HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which will see the creation of a new safe harbor covering hospital donations of cybersecurity software and associated services to physicians.

The proposed law change is detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicaid and Medicare Services (CMS) which aim to modernize and clarify regulations that interpret the Federal Anti-Kickback Statute and Physician Self-Referral law known as Stark Law.

The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers.

“The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the technology used to deliver healthcare have been described as an interconnected ‘ecosystem’ where the ‘weakest link’ in the system can compromise the entire system.”

Physician practices are a possible weak link that could be exploited by threat actors to compromise the whole system. Many small healthcare providers lack the necessary resources to improve their security posture and ensure that their systems, networks, and patient data are adequately protected.

The proposed updates are intended to provide greater clarity for healthcare providers participating in value-based arrangements and providing coordinated care for patients. They are intended to ease the compliance burden for healthcare providers while ensuring strong safeguards are maintained to protect patients and programs from fraud and abuse.

There is already an exception to Stark Law which permits healthcare providers to make EHR-related donations to physicians as well as donations of cybersecurity software and services. The proposed rule seeks to provide greater certainty for healthcare providers that such donations do not violate Stark Law.

The new safe harbor will remove real or perceived barriers that prevent parties from using cybersecurity technologies to improve security. The safe harbor was recommended by the HHS Healthcare Industry Cybersecurity Task Force in 2017 and will cover certain cybersecurity technologies and associated services that are essential for protecting against cyberattacks on the healthcare industry. Those attacks increase the costs of healthcare delivery and often prevent healthcare providers from accessing health records and other information essential for healthcare delivery.

In the context of the proposed rule changes, OIG defines cybersecurity as “the process of protecting information by preventing, detecting, and responding to cyberattacks.” Covered cybersecurity technology includes software or information technology that improves cybersecurity, but there are limitations on what can be donated. The rule covers software, cybersecurity training services, business continuity and data recovery services, services associated with security risk assessments, threat sharing services, and cybersecurity-as-a-service offerings.

The OIG rule does not permit donations of hardware as it could have uses outside of cybersecurity and would increase the risk of donations being made to influence referrals. OIG says it may consider updating its proposed rule to include certain types of stand-alone hardware that can only be used for cybersecurity purposes, such as multi-factor authentication dongles.

The proposed rules will help to reduce the cost of healthcare by sparing smaller healthcare providers the cost of improving their security posture and by reducing the potential for costly cyberattacks. By receiving donations of necessary software and cybersecurity services, they will be able to direct funds to other items and services not covered by the proposed safe harbor.

“Administrative costs are driving up the cost of healthcare in America – to the tune of hundreds of billions of dollars. The Stark proposed rule is an important next step in President Trump’s healthcare agenda for Americans. We are updating our antiquated regulations to decrease burden for providers and helping bring down these increasingly escalating costs,” said CMS administrator Seema Verma.

“Regulatory reform has been a key piece of President Trump’s agenda not just for faster innovation and economic growth, but also better, higher-value healthcare. Our proposed rules would be an unprecedented opportunity for providers to work together to deliver the kind of high-value, coordinated care that patients deserve,” said HHS Secretary, Alex Azar.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.