Cybersecurity AKS Safe Harbor and Stark Exception

Michael A. Cassidy
Tucker Arensberg, P.C.
December 2, 2020

EHR Safe Harbor Permanent

The existing electronic health records items and services Safe Harbor in 42 CFR Section 1001.952(y) was amended by deleting the sunset provision, thereby making the protection permanent.

Cybersecurity Technology and Services

A new Safe Harbor for cybersecurity and technology services is added in 42 CFR Section 1001.952(jj) to facilitate improved cybersecurity.  The announcement states the healthcare sector is one of the most targeted industry sectors and that data breaches may have cost U.S. hospitals $6.2 billion in 2015 and 2016 – although these regulations will not be effective until 2021!

The new Safe Harbor provides that “remuneration” will not include non-monetary remuneration consisting of cybersecurity technology and services “necessary and used predominantly to implement, maintain or reestablish effective cybersecurity” if:

1. The donor does not take into account the value or volume of referrals or other business in determining eligibility and is not conditioned upon future referrals.
2. The recipient does not make the donation a condition of doing business with the donor.
3. A general description of the donation and the recipient’s contribution, if any, is set forth in writing and signed by the parties.
4. The donor does not shift the costs of the donation to a federal healthcare program.

Cybersecurity is defined as the process of protecting information by preventing, detecting and responding to cyberattacks.

Technology is defined as software or other types of information technology(?)

The Stark Exceptions definitions have been amended to add “cybersecurity technology and related services” in 42 CFR Section 411.351(bb) as an exception to prohibited compensation arrangements, but retains the requirement that physicians bear 15% of the costs.