HHS OIG Proposes Safe Harbor for Electronic Health Records
The Office of Inspector General (OIG) for the U.S. Department of Health and Human Services (HHS) issued a proposed rule to create a new safe harbor under the federal Anti-Kickback Statute for electronic health records items and services. The proposed amendments include:
- update to the provision under which electronic health records software is deemed interoperable;
- removal of the electronic prescribing capability requirement; and
- extension of the sunset provision.
In addition to these proposals, OIG is soliciting public comment on other possible amendments to the safe harbor, including limiting the scope of protected donors and adding or modifying conditions to limit the risk of data and referral lock-in.
OIG maintained that this is "not a major rule" and is "not economically significant," and the agency expects the proposed changes to continue to facilitate the adoption of electronic health records technology.
In addition to the proposed rule, U.S. House Representative Jim McDermott (D-Wash.) also sent a letter to OIG chief counsel Gregory Demske, asking the agency to extend the protection beyond 2013 because the safe harbor is a "common sense policy," as reported by FierceEMR. McDermott, the ranking member of the House Ways and Means Health Subcommittee, is ironically from the same state whose attorney general recently ruled that such programs violate state law.
The Anti-Kickback Statute and Safe Harbors
Section 1128B(b) of the Social Security Act provides criminal penalties for individuals or entities that knowingly and willfully offer, pay, solicit, or receive remuneration in order to induce or reward the referral of business reimbursable under any of the Federal health care programs. The offense is classified as a felony and is punishable by fines of up to $25,000 and imprisonment for up to 5 years. Violations of the anti-kickback statute may also result in the imposition of civil monetary penalties (CMP), program exclusion, and liability under the False Claims Act.
The types of remuneration covered specifically include, without limitation, kickbacks, bribes, and rebates, whether made directly or indirectly, overtly or covertly, in cash or in kind. In addition, prohibited conduct includes not only the payment of remuneration intended to induce or reward referrals of patients, but also the payment of remuneration intended to induce or reward the purchasing, leasing, or ordering of, or arranging for or recommending the purchasing, leasing, or ordering of, any good, facility, service, or item reimbursable by any Federal health care program.
Because of the broad reach of the statute, concern was expressed that some relatively innocuous commercial arrangements were covered by the statute and, therefore, potentially subject to criminal prosecution. In response, Congress enacted section 14 of the Medicare and Medicaid Patient and Program Protection Act of 1987, which specifically required the development and promulgation of regulations, the so-called "safe harbor" provisions, that would specify various payment and business practices that would not be subject to sanctions under the anti-kickback statute, even though they may potentially be capable of inducing referrals of business under the Federal health care programs.
The OIG safe harbor provisions have been developed "to limit the reach of the statute somewhat by permitting certain non-abusive arrangements, while encouraging beneficial or innocuous arrangements." Health care providers and others may voluntarily seek to comply with safe harbors so that they have the assurance that their business practices will not be subject to any enforcement action under the anti-kickback statute, the CMP provision for anti-kickback violations, or the program exclusion authority related to kickbacks. In giving HHS the authority to protect certain arrangements and payment practices under the anti-kickback statute, Congress intended the safe harbor regulations to be updated periodically to reflect changing business practices and technologies in the health care industry.
The Electronic Health Records Safe Harbor
In the October 11, 2005 Federal Register, OIG published a notice of proposed rulemaking that would promulgate two safe harbors to address donations of certain electronic health records software and directly related training services, using its authority at section 1128B(b)(3)(E) of the Act. One proposed safe harbor would have protected certain arrangements involving donations of electronic health records technology made before the adoption of certification criteria.
The other proposed safe harbor would have protected certain arrangements involving nonmonetary remuneration in the form of interoperable electronic health records software certified in accordance with criteria adopted by the Secretary of HHS (Secretary) and directly related training services. In the same issue of the Federal Register, CMS simultaneously proposed similar exceptions to the physician self-referral law.
On August 8, 2006, OIG published a final rule that, among other things, finalized a safe harbor at 42 CFR 1001.952(y) (the electronic health records safe harbor) for protecting certain arrangements involving interoperable electronic health records software or information technology and training services. In the same issue of the Federal Register, CMS simultaneously published similar final regulations at 42 CFR 411.357(w). The electronic health records safe harbor is scheduled to sunset on December 31, 2013.
The present proposed rule sets forth certain proposed changes to the electronic health records safe harbor. CMS is proposing almost identical changes to the physician self-referral law electronic health records exception elsewhere in this issue of the Federal Register. OIG attempted to ensure as much consistency as possible between the proposed safe harbor changes and CMS's proposed exception changes, despite the differences in the respective underlying statutes. OIG intends the final rules to be similarly consistent.
Because of the close nexus between this proposed rule and CMS's proposed rule, OIG may consider comments submitted in response to CMS's proposed rule when crafting its final rule. Similarly, CMS may consider comments submitted in response to this proposed rule in crafting its final rule.
Provisions of the Proposed Rule - The Deeming Provision
OIG's current electronic health records safe harbor specifies that the donated software must be "interoperable at the time it is provided to the recipient." As discussed in a recently issued Request for Information (RFI) from the Department, "HHS envisions an information rich, person-centered, high performance health care system where every health care provider has access to longitudinal data on patients they treat to make evidence-based decisions, coordinate care and improve health outcomes." Additionally, as emphasized in the RFI, interoperability will play a critical role in supporting this vision. Interoperability is also an important concept in the context of the electronic health records safe harbor.
Although OIG has long been concerned that parties could use the offer or donation of technology to capture referrals, OIG has viewed interoperability as a potential mitigating factor, or safeguard, to justify other safe harbor conditions that are less stringent than might otherwise be appropriate in the absence of interoperability. This is because if the donated technology is interoperable, the recipient will be able to use it to transmit electronic health records not only to the donor, but to others, including competitors of the donor, and will not be "locked in" to communications with the donor only.
For purposes of this safe harbor, "interoperable" means "able to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings, and exchange data such that the clinical or operational purpose and meaning of the data are preserved and unaltered."
The current provisions of the electronic health records safe harbor state that "software is deemed to be interoperable if a certifying body recognized by the Secretary has certified the software within no more than 12 months prior to the date it is provided to the recipient." Consequently, OIG proposes to update two aspects of this deeming provision to reflect the current Office of the National Coordinator for Health Information Technology (ONC) certification program for electronic health record technology.
First, OIG proposes to modify the provision to reflect that ONC is responsible for "recognizing" certifying bodies, as referenced in this provision. To become a certifying body "recognized" by the Secretary, an entity must successfully complete an authorization process established by ONC. This authorization process constitutes the Secretary's recognition of a certifying body. Accordingly, OIG proposes to revise the phrase "recognized by the Secretary" to read "authorized by the National Coordinator for Health Information Technology."
Second, OIG proposes to modify the portion of this provision concerning the time period within which the software must have been certified. Currently, the electronic health records safe harbor deeming provision requires that software must have been certified within no more than 12 months prior to the date of donation in order to ensure that products have an up-to-date certification. Subsequent to issuing the final electronic health records safe harbor, ONC developed a regulatory process for adopting certification criteria and standards. That process is anticipated to occur on a 2-year regulatory interval.
Further, some certification criteria could remain unchanged from one edition of the electronic health record certification criteria to the next. Thus, the current 12-month timeframe is not in line with the anticipated 2-year regulatory interval and does not account for the fact that some certification criteria may not change from one edition to the next. Therefore, OIG proposes to modify this portion of the safe harbor by removing the 12-month timeframe and substituting a provision that more closely tracks the current ONC certification program.
Accordingly, OIG proposes that software would be eligible for deeming if, on the date it is provided to the recipient, it has been certified to any edition of the electronic health record certification criteria that is identified in the then-applicable definition of Certified EHR Technology. For example, for 2013, the applicable definition of Certified EHR Technology identifies both the 2011 and the 2014 editions of the electronic health record certification criteria. Therefore, in 2013, software certified to meet either the 2011 edition or the 2014 edition could satisfy the safe harbor provision as OIG proposes to modify it.
The current definition of Certified EHR Technology applicable for 2014, however, identifies only the 2014 edition. Thus, based on that definition, in 2014, only software certified to the 2014 edition could satisfy our proposed, modified provision. Future modifications to the definition of Certified EHR Technology could result in the identification of other editions to which software could be certified and satisfy OIG's proposed, modified provision. OIG reiterated its understanding "that the ability of software to be interoperable is evolving as technology develops. In assessing whether software is interoperable, [OIG] believe[s] the appropriate inquiry is whether the software is as interoperable as feasible given the prevailing state of technology at the time [it] is provided to the recipient." (quoting the 2006 final rule).
OIG seeks comment on its proposal, including whether removing the 12-month period will impact donations and whether OIG should consider retaining it as an additional means of determining eligibility under the deeming provision.
The Electronic Prescribing Provision
The current electronic health records safe harbor specifies that the donated software must "contain[ ] electronic prescribing capability, either through an electronic prescribing component or the ability to interface with the recipient's existing electronic prescribing system, that meets the applicable standards under Medicare Part D at the time the items and services are provided." In the preamble to the 2006 Final Rule, OIG stated that it included "this requirement, in part, because of the critical importance of electronic prescribing in producing the overall benefits of health information technology."
OIG said it continues to believe in the critical importance of electronic prescribing. However, in light of developments since the 2006 Final Rule, OIG does not believe that it is necessary to retain a requirement related to electronic prescribing capability in the electronic health records safe harbor. First, Congress subsequently enacted legislation addressing electronic prescribing. In 2008, Congress passed the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA).
Section 132 of MIPPA authorized an electronic prescribing incentive program (starting in 2009) for certain types of eligible professionals. Further, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorizes CMS to establish Medicare and Medicaid electronic health record incentive programs for certain eligible professionals, eligible hospitals, and critical access hospitals. The HITECH Act requires that eligible professionals under the Medicare and Medicaid electronic health record incentive programs demonstrate meaningful use of certified electronic health record technology, including the use of electronic prescribing.
Second, the industry has made great progress related to electronic prescribing. Recent analysis by ONC notes an increase in the percentage of physicians electronically prescribing via electronic health record technology from 7 percent in 2008 to 48 percent in 2012, reflecting rapid increases over the past few years in the rate of electronic health record-based electronic prescribing capabilities. Furthermore, the regulations recently published to implement Stage 2 of the EHR Incentive Programs continue to encourage physicians' use of electronic prescribing technology.
In light of these developments, OIG proposes to delete the electronic prescribing condition because there are sufficient alternative policy drivers supporting the adoption of electronic prescribing capabilities. OIG noted that electronic prescribing technology would remain eligible for donation under the electronic health records safe harbor or under the electronic prescribing safe harbor at. Additionally, OIG considered whether removing this condition would increase the risk of fraud or abuse posed by donations made under the safe harbor and concluded that it would not.
The electronic health records safe harbor is scheduled to sunset on December 31, 2013. In adopting this condition of the electronic health records safe harbor, OIG acknowledged "that the need for a safe harbor for donations of electronic health records technology should diminish substantially over time as the use of such technology becomes a standard and expected part of medical practice." In recent years, electronic health record technology adoption has risen dramatically, largely as a result of the HITECH Act in 2009.
However, while the industry has made great progress, use of such technology has not yet been universally adopted nationwide, and continued electronic health record technology adoption remains an important Departmental goal. OIG continues to believe that as this goal is achieved, the need for a safe harbor for donations of such technology should continue to diminish over time. Accordingly, OIG proposes to extend the sunset date to December 31, 2016.
OIG selected this date because it corresponds to the last year in which one may receive a Medicare electronic health record incentive payment and the last year in which one may initiate participation in the Medicaid electronic health record incentive program. For more information. OIG is also considering extending the sunset date to December 31, 2021, which corresponds to the end of the electronic health record Medicaid incentives. Accordingly, OIG is soliciting comments on its proposed extension and which of the dates it should choose.
The preamble to the 2006 Final Rule for the electronic health records safe harbor stated that OIG "proposed to limit the scope of protected donors under § 1001.952(y) to hospitals, group practices, [prescription drug plan (PDP)] sponsors, and [Medicare Advantage (MA)] organizations, consistent with the MMA-mandated donors for the electronic prescribing safe harbor."
However, "[m]indful that broad safe harbor protection may significantly further the important public policy goal of promoting electronic health records, and after carefully considering the recommendations of the commenters, [OIG] concluded that the safe harbor should protect any donor that is an individual or entity that provides patients with health care items or services covered by a Federal health care program and submits claims or requests for payment for those items or services (directly or pursuant to reassignment) to Medicare, Medicaid, or other Federal health care programs (and otherwise meets the safe harbor conditions)."
Notwithstanding this conclusion, OIG indicated that "[w]e remain concerned about the potential for abuse by laboratories, durable medical equipment suppliers, and others, but believe that the safe harbor conditions in the [2006 Final Rule] and the fact that the safe harbor is temporary should adequately address our concerns." 71 FR 45110, 45128 (Aug. 8, 2006). OIG said it would "monitor the situation. If abuses occur, we may revisit our determination."
In light of comments OIG received that abusive donations are being made under the electronic health records safe harbor, coupled with its continued concern for fraud and the proposed changes, OIG is proposing to limit the scope of protected donors under the electronic health records safe harbor, with the continued goal of promoting adoption of interoperable electronic health record technology that benefits patient care while reducing the likelihood that donors will misuse electronic health record technology donations to secure referrals. In this regard, OIG is considering revising the safe harbor to cover only the original MMA-mandated donors: hospitals, group practices, PDP sponsors, and MA organizations.
Accordingly, OIG is seeking comments regarding whether other individuals or entities with front-line patient care responsibilities across health care settings, such as safety net providers, should be included, and, if so, which ones. Alternatively, OIG is considering retaining the current definition of protected donors, but excluding specific types of donors. Specifically, OIG is considering excluding suppliers of ancillary services associated with a high risk of fraud and abuse, because donations by such suppliers may be more likely to be motivated by a purpose of securing future business than by a purpose of better coordinating care for beneficiaries across health care settings. In particular, OIG is considering excluding laboratory companies from the scope of permissible donors as their donations have been the subject of complaints.
OIG is also considering excluding other high-risk categories, such as durable medical equipment suppliers and independent home health agencies. Thus, OIG seeks comment on the alternatives under consideration, including comments, with supporting reasons, regarding particular types of providers and suppliers that should or should not be protected donors given the goals of the safe harbor.
Data Lock-In and Exchange
In addition to limiting the scope of permissible donors to prevent "lock in referrals", OIG is also considering inclusion of new or modified conditions in the safe harbor as an alternative or additional means of achieving that result. OIG is particularly interested in new or modified conditions that will help achieve two related goals. The first goal is to prevent the misuse of the safe harbor in a way that results in data and referral lock-in. The second, related goal is to encourage the free exchange of data (in accordance with protections for privacy).
These goals reflect OIG's interest in promoting the adoption of interoperable electronic health record technology that benefits patient care while reducing the likelihood that donors will misuse electronic health record technology donations to secure referrals. It has been suggested that even when donated software meets the interoperability requirements of the rule, policies and practices sometimes affect the true ability of electronic health record technology items and services to be used to exchange information across organizational and vendor boundaries.
Accordingly, OIG seeks comments on what new or modified conditions could be added to the electronic health records safe harbor to achieve its two goals and whether those conditions, if any, should be in addition to, or in lieu of, its proposal to limit the scope of permissible donors.
OIG also clarified several questions about whether certain items or services, for example services that enable the interoperable exchange of electronic health records data, fall within the scope of covered technology under the electronic health records safe harbor. OIG, citing the 2006 Final Rule, explained that it interpreted the term
"'software, information technology and training services necessary and used predominantly' for electronic health records purposes to include the following, by way of example: [i]nterface and translation software; rights, licenses, and intellectual property related to electronic health records software; connectivity services, including broadband and wireless internet services; clinical support and information services related to patient care (but not separate research or marketing support services); maintenance services; secure messaging (e.g., permitting physicians to communicate with patients through electronic messaging); and training and support services (such as access to help desk services)."
Consequently, OIG said it believes that the current regulatory text, when read in light of the preamble discussion, is sufficiently clear concerning the scope of covered technology, but it seeks input from the public regarding this issue.
Proposed Safe Harbor
The following payment practices shall not be treated as a criminal offense under section 1128B of the Act and shall not serve as the basis for an exclusion
(y) electronic health records items and services.
As used in section 1128B of the Act, "remuneration" does not include nonmonetary remuneration (consisting of items and services in the form of software or information technology and training services) necessary and used predominantly to create, maintain, transmit, or receive electronic health records, if all of the following conditions are met:
* * * * *
(2) The software is interoperable at the time it is provided to the recipient. For purposes of this subparagraph, software is deemed to be interoperable if a certifying body authorized by the National Coordinator for Health Information Technology has certified the software to any edition of the electronic health record certification criteria identified in the then-applicable definition of Certified EHR Technology in 45 CFR part 170, on the date it is provided to the recipient.
* * * * *
(13) The transfer of the items and services occurs, and all conditions in this paragraph (y) have been satisfied, on or before December 31, 2016.