Final Rules on Safe Harbors for Cybersecurity Donations Published by HHS

On November 20, 2020, the Office of Inspector General (OIG) and the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) issued final rules intended to improve the coordination of health care and reduce regulatory burden. The two final rules contain safe harbor conditions that permit hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, generally known as the Stark Law, and the OIG finalized updates to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Relating to Beneficiary Inducements.

Physician practices usually have limited resources, which makes it difficult for them to deploy solutions that address cybersecurity problems. Without the required protections, unauthorized persons could access, steal, delete or encrypt sensitive medical information. Threat actors may also attack small physician practices and use them as a foothold to gain access to larger healthcare networks.

When the rules were first proposed, commenters highlighted the importance of a safe harbor to enable non-abusive, beneficial arrangements between physicians and other healthcare organizations. Donations of cybersecurity solutions could help protect the healthcare ecosystem. CMS first proposed the modifications in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule details the Stark Law conditions for donations of electronic health record (EHR) technology to physicians, extending the EHR exception to include cybersecurity software and services. A separate exception was also created for broader cybersecurity donations, including donations of cybersecurity hardware.

CMS noted that the finalized exceptions provide new flexibility for particular arrangements, such as donations of cybersecurity technology that protect the integrity of the healthcare environment, irrespective of whether the parties use a fee-for-service or value-based payment system.

The changes acknowledge the threat of cyberattacks on the healthcare sector and create a safe harbor for cybersecurity technology and services that also covers cybersecurity-related hardware, with the aim of ensuring that cybersecurity software and hardware are available to healthcare organizations of all sizes.

The safe harbor applies to, but is not limited to, software security measures that protect endpoints and provide network access control, software that provides malware protection, business continuity software, data protection and encryption, and email traffic filtering. The exception also covers hardware that is needed and used predominantly to implement, maintain or re-establish cybersecurity, and a wide range of cybersecurity services, for instance updating and maintaining software and cybersecurity training services. The rule makes no distinction between on-premises and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost-sharing requirement for donations of EHR items or services is retained.

HHS stated that allowing entities to donate cybersecurity technology and related services to physicians will strengthen the entire health care ecosystem.

The final rules are scheduled to be published in the Federal Register on December 2, 2020, and take effect on January 19, 2021.