- Hospitals and other entities like medical device manufacturers may soon be able to donate certain cybersecurity software to physicians without fear of running afoul of the Stark Law or Anti-Kickback Statue if provisions in two recent proposed rules are finalized by CMS and the HHS Office of Inspector General.
- The goal is to allow healthcare players to protect the broader healthcare system by providing cybersecurity software to physician practices that may individually find it financially infeasible to purchase it themselves.
- The AKS cybersecurity safe harbor, as proposed, does not cover donations of hardware, such as an iPad, due to concerns donations of valuable systems "pose a higher risk of constituting a disguised payment for payment for referrals." However, HHS is asking for feedback if donations of hardware should be permitted under certain circumstances to enhance cybersecurity efforts.
CMS Administrator Seema Verma said the decision to propose loosening restrictions on sharing cybersecurity software comes amid a slate of high-profile cases where personal data was stolen by criminals.
"A hospital that wants to protect its electronic health records and other data may currently be worried about providing cybersecurity software at a reduced fee to physicians using the system due to concerns about the Stark Law," Verma told reporters. "If physicians can’t afford the cybersecurity software, the hospital has to choose between risking attack from a hacker and denying access to its electronic system."
In its proposed rule, HHS OIG noted the healthcare system "is only as strong as its weakest link," adding "even a very low-referring entity poses a cybersecurity risk."
With the cost of cybersecurity increasing, the proposed rules recognize some physician practices don’t have the resources or expertise to keep pace, according to James Cannatti III, a healthcare attorney at McDermott Will & Emery.
"Cybersecurity is an important issue as the healthcare ecosystem becomes increasingly interconnected," Cannatti told MedTech Dive. "There may be an interest by others whose systems are being connected with those weak links to ensure they increase their cybersecurity because that weakness at one place is a weakness for the system as a whole."
The dual proposals are "fairly broad" and "will be available to any individuals or entities that want to share cybersecurity hygiene software with others for the safety of the entire system," according to an HHS official.
"We note that, because we do not propose to restrict the scope of protected recipients under this safe harbor, we believe patients would be included as protected recipients," the HHS OIG proposed rule states.
Donna Clark, a healthcare attorney at Morgan Lewis, said the cybersecurity exception under the Stark Law and corresponding AKS safe harbor is straightforward, but it is unclear if hospitals will be willing to incur the cost of providing cybersecurity software.
"It’s very clear it dovetails with the overall goal of both CMS and OIG in publishing these regulations: to promote coordinated value-based care where healthcare providers of different types collaborate with each other," Clark told MedTech Dive. "Initially, the hospitals are the ones that are going to be most keyed into taking advantage of this exception because they have the connections with the physicians."
Cannatti, who previously worked as HHS OIG senior counselor for health information technology, said the set of proposed rules make clear the government is interested to hear if it struck the right balance to enable better cybersecurity for the healthcare system.
"They don’t propose to restrict the type of individuals that can donate right now, but they are considering narrowing it," Cannatti said. "So, if there are those who would like to be able to take advantage of this, and they are concerned that OIG could exclude them in the final, this would be an area that is ripe for comment."