November 4, 2021

QUESTION:
We know that we can provide a computer system that includes cybersecurity technology and related services to our employed physicians.  However, we have received several inquiries from independent members of our medical staff asking whether the Hospital can assist them in obtaining cybersecurity technology and related services.  What can we do?

ANSWER:
By way of background, the Stark EMR Donation exception has, for many years, permitted a hospital to donate software, information technology and/or training services (but not hardware) to the physicians on the hospital's medical staff so long as: (i) the arrangement is set forth in a written agreement that specifies the items and services being provided; (ii) the software is interoperable; (iii) the donor does not take any action to limit or restrict the interoperability of the software; (iv) the physician pays 15% of the donor's cost of the items and services; (v) the receipt of the items or services is not a condition of doing business with the hospital; and (vi) neither the eligibility of a physician nor the amount of the donation is determined in a manner that takes into account the volume or value of referrals.

The January 19, 2021 Rules have amended the EMR Donation Rule to:  (i) permit the donation of cybersecurity software and services (but not hardware); (ii) delete the restriction that the arrangement does not violate the Medicare Anti-Kickback Statute; (iii) require the 15% share by the physician to be paid before the donation; (iv) delete the requirement that the donor does not have actual knowledge whether the physician receiving the EMR possesses equivalent items or services; and (v) eliminate the December 31, 2021 sunset on donations pursuant to this section.

Therefore, while this exception may still be used, its limitations (in particular the exclusion of hardware, the interoperability requirements and the 15% cost-sharing requirement) make it far less useful than the new cybersecurity technology and related services exception that was added by the January 19, 2021 Rules.  The new exception gives a hospital that is interested in donating cybersecurity technology and related services to a referring physician considerably more flexibility.

This new cybersecurity technology and related services exception, 42 C.F.R. § 411.357(bb), protects nonmonetary remuneration (consisting of hardware, software, or other types of information technology and services) that are necessary and used predominantly to implement, maintain, or reestablish cybersecurity, if all of the following conditions are met:  (i) neither the eligibility of a physician for the technology or services, nor the amount or nature of the technology or services, is determined in any manner that directly takes into account the volume or value of referrals or other business generated between the parties; (ii) neither the physician nor the physician’s practice (including employees and staff members) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor; and (iii) the arrangement is documented in writing.

Please note that a hospital is not required to provide cybersecurity items and services to every physician on the hospital’s medical staff.  Rather, a hospital is given discretion to select the recipients of its donated cybersecurity items or services, so long as the hospital complies with the above-stated requirements.

Unlike the EMR Donation Rule described above, this new exception permits the donation of cybersecurity hardware, such as encrypted servers, encrypted drives and network appliances, but only if the hardware is necessary and used predominantly to implement, maintain or reestablish cybersecurity.  If the donated technology or services also perform functions other than cybersecurity, their core functionality must still be implementing, maintaining or reestablishing cybersecurity, and the cybersecurity function must predominate over the other uses.

Also, unlike the EMR Donation Rule, the new exception does not require the physician to pay any share of the donor's cost.  However, the cybersecurity item or service must be nonmonetary.  Therefore, a hospital could not reimburse a physician for the cost of cybersecurity technology or services the physician previously obtained on his or her own.  Nor would this exception permit a hospital to make a ransomware payment on behalf of a non-employed physician in response to a cyberattack.