Article by Guy Milhalter, Esq.
The new rules include an important “Cybersecurity exception” which could benefit cybersecurity technology firms.
On Friday, November 20th, the U.S. Department of Health and Human Services (HHS) released two final rules which update and add to the existing list of exceptions to the physician self-referral law (Stark Law) and safe harbor provisions of the Anti-Kickback Statute. The purpose of the new Stark Law rule and the Anti-Kickback rule is to encourage the healthcare sector to embrace new value-based care models as an alternative to the traditional fee-for-service model.
The new rules and regulatory guidance, at a combined length of over 1,600 pages, are comprehensive and detailed. While many elements of the new rules are relevant to digital health companies and technology companies operating in the healthcare sector, one part of the rule involving cybersecurity technology and related services is of key interest to cybersecurity technology firms.
The Anti-Kickback Statute and Stark Law in a Nutshell
The Anti-Kickback Statute is a criminal statute which “prohibits the knowing and willful payment of ‘remuneration’ to induce or reward patient referrals or the generation of business involving any item or service payable by the Federal health care programs (e.g., drugs, supplies, or health care services for Medicare or Medicaid patients).”[1]
The Physician Self-Referral Law, also known as the Stark Law, is a civil strict-liability statute which “prohibits physicians from referring patients to receive ‘designated health services’ payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship, unless an exception applies.”[2]
In a healthcare system almost entirely built on a fee-for-service model, the prohibition on providing anything of value to induce or reward patient referrals makes perfect sense and serves as a strong deterrent to activities that could lead to fraud and abuse in the healthcare sector. Nevertheless, even in a fee-for-service world, many types of payments and business arrangements that are perfectly sensible and beneficial to patients and the healthcare system as a whole would violate the Anti-Kickback Statute and Stark Law. Therefore, over the years, HHS has promulgated various safe harbors and exceptions to these laws to make clear that some business arrangements and transactions that would violate the Anti-Kickback Statute or Stark Law would be permissible.
As U.S. policymakers increased their efforts to encourage the development of value-based care models as an alternative to the traditional fee-for-service model, the need for additional exceptions and safe harbors became more apparent. While the Anti-Kickback Statute and Stark Law serve a very important purpose of keeping fraud and abuse in the healthcare sector in check, these laws could also have a chilling effect on market participants’ willingness to experiment with new care models out of fear that these new models would violate these laws.
The new rules modify existing exceptions and safe harbors as well as create new ones, all with the overarching goal of encouraging greater collaboration and coordination of care in the healthcare industry.
The Cybersecurity Exception
One interesting aspect of these new rules involves the addition of a new “cybersecurity exception” to the general prohibition on payment of any form of remuneration to induce or encourage patient referrals. Under this new exception, healthcare providers will be allowed to accept nonmonetary remuneration (i.e., a donation) “that is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity” if certain conditions are met.
In practice, what this means is that larger healthcare systems will be able to provide smaller healthcare providers with cybersecurity solutions at no charge. As a result of this new exception, cybersecurity technology companies will have the opportunity to expand their footprint by enabling healthcare systems to sublicense their technology to smaller practices.
Cybersecurity technology and service providers who focus on the healthcare sector should consider negotiating new sublicense and distribution terms and should update their license and subscription fees to enable healthcare providers to purchase additional licenses or subscriptions to “donate” to approved sublicensees.
[1] https://oig.hhs.gov/compliance/physician-education/01laws.asp#:~:text=The%20AKS%20is%20a%20criminal,for%20Medicare%20or%20Medicaid%20patients).
[2] Id.