In October 2019, the U.S. Department of Health and Human Services (HHS) proposed changes to the Federal Anti-Kickback Statute (AKS) and the Physician Self-Referral Law (Stark Law) in order to clarify the definitions of safe cybersecurity technology and services donations. HHS created the amendments to modernize and clarify the regulations within our fast-paced digital age. The Healthcare and Public Health Sector Coordinating Council (HSCC) responded to requests for feedback with a press release, suggesting, among other topics, that patching and updates should be protected under the exception/safe harbor.
What are the Stark Law and the safe harbor amendment?
The government created AKS and Stark Law to address healthcare fraud and abuse in referrals of services; AKS prohibits the exchange of remuneration while the Stark Law prohibits self-referral. Safe harbor amendments provide legal exemptions to the laws in order to provide greater flexibility to providers and value-based arrangements. According to the amendments, “The proposed rule would add a new safe harbor for donations of cybersecurity technology and amend the existing safe harbors for electronic health records arrangements, warranties, local transportation, and personal services and management contracts.” Technology safe harbors could include malware prevention, business continuity, and encryption software; services could include risk assessments as well as the installation of cybersecurity software.
HHS Deputy Secretary Eric Hargan stated that the proposal is an effort to “allow innovation…while maintaining the important protections patients need.” The proposal received overall praise when first released.
Why is HSCC worried about patching?
HSCC’s December 2019 press release addressed four overarching topics, including clarification regarding needed hardware and software patching and updates. A well-known cybersecurity problem within the healthcare industry is its reliance on outdated systems for which updates or security patches are no longer provided, along with the expense of switching to and continuously maintaining new devices.
HSCC’s press release emphasized that such donations are necessary to block cyberattacks and must be part of the exception/safe harbor to AKS and Stark Law. A request for clarification is vital given the healthcare industry’s continuous cyber threat concerns; HHS has yet to respond.