On December 2, 2020, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) and the Centers for Medicare & Medicaid Services (“CMS”) published in the Federal Register long-awaited, companion final rules to revise the Anti-Kickback Statute, the civil monetary penalties (“CMP”) law, and the federal physician self-referral law (commonly referred to as the “Stark Law”) to address obstacles to coordinated care.[1] The new rules are the culmination of the agencies’ efforts in connection with the Regulatory Sprint to Coordinated Care, an HHS-led effort to remove potential regulatory barriers under the fraud and abuse laws to care coordination and value-based care.

OIG’s final rule largely adopts the proposals advanced in the agency’s October 2019 proposed rulemaking.[2] OIG described stakeholder reaction to its proposals as largely positive, noting that, through its final rule, it seeks to strike the right balance between providing entities the requisite flexibility to promote innovation and imposing the necessary safeguards to protect patients and federal health care programs from fraud, waste, and abuse.

Many in the industry will welcome the new flexibilities available under OIG’s new and modified safe harbors, including the new safe harbors for value-based arrangements and care coordination and the easing of the long-standing criterion in the personal services and management contracts safe harbor that aggregate compensation must be set in advance. However, others may be disappointed that the protection does not go far enough to move the needle on value-based care and care coordination, by the number and extent of the criteria some of the safe harbors impose to qualify for protection, and by the wholesale exclusion of key players in the health care and life sciences community from the new rule’s protection.

In particular, OIG identifies significant segments of the health care and life sciences industry as ineligible to use the value-based safe harbors and the outcomes-based payment provisions of the personal services safe harbor: pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers (“PBMs”); laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices or medical supplies; entities or individuals that sell or rent durable medical equipment, prosthetics, orthotics, and supplies (“DMEPOS”) (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); and medical device distributors and wholesalers (collectively, “Ineligible Entities”).

CMS and OIG collaborated throughout the rulemaking process and sought to align the rules’ terminology and conditions wherever possible; however, the agencies noted that complete alignment is not feasible because of fundamental differences between the Anti-Kickback Statute’s and Stark Law’s structures and sanctions. Because the Stark Law is a strict liability statute, arrangements that implicate the Stark Law must satisfy an exception to avoid overpayment liability. The Anti-Kickback Statute, on the other hand, is a criminal, intent-based statute under which compliance with a safe harbor is voluntary. On this issue, OIG states in its preamble:

[I]n designing our safe harbors, rather than mirror CMS’s exceptions, we have included safe harbor conditions designed to ensure that protected arrangements are not disguised kickback schemes. We recognize that, for purposes of those arrangements that implicate both the physician self-referral law and the Federal anti-kickback statute, the value-based safe harbors may therefore protect a narrower universe of such arrangements than CMS’s exceptions. To protect Federal health care programs and beneficiaries, we believe that it is important for the Federal anti-kickback statute to serve as “backstop” protection against abusive arrangements that involve the exchange of remuneration intended to induce or reward referrals and that might be protected by the physician self-referral law exceptions. In this way, the OIG and CMS rules, operating together, create pathways for parties entering into value-based arrangements that are subject to both laws to develop and implement value-based arrangements that avoid strict liability for technical noncompliance, while ensuring that the Federal Government can pursue those parties engaging in arrangements that are intentional kickback schemes.

Value-Based Safe Harbors

In its October 2019 proposed rule, OIG proposed three new safe harbors for remuneration exchanged between or among participants in value-based arrangements and created new terminology to define the universe of value-based arrangements that may qualify for safe harbor protection. The proposed safe harbors provide greater flexibility, and impose fewer requirements, as the parties to the value-based arrangements take on more financial risk.

OIG finalized the following three new safe harbors as proposed, with modifications: (i) care coordination arrangements to improve quality, health outcomes, and efficiency (paragraph 1001.952(ee)); (ii) value-based arrangements with substantial downside financial risk (paragraph 1001.952(ff)); and, (iii) value-based arrangements with full financial risk (paragraph 1001.952(gg)).

The three new safe harbors consistently use the following key terms:

  • “Value-based enterprise” (“VBE”),which means two or more VBE participants that are collaborating to achieve at least one value-based purpose, each of which is a party to a value-based arrangement with the other or at least one other VBE participant. OIG notes that this definition is intended to be both broad and flexible. The VBE is required to have an accountable body and a governing document.
  • “Value-based arrangement,” whichmeans an arrangement to provide at least one “value-based activity” for a target patient population to which the only parties are (i) the VBE and one or more VBE participants or (ii) two or more VBE participants in the same VBE.
  • “Target patient population,” which means an identified patient population selected by the VBE or its VBE participants using legitimate and verifiable criteria that are set out in writing in advance of the commencement of the value-based arrangement and further the VBE’s value-based purpose.
  • “Value-based activity,” which is defined as providing an item or service, or taking or refraining from taking an action, that is reasonably designed to achieve at least one of the VBE’s value-based purposes. This definition does not require that the activity actually achieve the value-based purpose. A value-based activity does not include the making of a referral.
  • “VBE participant,”which means an individual (other than a patient) or entity that engages in at least one value-based activity as part of a VBE. OIG notes that nothing in this definition precludes an integrated delivery system from creating a value-based arrangement within its own system.
  • “Value-based purpose,” which means coordinating and managing the care of a target patient population, improving the quality of care for a target patient population, appropriately reducing costs without compromising quality, or transitioning from health care delivery mechanisms based on volume to mechanisms based on value.

OIG’s final rule also provides a pathway for the protection of certain “digital health technology” arrangements involving “limited technology participants” that are otherwise ineligible to use the value-based safe harbors. OIG defines those terms as follows:

  • “Digital health technology” means hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care. This term includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose.
  • “Limited technology participant”means a VBE participant that exchanges digital health technology with another VBE participant or a VBE and that is either (i) a manufacturer of a device or medical supply (but not including a physician-owned distributorship), or (ii) an entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services).

Care Coordination Safe Harbor

The new safe harbor for care coordination arrangements to improve quality, health outcomes, and efficiency, 42 CFR 1001.952(ee) (the “Care Coordination” safe harbor), protects in-kind remuneration exchanged between a VBE and VBE participant, or between VBE participants, regardless of whether the entities assume any financial risk. The remuneration exchanged pursuant to the value-based arrangement must be used predominantly to engage in value-based activities that are directly connectedto the coordination and management of care for the target patient population. In addition, the parties must document the value-based arrangement’s material terms in writing in advance of, or contemporaneous with, the commencement of the value-based arrangement.

To receive safe harbor protection, the value-based arrangement must be commercially reasonable, both individually and when considering all of the other value-based arrangements within the VBE. Protected arrangements cannot do the following: (i) induce VBE participants to furnish medically unnecessary care or reduce or limit medically necessary care, (ii) limit medical decision-making or patient freedom of choice, or (iii) take into account the volume or value of referrals of patients who are not part of the target patient population or business outside the value-based arrangement. While educational activities are permissible, the remuneration exchanged under a value-based arrangement cannot be used or exchanged for the purpose of marketing a VBE or VBE participant’s items or services or for patient recruitment activities. The safe harbor also requires that the offeror of the remuneration “does not and should not know” that the remuneration is likely to be diverted, resold, or used for an unlawful purpose.

The Care Coordination safe harbor does not protect remuneration exchanged by the Ineligible Entities listed above, with one notable exception: the Care Coordination safe harbor permits manufacturers of devices and medical supplies (other than physician-owned distributorships) and DMEPOS companies to rely on the safe harbor when those entities exchange digital health technology with a VBE or another VBE participant. In such circumstances, the manufacturers of devices and medical supplies, and DMEPOS companies, are “limited technology participants” that are entitled to safe harbor protection if they satisfy all of the safe harbor’s other requirements and do not condition the exchange of remuneration on any recipient’s exclusive use or minimum purchase of any item or service that they manufacture, distribute, or sell. OIG notes that, by creating a pathway to protect digital health technology arrangements, the safe harbor divides the universe of VBE participants into three categories: (i) VBE participants that may rely on the safe harbors for all qualifying arrangements, (ii) limited technology participants that are eligible to rely on the safe harbor exclusively for arrangements involving digital health technology, and (iii) VBE participants that are ineligible to rely on any of the value-based safe harbors for any types of arrangements.

In a move likely disappointing to many, OIG finalized the contribution requirement set forth in its October 2019 proposed rule. As a result, the Care Coordination safe harbor requires the VBE participant receiving the in-kind remuneration to pay at least 15 percent of either the offeror’s cost or the fair market value of the remuneration. OIG explains its reasoning for including the contribution requirement by noting that it increases the likelihood that the recipient will use care coordination items or services, and ensures that the remuneration is well tailored to the recipient’s needs. OIG did not finalize any exceptions to the contribution requirement for providers with financial constraints, noting that the requirement serves as both an important guardrail to prevent fraud and abuse as well as an incentive for parties to develop prudent and effective arrangements.

The Care Coordination safe harbor requires the parties to a value-based arrangement to establish one or more legitimate outcome or process measures that the parties reasonably anticipate, based on clinical evidence or credible medical or health science support, will advance the coordination and management of care for the target patient population. The outcome or process measures cannot be based solely on patient satisfaction or convenience, and must include at least one benchmark against which the parties periodically assess the arrangement to determine whether it is advancing the coordination and management of the target patient population’s care. If the VBE’s accountable body or responsible person determines, based on the benchmark assessments, that the value-based arrangement resulted in material deficiencies in care or is unlikely to further the coordination and management of care for the target patient population, the parties must, within 60 days, either terminate the arrangement or develop and implement a corrective action plan. OIG describes the Care Coordination safe harbor’s monitoring and assessment requirements as critical safeguards to ensure oversight of value-based arrangements but emphasizes that the safe harbor requires only that the parties to the value-based arrangement reasonably anticipate that the outcome or process measures will advance the coordination and management of the target patient population’s care. OIG distinguishes this safe harbor’s requirement from the modifications it finalized to the personal services and management contracts safe harbor protecting outcomes-based payments, described further below, which require the agents actually to achieve the outcome measure to receive payment.

Finally, the safe harbor requires the VBE or VBE participant to retain documentation sufficient to establish compliance with the safe harbor’s conditions for at least six years.

Value-Based Arrangements with Substantial Downside Financial Risk

The second value-based safe harbor is the “value-based arrangements with substantial downside risk” safe harbor, 42 CFR 1001.952(ff) (the “Substantial Downside Financial Risk” safe harbor). This safe harbor protects both cash payments and in-kind remuneration exchanged between a VBE and a VBE participant pursuant to a value-based arrangement in cases where the VBE has assumed “substantial downside financial risk” and the VBE participant “meaningfully shares” in the VBE’s substantial downside financial risk.

OIG defines the term “substantial downside financial risk” through the following three methodologies:

  • Shared Savings and Losses Methodology: Shared savings with a repayment obligation to the payor of at least 30 percent of any shared losses, where savings and losses are calculated by comparing current expenditures for all items and services that are covered by the applicable payor and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care;
  • Episodic Payment Methodology: A repayment obligation of at least 20 percent of any total loss, where savings and loss is calculated by comparing current expenditures for all items and services furnished collectively in more than one setting to the target patient population pursuant to a defined clinical episode of care that is covered by the applicable payor to a bona fide benchmark designed to approximate the expected total cost of care for the defined clinical episode of care; or
  • VBE Partial Capitation Methodology: A prospective partial capitated payment from the payor that is (i) designed to produce material savings and (ii) paid on a monthly, quarterly, or annual basis for a predefined set of items or services furnished to a target patient population designed to approximate the expected total cost of expenditures for the predefined set of items and services.

The safe harbor allows the parties a six-month “phase-in period” during which they may exchange remuneration before the VBE must assume substantial downside financial risk.

The safe harbor requires VBE participants to “meaningfully share” in the VBE’s substantial downside risk through one of two mechanisms: (i) via a two-sided risk-sharing payment methodology, pursuant to which a VBE participant is at risk for at least 5 percent of the amount under the VBE’s agreement with the applicable payor (e.g., a 5-percent withhold, recoupment payment or shared losses payment), or (ii) by receiving from the VBE a prospective, per-patient payment on a monthly, quarterly, or annual basis for a predefined set of items and services furnished to the target patient population by the VBE participant, which payment is designed to approximate the expected total cost of those expenditures for the predefined items or services. VBE participants cannot separately claim payment in any form from the payor for the predefined items or services covered by the partial capitated payment.

Ineligible Entities are precluded from protection under this safe harbor. Downstream arrangements among VBE participants are not protected under this safe harbor, nor does the safe harbor protect ownership or investment interests in the VBE or any distributions related to an ownership or investment interest.

Remuneration exchanged between the VBE and VBE participant must be directly connected to one or more of the following value-based purposes regarding the target patient population: the coordination and management of care; improving the quality of care; and appropriately reducing the costs to, or growth in expenditures of, payors without reducing the quality of care. The value-based arrangement, not merely the remuneration exchanged, may not induce the VBE or VBE participant to reduce or limit medically necessary items or services furnished to any patient.

The Substantial Downside Financial Risk safe harbor requires the parties to document the manner in which the VBE assumes risk from a payor, and the VBE participant must assume a meaningful share of such risk. The writing, or collection of documents, must be established in advance of, or contemporaneous with, the commencement of the value-based arrangement and any material change to that arrangement.

Value-Based Arrangements with Full Downside Financial Risk

The third value-based safe harbor is the “value-based arrangements with full financial risk” safe harbor, 42 CFR 1001.952(gg) (the “Full Financial Risk” safe harbor). This safe harbor protects both cash payments and in-kind remuneration exchanged between a VBE and a VBE participant in cases where the VBE, or a VBE participant, other than the payor, acting on behalf of the VBE, has assumed, through a written contract or a value-based arrangement, “full financial risk” on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in a target population.

As noted above, a value-based enterprise is a collection of two or more VBE participants. OIG acknowledges that some or all of the VBE participants (besides the payor) that comprise the VBE can combine their respective risk to satisfy the definition of “full financial risk” as long as the VBE participants’ collective risk amounts to risk for all items and services covered by the applicable payor for the target patient population. In recognition of the operational challenges associated with assuming full financial risk, the safe harbor provides for a one-year phase-in period, during which time the parties may exchange protected remuneration if all of the safe harbor’s other conditions are met.

Given the amount of financial risk assumption required by this safe harbor, VBEs likely will consider risk mitigation strategies in their arrangements with the payor, such as reinsurance for catastrophic losses and risk adjustment reconciliations. As long as the VBE has assumed full financial risk for a term of at least one year prior to the provision of items and services to patients in the target patient population, the payor and VBE can engage in retrospective reconciliations that would consider risk adjusted payments.

One example of an arrangement that could qualify for protection under the Full Financial Risk safe harbor is a contract with a Medicare Advantage organization to receive a fixed per-patient-per-month amount that covers the cost of all items and services furnished by the Medicare Advantage plan for the target patient population. Examples of arrangements that would not qualify for protection are partial capitation arrangements and bundled payment programs or payments. Like the Substantial Downside Financial Risk safe harbor, the Full Financial Risk safe harbor precludes Ineligible Entities from protection, and does not protect downstream arrangements among VBE participants or ownership or investment interests in the VBE or any distributions related to an ownership or investment interest.

While the Full Financial Risk safe harbor’s requirements are less onerous than the requirements of the Care Coordination and Substantial Downside Financial Risk safe harbors, this safe harbor is likely to be of more limited utility to smaller, less sophisticated entities that might not be able to financially take on full risk.

Patient Engagement and Support Safe Harbor

OIG finalized a new safe harbor for arrangements for patient engagement and support to improve quality, health outcomes, and efficiency, 42 CFR 1001.952(hh) (the “Patient Engagement and Support” safe harbor). This safe harbor protects in-kind patient engagement tools and supports that VBE participants furnish directly to patients in a target patient population when those tools or supports advance (i) a patient’s adherence to a drug or treatment regimen, (ii) a patient’s adherence to a follow-up care plan, (iii) the prevention or management of a patient’s disease or condition, or (iv) patient safety. The safe harbor imposes a $500 (retail value) annual, aggregate per-patient cap, and requires that the provision of the tool or support not result in medically unnecessary or inappropriate federally reimbursable items or services.

Like the Care Coordination safe harbor, the Patient Engagement and Support safe harbor does not protect remuneration furnished, funded, or contributed by an Ineligible Entity, with one exception: digital health technology tools or supports funded or furnished by manufacturers of devices and medical supplies (other than physician-owned distributorships) are entitled to safe harbor protection if all of the safe harbor’s other requirements are satisfied. Unlike the Care Coordination safe harbor, however, the Patient Engagement and Support safe harbor protects only digital health technology furnished by manufacturers of devices and medical supplies; DMEPOS companies are ineligible for protection under this safe harbor without exception. OIG explains the disparate treatment by noting that DMEPOS companies have more personal relationships with, and sell more products directly to, patients than do manufacturers of medical devices and supplies, and that OIG’s enforcement experience reveals “persistent and troubling fraud and abuse in sectors of the DMEPOS industry.” This limitation may be significant for certain manufacturers that have direct sales operations with DMEPOS billing numbers.

The Patient Engagement and Support safe harbor requires the in-kind tool or support to have a direct connection to the coordination and management of care of the target patient population. OIG notes that its intent is to ensure that the final rule is agnostic with respect to the specific types or categories of tools and supports protected by this safe harbor but clarifies that certain remuneration does not qualify for protection. Specifically, cash, cash equivalents, and most gift cards would not qualify for protection under this safe harbor; however, vouchers for particular tools and supports and limited-use gift cards that can be redeemed only for certain categories of items may satisfy the safe harbor’s in-kind requirement. Waivers or reductions of cost-sharing amounts also are not protected. OIG further clarifies that the final rule protects in-kind tools and supports that address social determinants of health as long as the tool or support otherwise satisfies all of the safe harbor’s conditions, including the requirement for a direct connection to the coordination and management of the care of the target patient population.

The tool or support must be funded by a VBE participant that is a party to the applicable value-based arrangement, must be recommended by a patient’s licensed health care professional, and may not be used to market other reimbursable items or services or to recruit patients.

The safe harbor also requires that VBE participants make the tools or supports available to patients in the target patient population without taking into account the patients’ types of insurance coverage. OIG states that this requirement is designed to ensure that VBE participants provide tools and supports to patients based on clinical characteristics, and does not require VBE participants to provide unwanted tools or supports when they cannot be used.

Finally, the safe harbor requires VBE participants to retain documentation sufficient to establish that the tool or support was distributed in a manner that satisfied the safe harbor’s conditions for at least six years.

CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient Incentives

Recognizing the need for uniformity and predictability for parties participating in a model or other initiative being tested or expanded by the Center for Medicare and Medicaid Innovation under section 1115A of the Social Security Act (“the Act”) and the Medicare Shared Savings Program under section 1899 of the Act (collectively, “CMS-sponsored models”), OIG finalized a new safe harbor to permit remuneration (i) between and among parties to the arrangements and (ii) in the form of incentives provided by CMS-sponsored model participants and their agents to covered patients.

CMS defines the scope of CMS-sponsored models, including the arrangements or incentives that are permitted under the model or initiative, the entities that may participate and/or provide an incentive, and the period of time in which remuneration may be provided in connection with the model or initiative. In developing the terms of a CMS-sponsored model, CMS must affirmatively state that this new safe harbor is available for specific CMS-sponsored model arrangements and patient incentives within a particular model or initiative. CMS also may determine that the safe harbor is available for CMS-sponsored model arrangements and patient incentives that already exist, but CMS must issue a public notice or a notice to individual participants stating that such safe harbor protection is available.

If CMS determines that this safe harbor is available with respect to a particular CMS-sponsored model, “remuneration” will not include the exchange of anything of value between or among CMS-sponsored model parties under a CMS-sponsored model arrangement if, among other criteria, the arrangement will advance one or more goals of the CMS-sponsored model and the remuneration is not made to induce the furnishing of medically unnecessary items or services, reduce or limit medically necessary items or services, or induce or reward federal health care program referrals or business generated outside of the CMS-sponsored model. In addition, the safe harbor protects patient incentives, if among other things, the incentive (i) will advance one or more goals of the CMS-sponsored model and (ii) has a direct connection to the patient’s health care, unless CMS specifies a different standard in the CMS-sponsored model’s participation documents.

In adopting this singular, uniform safe harbor for CMS-sponsored models, OIG has largely eliminated the need for separate, model-specific fraud and abuse waivers. However, OIG confirms that this new safe harbor does not supersede existing fraud and abuse waivers, nor does it preclude OIG from issuing model-specific waivers in the future. Further, although OIG sought comments on whether to expand the safe harbor to include remuneration between and among parties to arrangements under CMS initiatives that are not authorized by sections 1115A and 1899 of the Act, OIG declined to expand the safe harbor to include such arrangements.

Cybersecurity Technology and Related Services

OIG finalized a new safe harbor that protects donations of, and discounts for, cybersecurity technologies that prevent, detect, and respond to cyberattacks (the “Cybersecurity” safe harbor) (42 C.F.R. 1001.952(jj)). The new safe harbor addresses the health care industry’s urgent need to address the increase in, and intensity of, cyberattacks that have resulted in a significant uptick in data breaches. This safe harbor is designed to improve the health care industry’s overall cybersecurity posture. In promulgating this safe harbor, OIG considered the significant costs that health care providers, both large and small, incur to protect the information and IT systems that drive patient care and ensure that patient information is accurate, accessible, and available when needed. The Cybersecurity safe harbor protects all categories of donors; OIG declined to place restrictions or limitations on the type of individuals or entities that may donate or discount cybersecurity technologies. In addition, the Cybersecurity safe harbor allows for donations of or discounts for cybersecurity technologies, including software and information technology, as well as certain cybersecurity hardware as long as certain conditions are met.

OIG defines “cybersecurity” as the process of protecting information by preventing, detecting, and responding to cyberattacks and “technology” as any software or other types of information technology. OIG relies on the National Institute of Standards and Technology (“NIST”) “Framework for Improving Critical Infrastructure Cybersecurity” for its definitions, so as not to unintentionally limit the scope of donations or types of technologies that the safe harbor protects. By defining “cybersecurity” in a broad and neutral way, OIG captures a wide range of technologies, including software, services, and certain hardware, and the services to support them as the technologies change and cyber threats evolve over time.

The safe harbor limits the scope of the cybersecurity technologies and services that may be donated or discounted to those technologies that are “necessary and used predominately to implement, maintain or reestablish cybersecurity.” This standard is intended to ensure that donations are made to address legitimate cybersecurity needs of donors and recipients.

To address the concern that parties may improperly use the Cybersecurity safe harbor to entice new business, recipients and donors are required to document their arrangement in writing, generally describing the cybersecurity technologies that are being donated and any amount that the recipient might be contributing to the cost of the cybersecurity technologies. Donors are not permitted to consider the volume or value of referrals or other business generated between the parties when determining a recipient’s eligibility for the donation, or the amount or nature of the cybersecurity technologies or services being donated. Conversely, recipients may not make the receipt of cybersecurity technologies a condition of doing business with the donor. Finally, the cost of the technology cannot be shifted to any federal health care program.

OIG recognizes that, by establishing a new Cybersecurity safe harbor, it creates some overlap with the electronic health records (“EHR") safe harbor, which protects certain arrangements involving the donation of interoperable EHR software or information technology and training services (discussed in more detail below). However, this was deliberate on OIG’s part, as the EHR safe harbor is specifically designed to protect donations of EHR software and services and also requires a contribution of 15 percent, but excludes hardware. By comparison, the stand-alone Cybersecurity safe harbor finalized in paragraph 1001.952(jj) is broader, requires no contribution from the recipient, and is meant to protect donations of cybersecurity hardware software and services.

Electronic Health Records Items and Services

OIG and CMS finalized revisions to the Anti-Kickback Statute and Stark Law, respectively, with almost identical changes to the existing EHR protections currently in effect. The updates are designed to encourage the adoption of interoperable EHR technology solutions. OIG and CMS both adopted the revised definition of “interoperable” that aligns with the definition and requirements for interoperability under the 21st Century Cures Act. Specifically, with this new definition, the exception and safe harbor require donated technology to be certified as interoperable by the Office of the National Coordinator for Health Information Technology (also known as “ONC”) as of the date of donation.

OIG and CMS considered the unintended consequence of prohibiting donations of equivalent items or services. When EHR software and systems become obsolete or outdated, and health care providers lack the resources to invest in upgrades or replacement, they often find themselves “locked in” to their EHR. CMS strikes a balance by permitting donations of replacement EHR items or services under the EHR exception. Both OIG and CMS retained the 15-percent contribution requirement for initial and replacement EHR items and services, which must be paid in advance, but removed the requirement that the 15-percent contribution must be paid in advance with respect to updates to existing EHR systems.

Finally, both OIG and CMS eliminated the sunset provision to make the EHR safe harbor and exception permanent. In doing so, the agencies are encouraging the ongoing adoption of certified EHR technology among health care providers, especially for new providers who are just entering the practice and stragglers who may have been slow adopters of EHR technology.

Personal Services and Management Contracts and Outcome-Based Payment Arrangements

OIG finalized the two modifications and the new provisions for outcomes-based payments it proposed to the personal services and management contracts safe harbor, 42 CFR 1001.952(d) (the “Personal Services” safe harbor). First, OIG substituted the safe harbor’s condition that required parties to set the aggregate compensation to be paid to the agent over the term of the agreement in advance with a requirement that the parties establish the compensation methodology in advance. OIG notes in its final rule that this change modernizes the safe harbor, but cautions that arrangements that take the volume or value of referrals or other business generated into account when establishing the aggregate compensation would be precluded from safe harbor protection. Second, OIG eliminated the requirement that agreements providing for the services of an agent on a periodic, sporadic, or part-time basis specify the schedule, length, and the exact charge for such intervals in order to accommodate a broad range of part-time and sporadic-need arrangements.

OIG also finalized, with modifications, its proposal to protect outcomes-based payment arrangements that facilitate care coordination, encourage provider engagement across care settings, and advance the transition to value. Unlike the Care Coordination safe harbor, which allows for the exchange of in-kind remuneration as long as the parties to the value-based arrangement reasonably anticipate that the arrangement will advance the coordination and management of care of a target patient population, the outcomes-based payment provisions of the Personal Services safe harbor expressly require the agent to achieve one or more legitimate outcomes measures to receive payment. The parties must select outcome measures based on clinical evidence or credible medical support. Process measures that are supported by strong evidence of improving an outcome may serve as a component of an outcome measure that must be achieved to receive payment under an outcomes-based payment arrangement. Although OIG notes that the Personal Services safe harbor’s new outcomes-based protections do not necessarily preclude product standardization, the safe harbor, as modified, does not protect traditional gainsharing arrangements that reduce internal costs only to the providers making the payments.

The methodology for determining outcomes-based payments must be set in advance, commercially reasonable, consistent with fair market value, and not determined in a manner that directly takes into account the volume or value of referrals or other federally reimbursable business generated between the parties. In addition, the safe harbor excludes any payments made directly or indirectly by any Ineligible Entity from protection. Although OIG acknowledges that Ineligible Entities may have legitimate uses for outcomes-based payments, it states that the safe harbor’s conditions have not been tailored to outcomes-based contracting or payments in those sectors. OIG further notes that it may consider outcomes-based contracting for pharmaceutical products and medical devices manufacturers in a future rulemaking.

Warranties

In its final rule, OIG promulgated two modifications to the warranties safe harbor, 42 CFR 1001.952(g). First, OIG expanded the safe harbor’s protections to cover bundles of items as well as one or more items and related services. The safe harbor does not provide protection to warranties that relate only to services, as OIG considers such warranties to present a heightened risk of fraud and abuse. In the preamble to the final rule, OIG emphasizes that the warranties safe harbor protects only remuneration that is provided as a warranty remedy; any free items or services a seller offers as part of a bundled warranty arrangement or ancillary to a warranty arrangement are not protected by the warranties safe harbor.

The safe harbor, as modified, protects warranties that apply to bundled items, or one or more items and related services, only if the federally reimbursable items and services subject to the warranty arrangement are reimbursed by the same federal health care program and in the same federal health care program payment. OIG acknowledges that this requirement serves to exclude population-based warranties from safe harbor protection, and notes that it is considering specifically tailored safe harbor protection for value-based contracting and outcomes-based contracting arrangements in a future rulemaking. The safe harbor caps the amount of remuneration that may be offered pursuant to a warranty to the cost of the items and services subject to the warranty, and prohibits a seller from conditioning any warranty on a buyer’s exclusive use, or minimum purchase, of any of the seller’s items or services.

Second, OIG finalized its proposal to define the term “warranty” directly, rather than by reference to the Magnuson-Moss Act, codified at 15 USC 2301(6). The revised definition both clarifies that the warranties safe harbor is available for drugs and devices regulated under the Federal Food, Drug, and Cosmetic Act, and reflects the safe harbor’s expansion to cover bundles of items or services in combination with one or more related items. OIG notes that it interprets the definition of “warranty” to apply to warranty arrangements conditioned on clinical outcomes guarantees; protected warranty arrangement therefore may include warranties conditioned upon value-based outcomes as long as all of the safe harbor’s other requirements are satisfied.

Local Transportation Safe Harbor

OIG promulgated two modifications to the existing “local transportation” safe harbor, 42 CFR 1001.952(g). First, OIG expanded the distance for qualifying transportation that may be offered from the previous limit of 50 miles to 75 miles. Second, OIG removed any mileage limits on transportation between a health care facility that discharges a patient and the patient’s residence, regardless of whether the patient resides in an urban or rural area.

OIG explains that expanding the mileage limit to 75 miles does not increase the risk of program abuse. OIG notes that, due to the pandemic, some patients in rural areas will have to travel distances that exceed 75 miles to obtain care and acknowledges that the safe harbor does not protect every instance of needed transportation. OIG declined to expand the safe harbor to cover transportation for non-medical purposes, noting that such arrangements pose an unacceptable risk of improper beneficiary inducements that outweigh the potential for addressing social determinants of health, such as access to shopping for food.

OIG clarifies that the exception to the mileage limit for discharged patients applies to patients who were admitted as inpatients as well as to patients who spent at least 24 hours in observation status. In addition, the destination for transportation following an inpatient discharge can now include either the patient’s residence or “another residence of the patient’s choice.” OIG explains that a residence of the patient’s choice may include, for example, the residence of a relative or friend who will be caring for the patient after discharge or a homeless shelter.

Finally, OIG clarifies that ride-sharing services offered by eligible entities that furnish health care items or services may fall within the safe harbor as long as the other elements have been satisfied. Even though these services may be offered, OIG cautions that the transportation service cannot advertise that it provides free or discounted services to a specific provider or group of providers.

Accountable Care Organization (“ACO”) Beneficiary Incentive Program

OIG finalized its proposal to codify the “ACO Beneficiary Incentive Program” safe harbor at 42 CFR 1001.952(kk) without modification. This safe harbor interprets the statutory exception to the definition of “remuneration” that was adopted in the Budget Act of 2018 for beneficiary incentive payments made by Medicare ACOs in certain two-sided risk models.

The safe harbor, as finalized, states that “an incentive payment made by an ACO to an assigned beneficiary under a beneficiary incentive program established under section 1899(m) of the Act, as amended by Congress from time to time” will not violate the Anti-Kickback Statute “if the incentive payment is made in accordance with the requirements found in such subsection.” Accordingly, the safe harbor protects payments made to patients who have been assigned to a risk-bearing Medicare ACO and who receive qualifying primary care services from providers participating in such ACOs. In the final rule, OIG clarifies that, for an incentive payment to satisfy the ACO Beneficiary Incentive Program statutory exception, and the corresponding safe harbor, all of the requirements enumerated at section 1899(m) of the Act must be satisfied. Further, while OIG does not require satisfaction of any requirements found outside of section 1899(m), such as CMS regulations specific to the Medicare Shared Savings Program, as a condition of satisfying the safe harbor, OIG recommends that it would be prudent for ACOs to review these regulations to ensure that their ACO Beneficiary Incentive Programs meet all applicable programmatic requirements.

Civil Monetary Penalties Exception for Telehealth Technologies for In-Home Dialysis

The final rule creates a new exception to the CMP law’s definition of “remuneration” at 42 CFR 1003.110(10) that carves out certain telehealth technologies related to in-home dialysis services.

This change was brought about by the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2018, which allows individuals with end-stage renal disease (“ESRD”) who receive in-home dialysis to also receive their monthly ESRD-related clinical assessments at home via a telehealth link. While the Budget Act of 2018 incorporated this telehealth technology exception into the CMP law’s definition of “remuneration,” the final rule incorporates the definition into the regulations with additional interpretation.

The new exception applies to “telehealth technologies” offered by a provider of services or a qualified renal disease facility to an individual with ESRD who is receiving in-home dialysis. The term “telehealth technologies” means “hardware, software, and services that support distant or remote communication between the patient and provider, physician, or renal dialysis facility for diagnosis, intervention, or ongoing care management.” This definition is substantially broader than the proposed rule, which (i) would have required that the technology “contribute substantially” to the patient’s care, (ii) would have required that the technology not be duplicative of other technologies owned by the patient, and (iii) would have required that the cost of any telehealth technology not be shifted to any individual or health care plan. In addition, in response to the comments submitted, OIG expanded the definition of “telehealth technologies” to include a broader range of technologies (such as telephones and email communication) that are not dependent on synchronous real-time audio and video connections, and to eliminate a proposed requirement that the telehealth service itself be covered and paid under Medicare Part B.

The new exception allows the Medicare program to pay for telehealth technologies offered by a provider or supplier (including a physician) in connection with in-home dialysis if the telehealth technologies are not offered as part of an advertisement or solicitation. The exception also requires that the provider or facility that is currently providing the in-home dialysis or ESRD care to the patient furnish the telehealth technologies to the individual. This is intended to mitigate the fraud and abuse risks that may be present if the dialysis provider could selectively choose which beneficiaries could receive the telehealth technologies.

This Client Alert was authored byJason E. Christ, Anjali N.C. Downs, Karen Mandelbaum, Teresa A. Mason, David E. Matyas, Jennifer E. Michael, Victoria Vaskov Sheridan, Carrie Valiant, Robert E. Wanerman, and Lesley R. Yeung. The authors would like to thank Bailey N. Wendzel for her assistance with editing this Client Alert. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.

Endnotes

[1] See OIG, “Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements,” 85 FR 77684 (Dec. 2, 2020), available at https://www.federalregister.gov/documents/2020/12/02/2020-26072/medicare-and-state-health-care-programs-fraud-and-abuse-revisions-to-safe-harbors-under-theSee also CMS, “Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations,” 85 FR 77492 (Dec. 2, 2020), available at https://www.federalregister.gov/documents/2020/12/02/2020-26140/medicare-program-modernizing-and-clarifying-the-physician-self-referral-regulations.
[2] See OIG, “Medicare and State Healthcare Programs: Fraud and Abuse; Revisions To Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements,” 84 FR 55694 (Oct. 17, 2019), available at https://www.federalregister.gov/documents/2019/10/17/2019-22027/medicare-and-state-healthcare-programs-fraud-and-abuse-revisions-to-safe-harbors-under-theSee also CMS, “Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations,” 84 FR 55766 (October 17, 2019), available at https://www.federalregister.gov/documents/2019/10/17/2019-22028/medicare-program-modernizing-and-clarifying-the-physician-self-referral-regulations.

Jump to Page

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.