Proposed Changes to Electronic Health Records (EHR) Exception and Safe Harbor

As previously noted on this blog, on October 9, 2019, two agencies of the U.S. Department of Health and Human Services (“HHS”) each released a set of wide-ranging and significant proposed rules (each a “Proposed Rule”). The Centers for Medicare & Medicaid Services (“CMS”) released a Proposed Rule modifying the Stark Self-Referral Prohibition[i] (“Stark”). Likewise, HHS’s Office of Inspector General (“OIG”) released a Proposed Rule modifying the Federal Anti-Kickback Statute[ii] (“AKS”). One item of particular note to those representing or working for hospitals or physician practices is the portion of each Proposed Rule related to the EHR donation safe harbor and exception. These proposed changes ease the rollout of EHR conversions by health systems and other large providers who, for the sake of interoperability, provide EHR system access to additional providers.

EHR Exception

CMS’s Proposed Rule would modify the Stark Law’s EHR exception[iii] as follows:

  • Cybersecurity software and services needed to create, maintain, transmit, receive, or protect EHR and meeting required conditions may be excluded from the definition of “remuneration.”
  • The donor of such software and services must not engage in “information blocking” in connection with the donation. “Information blocking” is defined as a practice likely to disrupt, prevent, or discourage access, exchange, or use of electronic health information.[iv]
  • The sunset of the exception on or before December 31, 2021 is eliminated, thereby making the exception permanent.

EHR Safe Harbor

OIG’s Proposed Rule would modify the Anti-Kickback Statute’s safe harbor[v] as follows:

  • Certain cybersecurity software and services (same as in the Stark EHR exception) may be excluded from the definition of “remuneration.”
  • The donor must similarly not engage in “information blocking.”
  • The “sunset” date of the safe harbor is eliminated, making the safe harbor permanent.
  • The definitions of “cybersecurity” and “interoperable” are updated.

Finally, the Proposed Rule includes a new safe harbor and exception relative to cybersecurity technology and services. Taken together, these proposed changes involving the provision and/or donation of EHR and cybersecurity systems are significant because they help to remove some of the remaining barriers to interoperability and to the development of efficient, effective and secure community-wide EHR systems. Healthcare providers want clarity on these issues, so many hope that these proposed changes will ultimately become effective. They certainly merit monitoring.

View the full text of the proposed changes to Stark. For the full text of the proposed changes to AKS, click here.


[i] 42 U.S.C. 1395nn.
[ii] 42 U.S.C. 1320a-7b(b).
[iii] 42 C.F.R. 411.357(w).
[iv] Section 4004 of the 21st Century Cures Act, 42 U.S.C. 300jj-52(a)(1)(A).
[v] 42 C.F.R. 1001.952(y).