Attorneys in Pittsburgh, Harrisburg, New York City

Anti-Kickback EHR and Cybersecurity Safe Harbor

Articles, Privacy, Technology and Data Security

As another part of the Regulatory Sprint to Coordinated Care, OIG proposed revisions to the existing EHR Anti-Kickback Safe Harbor and added a cybersecurity component. 

The initial EHR Safe Harbor was developed in response to President George W. Bush’s 2004 initiative to extend EHR nationwide within 10 years, i.e. 2014.  The proponents of those EHR regulations presumably thought the task would be completed within that time frame, because the initial proposal had a 10 year sunset, i.e. 2014.  In 2014, the sunset was extended until 2021.  The math wizards among us recognize that as 17 years and counting, which suggests perhaps a marathon to coordinated care, or perhaps a Never Ending Story.

The concept allowed a health system to provide hardware, software and access to centralized ERH systems to physicians on related medical staffs without that “benefit” being considered as remuneration in exchange for referrals in violation of the Anti-Kickback statutes.  Apparently Parkinson’s Law of “work expanding to fill the available time” also applies to IT systems, and the computer corollary that data expands to fill the available space.  These goals have obviously been complicated by the continuing expansion of coordinated healthcare, quality incentive programs, and now “value-based enterprises”. 

The Safe Harbor in 42 CFR Section 1001.952(y) has been amended in two ways:

  1. The sunset provisions have been permanently deleted, presumably in recognition of the reality that this is not a “finite” task that will eventually be completed; just think how the GPS in your car has evolved to become a self-driving vehicle.
  2. The addition of cybersecurity protection by the change of the definition to state that remuneration will not include non-monetary items consisting of items and services for information technology, trading services, and cybersecurity software and devices. 

There is no comparable Stark change to the EHR Safe Harbor because of the nature of the prohibitions.  Stark prohibits physicians from making referrals to financial entities; provision of EHR by a healthcare system is not a physician referral.  The potential fraud or inducement risk of providing EHR was that it could be seen as remuneration in exchange for referrals. 

For additional information contact Mike Cassidy.