OIG and CMS Modify AKS Safe Harbor and Stark Law Exception for EHR Donations

This Commentary is part of a series of nine Commentaries on the newly finalized Stark Law and Anti-Kickback Statute exceptions and safe harbors seeking to remove regulatory barriers to care coordination.

In Short

The Situation: In light of the now widespread adoption of electronic health records ("EHR") technology, the U.S. Department of Health and Human Services Office of Inspector General ("OIG") and Centers for Medicare & Medicaid Services ("CMS") proposed modifications in October 2019 to modernize protections for EHR donations under the Anti-Kickback Statute ("AKS") and the Stark Law. The goal of the proposed modifications was to expand EHR donation protections in the regulatory safe harbor and exception and to realign them with industry needs regarding EHR technology.

The Action: OIG and CMS coordinated to finalize similar revisions to the EHR items and services safe harbor under the AKS (42 C.F.R. § 1001.952(y)) and exception under the Stark Law (42 C.F.R. § 411.357(w)) ("Final Rules"). These Final Rules encourage the broader adoption and increased interoperability of EHR technology.

Looking Ahead: Finalized revisions modernize the AKS safe harbor and Stark Law exception for EHR technology donations to bring EHR protections in line with current industry practices and to encourage the continued adoption of the most current technology. 

On November 20, 2020, following months of coordination, OIG and CMS issued their Final Rules revising the AKS safe harbor and the Stark Law exception, respectively, for donations of EHR items and services. Although the agencies adopted some of the revisions they had proposed in October 2019 in connection with EHR donations, their final revisions are more modest. Because of the agencies' coordination, however, the revisions are consistent across both Final Rules. The Final Rules became effective on January 19, 2021.

Updates to Interoperability Provisions and Removal of Information Blocking Provisions: The proposed rules sought to align the definition of interoperability with the definition and requirements under the 21st Century Cures Act ("Cures Act") and regulations issued by the Office of National Certification of Health Information Technology ("ONC"). Under the Final Rules, both OIG and CMS define "interoperable" to mean that the software can (i) "securely exchange data with, and use data from other health information technology"; and (ii) "allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law." This final definition of "interoperable" omits the proposed rule's requirement that the EHR be interoperable "without special effort on the part of the user." The Final Rules do, however, adopt the proposed rules' requirement that, for software to be deemed interoperable, it must—at the time of donation—be certified by an ONC-authorized body.

The proposed rules contemplated adding various provisions related to "information blocking." Because OIG and CMS determined that the Cures Act and ONC regulations are better suited to regulate information blocking, however, the Final Rules contain no information blocking provisions. The Final Rules also delete existing regulatory prohibitions against EHR donors restricting the use, compatibility, or interoperability of donated EHR technology with other electronic prescribing or EHR items or services.

Protections of Cybersecurity Donations: In the proposed rules, OIG and CMS considered expanding the EHR protections to explicitly include the donation of cybersecurity software and services that protect EHRs. In the Final Rules, the agencies clarify that the safe harbor and exception extend to cybersecurity software and services donations as long as (i) the donated cybersecurity software or services "are necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records"; and (ii) all other requirements of the regulation are met. The Final Rules also define "cybersecurity" as "the process of protecting information by preventing, detecting, and responding to cyberattacks." Note that the cybersecurity protections in this safe harbor and exception are narrower than those in the separately adopted safe harbor and exception for cybersecurity, discussed in our earlier Commentary.

Removal of the Sunset Provision: The Final Rules permanently remove the December 31, 2021 sunset date for the EHR safe harbor and exception. The proposed rules had contemplated this removal or, alternatively, an extension of the sunset date. Removal of the sunset date is intended to facilitate universal EHR adoption by providing cost certainty, ensuring that new physicians and late adopters are encouraged to adopt EHR technology, and preserving existing gains toward universal adoption.

Donation of Replacement Technology: Consistent with the proposed rules, the Final Rules extend protection to donations of replacement EHR items or services, which previously had been excluded from protection. The same criteria that apply to new items and services now apply to replacement items and services, including the requirement for advance financial contributions.

Contribution Requirement: Although the agencies had considered revising the requirement that recipients contribute 15% of the donor's cost for the EHR items and services, the Final Rules retain this requirement and the condition that the donor does not finance the recipient's contribution. The Final Rules do, however, remove the requirement that the contribution be paid in advance for updates to existing EHR systems or items and services donated after the initial or replacement donation; instead, contributions for these items and services may be made at reasonable intervals. The commentary included in CMS's Final Rule provides illustrations of how to calculate physician contributions when donations are made to a physician organization.

OIG's Expansion of Protected Donors: Consistent with OIG's proposed rules, OIG's Final Rule expands the category of protected donors to include not only all non-laboratory providers but also entities comprised of such providers (e.g., health systems and accountable care organizations). Donations by laboratories and non-providers such as manufacturers continue to be ineligible for protection under the revised AKS safe harbor and Stark Law exception.

Three Key Takeaways:

  1. OIG and CMS finalized revisions to the existing protections for EHR donations under the AKS and Stark Law, effective January 19, 2021.
  2. These reforms modernize the protections afforded to EHR items and services to foster widespread adoption and encourage increased interoperability of such technology.
  3. Stakeholders should carefully analyze these Final Rules to promote compliance when structuring future donations of EHR items and services.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.