Preparing for Interoperability: EHRs and the Law

Sept. 1, 2006

Paul F. Danello is a member of the law firm of Squire, Sanders & Dempsey LLP, headquartered in Washington, D.C., with offices in North America, Latin America, Europe and Asia and approximately 800 attorneys. Before joining Squire Sanders and while authoring this article, Mr. Danello was a member of the law firm of Ropes & Gray, in Washington, D.C.

Two major obstacles in the development and dissemination of electronic health record (EHR) networks are the federal anti-kickback statute and the so-called “Stark” law, named after U.S. Representative Fortney Stark (D-Cal), prohibiting physician self-referral. Although efforts by the Centers for Medicare and Medicaid Services (CMS), the Office of the Inspector General (OIG) of the U.S. Department of Health and Human Services (HHS), and Congress have been under way for more than two years to address these barriers, progress to date has been slow.

The generation of EHRs requires the use of computer equipment and software, usually at the point of delivery of care such as in a hospital or physician’s office. Historically, hospitals have shared information by photocopying records and using fax machines. The establishment of an EHR network by a hospital does not change the benefit a hospital provides to a physician when it transmits data concerning hospital patients.

Many commentators believe that the lack of widespread EHR adoption results primarily from issues related to who can and will pay for the necessary infrastructure. One solution is for large hospital systems and other entities, like pharmaceutical manufacturers, to provide their community physicians and clinics with the necessary hardware, software and expertise.

However, where the computer and software provided to a physician permits communication with entities other than the entity providing the computer and software, the network falls outside of the narrow range of permissible activity sanctioned by CMS and the OIG. Similarly, where the EHR platform provides more than access to hospital patient information, such as practice management software, medical decision support or access to an electronic medical library, it also falls outside of existing regulatory approvals.

EHRs and Federal Fraud and Abuse Laws

Following President Bush’s call on April 27, 2004, for the majority of Americans to have interoperable EHRs within 10 years, CMS stated that it was “trying to lower the barriers, both financial and regulatory, to the dissemination of health information technologies.”

HHS also delivered a Framework for Strategic Action entitled “The Decade of Health Information Technology: Delivering Consumer-centric and Information-rich Health Care.” The Framework identified the current physician self-referral and anti-kickback protections as a significant obstacle and recommended their alteration, suggesting that HHS could explore safe harbors or exceptions to these laws.

Additionally, the U.S. General Accountability Office (GAO) issued a report entitled “HHS’s Efforts to Promote Health Information Technology and Legal Barriers to Its Adoption,” stating that, despite HHS’s efforts to implement new information technologies, HHS has done little to deal with laws that may inhibit adoption.

EHRs and the Anti-kickback Statute

The anti-kickback statute prohibits the offer, solicitation, payment or receipt of any remuneration for referring or recommending the referral of items or services paid by federal health care benefit programs. The language of the statute is extremely broad, and both the courts and the OIG have construed it liberally. Its violation involves heavy criminal and civil penalties.

The OIG has long suggested that offers of free or discounted electronics are suspect under the anti-kickback statute. For example, in 1991, as part of its initial safe harbor rulemaking, the OIG observed that the functionality of free computers shipped to physicians’ offices should be limited to the medical services being acquired. If the physician is free to use the computer for a variety of other purposes, then “the computer has a definite value to the physician, and, depending on the circumstances may well constitute an illegal inducement.”

In 1997, the OIG reiterated its concerns: “[I]f the [computer] equipment is used by the recipient for any purpose other than in connection with the ordered service, there is potential illegal remuneration and potential liability for both parties to the transaction.” While the OIG acknowledged that general-purpose computer equipment may not always have separate value to a physician, it generally views all free equipment arrangements with skepticism.

The anti-kickback statute includes a number of regulatory “safe harbors” applicable to EHRs. If an arrangement fits within a safe harbor, it is immune from attack under the statute. Failure to comply with all the requirements of a safe harbor does not mean the arrangement is illegal, but rather that it is subject to a facts-and-circumstances analysis. However, practical limitations make it difficult to structure an EHR to fit within the existing anti-kickback safe harbors.

Current safe harbor criteria require that any payments be at fair market value, terms be set in advance, and the transaction be commercially reasonable. EHR networks typically are not sufficiently valuable to physicians and other noninstitutional providers to justify either the initial investment or the ongoing operational costs. If EHR networks are to succeed, the amount physicians are required to invest usually will have to be subsidized by another party. Such subsidy usually results in the EHR network falling outside existing safe harbor protection.

Even if EHR network users pay a fair price, structuring the arrangement to come within the safe harbors is problematic. For example, it may be impractical to determine in advance the exact schedule or “aggregate” compensation over the term of the agreement as the safe harbors require. In addition, determining whether the EHR’s charges to providers are fair market value may be both difficult and costly where an outside valuation consultant may have to be retained.

EHRs and the Stark Law

Even if an EHR network can comply with anti-kickback requirements, though, it faces the further hurdle of complying with the Stark law.

The Stark law is a broad, complex and ambiguous statute that prohibits a physician from referring Medicare patients for certain designated health services (DHS) to an entity with which the physician has a financial relationship, unless an exception applies. Its violation involves heavy civil penalties. Since virtually any exchange of remuneration with a physician could create a financial relationship under the Stark law, the statute presents an obstacle where an EHR network is directly or indirectly funded by a hospital, health system or any other entity furnishing DHS, such as a large physician group.

Complying with the Stark law requires either establishing that the EHR network does not constitute remuneration to the physician users or structuring the physicians’ relationships with the network to fit within one or more of the exceptions to the Stark law. Both present serious limitations.

Establishing that the EHR network does not constitute remuneration to the physician users involves the argument that the establishment of an EHR network does not change the fundamental obligation of hospitals and other providers to share information with physicians and others relating to common patients. The preamble to the most recent Stark regulations in 2004 supports this. In it, CMS states that a “hospital’s provision of a computer or other technology that is wholly dedicated to use in connection with hospital services provided to the hospital’s patients would be for the hospital’s benefit and convenience and would not constitute remuneration” for Stark law purposes.

On the other hand, where, as is often the case, a hospital sponsor provides computer hardware to the physician so that they can access the network, provides software and pays licensing fees associated with connecting to the network, or where the physician may use the hardware or software for purposes other than connecting to the network, the EHR network would have to be structured to meet a Stark law exception. Doing so typically presents significant difficulties.

Four Stark exceptions are potentially applicable to establishing an interoperable EHR network: 1) a $300 nonmonetary compensation exception for referring physicians; 2) a $25 exception for on-campus benefits provided to hospital medical staff members; 3) an exception for payments by a physician for items or services at fair market value; and 4) a community health information network exception. However, all of these existing exceptions are excessively narrow, highly technical, impractically low in value and administratively cumbersome.

In the most recent revisions to the Stark regulations in 2004, CMS introduced a new exception that permits a hospital or other DHS entity to provide items or services “of information technology” to a physician to allow access to electronic health care records and complementary drug information systems, general health information, medical alerts and related information for patients. To qualify for this exception:

  • The items or services must be principally used by the physician as part of the communitywide health information system;
  • The items or services must be provided to the physician in a manner that does not take into account the physician’s volume or value of referrals;
  • The health information system (including both hardware and software) must be “communitywide,” i.e., it must be available to all providers, practitioners and residents of the community who desire to participate; and
  • The arrangement does not violate the anti-kickback statute or any federal or state laws or regulations governing billing or claims submission rules.

CMS warned that the DHS entity may only provide items and services that are necessary to enable the physician to participate in the EHR network. For example, if a physician already owns a computer, it may only be necessary to provide software or training specific to the network. Providing more items or services than necessary would not only fail to comply with the new exception, but also could implicate the anti-kickback statute.

Added Complexities

This current Stark law exception presents a host of difficulties and ambiguities. For example, network sponsors have struggled to define the scope of the obligations created by the requirement that the system be made “available” to all providers in the community, and the scope of the “community.” It is also unclear 1) whether the network must be available to all providers from the outset; 2) whether certain features of the network can be offered only to those physicians on a hospital’s medical staff or who have some sort of existing relationship with the network sponsor; and 3) how to reconcile patient privacy and security concerns with the exception’s mandate for broad access.

Another perplexing aspect of the exception is the requirement that the system be available to community “residents.” Many commentators agree that the exception is ambiguous and does not go far enough, particularly in regard to whom the resources must be made available and the lack of a safe harbor under the anti-kickback statute.

To date, CMS has provided very limited guidance regarding how the new communitywide health information system exception will be applied to “lower the barriers, both financial and regulatory, to the dissemination of health information technologies.” The Phase II regulations were published as an interim final rule with comment period, providing an opportunity to submit written comments by June 24, 2004. The new exception generated numerous comments, many of which criticized it as overly narrow, unduly rigid and impractical.

New e-Prescribing and EHR Stark Law Exceptions and Anti-kickback Safe Harbors

CMS and OIG returned in late 2005 with proposed Stark law and anti-kickback statute regulations to accommodate EHRs. Since many physician and hospital groups continued to protest that they had not gone far enough, however, CMS and OIG significantly changed the rules before publishing them in final form last month.

On October 11, 2005, CMS originally proposed two new exceptions to the Stark law. One of the new exceptions covered electronic prescribing (e-prescribing) technology and the other, in two parts, covered EHRs. The final regulations still keep the e-prescribing and EHR exceptions separate but simplify and liberalize the EHR exception significantly.

In the final rule, CMS abandoned its complex and unnecessary bifurcated approach that originally envisioned a narrow transitional “pre-interoperability exception” sunsetting in favor of a broader “post-interoperability exception” once appropriate certification criteria were adopted and the technology certified.

The final single exception protects software “necessary and used predominantly” for EHR creation, maintenance, transmission or receipt. Software packages may include functions related to patient administration, such as scheduling functions, billing, and clinical support, as well as directly related information technology and training services, such as internet connectivity and help desk support services (but not the providing of staff to physicians’ offices). The EHR software must include an e-prescribing component or the ability to interface with the physician’s existing e-prescribing system that complies with the CMS foundation standards under Medicare Part D, and it must be interoperable. Parties wishing to avoid uncertainty can use a “deeming” rule for interoperability if the software is certified by an HHS-recognized certifying body.

Donor Entities

In the proposed regulations, CMS had originally required that the EHR exception apply to the same three narrow protected categories of donors and recipients that governed the e-prescribing exception. The final rule expands the categories of protected donors considerably to include any entity that furnishes DHS to any physician, a change that extends protection to many types of health care facilities but still stops short of protecting pharmaceutical manufacturers and regional health information organizations (RHIOs) as donors.

Hospitals and other donor entities would be able to select physicians to receive EHR technology, and make determinations on what and how much to provide, based on criteria not directly related to referral volume or value or other business generated. This means hospitals and other donor entities could choose which physicians will be given what technology based on considerations like the following: total number of prescriptions written, medical practice size, total hours spent practicing medicine and/or the physician’s overall use of automated technology. In addition, CMS made it clear that a physician’s membership on a hospital’s medical staff would be regarded as an acceptable basis for the hospital to select the physician as a technology recipient.

The final rule does contain some new limitations. Physician recipients must pay 15 percent of the donor’s cost for the donated EHR technology and training services. Hospitals and other donors may not finance the physician recipient’s payment or loan funds to the physician to pay for them. Finally, the EHR exception, as a whole, sunsets on Dec. 31, 2013.

On Oct. 11, 2005, when CMS proposed its Stark law exceptions, the OIG proposed a new safe harbor under the anti-kickback statute for e-prescribing and additional safe harbors for interoperable EHR software and information technology and training services. The OIG’s proposed safe harbors generally paralleled the Stark exceptions that CMS had proposed, with as much consistency as is possible given the differences in the two underlying statutes. In its final rule, the OIG has continued to do so, and its EHR safe harbor conditions are closely similar to those in the CMS Stark exception already described.


Congress and HHS have seized the opportunity to encourage the development of EHR networks by creating broad Stark exceptions and anti-kickback statute safe harbors for provision of health information technology below cost by a medical facility to physicians as long as it increases patient safety and is interoperable. While problems of coordinating and implementing the new exceptions and safe harbors remain for healthcare donors and physician recipients, the new final rules represent a significant practical improvement over those proposed nine months ago.

