On December 2, 2020, both the Health and Human Services Office of Inspector General ("OIG") and Centers for Medicare & Medicaid Services ("CMS") issued final rules amending the Anti-Kickback Statute safe harbor and Physician Self-Referral Law (Stark) exception for EHR donations ("EHR Donation Rules"), as well as a new safe harbor and exception for cybersecurity technology and related services ("Cybersecurity Rules"). The revisions to the EHR Donation Rules are welcomed by those entities currently providing EHR donation programs as the current EHR Donation Rules were set to expire December 31, 2021. The new Cybersecurity Rules permit a donor to provide a health care provider with cybersecurity items and services to improve the security of patient data and combat cyberattacks, including ransomware, improving the security posture of interconnected health care providers.

EHR Donation Rules

The amendment to the EHR Donation Rules: (1) removes the sunset date; (2) clarifies the eligible class of donors; (3) aligns with recently developed legal and regulatory interoperability requirements; (4) modifies recipient contribution payment requirements; (5) clarifies the permissibility of cybersecurity technology to protect the donated EHR; and (6) permits the donation of replacement EHRs.

The amended EHR Donation Rules eliminate the sunset date, which was December 31, 2021. As you may recall, the original EHR Donation Rules, issued August 8, 2006, had an expiration date of December 31, 2013, which was subsequently extended to December 31, 2021.

The OIG EHR Donation Rule modifies the eligible donors to include an entity that is composed of entities that provide services covered by a federal health care program and submit claims or requests for payment, either directly or through reassignment, to the federal health care program. This is a significant change because the prior rule did not provide for donations to be made by parent organizations of entities providing services covered by a federal health care program. The amended rule will now permit donations from parent organizations.

Interoperability of the EHR continues to be a requirement of the amended EHR Donation Rules but the amended rules modify what constitutes interoperable. A definition of interoperable has been added to the regulation. The definition requires that the donated EHR be able to exchange data with and use data from other health information technology and allow for complete access, exchange and use of all electronically accessible health information. This modification more closely aligns with the recently enacted Information Blocking regulations. Additionally, the regulation continues to deem any software that is certified by a certifying body authorized by ONC on the date it is provided under the donation.

While the proposed EHR Donation Rules sought comments as to the need for the recipient contribution toward the cost of the donated EHR items and services, the amended EHR Donation Rules retain the current requirement that the recipient of an EHR donation pay at least 15% of the donor's cost of the donated items or services. The amended rules do, however, provide some relief to the requirement that the recipient pay their contribution of the cost prior to receiving the items and services in those instances where the donated items or services are for updates to previously donated items and services.

Finally, the amended EHR Donation Rules removed the prohibition on making a donation to a recipient that possesses an equivalent EHR technology. The amended rules permit donors to make donations to recipients for purposes of replacing an EHR. It is worth pointing out that there appears to be an error in the final Anti-Kickback Statute rule in which the appropriate revision to the regulation was not made despite the preamble to the regulation indicating that the revision was being made in the new rule. We are assuming that this error will be rectified through additional rulemaking.

What Do You Need to Do?

If you are a party to an existing EHR donation arrangement, the amended rules provide an opportunity to continue the EHR donations beyond 2021. You should review your existing donation arrangements and determine for what period you wish to continue these donations. Also, you should review your existing donation agreements to determine if changes should be made to any restrictions on the types of items and services that are covered, the payment provisions for updates and the term of the agreement.

The amended EHR Donation Rules in conjunction with other recently promulgated rules, provide an opportunity for health care providers to work cooperatively to coordinate care, improve outcomes and reduce costs while delivering care to the communities they serve. If you are not a party to an existing EHR donation arrangement and had not considered the development of a donation program due to the temporary status of the EHR Donation Rules, these amendments make donations permissible indefinitely and may support a reevaluation of the use of an EHR donation program to support strategic objectives.

Cybersecurity Rules

The new Cybersecurity Rules add a safe harbor for donations of cybersecurity technology and services. CMS and OIG express the position that a cybersecurity safe harbor could remove barriers to address cyberattacks targeted at health records. The interconnectedness of health care delivery systems means that an attack on a "weak link" in the interconnected ecosystem can have repercussions that impact other members of that same ecosystem. The donation of technology and services of value to physicians and health care providers who are sources of federal health care program referrals may indeed pose increasing fraud and abuse risks, but the risk of such donation is similar to the risk of EHR donations. The value of cybersecurity technology or services ranges widely, from antivirus software at a work station to robust incident response services for a multitude of physician practices.

Cybersecurity is defined as "the process of protecting information by preventing, detecting, and responding to cyberattacks." This definition is intentionally broad because OIG acknowledges that new technology may become available.

To ensure donations are addressing the legitimate cybersecurity needs of donors and recipients to prevent detect and respond to cyberattacks, the Cybersecurity Rule is limited to only donated technology and services that are necessary and used predominantly to implement, maintain or reestablish cybersecurity. Technology consists of "any software or other types of information technology, including hardware." Technology includes encryption filtering of email traffic and software that protects endpoints. Services are also broad and can include training, cybersecurity as a service models, testing, analysis and business continuity and data recovery services. Donations of services must be non-monetary where, for example, consultant time is permitted but not money to pay for a ransom associated with a ransomware attack.

All donations of cybersecurity technology and services must be documented in a written agreement and neither the eligibility of recipients or the amount or nature of the technology or services may be determined in a manner that takes into account the volume or value of the recipient's referrals or conditioned on the recipient doing business with the donor. Costs of cybersecurity donations are not permitted to be shifted to federal health care programs. This means the cost of the donor's own cybersecurity technology and services is an administrative expense that could be included on a cost report; however, donations of cybersecurity items and services would not be permitted to be included on the cost report.

What Do You Need to Do?

If you have internal expertise, services or relationships that can assist others in your community in protecting their information technology, you may want to consider if extending these to others in your community can improve the protection of patient information. In making this determination, you should consider the legal risks associated with providing these services and craft appropriate agreements to address these risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.