Changes to Stark, Anti-kickback Rules Could Pave Way for Cyber Donations

By: Mari Savickis, VP of Federal Affairs, CHIME

The U.S. Department of Health and Human Services (HHS) is considering changing two rules that could help lesser-resourced providers in rural areas shore up their cybersecurity programs. AEHIS have been supporting these changes as way to thwart attacks by sophisticated cybercriminals who try to exploit the increasing interconnectedness of digital healthcare. Here’s an update, plus an opportunity to learn more from one of the nation’s top authorities on this topic.

As part of the administration’s Regulatory Sprint to Coordinated Care, HHS identified modernizing the Stark and anti-kickback rules among its priorities. The Centers for Medicare & Medicaid (CMS) governs Stark rules, which were enacted in 1989 to prevent physicians from making referrals for Medicare-reimbursed services with entities that they have financial relationships with. Stark makes exceptions in cases that pose no risk of harm to programs or patients. The Office of the Inspector General (OIG) governs anti-kickback statute (AKS) rules, which prohibit “remuneration” for referrals or other business that involves an item or service that is paid through a federal healthcare program. AKS includes some safe harbors that are not treated as offenses under the statute.

Working with the CHIME public policy team in Washington, D.C., CHIME and AEHIS responded to two requests for information (RFIs) about changes under consideration that would allow providers to donate cybersecurity services similar to an exemption given for EHRs. A letter to CMS based on feedback from CIOs and CISOs recommended an exemption that permits donations of cybersecurity training/education services, software and technology. Technologies with the greatest impact on improving cybersecurity hygiene were identified as firewalls/ intrusion detection and prevention systems, antivirus/malware, email filtering/encryption, data loss prevention software and advisory services. Another letter sent to OIG recommended a standalone safe harbor that would permit donations of cybersecurity items and services.

CMS and OIG are reviewing the 3,500 pages of comments submitted in response to these RFIs. We expect the administration to now publish proposed rules to come out this year following feedback received on the RFIs, which means providers may soon be in a situation where they could legally donate cyber technology, services and education. AEHIS members will be able to hear the latest developments concerning Stark and anti-kickback rules from Kimberly Brandt, JD, the principal deputy administrator for operations at CMS and a nationally recognized expert in healthcare compliance, during a keynote presentation at the CHIME Advocacy Summit on June 26-28 in Washington, D.C.

Brandt supports the administrator for all activities necessary for the operation and management of CMS and its programs, including Medicare, Medicaid and the Children’s Health Insurance Program. For seven years, she served as the CMS director of the Medicare Program Integrity Group. Prior to her first tenure at CMS, Brandt worked for five years at the HHS Office of Inspector General as special counsel and director of external affairs and as a senior counsel negotiating False Claims Act settlements. In 2016, she received the Healthcare Compliance and Ethics Professional of the Year award from the Society for Corporate Compliance and Ethics and the Health Care Compliance Association.

She will be joined by four other keynote speakers: Adam Boehler, deputy administrator for innovation and quality for CMS and director of the Center for Medicare and Medicaid innovation; U.S. Rep. Bill Johnson, the former director of the Air Force’s Chief Information Officer Staff at U.S. Special Operations Command; Will Smart, CIO of NHS England who will share lessons learned from WannaCry; and Admiral Brett P. Giroir, MD, assistant secretary for health at HHS. The summit will include an update from Capitol Hill on how the 116th Congress views innovation, cybersecurity and health IT; a presentation by Don Rucker, MD, the National Coordinator for Health IT; the FDA’s take on cybersecurity, and more.

To learn more about the Advocacy Summit and to register, please go here.

More AEHIS News