New Sprint Regulations Encourage Investment in EHR and Cybersecurity Technology
On December 2, 2020, under the Trump Administration's "Regulatory Sprint to Coordinated Care" initiative, the Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) published final regulations and commentary (the Sprint Regulations), reinterpreting key aspects of the federal physician self-referral law (Stark Law) and anti-kickback statute (AKS).
Among the many changes, broadly intended to promote care coordination, are meaningful efforts to promote technology that both enables free information exchange and safeguards the integrity of the healthcare ecosystem. As we wrote when the agencies issued the proposed Sprint Regulations,1 the measures reflect a prescient recognition that integrating healthcare providers can be vulnerable without investing in what the agencies call "cybersecurity hygiene."
To that end, the final Sprint Regulations (i) modify the existing Stark Law exception and AKS safe harbor for the donation of electronic health record (EHR) technology and services, and (ii) ratify a new Stark Law exception and AKS safe harbor for the donation of cybersecurity technology and related services.
Despite the fundamental differences in the Stark Law and the AKS, CMS and OIG collaborated to promote consistency between the respective exceptions and safe harbors to minimize the compliance burden associated with EHR and cybersecurity donation and further their overarching goal of removing unnecessary barriers to coordinated care.
Revisions to the Stark Law Exception and AKS Safe Harbor for Donations of EHR Software and Services
The healthcare industry long has struggled to facilitate the widespread adoption of interoperable EHR. In August 2006, CMS and OIG finalized a Stark Law exception and an AKS safe harbor, respectively, for certain arrangements involving the donation of interoperable EHR software and information technology and training services.2 The initial EHR donation exception and safe harbor were scheduled to expire on December 31, 2013.
In December 2013, CMS and OIG published final rules extending the expiration dates to December 31, 2021, excluding laboratories, and updating the provisions under which EHR software is deemed interoperable (Deeming Provision).
In the Sprint Regulations, CMS and OIG finalized parallel updates to this exception and safe harbor, reinterpreting concepts around interoperability and data lock-in, clarifying that donations of certain cybersecurity software and services are permitted under the EHR donation exception, removing the sunset provision, and relaxing one aspect of the 15 percent recipient contribution requirement.
Under the EHR donation exception and safe harbor, as amended by the Sprint Regulations, donations of nonmonetary remuneration (consisting of software and related services) that are necessary and used predominantly to implement, maintain, or reestablish effective electronic health records are protected if all of the following conditions are met (conditions unique to each law are designated below):
- 1. Stark: The items and services are provided to a physician by an entity that is not a laboratory company.
AKS: The items and services are provided to an individual or entity engaged in the delivery of healthcare by:
- (i) An individual or entity, other than a laboratory company, that provides services covered by a federal healthcare program and submits claims or requests for payment, either directly or through reassignment, to the federal healthcare program, or is comprised of such individuals or entities; or
- (ii) A health plan.
- 2. The software is interoperable at the time it is provided to the physician/recipient. Software is deemed to be interoperable if, on the date it is provided to the physician/recipient, it is certified by a certifying body authorized by the Office of the National Coordinator for Health Information Technology (ONC) to an edition of the certification criteria identified in the then-applicable version of 45 CFR part 170.
- 3. Stark:
- (i) Before receipt of the initial donation of items and services or the donation of replacement items and services, the physician pays 15 percent of the donor's cost for the items and services.
- (ii) For items and services received from the donor after the initial donation of items and services or the donation of replacement items and services, the physician pays 15 percent of the donor's cost for the items and services at reasonable intervals.
- (iii) The donor (or any party related to the donor) does not finance the physician's payment or loan funds to be used by the physician to pay for the items and services.
AKS: The recipient pays 15 percent of the donor's cost for the items and services, subject to the following conditions:
- (i) If the donation is the initial donation of EHR items and services, or the replacement of part or all of an existing system of EHR items and services, the recipient must pay 15 percent of the donor's cost before receiving the items and services. The contribution for updates to previously donated EHR items and services need not be paid in advance of receiving the update; and
- (ii) The donor (or any affiliated individual or entity) does not finance the recipient's payment or loan funds to be used by the recipient to pay for the items and services.
- Neither the physician/recipient nor the physician's/recipient's practice makes the receipt of items or services or the amount or nature of the items or services a condition of doing business with the donor.
- 4. Neither the eligibility of a physician/recipient for the items or services nor the amount or nature of the items or services is determined in a manner that directly takes into account the volume or value of referrals or other business generated between the parties. The determination is deemed not to directly take into account the volume or value of referrals or other business generated between the parties if any one of the following conditions is met:
- (i) The determination is based on the total number of prescriptions written by the physician/recipient (but not the volume or value of prescriptions dispensed or paid by the donor or billed to the program);
- (ii) The determination is based on the size of the physician's/recipient's medical practice (for example, total patients, total patient encounters, or total relative value units);
- (iii) The determination is based on the total number of hours that the physician/recipient practices medicine;
- (iv) The determination is based on the physician's/recipient's overall use of automated technology in his or her medical practice (without specific reference to the use of technology in connection with referrals made to the donor);
- (v) The determination is based on whether the physician/recipient is a member of the donor's medical staff, if the donor has a formal medical staff;
- (vi) The determination is based on the level of uncompensated care provided by the physician/recipient; or
- (vii) The determination is made in any reasonable and verifiable manner that does not directly take into account the volume or value of referrals or other business generated between the parties.
- 5. The arrangement is set forth in a written agreement that:
- (i) Is signed by the parties;
- (ii) Specifies the items and services being provided, the donor's cost of the items and services, and the amount of the physician's/recipient's contribution; and
- (iii) Covers all of the electronic health records items and services to be provided by the donor (or any affiliate). This requirement is met if all separate agreements between the donor and the physician/recipient (and affiliated parties) incorporate each other by reference or if they cross reference a master list of agreements that is maintained and updated centrally and is available for review by the Secretary upon request. The master list must be maintained in a manner that preserves the historical record of agreements.
- 6. The donor does not have actual knowledge of and does not act in reckless disregard or deliberate ignorance of the fact that the physician/recipient possesses or has obtained items or services equivalent to those provided by the donor.
- 7. For items or services that are of the type that can be used for any patient without regard to payer status, the donor does not restrict or take any action to limit the physician's/recipient's right or ability to use the items or services for any patient.
- 8. The items and services do not include staffing of the physician's/recipient's office and are not used primarily to conduct personal business or business unrelated to the physician's/recipient's clinical practice or clinical operations.
- 9. AKS: The donor does not shift the costs of the items or services to any federal healthcare program.
The EHR donation exception and safe harbor each require the donated software to be interoperable.3 Historically, CMS and OIG defined "interoperable" to mean "able to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings; and exchange data such that the clinical or operational purpose and meaning of the data are preserved and unaltered."4
In the proposed Sprint Regulations, the agencies proposed to update the definition of "interoperable" to align with the statutory definition of "interoperability" added by the 21st Century Cures Act (Cures Act) to the Public Health Services Act (PHSA). Specifically, the agencies proposed to define "interoperable" to mean:
- (i) Able to securely exchange data with and use data from other health information technology without special effort on the part of the user;
- (ii) Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable state or federal law; and
- (iii) Does not constitute information blocking as defined in section 3022 of the PHSA.
In the final Sprint Regulations, the agencies finalized some but not all of these proposed changes, redefining "interoperable" to mean:
- (i) Able to securely exchange data with and use data from other health information technology; and
- (ii) Allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable state or federal law.5
In commentary, the agencies explain that they omitted the third subparagraph related to information blocking in deference to significant federal government action elsewhere defining and regulating conduct characterized as "information blocking," including recent publication of final rules by the Office of the National Coordinator for Health Information Technology (ONC) implementing the Cures Act.6 The agencies omitted the phrase "without special effort on the part of the user" in the first subparagraph because ONC uses similar language in conditions of certification in the Cures Act, and the agencies wanted to avoid any implication that they were incorporating a certification requirement into their definitions of interoperable.
The agencies also finalized changes to the EHR exception's and safe harbor's optional Deeming Provisions, which provide donors and recipients with assurance that donated software is interoperable for purposes of the exception and safe harbor. Historically, under the Deeming Provisions, software is deemed to be interoperable if on the date it is provided to the recipient it has been certified by a certifying body to an edition of the EHR certification criteria identified in the then-applicable version of 45 CFR part 170.
In the Sprint Regulations, CMS and OIG finalized three proposed textual clarifications to the Deeming Provisions:
- First, the agencies modified the language to clarify that the certification must be current as of the date of the donation, as opposed to the software having been certified at some point in the past but no longer maintaining certification on the date of the donation.
- Second, the agencies removed the provision's reference to "an edition" of the EHR certification criteria to align with changes to the ONC's certification program.
- Third, the agencies removed the phrase "electronic health record" before "certification criteria" because the phrase "electronic health records certification criteria" was removed from 45 CFR part 170 as of June 30, 2020.
Providing some level of comfort, CMS indicated that the substantive modifications to the Deeming Provision are not retroactive. In other words, an arrangement that met the definition of interoperable and satisfied the exception's other requirements at the time the donation was made will not cease to be protected by the exception.7
Finally, CMS and OIG removed entirely the requirement in both the exception and the safe harbor that the donor (or any person on the donor's behalf) may not take any action to limit or restrict the use, compatibility, or interoperability of the items or services.8 The agencies reiterated their continued commitment to preventing "information blocking" but thought the requirement might unintentionally conflict with other enforcement mechanisms better suited than a Stark Law exception or AKS safe harbor to deter information blocking and hold individuals and entities that engage in information blocking appropriately accountable.
CMS and OIG finalized amendments to the EHR donation exception and safe harbor to clarify that protection is available (and always has been available) for cybersecurity software and services that protect EHR.9 The agencies both define "cybersecurity" broadly to mean "the process of protecting information by preventing, detecting, and responding to cyberattacks."10
While the agencies also finalized a new exception and safe harbor specifically to protect arrangements involving the donation of cybersecurity technology and related services, discussed below, the clarification of the EHR exception and safe harbor to expressly include cybersecurity software and services is intended to make it clear that an entity donating EHR software also may donate related cybersecurity software and services to protect the EHR.
Both agencies acknowledge "a certain amount of overlap between" the EHR exception/safe harbor and the cybersecurity exception/safe harbor but retained both options to provide donors and recipients with flexibility to protect varied arrangements under one or the other. Key differences include that the EHR donation exception and safe harbor do not cover hardware, and any cybersecurity software provided pursuant to the EHR exception or safe harbor is subject to the 15 percent recipient contribution requirement.
CMS and OIG eliminated the sunset provisions in the exception and safe harbor, which were scheduled to expire on December 31, 2021, citing "near universal support" for removal.11
CMS and OIG retained the requirement that recipients of EHR donations pay 15 percent of the donor's costs prior to receipt of the initial or any replacement EHR items or services. The agencies grounded the decision in their longstanding belief that cost sharing is an appropriate method to address some of the program integrity risks inherent in unlimited donations of EHR items and services.
However, to provide some flexibility, the agencies incorporated amendments to permit recipients to contribute their share of the costs for subsequent updates to existing EHR systems at reasonable intervals rather than prior to receipt.12 This will reduce the burdens of requiring ongoing prepayment of updates and support and the concerns of having to "shut off" a recipient for a single late payment.
Equivalent Items and Services
CMS and OIG removed in its entirety the provisions in the EHR donation exception and safe harbor excluding donations to recipients who possess items or services equivalent to those to be donated.13
The agencies removed the provision in response to concerns that it effectively locks recipients into a vendor, even if they are dissatisfied with the technology, because they must choose between paying full cost for a new "replacement" system or continuing to pay 15 percent of the cost of upgrades or additions to their current system. The agencies recognize "there may be valid business or clinical reasons for a recipient to replace an entire system rather than update existing technology."
In a departure from CMS due to the structure of the AKS's EHR donation safe harbor, OIG expanded the scope of protected donors to include entities with indirect responsibility for patient care, such as health systems, clinically integrated networks, and accountable care organizations.14
OIG expressly declined to expand the scope of protected donors any further, including specifically to laboratories, pharmaceutical manufacturers, and other manufacturers or suppliers of items.
Definition of Electronic Health Record
In the proposed Sprint Regulations, CMS and OIG proposed to update the definition of "electronic health record" to mirror ONC's definition of "electronic health information" in the Cures Act. However, in an effort to avoid introducing "undesirable complexity" to the rules in the wake of ONC's final rules implementing the Cures Act, the agencies declined to finalize any of the proposed changes to the definition of "electronic health record" and instead are retaining the existing definition.15
New Stark Exception and AKS Safe Harbor for Donations of Cybersecurity Technology and Services
Recognizing the "urgent need to improve cybersecurity hygiene in the health care industry to protect patients and the health care ecosystem," CMS and OIG finalized protections for the donation of nonmonetary cybersecurity technology and related services.16
CMS and OIG recognize that the cost of cybersecurity has increased dramatically, to the point where many in the healthcare industry are unable to invest in and therefore have not invested in adequate cybersecurity measures. The risks associated with a cyberattack on a single entity in an interconnected system ultimately are borne by every component in the system.
CMS and OIG took substantially similar approaches in protecting cybersecurity donations. Under the Sprint Regulations, donations of nonmonetary remuneration (consisting of technology and related services) that are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity are protected if all of the following conditions are met (conditions unique to each law are designated below):
- Stark: Neither the eligibility of a physician for the technology or services nor the amount or nature of the technology or services is determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties.
AKS: The donor does not:
- i. Directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services or the amount or nature of the technology or services to be donated; or
- ii. Condition the donation of technology or services or the amount or nature of the technology or services to be donated on future referrals.
- Stark: Neither the physician recipient nor the physician's practice (including employees and staff members) makes the receipt of technology or services or the amount or nature of the technology or services a condition of doing business with the donor.
AKS: Neither the recipient nor the recipient's practice (or any affiliated individual or entity) makes the receipt of technology or services or the amount or nature of the technology or services a condition of doing business with the donor.
- The arrangement is documented in writing.
AKS: A general description of the technology and services being provided and the amount of the recipient's contribution, if any, are set forth in writing and signed by the parties.
- AKS: The donor does not shift the costs of the technology or services to any federal healthcare program.
Definitions of Cybersecurity and Technology
The Sprint Regulations define cybersecurity broadly, deriving the definition from the NIST Framework for Improving Critical Infrastructure Cybersecurity. The same definition of cybersecurity is used for the cybersecurity donation as well as the EHR donation exceptions and safe harbors (i.e., "the process of protecting information by preventing, detecting, and responding to cyberattacks"). The preamble notes that the NIST framework is "industry agnostic and applies to any critical infrastructure in the United States," including healthcare. A broad definition was thought to avoid unintentionally limiting donations and to be less likely to become obsolete in the future.
Taking a broad and industry-neutral approach, the Sprint Regulations define technology as any software and other types of information technology, such as an Application Programming Interface (API) which is neither software nor a service, as those terms are generally used. In a change from the proposed regulations, technology includes hardware, such as encrypted servers, encrypted drives, and network appliances. Technology also includes both locally installed cybersecurity software and cloud-based cybersecurity software, as well as a license to use cybersecurity software.
Protected Donors and Recipients
Unlike the EHR donation exception and safe harbor, the cybersecurity exception and safe harbor protect all donors as long as the conditions for donation are met.
Interestingly, several organizations representing laboratory companies requested that laboratories be excluded as qualified donors; however, OIG declined this carve-out, stating that everyone plays a role in cybersecurity and noting that the Sprint Regulations do not require donations. Likewise, under the AKS safe harbor, protected recipients are unrestricted and may include patients. Recipients under the Stark exception are physicians.
Necessary and Used Predominantly Standard
The Sprint Regulations impose an overarching requirement that the cybersecurity technology and services must be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. The agencies designed this condition to ensure that donations address the legitimate security needs of donors and recipients.
For example, software that has multiple functions, one of which is cybersecurity, would not meet the necessary and predominant use standard. Conversely, software with multiple functions but with cybersecurity as its core function may be eligible for protection.
Also, an encrypted server that is used predominantly to host the computer infrastructure of a recipient would not satisfy the "necessary and used predominantly" requirement, even if the encrypted server has ancillary cybersecurity uses and functionality. Protections of any specific technology and services would require analysis of the facts and circumstances specific to the particular arrangement.
Qualified Technology and Services
As long as the donated technology and services are necessary and used predominantly to implement, maintain, or reestablish cybersecurity, the Sprint Regulations protect a broad range of technology and services, offering an illustrative and non-exhaustive list of examples:
- Locally installed and cloud software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption, and email traffic filtering;
- Hardware, including encrypted servers, encrypted drives, and network appliances;
- Patches and updates;
- Replacement cybersecurity technology;
- Services associated with developing, installing, and updating cybersecurity software;
- Cybersecurity training services, such as training recipients on how to use the cybersecurity technology, how to prevent, detect, and respond to cyber threats, and how to troubleshoot problems with the cybersecurity technology (for example, "help desk" services specific to cybersecurity);
- Cybersecurity services for business continuity and data recovery services to ensure the recipient's operations can continue during and after a cybersecurity attack;
- "Cybersecurity as a service" models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;
- Cybersecurity services provided by third-party vendors or consultants;
- Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; and
- Services associated with sharing information about known cyberthreats and assisting recipients responding to threats or attacks on their systems.
The Sprint Regulations would not protect donations of technology and services that are otherwise used in the normal course of the recipient's business (e.g., general help desk services). In all cases, donations must be in kind and nonmonetary.
No Required Recipient Contribution
In contrast to the EHR donation exception and safe harbor discussed above, recipients are not required to contribute any portion or percentage of the cost of the cybersecurity technology or related services.
OIG and CMS concluded that contribution requirements would be burdensome because the necessity of cybersecurity technology and services may vary unpredictably and may impose real and perceived barriers to recipients in accepting cybersecurity donations. Donors are free, however, to impose a sharing obligation.
The Sprint Regulations require written documentation. The AKS safe harbor includes a bit more specificity, including that the documentation be signed by the parties and provide a general description of the cybersecurity technology and related services, and the recipient's contribution, if any.
- Donations of cybersecurity safeguards may be to patients.
- The Sprint Regulations protect donations of cybersecurity hardware, which differs from the EHR donation exception and safe harbor. Multifunctional hardware likely would not qualify, however, since it would not be used predominantly for cybersecurity.
- For example, servers, drives, upgraded wiring, physical security systems, fire retardant or warning technology, and high-security doors likely would not qualify for Sprint Regulations protection because they have "functions that extend well beyond cybersecurity."
- Not surprisingly, cybersecurity donations must be nonmonetary.
- Parties do not have to perform a risk assessment prior to donating cybersecurity technology and services, which was under consideration in the proposed regulation. Parties that also are covered entities or business associates under HIPAA already would be required to perform, and regularly revisit, a risk analysis.
- No monetary cap on the value of the donations will apply.
- OIG expressed concern over "bargaining chips" and "bidding wars" scenarios and emphasized that the cybersecurity protections would not apply to donors who condition donations on referrals and recipients who demand donations as a condition of doing business.
- Donors may choose to whom to donate (subject to the conditions of the Sprint Regulations being met) and are not required to donate to all similarly situated entities.
- No Deeming Provision for establishing compliance with the condition that donated technology and services are necessary for cybersecurity is included in the final Sprint Regulations. CMS notes that it is concerned that any deeming provision that is specific enough to address program integrity concerns will be of limited or no utility for stakeholders.
- OIG notes the availability of the advisory opinion process for those seeking an individualized determination.
- The Sprint Regulations demonstrate recognition of the criticality of information exchange and cybersecurity and include meaningful steps to protect health information and the healthcare industry.
- The EHR donation exception and safe harbor may be used in combination with the cybersecurity donation exception and safe harbor. Arrangements for the donation of standalone cybersecurity technology or services that are not used predominantly to protect electronic health records (but are used predominantly to implement, maintain, or reestablish cybersecurity) are not excepted under the EHR exception but may be protected under the cybersecurity exception if all the requirements are satisfied.
- The Sprint Regulations relating to EHR items and services and cybersecurity donations take effect January 19, 2021.
1 84 Fed. Reg. 55,766 (Oct. 17, 2019); 84 Fed. Reg. 55,694 (Oct. 17, 2019).
2 42 C.F.R. § 411.357(w); 42 C.F.R. § 1001.952(y).
3 42 C.F.R. § 411.357(w)(2); 42 C.F.R. § 1001.952(y)(2).
4 42 C.F.R. § 411.351; 42 C.F.R. § 1001.952(y).
5 85 Fed. Reg. at 77,614–77,615; 85 Fed. Reg. at 77,837–77,838.
6 See 85 Fed. Reg. 25,642 (May 1, 2020).
7 85 Fed. Reg. at 77,609; 85 Fed. Reg. at 77,837–77,838.
8 85 Fed. Reg. at 77,610–77,611; 85 Fed. Reg. at 77,831–77,832.
9 85 Fed. Reg. at 77,611–77,613; 85 Fed. Reg. at 77,830.
10 42 C.F.R. § 411.351; 42 C.F.R. § 1001.952(y)(14).
11 85 Fed. Reg. at 77,613–77,614; 85 Fed. Reg. at 77,832–77,833.
12 85 Fed. Reg. at 77,615–77,619; 85 Fed. Reg. at 77,833–77,835.
13 85 Fed. Reg. at 77,619; 85 Fed. Reg. at 77,835–77,836.
14 85 Fed. Reg. at 77,836.
15 85 Fed. Reg. at 77,614; 85 Fed Reg. at 77,837.
16 42 C.F.R. § 411.357(bb); 42 C.F.R. § 1001.952(jj).