Industry Groups Call for Anti-Kickback Waiver for Cybersecurity Tech

Oct. 31, 2018
Several healthcare and health IT industry groups are calling for a wavier under anti-kickback rules to enable the donation of healthcare cybersecurity technology and services to help improve the cybersecurity posture of providers and promote secure data exchange.

Several healthcare and health IT industry groups are asking the U.S. Department of Health and Human Services (HHS) to create a wavier under anti-kickback rules to enable the donation of healthcare cybersecurity technology and services to help improve the cybersecurity posture of providers and promote secure data exchange.

The HHS Office of the Inspector General (OIG) issued a request for information (RFI) August 27 to gather stakeholder feedback on how to address modernization of the federal Anti-Kickback Statute to advance beneficial value-based health care. The OIG RFI contained a broad range of questions and topics the agency wants stakeholders to comment on, including potential arrangements that the industry is interested in pursuing, such as care coordination, value-based arrangements, alternative payment models, arrangements involving innovative technology, and other novel financial arrangements that may implicate the anti-kickback statute or beneficiary inducements civil monetary penalty (CMP).

According to the RFI, HHS OIG also wants to know what types of incentives providers and suppliers are interested in providing to beneficiaries and how those incentives would improve care quality, care coordination, and patient engagement. The RFI’s comment period ended October 26.

The Federal Anti-kickback statute provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive remuneration to induce or reward the referral of business reimbursable under Federal healthcare programs.

While the OIG is seeking input on the broader question of removing regulatory barriers to care coordination, the College of Healthcare Information Management Executives (CHIME) and the Healthcare Sector Coordinating Council (HSCC) both provided comments on how OIG can take steps to improve cybersecurity in healthcare.

Specifically, CHIME and HSCC both noted, in their letters, that cybersecurity threats pose a significant risk to patient safety and called on HHS to create a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology and services to help improve the cybersecurity posture of providers, better protect patient information, improve patient safety, encourage secure data exchange, and help fortify the sector from growing global threats.

“The security of the healthcare system is only as strong as its weakest link, so it would benefit the entire healthcare industry to support the provision of cybersecurity resources outside of large health systems. Doing so would help to protect a community’s larger systems, as well as the affiliated small and medium-sized practices,” the HSCC wrote.

“Creating a waiver under the anti-kickback rules that allows for the donation of cybersecurity technology (both hardware and software), training, and tools to providers (i.e. under-resourced or less sophisticated ones) will improve the overall cybersecurity posture of our industry and will help guard against cyberattacks that threaten patient safety,” HSCC wrote.

HSCC also recommended that OIG work with public and private sector subject matter experts to develop a specific definition of cybersecurity technology when developing this exception.

CHIME also supports a stand-alone cybersecurity safe harbor that permits the donation or related items and services. Both CHIME and HSCC noted that a safe harbor is particularly needed for small to mid-sized healthcare providers and under-resourced providers that do not have the necessary cybersecurity resources or expertise.

“Many providers, especially smaller ones, have taken advantage of the option to accept donated electronic health records (EHRs) as a result of the safe harbor permitting this. A likeminded safe harbor for cybersecurity would thus be welcomed by some of our members,” CHIME wrote.

While some have discussed the notion of modifying the existing EHR safe harbor, CHIME recommends a separate, stand-alone safe harbor specifically designed for the purposes of supporting the donation of cybersecurity items and services. CHIME also recommends that OIG anti-kickback requirements and safe harbors be aligned with Federal Trade Commission (FTC) requirements for clinically integrated networks (CINs).

In its comments, the medical device trade group AdvaMed (Advanced Medical Technology Association) noted that the Anti-Kickback Statute has not been updated to keep pace with changes to reimbursement under federal health care programs, and this creates real-world risks for healthcare organizations when engaging in “legitimate, good-faith arrangements necessary to coordinate care, control costs and improve outcomes, absent clear safe-harbor protection.”

AdvaMed is calling for new safe harbor protections for value-based pricing and warranty arrangements to allow vendors to provide free mobile apps, training and other services to providers to assist with care coordination and to promote the goals of value-based care.

athenahealth, the EHR and practice management software company, also submitted comments in response to the RFI, specifically requesting a carve-out in Stark and anti-kickback laws that would let providers pay “fair market value” for the exchange of patient data. “The new exceptions under the Anti-Kickback Statute and Stark Laws will allow for a true functioning market for the exchange of health information,” Greg Carey, athenahealth's director of government and regulatory affairs, wrote.

Patient data transfer most frequently occurs in the context of a care referral and any accompanying transfer of value is prohibited under the Stark and/or anti-kickback laws, which forces “the curator of quality data” to “assume the cost of electronic transfer of information to a recipient.” Essentially, the sender of the data ends up paying for the “privilege of sending data electronically to a recipient,” which operates as an "effective economic disincentive to information sharing in healthcare,” Carey wrote in the letter.

"It is our experience that information exchange occurs best when there is a business case and problem to solve. We believe that new safe harbors to Stark and Anti-Kickback statute to allow for the fair market value payment for the exchange of health data will spur interoperability forward and allow the market to further realize the benefits of health IT on lowering costs and improving patient outcomes,” Carey wrote.