On October 17, 2019, the Department of Health and Human Services (HHS) published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe-harbors and exceptions to the Physician Self-Referral (PSR) Law, known commonly as the Stark Law (AKS proposed rule available here; PSR proposed rule available here). In an earlier blog post, we described each of the proposed rules. Among the proposed changes are a new safe harbor/exception that would generally permit entities to donate certain cybersecurity technology and related services to physicians, subject to compliance with the conditions described below. In the preamble to each proposed rule, the HHS Office of Inspector General (OIG) (which published the AKS proposed rule) and the Centers for Medicare and Medicaid Services (CMS) (which published the PSR proposed rule) noted that cyber-attacks in the health care industry are on the rise and cybersecurity technology can be cost-prohibitive for some providers. Both OIG and CMS stated their hope that the proposed rules will improve overall cybersecurity in the health care industry and reduce instances of data breaches resulting from cyber-attacks.
The proposed safe harbor/exception protects non-monetary donations of “cybersecurity” “technology” and related services. The AKS and PSR proposed rules define cybersecurity and technology as follows:
“Cybersecurity” is the process of protecting information by preventing, detecting, and responding to cyber-attacks.
“Technology” is software or other types of information technology other than hardware.
The OIG and CMS each described taking an expansive view of what qualifies as cybersecurity technology and related services, but neither the AKS safe harbor nor the PSR exception would protect the donation of technology or services that have multiple, general uses outside of cybersecurity. Examples highlighted in the preambles of technology that would be protected by the safe harbor/exception include malware prevention, business continuity and encryption software. Services that the safe harbor/exception would protect include risk assessments, installation of cybersecurity software and cybersecurity or business continuity as a service.
While the AKS and PSR proposed rules would protect the same types of donations, the conditions that would have to be met differ between the two.
AKS Proposed Safe Harbor
The proposed AKS safe harbor contains five conditions that would have to be met:
- The technology and services must be necessary and used predominantly for cybersecurity.
- The donor must not consider the volume or value of referrals or other business in determining eligibility for a donation or condition the donation on any future referrals or business.
- The recipient must not make receipt of a donation a condition of doing business with the donor.
- The agreement must be in writing, signed by the parties, and detail the technology and any services provided to the recipient.
- The donor must not shift the costs of any technology or services to any Federal health care program.
PSR Proposed Exception
The proposed PSR exception contains four conditions that would have to be met:
- The technology and services must be necessary and used predominantly for cybersecurity.
- The donor must not consider the volume or value of referrals or other business in determining eligibility for a donation or condition the donation on any future referrals or business.
- The recipient must not make receipt of a donation a condition of doing business with an entity.
- The arrangement must be documented in writing.
Notably, neither the PSR exception nor the AKS safe harbor would require the donor to contribute any portion of the donor’s cost.
The OIG and CMS are clear that the proposals would not protect the donation of hardware; however, they are seeking comment on whether certain cybersecurity hardware donations should be permitted.
Cybersecurity threats are an ever-growing issue in the health care industry. These exceptions represent an effort by HHS to modernize the fraud and abuse laws to allow providers to receive good-faith assistance in combating new threats to their data.
CMS and OIG are soliciting feedback on their respective proposed rules; comments must be received by 5:00 p.m. on December 31, 2019.
This post was co-authored by Nathaniel Arden and Michael Lisitano. Michael is a legal intern at Robinson+Cole and not yet admitted to practice law.
This post is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.