
Client Alert

HHS Proposes Updates to the Stark Law for Health Care Providers


November 12, 2019

Summary of Proposed Changes

The HHS proposed rule (Rule) proposes creating and/or amending the following exceptions to the physician self-referral law (the Stark Law): 

  • For certain value-based compensation arrangements between or among physicians, providers, and suppliers;
  • For certain arrangements under which a physician receives limited remuneration for items or services actually provided by the physician;
  • For donation of cybersecurity technology and related services; and
  • For electronic health records (EHR) items and services. 

CMS will accept public comments on the proposed rule until 75 days after its publication in the Federal Register.

Background 

The purpose of the Stark Law was to combat the concern that financial self-interest would affect a physician’s medical decision making and to ensure that patients have options for quality care. The aim was to prevent a patient from being referred for services that are not needed or being steered toward less convenient, lower quality, or more expensive providers because the patient’s physician would financially benefit from the referrals.

The Stark Law prohibits a physician from making referrals for certain designated health services payable by Medicare to an entity with which the physician or an immediate family member of the physician has a financial relationship. The law also prohibits an entity from filing claims with Medicare for those referred services. A “financial relationship” is defined as an ownership or investment interest in the entity, or a compensation arrangement with the entity. Various exceptions to the Stark Law are already in place.

Proposed Changes 

The proposed changes are an attempt to modernize the Stark Law given the recent emphasis on value-based payment arrangements and care coordination. Specifically, the notable proposed exceptions are as follows: 

Value-Based Compensation Arrangements (§411.357(aa))

  • The proposed rule will establish several new, key definitions that will be the basis for certain new exceptions proposed to be codified in 42 C.F.R. §411.357(aa). Specifically, a value-based arrangement (VBA) would be defined as an arrangement for at least one value-based activity for a target patient population between or among: (1) the value-based enterprise (VBE) and one or more of its VBE participants; or (2) VBE participants in the same value-based enterprise.¹
  • The exceptions will apply only to compensation arrangements that qualify as VBAs.
  • The Rule proposes an exception that applies to a VBA where the value-based enterprise has (during the entire term of the arrangement) assumed full financial risk from a payor for patient care services for a target patient population.
  • The Rule proposes an exception that remuneration paid under a VBA, where the physician is at “meaningful downside financial risk”² for failure to achieve the value-based purposes of the value-based enterprise during the entire term of the arrangement, does not constitute prohibited remuneration.
  • The proposed exceptions for VBAs do not include a requirement that the remuneration not be determined in a manner that takes into account the volume or value of referrals. 

Limited Remuneration to a Physician (§411.357(z))

  • The Rule proposes an exception for limited remuneration from an entity to a physician for items or services actually provided by the physician, provided that:
    1. The remuneration does not exceed an aggregate of $3,500 per calendar year; and
    2. The remuneration is not determined by taking into account the value or volume of referrals or other business by the physician; the remuneration does not exceed fair market value for the items or services provided by the physician; and the compensation arrangement is commercially reasonable.
  • The exception is not applicable to payments from an entity to a physician’s immediate family member, or to payments for items or services provided by a physician’s immediate family member.
  • The Rule proposes a further exception to the $3,500 limit for long-term arrangements for items or services where the aggregate annual compensation exceeds $3,500. Such an arrangement is allowed if the compensation is set in advance, before the provision of services or items, in order to ensure that payments made over the term of the arrangement are not determined retrospectively to reward past referrals or encourage increased future referrals.
  • The Rule proposes to incorporate prohibitions on percentage-based and per-unit of service compensation to the extent that the remuneration is for the use or lease of office space or equipment. 

Cybersecurity Technology and Related Services (§411.357(bb))

  • The proposed exception protects arrangements involving the donation of certain cybersecurity³ technology⁴ and related services.
  • The exception requires that the donation be necessary and used predominantly to implement, maintain, or reestablish cybersecurity.
  • The definition of “technology” excludes hardware; however, two alternative proposals are being considered to allow for donation of certain cybersecurity hardware:
    1. Proposal 1 – Exception covers specific hardware that is necessary for cybersecurity, provided that the hardware is stand-alone and only serves cybersecurity purposes; or
    2. Proposal 2 – Exception permits entities to donate a broader range of cybersecurity technology, including hardware, subject to certain requirements:
      1. The donor performs a cybersecurity risk assessment and it identifies the recipient as a risk to the donor’s cybersecurity; and
      2. The recipient has a cybersecurity risk assessment that provides a reasonable basis to determine that the donated hardware is needed to address a risk or threat identified by the assessment.
  • Under the proposed exception, a donor cannot condition the amount or nature of cybersecurity donations on referrals.
  • A potential recipient or potential recipient’s practice may not make receipt of cybersecurity technology and related services, or the amount or nature of cybersecurity technology and services, a condition of continuing to do business with the donor.
  • The proposed exception does not require a recipient to contribute to the cost of donated cybersecurity technology or related services, but it does not prohibit donors from requiring a contribution.

Modifications to the EHR Exception

  • Modifies language to clarify that in order to be deemed “interoperable,” certification of donated software must be current as of the date of donation.
  • Prohibits donors from engaging in information blocking, as defined in section 3022 of the Public Health Service Act (PHSA).
  • Clarifies that donations of certain cybersecurity software and services are permitted under the EHR exception.
  • Removes the sunset provision.
  • Modifies the definitions of “electronic health record”⁵ and “interoperable”⁶ for consistency with the 21st Century Cures Act.
  • Modifies the 15 percent physician contribution requirement in one of two possible ways:
    1. Eliminating or reducing the percentage contribution required for small or rural physician organizations; or
    2. Reducing or eliminating the fifteen percent contribution requirement for all physician recipients. 

Implications 

If passed, the proposed rule would bring significant changes to the Stark Law. It would create protections for certain value-based activities and would provide greater flexibility for physicians and entities to work together. The Rule would increase the potential for progress in cybersecurity protections in the health care field. Furthermore, the Rule has the potential to reduce burdens on physicians through added flexibility. The practical result of such changes is that internal and/or external compliance mechanisms must be allocated to such new arrangements to ensure they are set up and maintained in a compliant fashion.

Contact Us
For more information, please contact a member of the Winston & Strawn Health Care & Life Sciences Industry Group or your usual Winston contact. 


¹ In addition to Value-Based Arrangement, the following new definitions are proposed:

  • Value-Based Activity – The provision of an item or service, the taking of an action, or the refraining from taking an action, provided that the activity is reasonably designed to achieve at least one value-based purpose of the value-based enterprise.
  • Value-Based Enterprise (VBE) – Two or more VBE participants (1) collaborating to achieve at least one value-based purpose; (2) with each being a party to a VBA with each other or at least one other VBE participant in the VBE; (3) that has an accountable body or person responsible for financial and operational oversight of the VBE; and (4) that have a governing document that describes the VBE and how the VBE participants intend to achieve its value-based purpose(s).
  • Value-Based Purpose – With regard to a target patient population: (1) coordinating and managing care; (2) improving the quality of care; (3) appropriately reducing the costs to, or growth in expenditures of, payors without reducing quality of care; or (4) transitioning from health care delivery and payment mechanisms based on volume of items and services provided to mechanisms based on the quality of care and control of costs of care.
  • VBE Participant – Individual or entity that engages in at least one value-based activity as part of a VBE.
  • Target Patient Population – An identified patient population selected by a VBE or its VBE participants, based on legitimate and verifiable criteria that are set out in writing in advance of the commencement of the VBA and further the VBE’s value-based purpose(s).

² The Rule proposes to define “meaningful downside financial risk” to mean that the physician is responsible to pay the entity no less than 25 percent of the value of the remuneration the physician receives under the VBA.

³ “Cybersecurity” is defined as the process of protecting information by preventing, detecting, and responding to cyberattacks.

⁴ “Technology” is defined as any software or other type of information technology other than hardware.

⁵ Replace the term “consumer health status information” with “electronic health information;” replace “computer processable form” with “is transmitted by or maintained in electronic media;” and replace “used for clinical diagnosis and treatment for a broad array of clinical conditions” with “relates to the past, present, or future health or condition of an individual or the provision of health care to an individual.”

⁶ Defined as: (i) able to securely exchange data with and use data from other health information technology without special effort on the part of the user; (ii) allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (iii) does not constitute information blocking as defined in section 3022 of the PHSA.


Copyright © 2025. Winston & Strawn LLP
