Compliance Tool: Model Policy on Donating Cybersecurity Technology to Physicians
This template aims to help lab leaders develop a policy for donations of cybersecurity technology that complies with safe harbor requirements.
Physicians with whom your lab does business may lack the cybersecurity systems and equipment necessary to keep health information you provide them safe from ransomware, hacking, and other forms of cyberattack. Before letting such physicians connect to your laboratory information system, you may want to provide them the required cybersecurity technology for free or at low cost. However, though boosting cybersecurity may be your sole objective, entering into such arrangements exposes you to risk of liability under federal kickback and anti-fraud laws. In 2021, the U.S. Department of Health and Human Services implemented new rules allowing for these cybersecurity donations under strict conditions. Here’s a Model Policy to ensure that your arrangements comply with these safe harbor requirements. Consult with legal counsel when adapting the template to your lab’s situation.
CYBERSECURITY DONATIONS POLICY
In the course of doing business with hospitals, health systems, physician groups, and other entities and individuals that refer patients to [Insert Lab Name Here] for laboratory testing and other services and items (referred to collectively here as “provider referral sources”), it may be necessary for us to establish an interconnection between [Insert Lab Name Here]’s own laboratory information system (LIS) and that of the provider referral sources. While necessary to allow for the interchange of test results and other medical information essential for diagnosis and treatment, such interconnections and data interchanges may also render [Insert Lab Name Here]’s confidential data more vulnerable to cyberattack.
In recognition of these cybersecurity risks, [Insert Lab Name Here] has adopted strict information systems and security policies governing when and under what conditions it is permissible for provider referral sources to interconnect with our LIS. To effectuate these policies and ensure that interconnections meet the cybersecurity standards they contain, [Insert Lab Name Here] may from time to time offer cybersecurity technology to provider referral sources for free or at prices below market rates for such equipment. Although such donations might serve legitimate and necessary purposes, namely to guard against cyberattack, they may also raise concerns under federal and state laws, including, but not limited to, the Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (Stark Law), which ban the offering, provision, or receipt of remuneration in exchange for referrals of services or items paid for by Medicare, Medicaid, and other federal healthcare programs. The purpose of this policy is to avoid violations of and ensure compliance with these laws by establishing clear rules governing cybersecurity donations made by [Insert Lab Name Here] to provider referral sources.
3. GENERAL RULE
[Insert Lab Name Here] shall not make donations of cybersecurity technology to provider referral sources unless those donations are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity in accordance with the provisions of the AKS Cybersecurity Safe Harbor (42 C.F.R. § 1001.952(jj)), the Stark Law Cybersecurity Exception (42 C.F.R. § 411.357(bb)), and the provisions of this policy.
For purposes of this policy:
- “Cybersecurity” means the process of protecting information by preventing, detecting, and responding to cyberattacks.
- “Technology” means any software or other type of information technology, which could include hardware and related services, as well as technologies that are neither software nor services, without regard to technology type.
5. PRIOR APPROVAL OF CYBERSECURITY DONATIONS
Before entering into any proposed arrangement that involves providing cybersecurity technology to a provider referral source for free or at a below-market price, [Insert Lab Name Here] personnel must notify [list contact name or title, e.g., the Compliance Officer] of all the terms of the proposed arrangement. Upon receiving such notification, [list contact name or title, e.g., the Compliance Officer] will review the contemplated donation to ensure it complies with all requirements set forth in the safe harbor/exception and this policy. Such arrangements may not be completed unless and until [list contact name or title, e.g., the Compliance Officer] provides the necessary approval.
6. CRITERIA FOR SELECTION OF CYBERSECURITY DONATION RECIPIENTS
Cybersecurity donations will not be approved unless they are determined to be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. In making such determinations, [list contact name or title, e.g., the Compliance Officer] shall consider whether the proposed donation is necessary to enable the recipient to meet the criteria for cybersecure interconnections with the LIS set forth in the [Insert Lab Name Here] Cybersecurity Policy, listed below:
[list minimum criteria required for allowing outside parties to connect to your own LIS]
7. CYBERSECURITY DONATIONS DUE DILIGENCE & REVIEW PROCESS
In determining whether to approve the proposed cybersecurity technology donation, [list contact name or title, e.g., the Compliance Officer] shall perform a due diligence review of the proposed recipient, including, without limitation, with respect to its business model (including services, patients, and payers); its relationships with physicians, third-party marketing firms, and important vendors (including cybersecurity vendors); and its HIPAA, cybersecurity training, and general compliance programs. In addition, due diligence will include review of the proposed recipient’s IT systems, hardware, software, and other equipment, and how it deals with cybersecurity threats, including with regard to:
- restricting access to its critical IT systems;
- protecting its IT data;
- storing, retrieving, and distributing IT data; and
- relying on third parties for protection against cybersecurity threats.
8. DONATION ARRANGEMENT REQUIREMENTS
If the necessary approval is provided, donations of cybersecurity technology by [Insert Lab Name Here] to a provider referral source recipient must:
- be made pursuant to a written agreement that is signed by both [Insert Lab Name Here] and the provider referral source recipient,
- include a general description of the technology and services donated,
- list the contribution amount, if any,
- not be a condition that the recipient demands in exchange for agreeing to do business with [Insert Lab Name Here], and
- not in any way shift the costs of the donation to federal healthcare programs such as Medicare.