Vitalii Gulenok/istock via Getty

Final HHS Rules Provide Safe Harbor for Cybersecurity Tech Donations

CMS and HHS OIG finalized federal anti-kickback and Stark Law rules, which included provisions allowing health systems and hospitals to donate cybersecurity technologies to provider offices.

The Department of Health and Human Services published two final rules on Friday designed to reduce regulatory barriers and improve care coordination, which both contain safe harbor provisions that will allow health systems and hospitals to donate cybersecurity technologies to provider offices.

HHS Office for the Inspector General finalized the Revisions to the Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, while the Centers for Medicare and Medicaid Services issued the final version of Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called the Stark Law.

Proposed in October 2019, these changes were directed to providers participating in value-based arrangements and other care coordination programs as part of the HHS Regulatory Sprint to Coordinated Care.

Changes to the cybersecurity elements were designed to remove the real or perceived barriers to sharing these valuable tools with providers, which often have limited resources, to address the growing cybersecurity risks on data systems that could corrupt or prevent access to health records.

The cybersecurity resource provisions in both rules closely align and were developed in response to stakeholder feedback urging the implementation of safe harbor provisions for cybersecurity donations.

“Commenters on the proposed rule and RFI also emphasized the need for new exceptions to provide protection for non-abusive, beneficial arrangements between physicians and other healthcare providers,” according to CMS.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” the agency added.

Specifically, the changes recognize the urgent risk of cyber threats impacting the healthcare sector, by broadening the new safe harbor for cybersecurity tech and services meant to protect cybersecurity-related hardware.

The OIG final rule also clarifies participation between medical device manufacturers and durable medical equipment vendors through care coordination arrangements involving digital health tech, while reducing the financial risk parties must assume to qualify under the safe harbor rule for value-based arrangements.

The goal is to facilitate improved cybersecurity across the sector, ensuring it’s available to all types of individuals and entities.

Meanwhile, the CMS final rule “establishes a new exception for certain arrangements under which a physician receives limited remuneration for items or services actually provided by the physician and establishes a new exception for donations of cybersecurity technology and related services.

The rule also clarifies “that donations of certain cybersecurity software and services are permitted under the EHR exception, remove [s] the sunset provision modifies the definitions of EHR and interoperable to ensure consistency with the Cures Act.”

Thus, CMS changed the rule’s language to include all software that protects EHRs and expressly includes software and services related to cybersecurity.

“The cybersecurity exception is broader and includes fewer requirements than the EHR exception as applied to cybersecurity software and services that are necessary and used predominantly to protect electronic health records,” according to the rule.

“Among other things, the cybersecurity exception does not require recipients to contribute to the cost of the donated cybersecurity technology or services, while the EHR exception retains the cost contribution requirement for donations of EHR items or services,” it added.

Industry stakeholders, including the Healthcare Sector Coordinating Council have been a large proponent for the allowance of cybersecurity donations in healthcare in recent years. In 2018, the group called on HHS to waive the rule to allow the donation of these technologies to improve the overall cyber posture in the sector, as security is only as strong as the weakest link.

HSCC previously asked HHS to include patching in these safe harbors. However, the agency declined to include those exceptions in the finalized rule as “in the context of this safe harbor, this requirement is important to mitigate traditional fraud and abuse risks and ensure that parties enter into arrangements that serve value-based purposes.”

“OIG’s new safe harbor regulations are designed to facilitate better coordinated care for patients, value-based care, and improved cybersecurity, while also protecting against fraudulent or abusive conduct,” said Christi A. Grimm, Principal Deputy Inspector General, in a statement. 

“Providers and the healthcare system are still on the front lines against COVID-19, and this rule establishes flexibilities for remote patient monitoring or other arrangements to assist in the ongoing response and recovery efforts,” she concluded.

Next Steps

Dig Deeper on HIPAA compliance and regulation