Federal Agencies Look to Ease Burdens of the Anti-Kickback Statute and Stark Law

As part of the U.S. Department of Health and Human Services (HHS) “Regulatory Sprint to Coordinated Care,” the Centers for Medicare & Medicaid Services (CMS) and the HHS Office of Inspector General (OIG) published separate final rules in the Federal Register on December 2, 2020. The Regulatory Sprint to Coordinated Care was announced by HHS in 2018 and is an initiative aimed at reducing regulatory barriers to care coordination and accelerating the transformation of the American health care system into one that better pays for value and promotes the coordination of patient care. The CMS rule was also part of the agency’s “Patients over Paperwork” initiative announced in 2017, which has been aimed at streamlining regulations to reduce unnecessary burden, increase efficiencies, and improve the beneficiary experience. 

The OIG and CMS final rules, which have been described as historic, sweeping, and highly anticipated, modify and attempt to modernize the federal fraud and abuse framework comprised of the Anti-Kickback Statute, the physician self-referral or Stark law, and the civil monetary penalties law related to beneficiary inducements. In the press releases accompanying the final rules, the OIG simply stated that Congress intended the safe harbor regulations under the Anti-Kickback Statute to be updated periodically to reflect changing industry practices and technologies, whereas CMS included the evocative declaration from Administrator Verma: “That sound you hear is the mingled cheers and exclamations of relief from doctors and other health care professionals across the county as we lift the weight of our punishing bureaucracy from their backs.” 

The release of the notices of proposed rule-makings in October 2019 was coordinated by the OIG and CMS, after the agencies had reviewed thousands of comments received in response to the requests for information published in the summer of 2018. The final safe harbors in the OIG final rule for value-based arrangements, cybersecurity, and electronic records align with the Stark law exceptions in the CMS final rule (though compliance with a safe harbor does not automatically satisfy a Stark law exception or vice versa). The revised regulations generally become effective on January 19, 2021.

CMS Final Rule

CMS’s final rule establishes new exceptions to the Stark Law that are aimed at alleviating providers’ fears of violating the law when entering into arrangements involving legitimate activities to coordinate and improve the quality of care and to lower costs. These new exceptions involve new interconnected value-based terms such as value-based activity, value-based arrangement, value-based enterprise, and value-based purpose.

The CMS final rule establishes a new exception for the donation of cybersecurity technology and related services. Such services could include those associated with developing, installing, and maintaining software; training and help desk services; business continuity and data recovery services; and “cybersecurity as a service” models that rely on third-party service providers.

The CMS final rule also clarifies existing provisions and prior guidance, including by finalizing certain “bright-line rules” that were included in the 2019 notice of proposed rule-making. These include guidance for determining whether compensation is commercially reasonable, determined in a manner that takes into account the volume or value of referrals or takes into account other business generated between the parties. Also, “fair market value” is addressed.

OIG Final Rule

The OIG final rule establishes new safe harbors under the Anti-Kickback Statute, modifies existing safe harbors, and codifies one new exception under the civil monetary penalty rules regarding beneficiary inducements. 

The seven new safe harbors are (1) for care coordination arrangements to improve quality, health outcomes, and efficiency; (2) for value-based arrangements with substantial downside financial risk; (3) for value-based arrangements with full financial risk; (4) for arrangements for patient engagement and support to improve quality, health outcomes, and efficiency; (5) for CMS-sponsored model arrangements and CMS-sponsored model patient incentives; (6) for cybersecurity technology and related services; and (7) for accountable care organization beneficiary incentive programs for the Medicare Shared Savings Program.

The four modified safe harbors are (1) for personal services and management contracts, including outcomes-based payments; (2) for warranties to revise the definition and provide protection for bundled warranties; (3) for electronic health records items and services, to add protections for certain related cybersecurity technology, update interoperability provisions, and remove the sunset date; and (4) for local transportation, to change mileage limits for rural areas and for transportation for patients following discharge from an inpatient facility or hospital.

The new civil monetary penalty exception excludes certain telehealth technologies for in-home dialysis patients from the definition of “remuneration.”

The changes to existing rules, the addition of new exceptions and safe harbors, and clarifications regarding issues that have been questioned in the past may enable arrangements that were previously infeasible. Health care providers and others affected by these laws should consider these new possibilities. However, penalties for violating these laws remain in effect and can be severe. For example, a violation of the Stark Law can result in repayment obligations and can give rise to liability under the False Claims Act, and a violation of the Anti-Kickback Statute can lead to imprisonment, fines, or other penalties. Thus, health care providers and payors should consult with their attorneys to understand the relevant rules and structure their arrangements accordingly.

Please contact Jill McFarland, Mike Davidson, or your regular Lewis Rice attorney if you have any questions.