Compliance Perspectives: When Do Cybersecurity Donations Violate Kickback Laws?
The compliance risks of giving referral sources software or equipment to ensure the security of protected health information.
Though guarding against cyberattacks has become crucial for all businesses, the challenge is particularly great in healthcare. In a system marked by interconnectivity, each provider’s chain of cybersecurity is only as strong as its weakest link. For labs, that means the cybersecurity solutions you invest so much to implement can be undone downstream by the physicians with whom you do business, especially small practices without large IT security budgets. As a result, you may be tempted to give these providers the hardware and software required to secure the sensitive medical information you entrust to them.
Though well-intentioned, these cybersecurity technology donations may lead to compliance issues if they’re deemed to be kickbacks for referrals banned by healthcare fraud laws. Here’s a briefing on the compliance risks of cybersecurity donations to physicians and what labs can do to manage them:
The kickback and false claims risks of cybersecurity donations
The compliance issues associated with cybersecurity donation arrangements arise principally under the laws that ban offering, paying, or receiving kickbacks in exchange for referrals of patients covered by Medicare, Medicaid, and other federal health programs. Those laws include the federal Anti-Kickback Statute (AKS), the Physician Self-Referral Law (aka the Stark Law), and state anti-kickback laws. Kickbacks can include not just money but anything of value. So, if you provide or offer referring physicians free or low-cost cybersecurity technology, you run the risk of liability. If you then bill federal health programs for the tests you provide as a result of those ill-gotten referrals, you also face the risk of treble damages and other penalties, not to mention qui tam whistleblower lawsuits, for submitting false claims to the government in violation of the False Claims Act (FCA).
Cybersecurity-related abuse has become an area of growing concern for federal enforcers. In October 2021, the U.S. Department of Justice (DOJ) announced a new Civil Cyber-Fraud Initiative to hold government contractors that engage in cybersecurity fraud accountable under the FCA.1 At the same time, recognition that many providers lack adequate cybersecurity infrastructure drove the U.S. Department of Health and Human Services (HHS) to create a new AKS safe harbor and a matching Stark Law exception protecting donations of cybersecurity technology. However, given how labs have gotten into kickback trouble for donating electronic health records (EHR) technology to referral sources, labs considering a donation of cybersecurity technology must tread carefully.
Despite the safe harbor protecting EHR donations, there have been a number of significant enforcement actions and large settlements involving EHR kickback scams. A notable case involving a lab occurred in January 2019 when pathology lab Miraca paid $63.5 million to settle claims of conspiring with EHR technology vendor Modernizing Medicine Inc. (ModMed) to pay kickbacks in exchange for test referrals. According to the DOJ, the lab colluded with ModMed to improperly donate the latter’s EHR products to physicians and other providers in a bid to increase test orders to Miraca (now known as Inform Diagnostics) and add customers to ModMed’s user base.2 In November 2022, ModMed paid $45 million to resolve FCA and AKS allegations for its role in the scheme.3
New solutions to the cybersecurity donation dilemma
While donating cybersecurity technology to induce referrals is clearly not appropriate, the government recognizes that these exchanges can also serve a positive purpose, namely, protecting the industry against cyberattacks. Labs have a legitimate interest in ensuring that the physicians with whom they share healthcare information have and implement the hardware and software needed to protect that data. The issue is that physicians may not be able to afford these solutions. Offering the technology for free or at reduced cost might resolve the cybersecurity problem, but absent protection from the kickback laws it would also expose both the lab and the physician to liability risk. A lab that wanted to keep working with the physician would then have to choose between accepting the risk of a cyberattack against the physician and cutting the physician off from its electronic systems.
In recognition of this dilemma, HHS finalized rules, effective January 2021, that allow providers to make donations of technology to referral sources that are “necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.”4
Modeled on the requirements for EHR technology exchanges, the rules create a new AKS Safe Harbor and a new Stark Law Exception for cybersecurity donations that meet specified conditions. The rules define “technology” broadly as “any software or other types of information technology” without regard to technology type, including hardware, related services, and technologies that are neither software nor services.4,5
The AKS Cybersecurity Safe Harbor
Authored by the HHS Office of Inspector General (OIG) and CMS, respectively, the new AKS Cybersecurity Safe Harbor (42 C.F.R. § 1001.952(jj)) and Stark Law Cybersecurity Exception (42 C.F.R. § 411.357(bb)) are similar but not identical. Each applies if the donation arrangement meets four basic conditions:
1. Donation can’t take into account volume or value of referrals
The first condition is that the donor not directly take into account the volume or value of referrals or other business generated in deciding either who to give the technology to or the amount or kind of technology to give. That prohibition includes directly conditioning the donation or its nature or amount on future referrals. Significantly, the agencies note that the condition doesn’t require the donor to make donations to every individual or entity that connects to its systems and allows for the donor to use selective criteria in choosing recipients.
2. Recipient can’t make donation a condition of doing business with the donor
Under both the safe harbor and exception, the referring physician or other person receiving the donation may not make the donation or its amount or nature a condition of doing business with the donor. For example, a physician practice can’t say, “we’ll only do business with your lab if you give us free cybersecurity software.”
The agencies likely included this condition in response to reports of physicians and vendors requesting such donations in exchange for their business. For example, in responding to the proposed rules, the American Clinical Laboratory Association (ACLA) expressed concerns about labs being put in an “untenable position” by physicians expressly or implicitly conditioning “referrals on EHR donations and EHR vendors that encouraged physicians to request ever-more costly EHR software and services” from labs. “We are concerned that the same situations would arise if laboratories were allowed to donate cybersecurity technology and related services to physicians.”6 The no-donation-as-a-condition-of-doing-business requirement is designed to allay these concerns.
3. Donation must be in writing
The safe harbor and exception both require that the donation arrangement be put in writing. The safe harbor also requires that the writing:
- be signed by the donor and recipient,
- include a general description of the technology and services donated, and
- list the contribution amount, if any, that will be provided by a recipient that shares the costs of the donation.
4. Donor can’t shift donation costs to Medicare
The safe harbor includes another condition that’s not contained in the exception: the donor isn’t allowed to shift the cost of the donation to federal healthcare programs, for example by including it in a reimbursable cost center on a Medicare cost report.
The interplay between cybersecurity and EHR safe harbors
As noted above, kickback risks in information technology sharing also arise when labs donate EHR software to physicians with whom they interface. But while the cybersecurity rules are new, having taken effect in January 2021, the AKS safe harbor and Stark Law exception for EHR technology date back to 2006 and were amended in 2013 to remove labs from the list of permitted donors. Accordingly, your staff may be familiar with those earlier rules, even though labs can no longer take advantage of them. The new cybersecurity rules, by contrast, are open to labs. They are patterned after the EHR technology requirements and have a lot in common with them:
- they both require the donation arrangement to be put in writing,
- they both ban the recipient from demanding the contribution as a condition for doing business with the donor, and
- they both ban the donation from taking into account the volume or value of referrals between the donor and recipient.
These last two requirements caused compliance problems for many labs in the past: labs claimed the protection of the EHR safe harbor or exception (before it became unavailable to them) while basing their donation decisions, or their choice of recipients, on which providers were in a position to refer the most business, or even conditioning the donation outright on referrals.
In addition to being available to labs, the new cybersecurity safe harbors are more generous than their EHR counterparts. The government isn’t simply tolerating cybersecurity technology sharing the way it is with EHR but clearing a wide path for it. “Cybersecurity has become an urgent matter of national security,” says Nashville healthcare attorney Danielle Sloane, noting President Biden’s May 2021 Executive Order 14028 calling on the federal government to make “bold changes” to bolster national cybersecurity and serve as an example for the private sector.7
In addition to covering a broader range of technology, the Cybersecurity Safe Harbor and Exception give providers more leeway to make and receive donations. Perhaps the biggest difference is that whereas recipients of EHR donations must contribute 15 percent of the cost of the donated technology and services, the cybersecurity rules have no cost contribution requirement. Labs and other donors may require recipients to contribute to the costs if they so choose, the rules explain, provided that the amount of the contribution doesn’t take into account the volume or value of referrals or other business that the parties generate for one another.
Cybersecurity vs EHR Technology Donation AKS Safe Harbors & Stark Exceptions

| Topic | Cybersecurity Safe Harbor/Exception | EHR Safe Harbor/Exception |
| --- | --- | --- |
| Software covered | Any cybersecurity software necessary and used predominantly to implement, maintain, or re-establish cybersecurity | EHR software necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records, including cybersecurity software necessary and used predominantly to protect electronic health records |
| Hardware covered | Hardware necessary and used predominantly to implement, maintain, or re-establish cybersecurity | None |
| Replacement technology covered | Replacement technology necessary and used predominantly to implement, maintain, or re-establish cybersecurity | Replacement technology necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records |
| Services covered | Services necessary and used predominantly to implement, maintain, or re-establish cybersecurity | Services necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records |
| Required cost contributions | None | Recipients must contribute 15 percent of the donated software’s value |
How to comply
If you haven’t already done so, you need to update your policies and procedures to account for the new rules governing donations of cybersecurity technology to physicians and other referral sources. There’s also a Model Policy on the G2 Intelligence website that you can adapt.10
7 things to include in your cybersecurity donations policy
As the template on the G2 website suggests, your cybersecurity donation policy should include seven key elements:
1. Limit donations to necessary cybersecurity purposes
The key to compliance, Sloane explains, is to ensure that all cybersecurity hardware and software donations you make to referring physicians are necessary for, and used predominantly for, securing shared health information against hacking and cyberattack. Typical recipients will be smaller referral sources that have less sophisticated systems or lack the resources to implement safeguards. “What you can’t do is offer free or low-cost cybersecurity as a way to promote or market your lab and its business,” she says. For example, sales representatives can’t tout your willingness to donate technology to persuade physicians and other referral sources to select your lab over its competition.
2. Don’t donate to everybody
Remember that the rules say that you don’t have to make donations to every person and entity that connects to your laboratory information system (LIS). In addition to being extremely expensive, a policy or practice of providing free or low-cost technology to everyone with whom you interface might look more like marketing than a bona fide cybersecurity arrangement. “Be careful though,” Sloane says, “because if your selection of recipients shows a pattern of only choosing larger referral sources, it may be evidence that your donations are based on the volume or value of referrals.” By contrast, limiting donations to smaller practices with limited IT resources and smaller patient bases will suggest that your decisions are based on genuine cybersecurity considerations rather than the potential value or volume of referrals.
3. Establish objective cybersecurity standards for recipients
“Set out in your policy your objective selection criteria that are unrelated to referral volume (past or future potential volume), such as being based on a lack of cybersecurity system protections, regardless of size or referrals,” suggests Sloane. Strategy: Establish minimum security criteria, including the specific cybersecurity hardware, software, and services that all providers must have before you’d be willing to interconnect with them. Then apply those minimum standards both to select the physicians to whom you make donations and to determine what each provider needs in order to be deemed adequately cybersecure, within your available resources and budget.
Example: Your lab requires all providers with whom it interfaces to have software protecting against ransomware and other malware, endpoint protection with network access control, data protection and encryption, and email filtering:
- Practice A meets all your current criteria,
- Practice B meets all criteria except for encryption, and
- Practice C meets none of your criteria.
There’s no real cybersecurity need to donate technology to Practice A. In theory, you could donate the hardware and software that Practices B and C need to meet your standard, as long as you verify that the donation is necessary for, and will be used predominantly to ensure, effective cybersecurity, and provided that you meet the other requirements of the Cybersecurity Safe Harbor and Exception. However, bringing Practice C up to standard may be too costly. Accordingly, you might decide to limit your cybersecurity donation to free encryption software for Practice B.
Importantly, reminds Sloane, “whatever criteria you choose, make sure to document how and why each recipient met those criteria.”
4. Screen would-be recipients for compliance with your cybersecurity criteria
Establish a process for performing due diligence on potential recipients’ IT and cybersecurity compliance programs to determine whether they meet your selection criteria. In an article on the American Bar Association website, Texas healthcare attorney Rachel V. Rose and advisory firm managing director Don Barbo suggest that you start with a general review of:11
- The provider’s business model, including aspects such as services, patients, and payers;
- The provider’s relationships with physicians, third-party marketing firms, and important vendors, including cybersecurity vendors;
- All past cybersecurity audits, including the past five years of the firm’s annual HIPAA Risk Analysis, Payment Card Industry Data Security Standard (PCI DSS) audits, and/or Systems and Organizational Controls 2 (SOC 2) Type 2 Reports;
- The provider’s cybersecurity and HIPAA training programs; and
- Its compliance program and whether it meets the requirements contained in the DOJ’s Justice Manual.12
According to Rose and Barbo, due diligence should also dig into the provider’s IT systems, hardware, software, and other equipment, and how it deals with cybersecurity threats, including with regard to:11
- restricting access to its critical IT systems;
- protecting its IT data;
- storing, retrieving, and distributing IT data; and
- relying on third parties for protection against cybersecurity threats.
5. Ensure donation arrangement meets other safe harbor requirements
Upon deciding to make a cybersecurity donation to a provider, you must ensure that the arrangement meets all other requirements of the Cybersecurity Safe Harbor/Exception. The arrangement must:
- be put into writing,
- not take into account the volume or value of referrals,
- not involve the recipient making the donation a condition of doing business with the lab, and
- not shift the costs of the donation to Medicare.
6. Train lab personnel in cybersecurity requirements
Be sure to train lab marketing, sales, IT, and other affected staff in the cybersecurity rules, what those rules require, and how they differ from the current AKS safe harbor and Stark Law exception for EHR technology donations, particularly, but not exclusively, with respect to the donation cost contribution requirements.
7. Account for EKRA and state anti-kickback laws
Lastly, be mindful that cybersecurity donation arrangements that meet the Cybersecurity Safe Harbor/Exception criteria may still run afoul of other federal and state anti-fraud laws, including the Eliminating Kickbacks in Recovery Act (EKRA). EKRA applies directly to laboratories and, unlike the AKS, reaches services paid for by private insurers as well as federal health programs; it has its own, narrower set of exceptions and does not incorporate the AKS cybersecurity safe harbor, so each arrangement should be reviewed against EKRA and applicable state law separately.