility and clarity regarding the donation of EHR and Cybersecurity assistance to providers, donors will have stricter requirements to meet with respect to satisfying the mandatory monetary contribution recipients must pay for EHR they receive.

Key Definition Changes

CMS and OIG initially proposed to change the definition of EHR to align with the Cures Act definition for “electronic health information.” However, in the Final Rule, the agencies decided to retain the definition of EHR to mean “the consumer health status information in computer processable form used for the clinical diagnosis and treatment for a broad array of clinical conditions.” The decision to keep this definition was based upon a concern that the proposed definition might be interpreted to expand the scope of the EHR exception. This was not the intention, and so the proposed change to the definition was withdrawn. The decision not to change the EHR definition reinforces the concept that donated EHR software and services are for clinical support in the diagnosis and treatment of patients.

An important element of EHR eligible for donation under the exception and safe harbor is that it provides for interoperability to allow full access, secure exchange, and use of electronically accessible health information between other health information technologies. The definitions essentially remain the same as in prior versions of the regulations, except that the revised definition drops the qualification “without special effort” on the part of the EHR user. The other qualification, which prohibits information blocking, is amended to coincide with the Cures Act, which addresses both information blocking and interoperability certification by the ONC National Coordinator.

Additionally, definitions for ‘Cybersecurity’ were added to the Stark Law and AKS regulations to mean “the process of protecting information by preventing, detecting, and responding to cyberattacks.” The new regulations expand protection for cybersecurity safeguards in EHR software and services. However, the HHS and OIG distinguished EHR and Cybersecurity as separate exceptions and safe harbors in the Final Rule.

The EHR Stark Law Exception and AKS Safe Harbor

Some of the requirements set forth in the prior version of the AKS safe harbor remain the same. However, the Final Rules incorporate the same requirement in the Stark Law exception and make several notable changes.

The requirement that the recipient of donated EHR must contribute at least fifteen percent (15%) of the cost of the EHR is in both rules. However, the new rules clarify that the contribution requirement applies to subsequent donations of EHR, not just the initial donation, thereby precluding a donor from swapping out EHR software and services with no additional cost to the recipient. In addition, the new rules specifically prohibit the donor from financing physician payments or otherwise lending funds for physician recipients to use for their mandated EHR contributions.

Other changes include:

The Cybersecurity Stark Law Exception and AKS Safe Harbor

The Final Rules create a new Stark Law exception and AKS safe harbor for non-monetary donations of cybersecurity technology and related services that are necessary and predominantly used to create or sustain effective cybersecurity. If the cybersecurity functions are integrated into EHR, then the EHR exception and safe harbor apply. The benefit of the Cybersecurity exception and safe harbor is that it does not preclude the donation of hardware technology and does not require a financial contribution by the recipient.

Incorporated in the new cybersecurity provisions are requirements common to other exceptions and safe harbors, specifically:

The AKS safe harbor has an additional requirement that the donor does not shift the costs of the offered technology or services to any Federal health care program.

What This Means to You

The new regulations demonstrate the importance placed by the agencies on the security of health information exchange networks from cyberattacks. Hospitals, physicians and other providers will have broad flexibility in working together to establish a secure infrastructure for the exchange of electronic health data.

Changes to the EHR exception and safe harbor recognize the changes in technology and the interoperability of technology as well as the development of other laws that cover these issues. At the same time, changes in the definition of EHR and clarifications on the fifteen percent (15%) contribution requirement suggest the agencies want to tighten up possible loopholes in the EHR rules based upon a more liberal interpretation of the old regulations. The new rules will be particularly important to consider as EHR systems are updated or replaced.