HHS Rule Changes Allow for Cybersecurity Donations
New 'Safe Harbors' Allow Hospitals to Donate Tech to Physician Practices
Federal regulators have issued detailed final rules containing provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology, such as software, hardware and services, to physician practices.
The cybersecurity exceptions are contained in a 627-page final rule issued on Friday by the Department of Health and Human Services' Centers for Medicare and Medicaid Services and a 1,049-page final rule issued by the HHS Office of Inspector General modifying so-called Stark Law and federal anti-kickback regulations.
"We believe that a primary reason that an entity would provide cybersecurity technology and related services to a physician is to protect itself from cyberattacks," HHS writes. "However, we recognize that donated cybersecurity technology and services may have value for a physician recipient insomuch as the recipient would be able to use his or her resources for needs other than cybersecurity expenses."
HHS also notes: "It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem."
The exceptions will more readily allow hospitals and healthcare delivery systems to provide physician practices and other small healthcare provider organizations with free cybersecurity technologies and services, notes regulatory attorney Marti Arvin of the privacy and security consulting firm CynergisTek.
"This, in turn, will benefit the hospital if the physician practice that is connected to the hospital's infrastructure is more secure," Arvin says.
New Safe Harbors
The CMS rule, Medicare Program: Modernizing and Clarifying the Physician Self-Referral Regulations, and the HHS OIG rule, Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, are slated to be published in the Federal Register on Dec. 2 and go into effect on Jan. 19.
The rules finalize proposals HHS issued in October 2019 as part of what it calls a "regulatory sprint to coordinated care." (See: HHS Proposes Allowing Cybersecurity Donations to Doctors)
The exceptions provide "new flexibility" for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system, HHS notes.
The CMS rule clarifies exceptions to the Stark Law related to allowable electronic health record-related donations to physicians.
"We are finalizing our proposal to expand the EHR exception to expressly include cybersecurity software and services so that it is clear that an entity donating electronic health records software and providing training and other related services may also utilize the EHR exception to protect donations of related cybersecurity software and services to protect the electronic health records, provided that all the requirements of the EHR exception are satisfied," CMS writes.
CMS also is providing "a separate, standalone exception ... that applies to broader cybersecurity donations, including donations of cybersecurity hardware."
CMS notes that it's taking "a neutral position" with respect to the types of technologies that can be donated under the cybersecurity exception.
"We did not propose to distinguish, and the cybersecurity exception as finalized here does not distinguish, between cloud-based software and software that must be installed locally," CMS notes.
"The types of technology to which the cybersecurity exception is applicable include, but are not limited to, software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering," CMS notes in the rule.
"These examples are indicative of the types of technology that are necessary and used predominantly to implement, maintain or reestablish cybersecurity."
The cybersecurity exception "also applies to hardware that is necessary and used predominantly to implement, maintain or reestablish cybersecurity," HHS says.
The exception also covers a broad range of cybersecurity-related services, CMS notes. Those include developing, installing and updating cybersecurity software and providing cybersecurity training services. Those services include training on how to use the cybersecurity technology; how to prevent, detect and respond to cyberthreats; and how to troubleshoot problems with the cybersecurity technology, for example, via "help desk" services.
The new safe harbors allowing providers to donate cybersecurity technology and services to small or under-resourced providers have the potential to improve the overall cybersecurity posture of the healthcare ecosystem and help guard against cyberattacks that threaten patient safety, says privacy attorney David Holtzman of the consulting firm HITprivacy.
"Cybersecurity risk management in the healthcare sector cannot succeed if organizations are only able to act independently," he says. "As the healthcare system is an interconnected and interdependent network, cyber threats are a shared challenge and a shared responsibility that requires a team effort."
Arvin also says she expects the rule changes will have a positive effect on health data protection.
"For some time now, security associated with affiliated parties has been a concern, and I believe there is potential for a positive impact using this new exception," she says.
"If the hospital has good infrastructure but the connected physician practice has weak cybersecurity, then there is a natural conflict. It's either don't allow the connection because of the risk and potentially impact patient care in a negative way or allow the connection and take the risk of a cyber event because of the physician's weak infrastructure. Allowing the donation of cybersecurity technology and related services minimizes this conflict."