Authors: Nancy Bonifant Halstead Vicki J. Tankle
Reed Smith is providing a series of client alerts and teleseminars that focus on analyzing key aspects of the CMS and OIG proposals and significant areas for comment. Part One, which focused on the proposed AKS safe harbors and Stark Law exceptions for value-based arrangements, is available at reedsmith.com and was discussed during our teleseminar on November 5, 2019. Part Two, which examined the Stark Law proposals of general applicability, is available at reedsmith.com and was discussed during our teleseminar on November 12, 2019.
This client alert is Part Three of that series and considers the digital health perspective. Specifically, we analyze below (1) whether and how digital health companies can participate in value-based arrangements, (2) the creation of a new safe harbor and exception for the donation of cybersecurity technology and services, and (3) revisions to the EHR donation safe harbor and exception (including removal of the sunset provision). Our teleseminar discussing these proposals will take place on November 21, 2019, and you can register through Webinar Requests.
We hope this series will give clients the context needed to consider and submit comments before we ring in the New Year on December 31, 2019 (the comment due date).
Role of digital health technology in the value-based framework safe harbors and exceptions
Health care has moved online rapidly over the past decade, as patients are offered an opportunity to actively engage in their care or connect with their health care providers with increasing frequency. Well-coordinated care requires the participation of patients who are empowered to make informed health care decisions. This patient participation has been heavily aided by patient engagement platforms, portals, and applications that are designed to give patients greater insight into their health, in turn encouraging patients to build awareness of their treatment plans and invest in their own health outcomes. Health care providers and suppliers from all points along the care spectrum have rushed to make digital health technologies available to patients.
As outlined in our previous client alert, CMS and OIG have coordinated proposals for three new tiered safe harbors and exceptions that offer increasing flexibility with increasing financial risk, and OIG proposed an additional new safe harbor related to patient engagement tools, in the context of value-based arrangements. Keeping pace with technological advancements, OIG and CMS have sought a home for these digital health technologies within the proposed rulemaking’s value-based framework. They have specifically identified health technology companies as potential value-based enterprise (VBE) participants, thereby incorporating them into the fabric of the proposed safe harbors and exceptions. Yet, the extent to which the new safe harbors and exceptions protect health technology companies and their technologies depends on the type of company involved and the form of the technology provided.
1. How can health technology companies participate in the proposed protections for value-based arrangements?
Under the proposed rulemakings, only certain individuals, organizations, providers, and suppliers can benefit from the value-based arrangement safe harbors and exceptions. In a nod to the technological era, CMS and OIG offer “health technology” companies that provide mobile health and digital health technologies a possible seat at the VBE-participant table alongside the physician practices, hospitals, payors, post-acute providers, pharmacies, chronic care and disease management companies, and social services organizations it anticipates will participate. Health technology companies are those offering remote monitoring services, predictive analytics, data analytics, patient portals, etc., and furnishing devices, software, applications, and technologies to coordinate patient care and health outcomes.
Most recently, we have seen a number of existing pharmaceutical manufacturers, medical device manufacturers, and durable medical equipment, prosthetic, orthotic, and supplies (DMEPOS) distributors, manufacturers, and suppliers create digital health technologies that bring their products online to allow patients and providers to have real-time access and insight into the product being used or worn by the patient. Many anticipated that the proposed safe harbors to support care coordination and value-based arrangements might offer protections to these companies doing so. For example, OIG acknowledges its awareness of companies that provide diabetes management services, leveraging devices that can be worn by the patient to monitor blood sugar levels and transmit data, ultimately to be reviewed by the patient and clinicians managing the patient’s care.
Oftentimes, those companies providing the diabetes management services are the same ones providing the diabetes management supplies. Yet, OIG has currently excluded DMEPOS manufacturers, distributors, and suppliers from the definition of “VBE participant,” restricting them from benefiting from the proposed value-based framework safe harbors and exceptions. OIG is also considering excluding some or all device manufacturers. Further, CMS is considering whether to exclude health technology companies entirely, but has signaled its intention to align with OIG’s ultimate decision about who to include in the definition of a VBE participant. These choice exclusions leave two significant but unanswered questions.
i. Have OIG and CMS proposed to exclude key players in the “health technology company” arena?
The question is whether these exclusions could cut off at the pass a significant portion of the health technology companies that are currently pioneering in the field of patient engagement and care coordination through digital health technologies.
OIG justifies the exclusion of pharmaceutical manufacturers and DMEPOS distributors, manufacturers, and suppliers by its concern that these parties might use the safe harbor to tether patients or providers to a particular product, rather than to create value for patients and payors. OIG is further considering the exclusion of device manufacturers for similar reasons. However, given how many of those companies currently lead the charge in facilitating care coordination by connecting their own products to digital technologies that can improve care, reduce inefficiencies and lower costs, the rule as proposed might take key players out of the game. In fact, OIG has specifically acknowledged that it may be impossible to distinguish a traditional device manufacturer from a health technology company, considering how digital health technologies are being integrated into traditional medical devices.
ii. Have OIG and CMS potentially created space for concern and disincentives for care coordination by excluding manufacturers, distributors, and suppliers?
By proposing to exclude pharmaceutical (and perhaps device) manufacturers and DMEPOS manufacturers, distributors, and suppliers from the definition of VBE participant, OIG and CMS have signaled their intent to keep those parties away from value-based arrangements. Or have they?
The safe harbors and exceptions upholding the value-based arrangement framework not only prohibit non-VBE participants from engaging in the arrangements, but they also prohibit VBE participants from accepting funds or other support from non-VBE participants. Practically speaking, there is no reason that manufacturers, distributors, and suppliers could not sell items and services to VBE participants at fair market value or otherwise within the confines of a pre-existing AKS safe harbor or Stark Law exception. The nature of these strict restrictions vis-à-vis who is in and who is out, when it comes to the definition of VBE participants, however, will likely create more confusion and perceived barriers than clarity, leaving qualifying VBE participants wondering from which, if any, non-VBE participants they can buy their digital health technologies. We anticipate that VBE participants will struggle to find grey areas within which they feel comfortable buying items and services from non-VBE participants, without worrying about the perception that they have accepted funding or support from those excluded individuals.
2. What role could digital health technologies play in the proposed patient engagement safe harbor?
Under the proposed safe harbor, digital health technologies in the form of patient engagement tools or supports would not constitute remuneration under the AKS if they are furnished directly by a VBE participant to a patient in a target population, and are directly connected to the coordination and management of the patient’s care. OIG proposes that only in-kind patient engagement tools and supports qualify for the safe harbor, excluding gift cards, cash, and cash equivalents. “Tools or supports” would include preventive items, goods, or services, or items, goods or services such as health-related technology, patient health-related monitoring tools and services, or supports and services designed to identify and address a patient’s social determinants of health, that have a direct connection to the coordination and management of care of the target population. When developing its explanation of tools or supports, OIG declined to further define the meaning of “preventative care,” deferring instead to the medical judgment of the treating health care professional.
OIG anticipates that patient health-related monitoring tools and services would include wearable monitoring devices such as smart watches or trackers, but questions whether the safe harbor should also protect the provision of a cell phone or wireless service to a patient to support the use of an application when that patient already has the products and only needs the application. With this request for feedback, OIG signals its desire for input regarding how far patient engagement tools and supports can go before crossing into the territory of acting as a beneficiary inducement without offering sufficient value in care coordination. The question becomes increasingly complicated in the world of interoperability and interconnectivity, where the lines delineating the tools and services that the patient would have of their own accord blur. For example, even if the patient has their own cell phone, what if the tools they add for purposes of their care coordination exceed the current capacity of their data plan?
While OIG proposed to exclude cash or cash equivalents, such as gift cards, from qualifying for protection under the safe harbor, it seeks comment on whether to allow vouchers to satisfy the in-kind requirement. Even further, OIG signals that it might consider allowing cash or cash equivalents, likely with a cap on the dollar amount, should commenters advocate strongly enough. Especially for VBE participants concerned about purchasing digital health technologies from non-VBE participants themselves, these cash or voucher alternatives could ease that perceived barrier by allowing patients to purchase the technology directly from the source.
Establishing a new cybersecurity donation safe harbor and exception
The proposed rulemakings proffer the addition of a new safe harbor and exception related to the donation of cybersecurity technology and services. The proposals seek to remove obstacles to the adoption of cybersecurity in an increasingly digitized and interconnected health care “ecosystem” while appropriately balancing program integrity risks associated with the exchange of valuable remuneration between referral sources.
The result is a potentially far reaching safe harbor and exception that broadly protect the donation of “any [emphasis added] software or other types of information technology, other than hardware” and related services that are used predominantly to implement and maintain processes to protect information by preventing, detecting, and responding to cyberattacks. Notably, the proposed protections extend to a broad range of services, including, for example, “any kind of ‘cybersecurity as a service’ model that relies on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient” and “any services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test.”
To qualify for protection, the donation must meet the following requirements:
- The technology and services are necessary and used predominantly to implement and maintain effective cybersecurity.
- The donor does not take into account the volume or value of referrals or other business generated between the parties when determining the eligibility or amount of the donation, or condition the donation on future referrals.
- The recipient does not condition doing business with the donor on receipt or the amount of the donation.
- The arrangement is set forth in a written agreement, signed by the parties, and describes the donated technology and services and the recipient’s contribution, if any.
- The donor does not shift the costs of the donated technology or services to any federal health care program.
Not included above are any conditions on protected donors – for example, device manufacturers and laboratories – or recipient contribution requirements, both of which are present in the existing protections related to the donation of EHRs.
Finally, with respect to cybersecurity hardware, CMS and OIG are considering an alternative proposal that would allow the donation of hardware, consistent with the five requirements above, if a risk assessment of the donor’s organization and the recipient reasonably determines that the donated cybersecurity hardware is needed to address a risk or threat identified by the risk assessment. Multifunctional hardware would remain prohibited, however, because it would not “be necessary and predominantly used to implement and maintain effective cybersecurity.” CMS and OIG believe that this alternative proposal builds on existing legal requirements and best practices related to information security generally and in the health care industry; for example, the security risk assessment required by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively HIPAA). Stakeholders, however, may offer skepticism of the new protections in public comments arguing that the proposals’ software versus hardware distinction may be impractical given that cybersecurity products are often hardware or include software tightly integrated with hardware. The line between software and hardware can also be fuzzy in the context of firmware (i.e., a software program permanently etched into a hardware device).
Other key areas for comment include:
- Whether and how to include a deeming provision (i.e., a provision that would allow a donor or recipient to demonstrate that a donation is necessary and predominantly used to implement and maintain effective cybersecurity, for example, by demonstrating that the donation furthers the recipient’s ability to comply with a written cybersecurity program that reasonably conforms to a widely recognized cybersecurity framework or set of standards), including whether such a provision would extend to cybersecurity hardware.
- Whether conditions on the donor should include a selection criteria list (i.e., whether the donor should choose a recipient for donation on the basis of certain characteristics) that, if met, would be deemed not to directly take into account the volume or value of referrals or other business generated between the parties.
- Whether the safe harbor and exception should exclude certain types of donors or recipients. And, relatedly, whether the protections should distinguish between individuals and entities with direct and primary patient care relationships, and providers and suppliers of ancillary services.
- Whether the safe harbor and exception should include provisions relating to donations to patients and if so, what types of technology or services a donor might anticipate providing to a patient.
Stakeholders who may donate pursuant to the safe harbor or exception, if finalized, should also consider the practical implications of entering into written agreements to do so. Akin to the other AKS safe harbors and Stark Law exceptions, the proposed new cybersecurity technology and services protections would require the donor and recipient to enter into a written agreement signed by both parties that includes a general description of the cybersecurity technology and services provided, and provides a reasonable estimate of the value of the donation. From a business perspective, stakeholders should query whether written agreements should also contemplate software training and maintenance and risk allocation for potential data breaches.
Updates to the EHR donation safe harbor and exception
The current EHR safe harbor and exception protect certain arrangements involving the donation of interoperable EHR software or information technology and training. CMS and OIG propose to amend the existing safe harbor and exception to align the regulations more closely with the interoperability and information blocking provisions of the 21st Century Cures Act and its forthcoming regulations, and clarify that protected donations may include related cybersecurity technology and services. These amendments also would remove the current sunset provision, which is set to expire on December 31, 2021.
First, CMS and OIG do not consider that these amendments will change the purpose of the existing requirements, “but instead further [the] longstanding goal of preventing abusive arrangements that lead to information blocking and referral lock-in through updated understandings of those concerns established in the 21st Century Cures Act.”
Second, the proposed rulemakings clarify certain aspects of the scope of the EHR safe harbor and exception that are not intended to substantively alter the application of these protections. For example, CMS and OIG also state that the donation of certain cybersecurity software and services “have always [emphasis added] been protected under this safe harbor.” Nevertheless, the proposals modify the description of protected nonmonetary remuneration to include certain cybersecurity software and services necessary and used predominantly to protect EHRs. Finally, CMS and OIG are considering amending, deleting, and adding key components of the EHR safe harbor and have expressly sought comments on the following:
- Alternatives to the existing 15 percent recipient contribution requirement
- Deletion of the prohibition on the donation of equivalent items or services to allow donations of replacement EHR technology
- Expanding the group of entities that may be protected donors under the EHR safe harbor (OIG only)
While OIG reiterates its concerns about the potential for fraud and abuse by certain donors citing to the Regulatory Sprint and its policy objectives in advancing the adoption of EHR technology, the agency is considering expanding the scope of protected donors by eliminating the requirement that protected donors be limited to those who “submit … claims or requests for payment, either directly or through reassignment, to the Federal health care program.” Alternatively, if the scope of protected donors is revised rather than eliminated, OIG is considering broadening it to include entities with indirect responsibility for patient care. This proposed expansion would protect entities such as health systems or accountable care organizations that neither are health plans nor submit claims for payment. Stakeholders considering offering comments to the proposal should address whether and how this provision should be expanded to additional potential donors or eliminated altogether, including how removal would, on the one hand, possibly slow the progress of widespread adoption of EHR technologies and, on the other hand, increase the risks of fraud and abuse. Stakeholders may also comment on a parallel expanded scope of protected donors to CMS under the EHR exception.
For question regarding the proposed rules or for assistance preparing comments, please contact one of the authors or any member of your Reed Smith team.
Client Alert 2019-274