
INSIGHT: Donating Health Care Electronic Health Record Systems, Cyber Tech Could Get Easier

Dec. 24, 2019, 9:01 AM

In an effort to expand the adoption of electronic health records (EHR) and increase the use of cybersecurity technology, the Department of Health and Human Services has proposed expanding protections for EHR and cybersecurity donations.

The HHS recognizes that barriers (whether real or perceived) to the adoption of EHR and cybersecurity technology will hinder the growth of care coordination, which is at the heart of the health care system’s move from a volume-based to a value-based system.

The HHS Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS) (collectively the Agencies) each included two proposals toward that end in their respective proposed coordination of care regulations issued in October.

First, the Agencies proposed expanding and extending the existing anti-kickback statute (AKS) safe harbor and physician self-referral (Stark) law exception for EHR donations.

Second, they proposed a new AKS safe harbor and Stark exception for donations of cybersecurity technology and related services.

EHR Donations Clarifications and Amendments

The AKS safe harbor and Stark exception for EHR donations were finalized in 2006 and amended in 2013. The newly proposed regulations attempt to inject some standardization around the concepts of interoperability, information blocking, and data lock-in. The regulations also propose a number of other modifications that would expand the protections for EHR donations.

Interoperability (Deeming Provisions, Information Blocking and Data Lock-in)

The Agencies propose significant updates to the deeming provisions around the interoperability of EHR software. Under the new proposed rules, the donated EHR software must have current certification as of the date of donation.

The existing EHR rules prohibit donors from taking actions to limit or restrict the use, compatibility, or interoperability of the items or services with other electronic prescribing or EHR systems, a practice now known as information blocking. The Agencies also propose aligning that prohibition with the 21st Century Cures Act (Cures Act) definition of information blocking.

Under the Cures Act, information blocking occurs when the provider “knows that [the] practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of [EHR].”


The Agencies clarify that the EHR safe harbor and exception have always protected certain cybersecurity software and services. The Agencies state that an entity donating EHR software and training may also donate the related cybersecurity software and services needed to protect the donated EHR.

Definitions of Interoperability and Electronic Health Records

The Agencies propose to modify the definitions of Electronic Health Records and Interoperability consistent with the definitions in the Cures Act and the proposed regulations of the Office of National Coordinator for Health Information Technology.


The EHR exception and safe harbor currently require a 15% cost-sharing contribution, but the proposed regulations seek comments on eliminating or reducing the percentage (1) across the board; (2) just for small or rural practices; or (3) for updates to previously donated EHR software or technology.

Sunset Provision

The current EHR safe harbor and exception are scheduled to end on Dec. 31, 2021. The Agencies propose eliminating this sunset provision, although they seek comments on whether a later sunset date should be chosen.

Cybersecurity Exception and Safe Harbor

The Agencies propose a new, separate cybersecurity donation exception and safe harbor. The Agencies stress the growing threats posed by cyberattacks. Without adequate cybersecurity, these attacks can prevent access to and lead to corruption of health-related information.

For a donation to qualify for the cybersecurity safe harbor or exception, the proposed arrangement must meet the following conditions:

1. The donated technology and/or services must be necessary and must be predominantly used to implement, maintain, or reestablish cybersecurity.

2. Under the Stark exception, the donor cannot condition the donation, the amount or nature of the donation, or the eligibility for donation on referrals or business generated.

3. Under the AKS safe harbor:

a. The donor cannot directly take into account the volume or value of referrals or other business between the parties when determining eligibility for donation, “or the amount or nature of the technology or services to be donated.”

b. The donor cannot condition the donation, the amount or the nature of the donation on future referrals.

4. The potential recipient and/or the potential recipient’s practice (including employees or staff members) cannot make the cybersecurity donations a condition of doing business with the donor.

5. The arrangement must be documented in writing, identify the parties, and include a general description of the cybersecurity technology and related service to be donated, the estimated value of the donation, and any shared financial responsibility. The AKS safe harbor requires the written arrangement be signed.

6. Under the AKS safe harbor, the donor may not shift donation costs to federal health care programs.

Newly Defined Terms

The proposed cybersecurity exception and safe harbor include broad definitions for the terms cybersecurity and technology. Protection is provided for software, training, and services specifically related to cybersecurity, but not for general services like help desk services.

Although the proposed definition of technology excludes hardware, the Agencies seek comments on whether to include any types of hardware.

Cost Sharing

The cybersecurity proposals do not include contribution requirements for cybersecurity donations.


If adopted, these proposals would open the door to greater use of EHR and cybersecurity technology in the health care industry. Such expansion would also facilitate coordination of care as the industry moves from a volume-based to a value-based system.

To this end, the proposals are designed to work congruently with other federal laws and regulations protecting health information technology.

The Agencies have invited feedback on a number of aspects of the proposals, and seem to genuinely want to make these regulations workable and reflect existing realities of health care IT. Public comments are due by Dec. 31.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Bill Mathias is the co-chair of Baker Donelson’s Fraud and Abuse Team within the Health Law practice. He represents clients across the country in all areas of the health care industry, with a focus on fraud and abuse, internal and government investigations and corporate compliance matters.

Adetoro Olugbemi, an associate at the firm, advises hospitals and health systems to address health care regulatory issues.
