DHHS Proposes to Make it Harder to Give Free EMRs to Physicians

Summary of New OIG Proposed Rule Amending the Electronic Health Records Safe Harbor to the Federal Anti-Kickback Statute

By: Caroline E. Kubovy, Esq.


On April 10, 2013, the Federal Register published a proposed rule from the Office of Inspector General (“OIG”) that would amend the safe harbor regulation under the Federal Anti-Kickback Statute (“AKS”)[1] as it pertains to electronic health records (“EHR”) items and services in three significant ways.[2] It is noteworthy that the Centers for Medicare and Medicaid proposed almost identical changes to the physician self-referral law EHR exception in the same issue of the Federal Register.[3]

The AKS provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce or reward the referral of business reimbursable under any of the Federal health care programs. However, Congress has identified certain “safe harbor” provisions that would specify various payment and business practices that would not be subject to any enforcement action under the AKS, civil monetary penalties for anti-kickback violations, or the program exclusion authority related to kickbacks.

Although this is a proposed rule and the OIG will continue to solicit commentary through its formal process[4] until approximately June 9, 2013, it is important for practice administrators to examine certain practice donor/donee relationships. Specifically, practice administrators should examine relationships with other health care entities to which the practice plans to donate, or from which it plans to receive, EHR items or services, such as software, information technology, or training services. The proposed rule, if adopted, could dramatically change the scope of who will be considered a “protected donor,” and therefore shielded from AKS liability.


1. Updating the Deeming Provision
Currently, the OIG EHR safe harbor specifies that donated software must be interoperable at the time it is provided to the recipient. The term interoperable means “able to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings, and exchange data such that the clinical or operational purpose and meaning of the data are preserved and unaltered.”[5] Furthermore, software is deemed to be interoperable if a certifying body recognized by the Secretary has certified the software within no more than 12 months prior to the date it is provided to the recipient (“Deeming Provision”).[6] The proposed rule will update two aspects of this Deeming Provision.

First, the proposed rule identifies the Office of the National Coordinator for Health Information Technology (“ONC”) as the authority responsible for “recognizing” certifying bodies. Thus, an entity must successfully complete an authorization process established by ONC in order to be “recognized” by the Secretary. Therefore, under the modification, the Deeming Provision would now read, “Software is deemed to be interoperable if a certifying body recognized by the National Coordinator for Health Information Technology has certified the software…”

Second, the proposed rule modifies the time period in the Deeming Provision within which the software must have been certified. Currently, the EHR safe harbor requires that the software must have been certified within no more than 12 months prior to the date of donation in order to ensure that products have an up-to-date certification. However, the ONC has developed a regulatory process for adopting certification criteria and standards that will occur on a 2-year regulatory basis. Therefore, under the modification, the second clause of the Deeming Provision would now provide that “Software is deemed to be interoperable if a certifying body… has certified the software to any edition of the electronic health record certification criteria identified in the then-applicable definition of Certified EHR Technology in 45 CFR part 170, on the date it is provided to the recipient.”

2. Electronic Prescribing Capability

Currently, the EHR safe harbor specifies that the donated software must “contain electronic prescribing capability, either through an electronic prescribing component or the ability to interface with the recipient’s existing electronic prescribing system, that meets the applicable standards under Medicare Part D at the time the items and services are provided.”[7] However, the Medicare Improvements for Patients and Providers Act of 2008 (“MIPPA”) and the Health Information Technology for Economic and Clinical Health (HITECH) authorized incentive programs for electronic prescribing for certain eligible professionals. Furthermore, the percentage of physicians electronically prescribing has dramatically increased from 7% in 2008 to 48% in 2012.[8] Therefore, in light of the above developments, the proposed rule would remove the electronic prescribing condition. That said, the OIG was careful to note that electronic prescribing technology would still remain eligible for donation under the EHR safe harbor or under the electronic prescribing safe harbor.[9]

3. Sunset Date

Currently, the EHR safe harbor is scheduled to sunset on December 31, 2013.[10] While the healthcare industry has made great technological progress, EHR technology has not yet been universally adopted nationwide, and its adoption remains an important OIG goal. Thus, the proposed rule would extend the sunset date to December 31, 2016. This date corresponds with the last year in which one may receive a Medicare EHR incentive payment, as well as the last year in which one may initiate participation in the Medicaid EHR incentive program. The Department is also considering an alternative sunset date of December 31, 2021, which corresponds to the end of the EHR Medicaid incentives. Therefore, the Department is soliciting comment on the December 31, 2016 sunset date, as well as the possibility of an alternative sunset date.

4. Additional Proposals and Considerations

A. Limited Scope of Protected Donors

In 2006, the OIG determined that the EHR safe harbor should protect “any donor that is an individual or entity that provides patients with health care items or services covered by a Federal health care program and submits claims or requests for payment for those items or services (directly or pursuant to reassignment) to Medicare, Medicaid, or other Federal health care programs (and otherwise meets the safe harbor conditions).”[11] However, the OIG noted that it intended to monitor the situation and modify the determination if abuses occurred.

Recently, the OIG has received comments suggesting that abusive donations are being made under the EHR safe harbor. For example, allegations were made that donors were using the EHR safe harbor to provide referral sources with items and services that appear on their face to support the interoperable exchange of information but in practice lead to data and referral lock-in.[12]
Therefore, the OIG is considering revising the EHR safe harbor to limit the scope of protected donors to:

  1. Cover only MMA-mandated donors[13]: hospitals, group practices, prescription drug plan sponsors, and Medicare Advantage organizations, or
  2. Include individuals or entities with front-line patient care responsibilities, such as safety net providers, or
  3. Retain the current definition of protected donors, but exclude specific types of donors, e.g. suppliers of ancillary services associated with a high risk of fraud and abuse, laboratory companies, durable medical equipment suppliers, and independent home health agencies.

Thus, the OIG is currently seeking commentary and supporting reasons regarding the particular types of providers and suppliers that should or should not be protected donors.

B. Data Lock-In and Exchange

The OIG is considering including new or modified conditions in the EHR safe harbor that would prevent donations that are used to lock in referrals. It has been suggested that even when donated software meets the interoperability requirements of the rule, policies and practices sometimes affect the true ability of EHR technology items and services to be used to exchange information across organizational and vendor boundaries. Therefore, the OIG has identified two goals: 1) to prevent the misuse of the safe harbor in a way that results in data and referral lock-in, and 2) to encourage the free exchange of data (in accordance with protections for privacy).

For example, as a condition of the EHR safe harbor, “the donor (or any person on the donor’s behalf) may not take any action to limit or restrict the use, compatibility, or interoperability of the items or services with other electronic prescribing or EHR systems.”[14] Thus the OIG is soliciting comments regarding whether this condition could be further modified to reduce the possibility of lock-in.

C. Covered Technology

The OIG received questions regarding whether certain items or services fell within the scope of covered technology under the EHR safe harbor, e.g. services that enable interoperable exchange of EHR data. In the preamble to the 2006 Final Rule[15], the OIG explained that it interpreted the term “software information technology and training services necessary and used predominantly for EHR purposes” to include: “interface and translation software; rights, licenses, and intellectual property related to EHR software; connectivity services, including broadband and wireless internet services; clinical support and information services related to patient care (but not separate research or marketing support services); maintenance services; secure messaging (e.g., permitting physicians to communicate with patients through electronic messaging); and training and support services (such as access to help desk services).”[16] Therefore, the OIG was encouraged to modify the regulatory text of the EHR safe harbor to explicitly reflect the definition above. Although the OIG believes the preamble language above adequately clarifies the scope of covered technology, it is currently seeking input and commentary on this issue.

5. Proposed Modification

           a. 42 CFR 1001.952(y)

                     i. (2) The software is interoperable at the time it is provided to the recipient. For purposes of this subparagraph, software is deemed to be interoperable if a certifying body [deleted: recognized by the Secretary] [added: authorized by the National Coordinator of Health Information Technology] has certified the software [deleted: within no more than 12 months prior to the date it is provided to the recipient] [added: to any edition of the electronic health record certification criteria identified in the then-applicable definition of Certified EHR Technology in 45 CFR part 170, on the date it is provided to the recipient].

                    ii. (13) The transfer of the items and services occurs, and all conditions in this paragraph (y) have been satisfied, on or before [deleted: December 31, 2013] [added: December 31, 2016].


[1] 42 U.S.C. 1320a-7b(b).
[2] 78 FR 21320

[3] 78 FR 21308

[4] 78 FR 21314

[5] 42 CFR 1001.952(y).

[6] 42 CFR 1001.952(y)(2).

[7] 42 CFR 1001.952(y)(10).

[8] State Variation in E-Prescribing Trends in the United States—available at:

[9] 42 CFR 1001.952(x).

[10] 42 CFR 1001.952(y)(13).

[11] 71 FR 45110, 45127 (Aug. 8, 2006).

[12] https://oig.hhs.gov/publications/docs/semiannual/2009/semiannual_fall2009.pdf

[13] Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA), Public Law 108–173

[14] 42 CFR 1001.952(y)(3)

[15] 71 FR 45110, 45125 (Aug. 8, 2006).

[16] 71 FR 45110, 45125 (Aug. 8, 2006).