Fraud and Abuse Rules Part II: Amended EHR and New Cybersecurity Donation Safe Harbors and Exceptions

January 12, 2021

Update (Feb. 22, 2021): The final rules discussed in the alert below were given a Jan. 19, 2021, effective date. Since publication, however, ambiguity with respect to their effective status was created by two regulatory actions: (1) the Government Accountability Office concluded that the final rules did not have the required 60-day delay in their effective date and (2) on Jan. 20, 2021, the Biden administration paused final rules issued by the Trump administration from taking effect. According to an industry publication, CMS has now clarified its view that the regulations finalized in the final rule are effective. McGuireWoods will continue to review further guidance from the new administration to understand whether the policies in these final rules are otherwise modified or retracted.


As discussed in a previous McGuireWoods alert, the U.S. Department of Health and Human Services (HHS) published final rules expected to be effective Jan. 19, 2021, that significantly amend the Physician Self-Referral Law (Stark Law) and the federal Anti-Kickback Statute (AKS). This client alert, the latest in McGuireWoods’ summary series on these final rules, focuses on changes to the electronic health records (EHR) items and services exception to the Stark Law and EHR safe harbor to the AKS. This alert also provides a summary of a new exception to the Stark Law and a safe harbor to the AKS related to the donation of cybersecurity software and services.

These changes include the addition of a standalone cybersecurity safe harbor and exception, and the following changes within the existing EHR safe harbor and exception: (1) the addition of cybersecurity technology and services, (2) modernization updates regarding interoperability provisions, (3) changes to cost-sharing requirements, (4) removal of the replacement technology donation prohibition and (5) removal of sunset provisions. By implementing these changes, the Office of the Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) are allowing more flexibility around the donation of certain EHR and cybersecurity items and services, with an overall intent by the OIG to strengthen healthcare industry defenses against cyberattacks.

The final rules stem from HHS’ Regulatory Sprint to Coordinated Care (discussed in a Sept. 26, 2018, client alert), intended to incentivize value-based arrangements and patient care coordination by expressly permitting certain activities that could be deemed problematic under current law.

  1. CMS and OIG added cybersecurity technology and services to the EHR exception and safe harbor, and added a standalone cybersecurity technology and related services exception and safe harbor. CMS and OIG noted that the digitization of healthcare delivery and rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks.

    CMS and OIG finalized rules providing for the donation of cybersecurity items and services both within the EHR exception and safe harbor and through a standalone exception and safe harbor. To qualify under the EHR exception and safe harbor, such software and services must have the predominant purpose of protecting electronic health records, particularly against cyberattacks caused by ransomware and other digital threats. In contrast, the new cybersecurity exception and safe harbor are broader than their EHR counterparts and include fewer conditions. For example, the cybersecurity exception and safe harbor do not share the condition of a 15 percent required contribution from recipients that exists under the EHR exception and safe harbor. The chart in this alert (see below) summarizes the key differences between the EHR and cybersecurity exceptions and safe harbors. CMS and OIG clarified that a party seeking to protect an arrangement involving the donation of cybersecurity software and services must comply with only one exception.

    As finalized, the cybersecurity exception and safe harbor allow for the donation of cybersecurity technology (including hardware) and related services if certain conditions are met:

    1. The nonmonetary remuneration (consisting of technology and services) is necessary and used predominantly to implement, maintain or re-establish cybersecurity. “Cybersecurity” means the process of protecting information by preventing, detecting and responding to cyberattacks.
    2. Neither the eligibility of a recipient for the technology or services, nor the amount or nature of the technology or services, is determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties.
    3. Neither the physician nor the physician’s practice (including employees and staff members) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor.
    4. The arrangement is documented in writing, which must identify the recipient, and includes a general description of the item or service provided, the time frame of donation, an estimated value of the donation and, if applicable, the recipient’s financial responsibility within the arrangement.

    The final exception and safe harbor will protect certain cybersecurity hardware donations that meet conditions in the exception and safe harbor, but it will not require parties to conduct a risk assessment to determine whether the hardware is reasonably necessary, as contemplated in the proposed rule, prior to donating hardware. The cybersecurity exception and safe harbor include hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity.

    CMS and OIG have taken a neutral approach toward the types of technology that can be donated. So long as these technologies comply with the exception and safe harbor conditions of necessity and predominant use, they will likely be protected. CMS broadened the definitions of cybersecurity technology and services by removing the word “effective” to encourage donations where parties may not have the technical knowledge required to determine the effectiveness of a software donation. CMS and OIG made it clear that they will not distinguish between locally downloaded and cloud-based software, and that both can qualify for protection. Some examples of donation-eligible items and services include installed and cloud-based cybersecurity software, EHR patches and updates, and cybersecurity training services.

  2. CMS and OIG finalized modernization updates to EHR interoperability provisions. The original rules — discussed in an April 12, 2013, client alert and a Dec. 24, 2013, client alert — prohibit a donor from taking any action to limit or restrict the use, compatibility or interoperability of EHR items or services. CMS and OIG proposed modifications to that prohibition in recognition of significant intervening legal updates in this area. CMS did not finalize a proposed information-blocking modification and indicated that the Office of the National Coordinator for Health Information Technology is better positioned to enforce the prohibition against information blocking.

  3. OIG expanded the scope of protected donors under the EHR safe harbor. The OIG final rule expanded the scope of protected donors under the EHR safe harbor to include certain entities comprised of the types of individuals or entities that provide services covered by a federal healthcare program and submit claims or requests for payment, either directly or through reassignment, to the federal healthcare program. In addition to the entities currently covered as protected donors, this change now allows donation from a broader scope of entities that have an indirect responsibility for patient care (e.g., parent companies of hospitals, health systems and accountable care organizations). OIG explained that there is little risk associated with these entities, as they generally do not directly receive referrals and have existing financial risk for patient outcomes. OIG declined to expand the list of protected donors to include all donors.

  4. CMS and OIG changed the EHR cost-sharing requirements. CMS and OIG retained the 15 percent contribution requirement for donation under the EHR exception and safe harbor for all recipients, despite comments requesting decreased percentages or waived requirements for rural and small practices. Additionally, CMS and OIG clarified that a recipient must pay the required cost contribution amount before receiving an initial donation of electronic health records items and services or a donation of replacement items and services. However, with respect to items or services donated after the initial donation or the replacement donation, the final rule does not require that the cost contribution amount be made in advance, and allows for such amounts to be paid at reasonable intervals. The specific example provided for “reasonable intervals” is that a donor could bill separately for each update or bill the recipient monthly or quarterly to combine the contribution payments for all updates during a select period of time.

  5. CMS and OIG allowed donation of replacement technology. The current EHR exception and safe harbor do not protect the donation of replacement technology when the replacement is for “equivalent items or services.” This prohibition has meant that where a potential recipient has an EMR, donation of EMR technology may not be protected if it is “equivalent” — a term that is not clearly defined. In the adopted rules, CMS and OIG finalized the proposal to permit donations of replacement items and services by removing the requirement that the donor not have actual knowledge of, or not act in reckless disregard or deliberate ignorance of, the fact that the physician possesses or has obtained items or services equivalent to those provided by the donor. In making this change, CMS and OIG recognized that the existing prohibition on donation of replacement items and services effectively locks a physician recipient into a particular vendor because recipients are forced to choose between paying 15 percent as contribution for donated software that is outdated or subpar, and paying the full cost of replacement software.

  6. CMS and OIG eliminated the sunset provisions in the EHR exception and safe harbor. The exception and safe harbor concerning EHR items and services originally were scheduled to sunset on Dec. 31, 2013. In 2013, CMS and OIG extended the sunset date to Dec. 31, 2021, but retained the idea that this exception would be obsolete once EHR technology was universal and would then be eliminated. In the final rules, CMS and OIG removed the sunset provisions, acknowledging that universality of cybersecurity software has not yet been achieved nationwide, but that it continues to be a goal of both CMS and OIG.

With the implementation of these final rules, CMS and OIG removed burdens on providers, without creating substantial risk of increased fraud and abuse. While CMS and OIG acknowledged that any donation of valuable technology poses risks of fraud and abuse, the need to protect the “weak links” in a healthcare system outweighs these concerns due to the threat of cyberattacks. Allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire healthcare ecosystem by increasing interoperability and decreasing the overall threat posed by cyberattacks.

Comparison of the EHR Exception and Safe Harbor with the Cybersecurity Exception and Safe Harbor

What software does it cover?
  EHR: EHR software that is necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records, expressly including cybersecurity software necessary and used predominantly to protect electronic health records.
  Cybersecurity: Any cybersecurity software that is necessary and used predominantly to implement, maintain or re-establish cybersecurity.

What hardware does it cover?
  EHR: Does not apply to the donation of hardware, even if related to or predominantly used for electronic health records.
  Cybersecurity: Applies to hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity.

Does this include replacement technology?
  EHR: Yes, but only if the replacement technology qualifies as necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records. The final rules remove the previous obstacle to this kind of donation.
  Cybersecurity: Yes, but only if the replacement technology qualifies as necessary and used predominantly to implement, maintain or re-establish cybersecurity. For example, if the technology being replaced is outdated or poses a cybersecurity risk, replacement technology will fulfill this requirement.

What services does it cover?
  EHR: Services that are necessary and used predominantly to create, maintain, transmit, receive or protect electronic health records.
  Cybersecurity: Services that are necessary and used predominantly to implement, maintain or re-establish cybersecurity.

Is a cost contribution required?
  EHR: Yes. All donations require the recipient to contribute 15 percent of the value of the donated software.
  Cybersecurity: No. There is no contribution requirement under the exception and safe harbor. However, donors are free to structure arrangements to include a contribution and still use the exception and safe harbor.

Can the donation take into account the volume or value of referrals?
  EHR: No.
  Cybersecurity: No.

Can the donation be a condition of doing business with the donor?
  EHR: No.
  Cybersecurity: No.

Must the arrangement be documented in writing?
  EHR: Yes.
  Cybersecurity: Yes.

Is there a deeming provision that can be used to ensure compliance?
  EHR: Yes. So long as the software donated is NIST-certified at the time of donation, the software qualifies under the deeming provision.
  Cybersecurity: No. CMS and OIG declined to include such a provision in the final rules.

Contact a McGuireWoods attorney or one of the authors of this alert for more information regarding these final rules. Given the significance of these changes, McGuireWoods plans to provide additional analysis and summaries leading up to the rules’ anticipated Jan. 19, 2021, effective date.

To review additional guidance on the final rules, see the following McGuireWoods legal alerts:

  • Part V: Easing Stark Law Compliance (Feb. 16, 2021)
  • Part IV: Final Changes to Existing and New Anti-Kickback Statute Safe Harbors (Feb. 3, 2021)
  • Part III: New Value-Based Arrangement Protections (Jan. 20, 2021)
  • Part I: Changes to Patient Inducement and Kickback Policies (Jan. 11, 2021)
  • Private Equity Healthcare Affiliations (Jan. 7, 2021)
  • Summary of the final rules (Nov. 23, 2020)