White Paper: OIG Finalizes New and Revises Existing AKS Safe Harbors and Creates New CMP Law Exception
On 2 December 2020, the Office of Inspector General (OIG) in the U.S. Department of Health & Human Services (HHS) issued a long-awaited final rule (the Final Rule or Rule).3The Final Rule adds multiple new safe harbors, revises several existing safe harbors under the federal Anti-Kickback Statute (AKS), and adds new protections under the Civil Monetary Penalties Law (CMP Law) which were first addressed in the 17 October 2019 proposed rule.4 The Final Rule is a key part of HHS’s Regulatory Sprint to Coordinated Care, which aims to remove potential regulatory barriers to care coordination and value-based care created by applicable health care laws. HHS identified the broad reach of the AKS and the prohibition on beneficiary inducements in the CMP Law as potentially inhibiting beneficial arrangements that would advance the transition to value-based care and improve the coordination of patient care among providers and across care settings in the context of both Federal health care programs and the commercial sector. This client alert details (i) three new safe harbors under the AKS (note that additional value-based care rules are addressed in a separate white paper), (ii) four modifications to existing AKS safe harbors, and (iii) new protections under the CMP Law related to telehealth technologies and End Stage Renal Disease (ESRD ) patients.
This white paper details the new safe harbors, the changes to well-known and existing safe harbors, and new protection provided related to inducements to beneficiaries. All of the OIG’s updates and modifications in the Final Rule are aimed at removing barriers to more efficient and effective patient care and emphasizing improved care coordination and management.
I. New Safe Harbors
CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient Incentives
(42 C.F.R. § 1001.952(ii))
The OIG is finalizing the protections extended to certain Centers for Medicare and Medicaid Services-(CMS)-sponsored model arrangements to (i) permit remuneration between and among parties to arrangements under models currently being tested by CMS, the Center for Medicare and Medicaid Innovation and the Medicare Shared Savings Program and (ii) permit certain incentives and supports provided by CMS model participants to patients under the CMS-sponsored model.5 The new safe harbors reduce the need for the OIG to issue separate fraud and abuse waivers for each CMS-sponsored model and is designed to provide greater uniformity across models.
The OIG is revising the introductory text of paragraphs 1001.952(ii)(1) and (2) to clarify that CMS determines the specific types of financial arrangements and incentives to which safe harbor protection will apply; safe harbor protection will not necessarily apply to every possible financial arrangement or incentive that CMS-sponsored model parties may wish to implement as they participate in the Medicare Shared Savings Program or another Innovation Center model.
- Key requirements of the new safe harbor for CMS-sponsored model arrangements include:
- CMS-sponsored model participants must reasonably determine that the arrangement will advance one or more goals of the CMS-sponsored model;6
- The exchange of value between or among the parties must not induce the parties to (i) provide medically unnecessary items or services or (ii) limit medically necessary items or services;7
- Any remuneration that is offered, paid, solicited, or received in return for, or to induce or reward, any referrals or other business generated outside the CMS-sponsored model is prohibited;8
- The parties must set forth the terms of the arrangement in a signed writing in advance of, or contemporaneously with, the commencement of the arrangement;9
- Parties to the arrangement must make available to the Secretary of HHS materials and records sufficient to establish whether the remuneration exchanged between the parties was done so in a manner consistent with the conditions of the safe harbor;10 and
- The participants must satisfy such other programmatic requirements as may be imposed by CMS in connection with the use of the safe harbor.11
- Key requirements of the new CMS-Sponsored Model Patient Incentives safe harbor include:12
- The participant must reasonably determine that the patient incentive will advance one or more goals of the CMS-sponsored model;13
- The patient incentive must have a direct connection to the patient’s healthcare unless the participation documentation expressly specifies a different standard, in which case that standard must be met;14
- The participant must maintain documentation sufficient to establish whether the patient incentive was distributed in a manner that meets the safe harbor;15 and
- The participant must satisfy such other programmatic requirements as may be imposed by CMS in connection with the use of the safe harbor.16
Unlike current waivers for CMS-sponsored model arrangements, which are tailored to a particular model and may be limited in duration, the duration of the safe harbor would correspond to the duration of the CMS-sponsored model itself. Thus, the arrangement would be protected for the period under which a CMS-sponsored model participant participated in a CMS-sponsored model but would not protect remuneration exchanged after the CMS-sponsored model ends.17 This safe harbor is intended to provide greater uniformity across models and to reduce the need for separate OIG fraud and abuse waivers for new CMS-sponsored models.
The Final Rule specifies that the patient incentive must have a direct connection to the patient’s health care unless the participation documentation expressly specifies a different standard, in which case that standard must be met. The safe harbor also provides at paragraph 1001.952(ii)(2)(iii) that an individual other than the CMS-sponsored model participant or its agent may furnish an incentive to a patient under a CMS-sponsored model if that is specified by the participation documentation.
In addition, the definition of “CMS-sponsored model arrangement” is clarified to refer to “a financial arrangement,” thereby further explaining the parameters of CMS-sponsored model arrangements.18
Unlike current individual waivers for CMS-sponsored model arrangements, which are tailored to a particular model and may be limited in duration, the duration of the safe harbor would correspond to the duration of the CMS-sponsored model itself. Comparatively, patient incentives protected under the safe harbor would be protected for only the period of participation in the CMS-sponsored model.19
Cybersecurity Technology
(42 CFR §1001.952(jj))
The OIG creates a new safe harbor to allow for the donation of nonmonetary remuneration in the form of cybersecurity technology, defined as the process of protecting information by preventing, detecting, and responding to cyberattacks. Included within the scope of covered technology is any software or other type of information technology.20 The safe harbor has the following key requirements:
- The donated technology or services must be necessary and used predominantly to implement and maintain effective cybersecurity. The OIG further clarifies that the technology or services must have the ability to detect and prevent cyberattacks.
- The donor must not take into account the volume or value of referrals or business between the parties when making the determination of recipients. Donations or solicitations of cybersecurity technology and services conditioned on business or in exchange for Federal health care program referrals would not be protected by this new safe harbor.21
- Neither the recipient, nor the recipient’s medical practice, may condition the receipt of such donated technology or services on doing business or continuing to do business with the donor. The OIG is not proposing a recipient contribution requirement under this provision akin to what is required under the Electronic Health Records safe harbor.22 However, the OIG notes that donors may require a recipient contribution as long as such a requirement does not take into account the volume or value of referrals between the parties.
- The arrangement must be documented in writing. Specifically, the donor and recipient must enter into a signed, written agreement that includes a general description of the donated technology and services, whether the parties share financial responsibility for the technology or services, and, if so, the extent of such shared responsibility. Through this final writing requirement, the OIG clarifies that it does not intend to: (i) introduce any fair market value requirement; (ii) force parties to determine the fair market value of the donation; or (iii) compel the parties to hire a valuation consultant.
The Final Rule makes several organizational changes here to ensure consistency with the Electronic Health Records (EHR) safe harbor. As finalized, the introductory paragraph of the cybersecurity safe harbor now mirrors the introductory paragraph in the EHR safe harbor at paragraph 1001.952(y), which provides that donated items or services must be necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records. In the commentary, the OIG emphasizes the importance of this consistency insofar as certain cybersecurity software may be able to be donated under either safe harbor.
Of note, in contrast to OIG’s proposed rule and based on the OIG’s review of public comments, the Final Rule allows for certain hardware to be protected by the safe harbor. With this said, the OIG notes that, in most cases, multifunctional hardware would not be used predominantly for effective cybersecurity and thus would fall outside the scope of protection of this safe harbor. For instance, software that provides a physician secure access to a hospital’s computer system may be protected, but software that has multiple functions, only one of which is cybersecurity, would not meet the necessary and predominantly used standard.
Accountable Care Organization (ACO) Beneficiary Incentive Program
(42 CFR 1001.952(kk))
The OIG finalizes a new safe harbor to codify the statutory exception to the definition of “remuneration” at section 1128B(b)(3)(K) of the Act, which was added under section 50341 of the Budget Act of 2018, for ACOs operating a CMS-approved beneficiary incentive program under the Medicare Shared Savings Program.23 The Final Rule clarifies that (i) an ACO may furnish incentive payments only to assigned beneficiaries and (ii) the statutory language requirement that, “the payment is made in accordance with the requirements of such subsection [section 1899(m) of the Act],” means, “the incentive payment is made in accordance with the requirements found in such subsection.”24 Accordingly, the OIG interprets this statutory requirement to mean that all of the requirements enumerated at section 1899(m) of the Act—related to both the ACO Beneficiary Incentive Programs and incentive payments made pursuant to such programs—must be satisfied.
The OIG does not propose any additional safe harbor conditions that incentive payments would have to satisfy.
II. Amendments to Existing Safe Harbors
Personal Services and Management Contracts and Outcomes-Based Payment Arrangements
(1001.952(d))
The OIG is finalizing several modifications to the safe harbor for personal services and management contracts with the goal of minimizing existing barriers to certain care coordination and value-based arrangements:
Eliminating Requirements that Aggregate Compensation Be Set in Advance25
The requirement that aggregate compensation personal services and management contracts must be set in advance was designed to lessen the chances of payment for referrals. However, to encourage innovative arrangements, the OIG is modifying this requirement. Rather than directing that aggregate compensation must be set in advance, this requirement is replaced with a requirement that only the methodology for determining compensation must be set in advance, which allows some flexibility related to crafting these contracts and aligns with the requirements for “set in advance” under the Stark Law. Compensation would still need to be commercially reasonable, reflect fair market value, and not take into account the volume or value of referrals. Of note, this change applies to all types of personal services arrangements, not just arrangements that are value-based or outcomes driven.
Eliminating Requirement to Specify Schedule of Part-Time Arrangements26
Similarly, the OIG is eliminating the requirement that agreements for periodic, part-time or sporadic services set forth in advance the exact schedule of such time periods, their length, and the exact charge for same. The OIG notes that this will also provide parties additional flexibility for entities to enter into bona fide arrangements providing legitimate services, and that other safeguards within the safe harbor are sufficient to protect against abuse.27
Protecting Outcomes-Based Payments28
The OIG is protecting outcomes-based payments in particular scenarios in order to support new payment models that promote the shift to value-based arrangements. “Outcomes-based payments” are defined as “…a reward for successfully achieving an outcome measure or a recoupment or reduction in payment for failure to achieve an outcome measure.”29 However, the OIG excludes payments made by pharmaceutical companies, PBMs, laboratories, compounding pharmacies, or manufacturers, distributors, or suppliers of DMEPOS from reliance on this safe harbor.30 The OIG acknowledges that these entities may indeed find legitimate uses for outcome-based payments, but notes its concern that the safe harbor modification in this area is not tailored to outcome-based payments in these sectors.31 Such payments also exclude “payment for internal cost savings or payments based solely on patient satisfaction or patient convenience measures.”32 Finally, the OIG clarifies that remuneration may be between or among the parties, rather than being limited to a situation in which remuneration is from the principal to the agent, noting that the safe harbor protects any outcomes-based payment that meets relevant criteria.33
The outcomes-based payment model must be specified in a signed agreement between the parties evidencing the details of the outcome-based arrangement.34 In addition, the OIG is imposing a monitoring and assessment standard, which requires the parties to “periodically assess and, as necessary revise, benchmarks and remuneration under the agreement to ensure that any remuneration is consistent with fair market value in an arm’s-length transaction.”35
Warranties
(1001.952(g))
The OIG is expanding the existing safe harbor for warranties to include bundled warranties for items and related services under certain conditions. Notably, the expansion allows warranties covering services for the first time; however, the safe harbor does not extend to warranties for services only.36 For a service to fall under the safe harbor, one or more item(s) must also be covered by the warranty.37 Such an arrangement allows manufacturers and suppliers to warrant that certain services, combined with certain items, meet a specific level of performance. The OIG notes that this would allow a health system, for example, to have additional flexibility to protect remuneration in the form of related services that may be integral to determining if the conditions of a warranty have been met.38 Bundled warranty arrangements have to meet the following conditions:
Same Program/Same Payment Requirement
All federally reimbursable items and services subject to bundled warranty arrangements must be reimbursed by the same Federal health care program and in the same Federal health care program payment.39 The OIG argues this will protect against incentives for cost-shifting or overutilization.40
Warranty Cap
A manufacturer or supplier must not pay any individual (other than the beneficiary) or entity for any medical, surgical, or hospital expense incurred by a beneficiary other than for the cost of the items and services subject to the warranty.41
Exclusivity and Minimum Purchase Requirements Prohibited
Manufacturers and suppliers cannot condition bundled warranties on the exclusive use of one or more items or services or impose minimum-purchase requirements on any items or services.42 The OIG acknowledges that, while such arrangements may promote certain efficiencies, they could also result in interference with clinical decision making as they may lock buyers into a particular item, or items and services, which results in the use of an item that is not in the patient’s best interest.43
In addition, the OIG is clarifying several issues raised by industry stakeholders:
Reporting Requirements
The OIG addressed whether innovative warranty arrangements would be protected if they extended for several years, as well as whether the safe harbor reporting requirements would apply to providers that lack specific reporting obligations under Federal health care programs or providers that do not file cost reports.44 The OIG states that the safe harbor may be applied to multiple-year warranty arrangements. It also makes clear that the reporting requirements apply even to providers who do not submit cost reports or have an express obligation to report under applicable requirements of the Federal health care program. With this said, the OIG allows that, in the event that the payor doesn’t provide a mechanism for making such a report, then the buyer is not subject to these reporting requirements.45
Defining Warranty
“Warranty” is now defined directly,46 rather than by reference to 15 U.S.C. § 2301(6) as it had been historically, in order to clarify that warranties for drugs and devices regulated under the FDA fall under the safe harbor.47
Local Transportation
(42 CFR 1001.952(bb))
The OIG recognizes the importance of transportation in patient access to care and health outcomes, and accordingly the Final Rule makes several changes to the safe harbor for local transportation provided to beneficiaries to expand its applicability.48 Notably, the OIG is eliminating the mileage restriction from the local transportation safe harbor in the context of patients being discharged from a health care facility to a residence (either the patient’s residence, or a residence of the patient’s choice). In this regard, the OIG acknowledges that post-discharge transportation home from an inpatient facility does not appear to pose the same level of risk of inducing patient referrals as transportation to the facility. Moreover, the OIG clarifies that its use of the term “residence” includes custodial care facilities that serve as a patient’s long-term residence, as well as homeless shelters.49 As such, a health care facility may provide transportation to a qualifying residence to an eligible patient being discharged following an inpatient admission or release from hospital after a 24 hour observation (as this is sufficiently similar to an inpatient stay), regardless of the distance.50
However, the OIG declines to extend the transportation safe harbor to additional locations, such as to another health care facility, observing that protecting transportation between health care providers in a position to refer to one another is not sufficiently low risk to warrant safe harbor protection.51 Similarly the OIG does not extend the safe harbor protection to transportation for health-related but non-medical purposes, as the risk of beneficiaries being improperly induced to obtain items and services is too high.52 Finally, the OIG clarifies that it does not distinguish between ride-sharing services (such as Uber and Lyft) and taxis for purposes of the local transportation safe harbor.53
The Final Rule also expands the current mileage limitation applicable to patients who reside in rural areas. The safe harbor now allows a health care provider to provide to a patient who resides in a rural area free or discounted transportation services to or from the health care provider’s facility within a radius of 75 miles, up from the previous 50 miles.54 The OIG observes that the increase to 75 miles is necessary and practical, noting that residents of rural areas often must travel more than 50 miles to obtain necessary medical services, and that travel distances for beneficiaries have increased due to factors such as provider closings.55
Several commenters had highlighted the fact that patients could legitimately need to travel in excess of 75 miles for care and thus suggested an expansion of the distance to 150 miles. However, the OIG declines to extend the limit past 75 miles in the Final Rule, citing the need for a clear, bright-line standard and reminding stakeholders that individual programs that may offer transportation for patients in rural areas at greater distances may be lawful depending on the facts and circumstances of the particular program.56
Electronic Health Records Items and Services
42 CFR 1001.952(y)
The Final Rule makes several changes to the EHR Safe Harbor. The EHR Safe Harbor “protects certain arrangements involving the donation of interoperable EHR software or information technology and training services.”57 Finalized changes to the EHR Safe Harbor include:58
Cybersecurity
The OIG is modifying the introductory language of the EHR safe harbor to clarify that “cybersecurity software and services” are within the scope of the safe harbor and therefore can be protected.59 Moreover, the definition of cybersecurity is finalized as “the process of protecting information by preventing, detecting, and responding to cyberattacks.”60 The OIG acknowledges the possible overlap between these clarifications and the new standalone cybersecurity safe harbor (discussed above) and indicates “cybersecurity software and services with the predominant purpose of protecting electronic health records can be protected under the EHR safe harbor provided the donation satisfies all other safe harbor conditions.”61
Deeming
The Final Rule clarifies that, if on the date the software is donated it is certified by a body authorized by the HHS Office of the National Coordinator for Health Information Technology (ONC), the software would be deemed interoperable. The prior regulation text read that software “is deemed to be interoperable if, on the date it is provided to the recipient, it has been certified by a certifying body...” The OIG now revises that language to read that “the software is deemed to be interoperable if, on the date it is provided to the recipient, it is certified.”62 The OIG also emphasizes that meeting this deeming provision is optional. In other words, although the safe harbor requires that software be interoperable, entities still have flexibility to meet the interoperable standard in ways other than using software certified by a body authorized by the ONC. The OIG notes, “certification provides donors and recipients with assurance that their product is interoperable for purposes of this safe harbor, but such certification is not a requirement for safe harbor protection.”63
The Sunset Provision
The Sunset Provision, which had required that all protected EHR donations occur on or before 31 December 2021, is being eliminated. The EHR safe harbor is now permanent, providing greater certainty for the “ongoing protection of donations of EHR items and services.”64 The OIG acknowledges the widespread adoption of EHR technology, and indicates that it no longer believes that the need for donated EHR technology pursuant to the exception will diminish over time or disappear.65
Contribution Requirement
After receiving comments on three proposals related to the recipient contribution requirement, the OIG is “removing the requirement that payment of the [15 percent] contribution be made in advance for updates to existing EHR systems.”66 This means that donors can now bill recipients after an update is provided or even rely on installment payments for all updates provided during a specific period. Notably, the OIG notes that it is not eliminating the contribution requirement altogether because it is “an important safeguard against fraud and abuse.”67
Equivalent Technology and Scope f Protected Donations
The OIG is eliminating the prohibition on donations of equivalent items or services, which will allow for donations of replacement EHR technology. When an entity receives replacement EHR technology, it will be treated as a new donation under the safe harbor, meaning that recipients, for instance, will be responsible for the 15 percent contribution cost.
In response to comments related to the scope of protected donations, the OIG notes that, as written, the safe harbor already encompasses some additional items and services that were suggested by commenters, including maintenance and training. Specifically, the OIG emphasizes that the standard for safe harbor protection remains unchanged: “[T]he items or services must be necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records.”68 The OIG confirms that the examples listed in the 2006 EHR Final Rule could still fall under the protection of the safe harbor and also reiterates that the EHR safe harbor would continue to exclude hardware.69
Protected Donors
The OIG is expanding the scope of protected donors under the EHR safe harbor. Under the expanded safe harbor, parent companies of hospitals, health systems, and accountable care organizations can now rely on the safe harbor to donate EHR. Entities that are generally still excluded from protection as donors based on the high risk of fraud and abuse include manufacturers and laboratories.
Definitions
The OIG is finalizing its revised definition of “Interoperable,” but will maintain the prior definition of Electronic Health Record.70 Changes to the definition of “Interoperable” were proposed to align the term with the statutory definition of “interoperability” included in the Cures Act. “Interoperable” will be defined as able to “(A) securely exchange data with, and use data from other health information technology; and (B) allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law.”71 The OIG removes language from the proposed definition to “avoid any implication that we are incorporating a certification requirement into the definition.”72
Notably, the OIG does not finalize its proposed reference to the information blocking definition at 45 CFR part 171. It also deletes existing language that had prohibited the donor or any person on the donor’s behalf from taking any action to limit or restrict the use, compatibility, or interoperability of the donated EHR items or services.73 The OIG asserts that HHS now has “other enforcement authorities designed to address information blocking” and, as such, safeguards against information blocking are not necessary in the EHR safe harbor.74
III. Civil Monetary Penalty Authorities: Beneficiary Inducements CMP
Exception For Telehealth Technologies For In-Home Dialysis
(42 CFR 1003.110)
In order to implement the Budget Act of 2018 amendments to the prohibition on beneficiary inducements under the CMP Law, the OIG is now finalizing certain revisions to the definition of “remuneration” for “telehealth technologies” furnished to certain in-home dialysis patients. These revisions are intended to allow ESRD patients who receive in-home dialysis to receive telehealth technologies in order to facilitate monthly ESRD-related clinical evaluations via telehealth technologies.75
This narrow exception relates only “to patients receiving in-home dialysis and certain, enumerated providers.”76 The OIG highlights that there is a low risk of fraud and abuse related to this narrow category of established patients who are receiving specific services paid for by Medicare Part B. To that end, and based on the statutory language in the Budget Act of 2018, telehealth technologies cannot be included in advertisements or solicitations to patients. The OIG also interprets the statutory language to require that the technology must be “provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.”77 The finalized exception to the CMP law is only available for “telehealth technologies furnished by a provider of services, physicians, or a renal dialysis facility currently providing in-home dialysis, telehealth services, or other ESRD care to the patients or has been selected or contacted by the patient to schedule an appointment or provide services.”78
In addition, the Final Rule modifies the definition of “telehealth technologies.”79 The finalized definition was drafted to broadly “include items and services that facilitate telehealth services.” Specifically, “telehealth technologies” means “hardware, software, and services that support distant or remote communication between the patient and provider, physician, or renal dialysis facility for diagnosis, intervention, or ongoing care management.” This definition is intended to focus on core functionality to support telehealth services. Therefore, specific references to types of technology are removed from the proposed definition.
Notably, the OIG is not finalizing a definition of “telehealth services” but rather counsels providers to rely on the interpretation presented in the preamble of the Final Rule.80 In part, this means that telehealth services protected by this exception are not limited to telehealth services paid for by Medicare Part B.
The OIG does not finalize several conditions it had previously proposed for this new CMP exception, often stating that, because of the narrow nature of the exception,81 additional safeguards against fraud and abuse are not necessary. Conditions not finalized in the Final Rule include a de minimis benefit requirement, a prohibition on providing telehealth technologies that are of excessive value or duplicative of technology the beneficiary already has, and a requirement that the furnishing party make a good faith determination that the recipient does not already have the necessary telehealth technology. However, the OIG does note that either (i) the value of the telehealth technology provided and, (ii) whether such technology is duplicative of the beneficiary’s existing technology, may “be a fact or circumstance used to assess whether the provision of such technology meets” the requirements of the exception as a whole.82 The OIG also does not finalize the requirement that ownership of the telehealth technology remain with the donor or that the donor need make reasonable efforts to retrieve the technology when it is no longer needed for permitted telehealth purposes. In addition, proposed requirements related to the consistent provision of telehealth technologies to all eligible patients, patient notice, and patient freedom of choice are included in the Final Rule.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.