New Stark Law And Anti-Kickback Statute Protections For Cybersecurity Technology


This Commentary is part of a series of nine
Commentaries on the newly finalized Stark Law and Anti-Kickback
Statute exceptions and safe harbors seeking to remove regulatory
barriers to care coordination.

In Short

The Situation: The adoption of new technologies
has been a hallmark of the health care industry in the twenty-first
century. While these technologies have helped to improve both
industry efficiency and patient outcomes, the growing use of
technology also makes the industry increasingly vulnerable to
cyberattacks. Unfortunately, cybersecurity technology and services
to combat the threat of cyberattacks can be prohibitively expensive
for many health care providers and others.

The Action: In simultaneously released final
rules containing virtually identical requirements, the Department
of Health and Human Services Office of Inspector General
(“OIG”) and the Centers for Medicare & Medicaid
Services (“CMS”) have codified the new Anti-Kickback
Statute (“AKS”) safe harbor and Stark Law exception
permitting stakeholders to donate cybersecurity technology and
services to entities with which they interact. In doing so, they
aim to address cybersecurity threats impacting donors and
recipients, to protect against inadvertent disclosure of sensitive
patient information and corruption of health records, and to
preserve quality of care.

Looking Ahead: Now that the final rules have
been published, stakeholders should consider ways in which the
sharing of cybersecurity technology and services with other
entities could help reduce the risk of cyberattacks. When
structuring donations of cybersecurity technology or services,
stakeholders should carefully review the final rules to promote
compliance with all applicable requirements.

The Cybersecurity Technology and Related Services Safe Harbor
(§ 1001.952(jj)) and Exception (§ 411.357(bb))

In October 2019, OIG and CMS published two proposed rules containing highly
anticipated updates to the longstanding AKS and Stark Law
regulations (“Proposed Rules”). Among many other reforms,
the Proposed Rules introduced an AKS safe harbor and a parallel
Stark Law exception that would protect certain nonmonetary
remuneration in the form of donation of cybersecurity technology
and services. Given the increasing frequency of cybersecurity
attacks involving the health care industry, the Proposed Rules
promoted arrangements that would protect patients, and the health
care system overall, from such attacks.

In November 2020, OIG and CMS issued their respective final
rules, codifying the AKS safe harbor and Stark Law exception for
the donation of cybersecurity technology and services (“Final
Rules”). Although the OIG and CMS rules are phrased slightly
differently, they contain the same substantive requirements for the
protection of these arrangements. While the safe harbor and
exception were largely adopted as proposed, the Final Rules do make
a few adjustments:

  1. Definition of “cybersecurity
    As indicated above, the Final Rules
    protect the donation of “cybersecurity technology and
    services.” The Proposed Rules had defined such technology to
    include any software or other types of information technology,
    other than hardware; however, the Final Rules do not
    except hardware from the types of technology that may be donated.
    The Final Rules were modified in response to public comments,
    allowing donated hardware to fall within the safe harbor/exception
    as long as it is “necessary and used predominantly” for
    effective cybersecurity and meets all the necessary

  2. Alternate Proposal Regarding Cybersecurity
    Since the definition of “technology”
    under the Proposed Rules did not include hardware, the agencies had
    solicited comments on an alternate proposal allowing the donation
    of hardware if it was “reasonably necessary based on a risk
    assessment of the donor and recipient.” Given that the revised
    definition of “technology” in the Final Rules now allows
    for hardware donations, this alternative is not necessary.

  3. Protected Donors: While the Proposed Rules did
    not restrict the types of individuals and entities qualifying for
    protection under the safe harbor and exception, the agencies
    indicated they would consider adding restrictions if deemed
    necessary. The agencies ultimately did not incorporate any
    additional restrictions in the Final Rules; the safe harbor and
    exception protect all donors, without any limitations, as long as
    the other conditions of the Final Rules are met.

  4. Permitted Recipients:
    Similarly, the Proposed Rules protected donations of cybersecurity
    technology and services to any individual or entity without
    limitation, even if the recipient was a patient. The agencies
    indicated that they might consider additional safeguards if deemed
    necessary. Commenters suggested safeguards ranging from a monetary
    limit on donations to restrictions against
    “multifunctional” software or devices, but the agencies
    ultimately rejected these suggestions. The Final Rules do not limit
    the types of entities or individuals that may receive donations of
    cybersecurity technology and services.

  5. Recipient Contribution: The
    agencies received numerous comments on the Proposed Rules regarding
    whether to require recipients to contribute to the cost of the
    donated cybersecurity technology or services. While the Proposed
    Rules did not require recipient contributions, the Electronic
    Health Records (“EHR”) safe harbor and exception (42
    C.F.R. §§ 1001.952(y) and 411.357(w)) do require the
    recipient to pay 15% of the donor’s cost for the EHR items and
    services provided. In response to the comments received, the
    agencies ultimately determined that (i) given the wide variety of
    cybersecurity technology and services that may be provided, it is
    often not practical to require a minimum contribution from
    recipients; (ii) the cybersecurity safe harbor/exception includes
    other conditions that prevent abuse or potential anti-competitive
    behavior; and (iii) donors are still free to require recipients to
    contribute to the cost of the technology or services provided.


These long-awaited Final Rules protecting cybersecurity
technology and services provide an opportunity for stakeholders to
establish a robust cybersecurity network, regardless of any one
entity’s ability to independently invest in such technology.
While the agencies have drafted the final safe harbor and exception
broadly to give stakeholders flexibility, stakeholders should
carefully review the Final Rules when structuring donations of
cybersecurity technology or services to promote compliance with all
applicable requirements.

Three Key Takeaways:

  1. OIG and CMS have finalized the new AKS safe harbor and new
    Stark Law exception that protect certain donations of cybersecurity
    technology and related services.

  2. Through the new exception and safe harbor, OIG and CMS seek to
    enable the development of a robust cybersecurity network that
    protects personally identifiable health information and other
    confidential health data, even among small and under-resourced
    providers. To further these goals, OIG and CMS have proposed broad
    definitions that permit the donation of both cybersecurity software
    and hardware, as long as certain conditions are met.

  3. Stakeholders should carefully review the Final Rules to
    determine how to promote compliance with all applicable
    requirements when structuring donations.

Originally published January 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
