The Stark Law Cybersecurity Exception
First, let’s take a look at cybersecurity and the Stark Law. Under the 2020 rule creating a Stark law exception for the donation of cybersecurity software and services (the Cybersecurity Exception), a core consideration is whether or not the “cybersecurity software and services … are necessary and used predominantly to protect health records.”
The Cybersecurity Exception is found at 42 C.F.R. § 411.357(bb): Cybersecurity technology and related services. This provision expressly states:
- Nonmonetary remuneration (consisting of technology and services) necessary and used predominantly to implement, maintain, or reestablish cybersecurity [will meet the Stark exception and not violate the law], if all of the following conditions are met:
(i) Neither the eligibility of a physician for the technology or services, nor the amount or nature of the technology or services, is determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties.
(ii) Neither the physician nor the physician's practice (including employees and staff members) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor.
(iii) The arrangement is documented in writing.
- For purposes of this paragraph (bb), “technology” means any software or other types of information technology.
All of the requirements of an applicable exception, including the Cybersecurity Exception, must be evaluated and applied in light of the specific facts and circumstances.
One important aspect of the Stark Law is 42 C.F.R. § 411.354(c)(1), the “stand in the shoes” concept, because “each physician who stands in the shoes of the physician organization is deemed to have the same compensation arrangement at the physician organization.” In essence, the “stand in the shoes” concept means that where the intermediary receiving the payment has an ownership or investment interest nexus to its physician, the physician owner is deemed to “stand in the shoes” of the organization, so an indirect compensation relationship may exist. Therefore, a donation of cybersecurity software or services can be a “direct” or “indirect” type of compensation, and it needs to fall within the Cybersecurity Exception.
The AKS Cybersecurity Safe Harbor
Just as the Centers for Medicare & Medicaid Services (CMS) clarified that certain cybersecurity technology and related services donations are permissible so long as the Stark Law’s Cybersecurity Exception is met, the Department of Health and Human Services’ Office of Inspector General (OIG) set forth that the same types of nonmonetary cybersecurity donations are permissible so long as the AKS’ new safe harbor, the Cybersecurity Safe Harbor, is met. The AKS, which carries the potential for both civil and criminal liability, uses safe harbors; these are akin to exceptions under the Stark Law, a civil, strict liability law. The Cybersecurity Safe Harbor can be found at 42 C.F.R. § 1001.952(jj). Among other provisions, donation terms must be set forth in writing and be “necessary and used predominantly to implement, maintain, or re-establish effective cybersecurity.”
The Cybersecurity Safe Harbor states:
(jj) Cybersecurity technology and related services. As used in section 1128B of the Act, “remuneration” does not include nonmonetary remuneration (consisting of cybersecurity technology and services) that is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity if all of the conditions in paragraphs (jj)(1) through (4) of this section are met.
- The donor does not:
(i) Directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services, or the amount or nature of the technology or services to be donated; or
(ii) Condition the donation of technology or services, or the amount or nature of the technology or services to be donated, on future referrals.
- Neither the recipient nor the recipient's practice (or any affiliated individual or entity) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor.
- A general description of the technology and services being provided and the amount of the recipient's contribution, if any, are set forth in writing and signed by the parties.
- The donor does not shift the costs of the technology or services to any Federal health care program.
- For purposes of this paragraph (jj) the following definitions apply:
(i) Cybersecurity means the process of protecting information by preventing, detecting, and responding to cyberattacks.
(ii) Technology means any software or other types of information technology.
Prior to these respective cybersecurity exceptions/safe harbors, there was no express text in the regulations specific to cybersecurity goods and related services donations.
New Exception/Safe Harbor Distinct from EHR Donation Ones
Notably, the new Cybersecurity Exception and Safe Harbor are distinct from the already existing electronic health record (EHR) Stark Exception and EHR AKS Safe Harbor, which pertain to donations of EHRs (and which were refined in the 2020 rules to address, among other things, interoperability and donor contributions). First, recipients of cybersecurity software or services are not required to contribute to the cost of the donated cybersecurity technology or services, “while the EHR exception retains the [15 percent] cost contribution requirement” for EHR items or services donations. Also, “a physician need not pay the 15 percent cost contribution for cybersecurity technology and services donated in conjunction with electronic health records items and services if the donation of the cybersecurity technology or services satisfies all the requirements of final § 411.357(bb).”
Impact of the new Cybersecurity Exception and Safe Harbor
Given the government’s interest in thwarting traditional fraud, waste, and abuse under the AKS and Stark Law, as well as its emphasis on cybersecurity, it is more likely than not that more False Claims Act cases will be brought claiming that the Stark Law or the AKS was violated because the Cybersecurity Safe Harbor/Exception requirements were not met.
Because the DOJ’s Civil Cyber-Fraud Initiative includes traditional kickbacks, indirect relationships and compensation are relevant in assessing whether or not a particular exception/safe harbor is met. When one reads the Stark Cybersecurity Exception and the AKS Cybersecurity Safe Harbor in pari materia (that is, in conjunction with one another), commonalities emerge. First, there can be no expectation of future referrals, and the arrangement cannot be premised on the volume or value of referrals or on a requirement to do business with the donor. Second, both the AKS Cybersecurity Safe Harbor and the Stark Cybersecurity Exception require a written arrangement.
In a March 8, 2022 settlement, medical services provider Comprehensive Health Services (CHS) agreed to pay $930,000 to settle False Claims Act allegations relating to medical services at State Department and Air Force facilities in Iraq and Afghanistan. CHS had submitted claims for the cost of a secure EHR system to store patients’ confidential medical information. Among other things, CHS failed to disclose that it did not consistently store patient medical records on the secure EHR system and, even after staff expressed concerns, did not take adequate steps to store the information exclusively on that system.
While the CHS case did not involve either kickbacks or other alleged violations of the Stark Law and AKS, the DOJ’s Cyber-Fraud Initiative includes civil fraud enforcement – an area that has long included Stark Law and AKS violations. Prior to the promulgation of the new Cybersecurity Exception and Safe Harbor, in January 2019 the DOJ announced a $63.5 million settlement with Inform Diagnostics involving allegations of AKS and Stark Law violations for “providing to referring physicians subsidies for electronic health records (EHR) systems and free or discounted technology consulting services” that were not in accordance with the requirements of the EHR Donation Stark Exception and AKS Safe Harbor. These settlements may require an entity’s compliance program to be more comprehensive and its due diligence process to be more thorough when it comes to cybersecurity.
Compliance and Due Diligence Considerations
In healthcare, compliance programs to address fraud, waste, and abuse are not new. In 1998, the OIG issued a bulletin, which stated, “[t]o the extent that any obligations required by the CIA [corporate integrity agreement] replicate provisions that already exist in an entity’s own voluntary corporate compliance program, those provisions may be deemed acceptable for the purpose of the entity meeting its obligations under the CIA.” The goal was to promote self-disclosure of violations to the OIG and emphasize the importance of adopting compliance programs.
The OIG is not alone in its focus on corporate compliance programs. In June 2020, the DOJ’s Criminal Division updated a specific section of the Justice Manual, Evaluation of Corporate Compliance Programs (Justice Manual). The Justice Manual sets forth specific factors that prosecutors should consider throughout the process of investigations, plea negotiations, and/or other agreements. “These factors include ‘the adequacy and effectiveness of the corporation’s compliance program at time of the offense, as well as at the time of a charging decision’ and the corporation’s remedial efforts ‘to implement an adequate and effective corporate compliance program or to improve an existing one.’” Having an effective compliance program in place is also considered when calculating an organization’s criminal fine under the United States Sentencing Guidelines.
Compliance programs need to be adjusted to ensure that all of the requirements of Stark Law exceptions and AKS safe harbors are being met, while always placing an emphasis on protecting patient information, patient well-being, and delivering patient care. Appreciating that compliance programs can be mitigating factors in False Claims Act, criminal, and/or OIG actions, here are some suggestions for updating compliance programs to reflect the Stark Cybersecurity Exception and the AKS Cybersecurity Safe Harbor:
- Train workforce members on the requirements of these new provisions;
- Update policies and procedures to reflect that while cybersecurity donations related to goods or services are permissible, the arrangement must be set out in writing, not be based on volume or value of referrals, and not have the motivation of increasing business; and
- Include in the training, the policies and procedures, and the written agreements the difference between the cybersecurity provisions and the EHR Donation Stark Exception and AKS Safe Harbor, including whether or not a contribution from the recipient is required and why.
When conducting due diligence on a company’s IT and cybersecurity compliance program, lawyers and third-party experts should consider performing the following:
- Review all past cybersecurity audits, which typically include the past five years of a company’s annual HIPAA Risk Analysis, PCI DSS audits, and/or SOC 2 Type 2 reports (Cybersecurity Audits).
- Evaluate a company’s HIPAA and cybersecurity training programs, relevant contracts, and policies and procedures in conjunction with the Cybersecurity Audits to evaluate downstream risk.
- Obtain a thorough understanding of the company’s business model, including but not limited to its services provided, patients served, payors billed, relationships with physicians, relationships with any marketing and business development firms, and key vendor relationships. Any cybersecurity goods or services and/or EHR donations need to be evaluated in the context of the Stark Law Cybersecurity and EHR exceptions and the AKS Cybersecurity and EHR safe harbors, especially in terms of key vendor relationships.
- Obtain an understanding of the company’s current compliance program to see if it meets the requirements set forth in the DOJ’s Justice Manual, including but not limited to reviewing any manuals and documents, interviewing key personnel responsible for developing and monitoring the compliance program, and reviewing how the company performs fraud, waste, and abuse training, how it monitors compliance, and how it detects and corrects any non-compliance.
- Perform an assessment of the company’s business model and activities that may have the potential for above average risk and discuss with management how it addresses and mitigates these susceptible areas in relation to cybersecurity and fraud, waste, and abuse. These may include relationships with key vendors and others regarding donated cybersecurity services and products, relationships with marketing and business development firms, and relationships with physicians for medical directorships and marketing and administrative services.
- Specific to its IT systems and cybersecurity threats, determine how the company restricts access to critical IT systems, how it protects its IT data, how it stores, retrieves, and distributes IT data, and how it protects itself against potential cybersecurity threats. Also, obtain an understanding of any third-party IT firms and cybersecurity firms it uses.
- Interview the company’s personnel involved in business development, finance, compliance, and operations to determine if the company’s compliance program is actually put in use. Also review documents for proper approvals regarding key vendor relationships, physician relationships, marketing and development relationships, and other potentially risky areas and relationships.
- Determine if any government, payor, and/or other investigations have been initiated against the company, and their outcomes.
Conducting adequate and comprehensive due diligence up front may mitigate risk and liability for both parties on the back end of a deal in terms of government investigations, cybersecurity breaches, and/or violations of a deal’s contractual terms.
Conclusion
Cybersecurity, Stark Law requirements, AKS considerations, and enforcement actions under the False Claims Act are not going away and will increasingly intersect. The best way for healthcare organizations to protect themselves against a government enforcement action or lawsuit is to cultivate a culture of compliance, have appropriate written agreements in place, and train workforce members on the policy and procedure updates that reflect the Stark Cybersecurity Exception and the AKS Cybersecurity Safe Harbor, as well as the EHR Donation Exception and Safe Harbor to the extent they apply. These issues will only continue to garner attention, and the ramifications of not having the appropriate safeguards in place may range from criminal liability to an over-valuation, which can lead to downstream lawsuits. Therefore, taking measures now to comply is paramount to reducing the risk of an adverse action.