The Centers for Medicare & Medicaid Services (CMS) recently announced plans to form an interagency group to figure out how to minimize the regulatory barriers of federal anti-kickback laws. While the primary motivation for the formation of this group is to address barriers that have slowed providers’ move to value-based care, this is the perfect opportunity to discuss potential modifications or exemptions to support collaborative healthcare industry cybersecurity efforts.

Cybersecurity exemptions and modifications that should be addressed were identified by the HHS Healthcare Cybersecurity Task Force in their 2017 Report on Improving Healthcare Cybersecurity in the Healthcare Industry. Specifically, we asked that Congress “Explore potential impacts to the Physician Self-Referral Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large health care organizations to share cybersecurity resources and information with their partners.”

The Task Force heard concerns related to constraints imposed by the Stark Law and the Anti-Kickback Statute, and strongly encouraged Congress to evaluate an amendment to these laws specifically for cybersecurity software. This amendment could allow healthcare organizations to assist physicians in acquiring this technology through subsidy or donation.

Physician groups and sole practitioners face many financial challenges.

As noted in the Task Force report, “…these financial constraints limit their ability to manage the EHR software without trained security professionals who have the expertise to provide sufficient cybersecurity programs to protect their patient records.” In addition, many organizations want to provide security and other technologies to their smaller business partners, to ensure they do not become the weak link in their supply chain. An anti-kickback exception could provide this assistance without fear of a regulatory violation.

While the interagency group explores how to minimize regulatory barriers to move to value-based care, they should also explore potential impacts of the Physician Self-Referral Law and the Anti-Kickback Statute on collaborative industry cybersecurity efforts and identify potential modifications or exemptions as appropriate.