Along with the two other rules that we previously wrote about (the MFN rule and the AKS safe harbor rule), on November 20, 2020, the Trump Administration published two additional final rules that were also highly anticipated and expected. The two rules focus on modernizing and streamlining fraud and abuse regulations under the federal Physician Self-Referral Law (the “Stark Law”) and the Anti-Kickback statute.
The final rules not only clarify interpretations of existing regulations by the Centers for Medicare and Medicaid Services (CMS) and Department of Health and Human Services Office of Inspector General (HHS OIG) but also include some noteworthy changes to fraud and abuse regulations.
The Stark Law Rule
The Stark Law prohibits providers from referring Medicare or Medicaid beneficiaries to another provider with which they have a financial relationship. The Stark Law was implemented in 1989 and has not been updated or modernized since then.
The final rule advances new exceptions to the Stark law for value-based arrangements, and it allows physicians and other health care providers to design and enter into value-based arrangements without worrying that legitimate activities to coordinate and improve the quality of care for patients and lower costs violate the law.
The final rule also finalizes the cybersecurity items and services exception. Specifically, the final cybersecurity exception is also applicable to hardware that is necessary and used predominantly to implement, maintain, or reestablish cybersecurity. There is no monetary cap for such donations and the type of entities that could provide remuneration under the cybersecurity exception are not restricted. These exceptions apply regardless in both the fee-for-service and value-based payment systems. The final rule also makes the electronic health record (EHR) exception permanent.
Additionally, the final rule requires that parties to the exception for value-based arrangements must monitor whether they have furnished the value-based activities required under the arrangement and whether and how continuation of the value-based activities is expected to further the value-based purpose(s) of the value-based enterprise. CMS declined to specify how entities should analyze the design of their value-based arrangements to ensure the activities are reasonably designed to achieve at least one value-based purpose.
The Anti-Kickback Statute Rule
The Anti-Kickback Statute (AKS) prohibits payment of any kind in exchange for service referrals payable by a federal program (such as Tricare, Medicare, and Medicaid). The final rule implements seven new safe harbors, modifies four existing safe harbors, and codifies one new exception under the Beneficiary Inducements CMP. Below are a few examples of the new safe harbors created in the OIG final rule.
Under the final rule, OIG creates new safe harbors in the AKS that protect value-based arrangements. The safe harbors vary in different ways including by: the types of remuneration protected (in-kind or in-kind and monetary), the types of entities eligible to rely on the safe harbors, the level of financial risk assumed by the parties, and the types of safeguards included as safe harbor conditions.
Additionally, while there are three safe harbors that offer protection for in-kind renumeration, only the safe harbors for value-based arrangements with substantial assumption of risk protect monetary renumeration. There are several entities that are not eligible for the value-based safe harbors, including pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers (PBMs); medical device distributors; and wholesalers.
Also, in a timely recognition of the problem of cyber threats to the health care industry, the final rule broadens the safe harbor for cybersecurity technology and services to protect cybersecurity-related hardware. This safe harbor covers renumeration in the form of cybersecurity technology and services and is available to all types of individuals and entities.
The OIG final rule also modifies the current safe harbor for the donations of EHRs and associated services by requiring donated items and services to be interoperable. It also updates the safe harbor to use more up-to-date definitions of information blocking and clarifies that cybersecurity software and services have always been covered under the existing safe harbor for EHRs. Finally, it eliminates the sunset provision on the EHR safe harbor.
While there are some limited exceptions, the effective date for both regulations is January 19, 2021.
Reactions
While the rules have generally enjoyed bipartisan support, President-elect Joe Biden and his administration will likely have to focus on any implementation issues that pop up as a result of the final rules.
HHS Secretary Alex Azar is proud of the final rules, saying, “Today, we’ve completed historic reforms to regulations that have stood in the way of creativity and innovation by American healthcare providers for far too long. These new regulatory reforms will mean better care, including innovative arrangements with digital technology that may help patients receive care during the COVID-19 pandemic.”
OIG’s Principal Deputy Inspector General, Christie Grimm said, “Providers and the health care system are still on the front lines against COVID-19, and this rule establishes flexibilities for remote patient monitoring or other arrangements to assist in the ongoing response and recovery efforts.”