HHS Releases Final Rules Regarding Safe Harbors for Cybersecurity Donations

On November 20, 2020, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) released final rules intended to improve the coordination of care and reduce regulatory obstacles. Both final rules include safe harbor provisions that permit hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS introduced the 627-page final edition of the Modernizing and Clarifying the Physician Self-Referral Regulations, often referred to as Stark Law, and the OIG finalized changes to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Concerning Beneficiary Inducements.

Physician practices frequently have limited resources, making it hard for them to implement solutions that address cybersecurity threats. Without the required protections, unauthorized individuals can access, steal, delete or encrypt sensitive healthcare data. Threat actors can also attack small physician practices and use them as an entry point into larger healthcare systems.

When the regulations were first proposed, commenters stressed the value of a safe harbor that would enable non-abusive, beneficial arrangements between physicians and other healthcare organizations, such as donations of cybersecurity solutions to help protect the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exception covering donations of electronic health records (EHR) to physicians, broadening the EHR exception to include cybersecurity software and services. A separate exception was also created for cybersecurity donations, which includes donations of cybersecurity hardware.

CMS explained that the finalized exceptions offer new flexibility for specific arrangements, for example, donations of cybersecurity technology that protect the integrity of the healthcare ecosystem, regardless of whether the parties use a fee-for-service or value-based payment system.

The changes acknowledge the risk of cyberattacks on the healthcare industry and create a safe harbor for cybersecurity technology and services, including related hardware, so that cybersecurity software and hardware are available to healthcare organizations of all sizes.

The safe harbor applies to, but is not limited to, software security measures that protect endpoints and enable network access control, applications that provide malware prevention, business continuity applications, data protection, encryption and email traffic control. The exception also covers hardware that is needed and used predominantly to implement, maintain or re-establish cybersecurity, and a broad range of cybersecurity services such as software updates and maintenance and cybersecurity training. The rule makes no distinction between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the recipient cost-sharing requirement for donations of EHR items or services is retained.

HHS said that allowing entities to donate cybersecurity technology and related services to physicians will strengthen the entire healthcare ecosystem.

The final rules are scheduled to be published in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.