In Short

The Situation: Though not universal, Electronic Health Records ("EHR") technology adoption is now widespread in the health care industry. And, while an existing safe harbor under the federal Anti-Kickback Statute ("AKS") and exception under Stark law exist, they were specifically written to encourage new adoption of EHR technology and have, therefore, become somewhat obsolete. The 2013 regulations that established these protections require revision to realign incentives to address current industry EHR technology deficiencies.

The Action: One of the most significant EHR technology challenges facing the health care industry currently is the lack of EHR interoperability. In simultaneously released proposed rules, the Centers for Medicare & Medicaid Services ("CMS") and the Office of the Inspector General ("OIG") have introduced revisions to the Electronic Health Records and Services exception to the Stark law (§ 411.357(w)) and the Electronic Health Records safe harbor under the AKS (§ 1001.953(y)) to encourage universal adoption of interoperable EHR technology.

Looking Ahead: Revisions to these AKS and Stark law protections promise to expand protections in alignment with current industry need.

Introduction

Both the OIG and the CMS proposed parallel packages of reforms on October 17, 2019, to revise the federal Anti-Kickback Statute ("AKS") and Stark law, respectively. Within those packages, both agencies proposed nearly identical revisions to the existing EHR protections currently in effect under the AKS and Stark law. The proposed revisions would modernize the regulations to promote universal adoption of interoperable EHR technology.

Electronic Health Records and Services Exception (§ 411.357(w)) and the Electronic Health Records Safe Harbor (§ 1001.953(y))

The proposed revisions to the existing EHR protections fall into five categories, which all effectively increase incentives to adopt interoperable EHR technology: (i) updates to the interoperability and data lock-in provision; (ii) express clarification that the exception and safe harbor protect the donation of cybersecurity software and services; (iii) elimination of the sunset provision; (iv) modifications to the contribution requirements; and (v) expansion to protect donations of certain replacement technology.

Updates to Interoperability and Data Lock-in Provisions: The proposed reforms would first align the definition of interoperability with the definition and requirements under the 21st Century Cures Act. Specifically, the proposed changes would require that donated technology be certified as interoperable by the Office of the National Coordinator for Health Information Technology as of the date of donation. This is a significant shift from current regulations, which permit the donating entity to voluntarily guarantee that the donated technology is interoperable (i.e., the "deeming" provision) and does not impose ongoing requirements to maintain such certification up to the date of donation. Importantly, this requirement is proposed to apply only prospectively and would not impact previously donated technologies.

As a second step, the agencies propose to expressly prohibit a donor from engaging in "information blocking" as defined in section 3022 of the Public Health Services Act ("PHSA"). This is consistent with agency concerns over preventing attempts to limit the free exchange of information. Consistent with the intent-based nature of the AKS, OIG further proposes to incorporate a knowledge requirement for information blocking violations, also consistent with section 3022 of the PHSA. Specifically, quoting section 3022 in the preamble, OIG proposes that a healthcare provider is considered to have engaged in information blocking if they "know that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information."

Express Protections of Donations of Cybersecurity: Both agencies are considering expanding the EHR protections to explicitly include the donation of cybersecurity software and services that protect electronic health records. Though both agencies clarified in the preamble that the EHR safe harbor and exception could shelter the donation of certain cybersecurity software and services if such a donation is necessary to create, maintain, transmit or receive electronic health records, OIG and CMS are proposing to include the protection in the regulations to mitigate stakeholder concerns related to donating cybersecurity software or services absent express regulatory authority. This proposed revision is distinct from the newly proposed cybersecurity safe harbor and exception, which has fewer requirements.

Removal of the Sunset Provision: In 2013, both OIG and CMS anticipated that the use of EHR protections would diminish as EHR adoption increased. EHR protections under both the AKS and Stark Law were, therefore, initially drafted with a sunset provision (with sunset currently scheduled for December 31, 2021). Both agencies propose eliminating the sunset provision to render the EHR protections permanent. This would facilitate the goal of universal adoption by providing cost certainty, ensuring that physicians newly entering the workforce or late adopters are encouraged to adopt EHR technology, and preserving the gains already made toward universal adoption. Alternatively, both agencies propose to issue an extension to the currently scheduled sunset date.

The Contribution Requirement: The EHR protections under both the AKS and Stark law currently require the donation recipient to contribute 15% of the donor's total cost of the donated technology. In response to stakeholder feedback that this requirement is prohibitively burdensome for some providers, both agencies are considering either eliminating the requirement, reducing the percent threshold, or exempting small or rural providers or provider organizations. Further, while most other proposed revisions are prospective, the agencies are considering extending this revision to previously donated technology so that recipients would not be required to contribute to the cost of any further updates to donated technology.

Donation of Replacement Technology: EHR protections under both the AKS and Stark law currently do not extend protection to EHR technology donations if the recipient already owns equivalent technology. Concerns that this requirement locks providers into certain vendors and reduces incentives to innovate have caused both CMS and OIG to propose allowing donations of replacement technology. The text of the Stark proposed rule does not reveal what CMS would propose for replacement technology, but the AKS proposed rule would accommodate replacement technology by deleting the current requirement that prohibits the donation of equivalent items or services. Both agencies sought comments regarding situations in which the donation of replacement technology is appropriate and potential safeguards to mitigate the fraud and abuse risks. Although the comment period is closed, we expect both OIG and CMS to address this issue further in any promulgated final rules.

OIG's Revisions to Protected Donors: OIG proposed one other revision to the EHR safe harbor under the AKS that was not proposed by CMS for incorporation into the EHR exception under the Stark Law: expansion of the categories of entities afforded protection as a donor of EHR technologies. AKS safe harbor protection currently extends only to those who submit claims or requests for payment, either directly or through reassignment, to a Federal health care program. OIG is considering either eliminating this requirement or expanding it to include entities with indirect responsibility for patient care, such as health systems or accountable care organizations.

Conclusion

OIG and CMS have proposed a host of revisions that would significantly expand the protections currently afforded to EHR technology donations under the AKS and Stark Law, respectively. The proposed revisions would encourage broader adoption of EHR technology and, specifically, encourage increased interoperability of EHR technology.

Three Key Takeaways

  1. OIG and CMS are considering proposed revisions to existing EHR protections currently in effect under the AKS and Stark law.
  2. Through these proposed reforms, OIG and CMS seek to modernize the regulations to allow donations of EHR technology that encourage broader adoption of such technology and, specifically, that encourage increased interoperability of EHR technology.
  3. Stakeholders should carefully review the final rules, when published, to determine how the proposed rules have been adjusted and to promote compliance with all applicable requirements when structuring donations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.