New Safe Harbors for Telehealth

New and modified safe harbors to the Stark Law and Anti-Kickback statue allow healthcare providers and entities more flexibility to create and expand telehealth platforms in compliant fashion.

On November 20, 2020, the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the Inspector General (“OIG”) finalized the rules modifying the safe harbors under the Anti-Kickback Statute and exceptions under the Stark Law, creating seven new safe harbors for value-based arrangements, modifying four already in place and codifying one new exception.

These changes offer opportunities for healthcare providers and entities to make better use of telehealth options in a “value-based enterprise” as opposed to the former regulatory framework which was tailored to a fee-for service environment.  Providers will benefit from a reduced burden of regulatory compliance.  Patients will benefit from improved outcomes and reduced cost of care.

By way of background, the Stark Law, otherwise known as the physician self-referral law, prohibits referrals by a physician to another provider if the physician or his immediate family has a financial relationship with the provider (with certain exceptions). The Anti-Kickback Statute (“AKS”), meanwhile, bars the exchange of remuneration – which according to this law is anything of value – for referrals that are payable by a federal healthcare program such as Medicare.

As part of the Department of Health and Human Services’ (“HHS”) “regulatory sprint to coordinated care”, these new rules are aimed at reducing regulatory barriers to care coordination and accelerating the transformation of the health care system, including the use of telehealth.  Healthcare providers who were previously discouraged from entering into innovative arrangements due to concerns over noncompliance with the Stark Law or other regulatory schemes now have more freedom in a system that compensates according to value rather than volume of services.

The new safe harbors fall into the following categories: three types of value-based arrangements with varying levels of financial risk (no assumed risk, substantial risk and full risk), patient engagement and support, CMS-sponsored payment and delivery models, and cybersecurity technology and services.

Prior to the new changes, if a hospital engaged a physician to provide telehealth services and paid the physician for his or her services and also provided telehealth related equipment, connectivity or software to the physician free of charge, such an arrangement likely would have been problematic under both the Stark anti-referral prohibition and the AKS.

Under the new rules, by forming a value-based enterprise and observing the financial risk guidelines of the appropriate safe harbor, it could be permissible for a provider to accept in-kind, or even potentially monetary remuneration, from a technology company in the form of free or reduced cost hardware or services, or even participate in a shared savings arrangement.

With the application of these new safe harbors, largely gone is the requirement to demonstrate fair market value of goods or services.  Another major change is near elimination of the prohibition against taking into account volume or value of referrals (again, presuming safe harbors apply).  These modifications of the regulatory scheme are designed to overcome prior hurdles related to care coordination and improving patient engagement and support.  As a result, providers will be less restricted in how they offer treatment and services via telehealth, and in particular, via Remote Patient Monitoring.  For example, in partnership with a technology company, a physician could provide a patient with a smart device at no cost to facilitate more convenient in-home monitoring whether for blood sugar, heart rate or rhythm, or other vital statistics.

In recognition of the urgent problem of cyber threats to the health care industry, these changes also include a new safe harbor for cyber security technology and services to allow remuneration in the form of cybersecurity-related hardware.  With ransomware attacks, phishing campaigns and data breaches steadily on the rise in the healthcare sector, these changes are vital to improved protection of electronic health records.

On a related note, an existing safe harbor regarding electronic health records was modified to improve interoperability, clarify cybersecurity protections and remove the sunset provision and prohibition of donated equivalent technology.

One final change related to telehealth is the addition of a new exception related to the Beneficiary Inducement Civil Monetary Penalty, allowing for programs that use telehealth in home-based dialysis treatment.

As the current pandemic continues and thereafter, telehealth is expected to remain a staple in healthcare for the foreseeable future.  The new safe harbors and exceptions offer providers and their patients a greater flexibility than ever before to use telehealth more safely and efficiently.

Originally published in Healthcare Michigan, December 2020.

About the Author:  

Kimberly Ruppel is a co-chair of Dickinson Wright PLLC’s Telehealth Task Force.  She has over 20 years’ experience as a commercial litigator who represents healthcare providers, insurers and benefit plans in matters related to healthcare litigation, licensing and regulatory disputes, governmental fraud and abuse investigations, HIPAA compliance, ERISA and insurance claims, coverage and fiduciary disputes, and class actions in state and Federal courts.