In what is likely the most substantial fraud and abuse rulemaking in over a decade, the US Department of Health and Human Services Office of Inspector General (OIG) and Centers for Medicare & Medicaid Services (CMS) published on November 20, 2020, long-awaited final rules changing the regulations addressing the Anti-Kickback Statute (AKS) and Civil Monetary Penalties for Beneficiary Inducements (CMP), and the Physician Self-Referral Law (the Stark Law), respectively.
Both rules were part of the HHS Regulatory Sprint to Coordinated Care and are the culmination of a multi-year effort that began with CMS and OIG issuing requests for information in September 2018 and issuing proposed rules in October 2019 (as discussed in prior Health Law Pulse blog posts, "US regulators to align key health care regulations with transformation to value-based care system; CMS and OIG propose major overhaul of Stark Law and AKS regulations" and "CMS and OIG release sweeping proposals to modernize Stark Law and AKS regulations").
In an HHS Press release accompanying the final rules, HHS Secretary Alex Azar touted the final rules as “regulatory reforms [that] will mean better care, including innovative arrangements with digital technology that may help patients receive care during the COVID-19 pandemic.” The coordinated effort between different operating divisions of the US Department of Health and Human Services is notable in its breadth and highlights the importance of these policy changes towards the goal of removing barriers to coordinated care that aims to reduce cost and improve quality.
Value-based rules
Perhaps the most critical part of the final rules is a new three-tiered Stark Law exception for value-based arrangements and three similar but non-identical AKS safe harbors.
Stark Law value-based exception
In finalizing the new exception, CMS touts that it boldly “depart[s] from the historic exceptions to the [Stark Law] in order to facilitate the transition to a value-based health care delivery and payment system.” The three tiers of the exception are based on the level of risk being borne by the parties to the arrangement, i.e., full financial risk, meaningful downside financial risk (softened in the final rule to a 10 percent threshold from the proposed rule’s 25 percent threshold), and care coordination arrangements with no or lower risk. Greater flexibility is provided for higher-risk arrangements on the assumption that such arrangements inherently have disincentives to at least partially curb overutilization.
The value-based arrangements exception is built on a series of interwoven definitions such as “value-based activity,” “value-based arrangement,” “value-based enterprise (VBE),” “value-based purpose,” “VBE participant,” and “target patient population.” The definitions are necessarily formal as CMS and OIG strived to capture a broad universe of potential arrangements between varied types of parties. However, if one imagined a physician-hospital arrangement in which the hospital incentivized a physician group to enhance the quality of care to surgical patients, including through the postoperative phase, with a goal of improving outcomes such as reducing readmissions, the “value-based enterprise” would simply be the miniature ‘network’ of the hospital and the physician group (as governed by the contract between the parties), the “value-based purpose” would be to improve the quality of care to surgical patients, and the “value-based activity” could be the physicians group’s efforts to develop and adhere to redesigned care protocols. Under this new exception, the parties would have greater flexibility in structuring the compensation payable to the physician group, as, for example, the parties would not need to satisfy—at least for Stark Law purposes —the element of ‘fair market value,’ which does not always cleanly fit into the value-based context.
The final rule was largely consistent with the proposed rule, resulting in an exception that should be fairly flexible. For example, the proposed rule floated the possibility of tightening the proposed definition of “VBE participant” to exclude laboratories, DMEPOS suppliers, and various pharmaceutical-related parties such as manufacturers and benefit managers, but the final rule refrained from excluding specific types of suppliers. However, in the final rule, for arrangements below the meaningful downside risk threshold, (i) CMS added a “commercially reasonable” element and (ii) was more prescriptive regarding active monitoring of whether an arrangement is in fact furthering its value-based purpose(s), with express requirements to promptly amend or terminate arrangements that are not found to be furthering their value-based purpose(s). The table below summarizes the elements applicable to each tier of the exception.
Element
|
Full risk
|
Meaningful downside risk
|
Value-based
|
No inducement to reduce medically necessary items/services; remuneration is for value-based activities undertaken for the target patient population,* standard limitations on required referrals; 6 year record-keeping requirement
|
Yes
|
Yes
|
Yes (* with express monitoring requirement)
|
Any performance/quality standards must be written, objective/measurable, with only prospective changes
|
No
|
No express element
|
Yes
|
Set in advance requirement
|
No
|
Yes
|
Yes
|
Signed writing requirement
|
Very limited
|
Limited
|
Yes
|
Commercially reasonable requirement
|
No
|
No
|
Yes
|
Volume/value of referral or other business generated prohibition
|
No
|
No
|
No
|
Fair market value requirement
|
No
|
No
|
No
|
AKS value-based safe harbors
The OIG finalized three value-based safe harbors designed on a sliding scale like the similar Stark exception, in that the more significant the financial risk undertaken by the participants, the greater the flexibility provided by the AKS safe harbors. The OIG states that “[a]n overarching goal of our proposals was to develop final rules that protect low-risk, beneficial arrangements without opening the door to fraudulent or abusive conduct that increases Federal health care program costs or compromises quality of care for patients or patient choice.”
The OIG and CMS underscored that there are some differences between the Stark Law’s value-based arrangements exception and the corresponding AKS safe harbors promulgated in the OIG’s final rule, even if the basic definitional framework is quite similar. The OIG noted their intent to align value-based termination and safe harbor conditions with those being finalized by CMS, but noted that “complete alignment is not feasible because of fundamental differences in statutory structures and sanctions across the two laws.” Additionally, the OIG states that the AKS final rule is intended to “provide ‘backstop’ protection for Federal health care programs and beneficiaries against abusive arrangements that involve the exchange of remuneration intended to induce or reward referrals under arrangements that could potentially satisfy the requirements of an exception to the physician self-referral law.”
All three safe harbors protect in-kind remuneration, but—in a key departure from the corresponding Stark Law exception—monetary remuneration is only protected under the substantial downside financial risk and full financial risk safe harbors. The three value-based safe harbors are as follows:
- Care coordination arrangements to improve quality, health outcomes and efficiency. This safe harbor applies to VBE participants that have little or no financial risk and it only protects in-kind remuneration. In order to meet the safe harbor, the value-based arrangement must take on at least one evidence-based outcome measure. The parties must establish legitimate outcome or process measures that the parties reasonably anticipate will advance the “coordination and management of care for the target patient population based on clinical evidence or credible medical or health science support.” The arrangement must be commercially reasonable and the offeror of the remuneration may not take into account the volume or value of, or condition the remuneration on “(i) referrals of patients that are not part of the value-based arrangement’s target patient population; or (ii) business not covered under the value-based arrangement.” The recipient of remuneration must contribute at least fifteen percent of the offer’s cost or the FMV of the in-kind remuneration.
- Value-based arrangements with substantial downside risk. This safe harbor protects in-kind and monetary remuneration between VBEs and VBE participants. Many of the safe harbor’s elements align with the Care Coordination safe harbor but also requires substantial downside financial risk for at least one year. VBE participants are required to “meaningfully share” in downside, meaning at least five percent of the losses and savings (OIG had proposed eight percent). The shared savings and losses threshold is reduced in the final rule to thirty percent, from the forty percent threshold that was proposed. A twenty percent threshold is required for clinical episodes of care.
- Value-based arrangements with full financial risk. This safe harbor covers monetary and in-kind remuneration between a VBE and VBE participant. In order to have full financial risk, “the VBE is financially responsible on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least one year.”
Throughout the final rule, the OIG states that they have placed “guardrails” to “prevent fraud and abuse under the guise of a value-based arrangement.” Similarly, the OIG reiterates the longstanding principle that failing to meet a safe harbor does not make an arrangement unlawful. Instead, “[a]rrangements that do not fit in a safe harbor are analyzed for compliance with the Federal anti-kickback statute based on the totality of their facts and circumstances, including the intent of the parties.”
The final rule permits, in a change from the proposed rule, any type of actor to be a value-based participant (VBP). However, despite their ability to participate as a VBP, these entities are ineligible to use the value-based safe harbors to protect remuneration: pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers; laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices or medical supplies; entities or individuals that sell or rent DMEPOS (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); and medical device distributors and wholesalers. The final rule acknowledges that digital health can play an important role in care coordination. The OIG creates a special pathway for medical device manufacturers and medical supply and DMEPOS companies to be eligible under the care coordination arrangements safe harbor. The entities are considered “limited technology participants” under the final rule.
Therefore, while the OIG creates a wider umbrella for entities to participate in VBEs, it will be critical to track remuneration between these entities and the VBE/VBE participants because certain remuneration will not be protected under the safe harbor.
Element
|
Full risk
|
Meaningful downside risk
|
Care-coordination
|
In-kind contributions only
|
No
|
No
|
Yes
|
Legitimate and verifiable criteria
|
No
|
No
|
Yes
|
Set in advance requirement
|
No
|
Yes
|
Yes
|
Signed writing requirement?
|
Yes
|
Yes
|
Yes
|
Commercially reasonable requirement
|
No
|
No
|
Yes
|
Volume/value of referral or other business generated prohibition?
|
Yes
|
Yes
|
Yes
|
Applies to Participant-Participant Arrangements?
|
No
|
No
|
Yes
|
Evidence of compliance to HHS (upon request)
|
Yes
|
Yes
|
Yes
|
Other Stark Law changes
The Stark Law final rule also included numerous additional changes beyond the value-based arrangement exception, including various definitional changes, clarifications, liberalizations, and a pair of additional new exceptions.
Definitional changes
- Commercially reasonable. One of the more critical definitional changes is that CMS added a definition for “commercially reasonable,” whereas previously it had only briefly addressed the concept of “commercially reasonable,” primarily in its preamble to the 1998 proposed rule. Under the new definition, commercially reasonable “means that the particular arrangement furthers a legitimate business purpose of the parties to the arrangement and is sensible, considering the characteristics of the parties, including their size, type, scope, and specialty. An arrangement may be commercially reasonable even if it does not result in profit for one or more of the parties.” CMS noted in commentary that the “key question” to this analysis is “whether the arrangement makes sense as a means to accomplish the parties’ goals.” CMS gave a non-exhaustive list of examples of when an arrangement may be commercially reasonable yet not profitable, including arrangements for “community need, timely access to health care services, fulfillment of licensure or regulatory obligations, including those under [EMTALA], the provision of charity care, and the improvement of quality and health outcomes.”
- Fair market value. CMS also revised and restructured the definitions for “fair market value” and “general market value.” In the commentary describing these changes, CMS made helpful comments with respect to permissible compensation arrangements. CMS recognized that the fair market value of a transaction may not always coincide with published salary surveys. Some examples given by CMS included that a hospital might legitimately pay a salary higher than what published surveys indicate for the typical orthopedic surgeon in that hospital’s location in securing the services of one of the top orthopedic surgeons in the country, and that a higher-than-typical salary may be needed to attract a cardiothoracic surgeon to an area that currently has no cardiothoracic surgeons. CMS also acknowledged that while an entity’s compensation of a physician at an ongoing loss may present concerns, there also may be valid reasons for entering into such an arrangement.
- Isolated financial transaction. The definition of isolated financial transaction was also revised and restructured to expressly foreclose aggressive uses of the corresponding exception relating to making a lump-sum payment for services previously provided over a period of time and not previously compensated. However, changes to the writing requirement and the new exception relating to “limited remuneration to a physician” will in some cases help blunt the impact of this tightened definition.
- Designated health services. CMS also revised the definition of designated health services (DHS) to include that with respect to services furnished to inpatients by a hospital, a service is not considered a designated health service payable by Medicare if the furnishing of the service does not increase the amount of Medicare’s payment to hospital under any of the following prospective payment systems (PPS): Acute Care Hospital Inpatient, Inpatient Rehabilitation Facility, Inpatient Psychiatric Facility, or Long-Term Care Hospital. Thus, for example, if the ordering of an MRI by a specialist for a hospital inpatient does not change the payment to the hospital based on the MS-DRG assigned upon admission of the patient to the hospital, then the MRI referral would not be for DHS. From a practical perspective, we expect that the revision may be more likely to affect an overpayment analysis on a retrospective basis than it would alleviate compliance obligations (e.g., contracting) on a go-forward basis, as we expect that it would likely be difficult to anticipate prior to the referral whether any referral would cause a prospective payment to increase. Upon learning that a hospital has a financial arrangement with a physician who refers to the hospital and the arrangement does not meet a Stark exception, if that physician was not the one to order the inpatient hospital admission, the revised definition of DHS may operate to reduce the amount that needs to be refunded, as now the hospital can isolate payments only for DHS referrals by the physician that resulted in an increase over the expected MS-DRG payment (or other PPS payment) for any refund that may be required.
Clarifications and liberalizations
- “Volume or Value of Referrals.” The final rule additionally codifies what it intends to be ‘bright-line’ tests for CMS to deem that compensation “takes into account the volume or value of referrals” or other business generated and does so in a manner that should assuage stakeholder concerns regarding expansive language in the Fourth Circuit’s infamous 2015 opinion in U.S. ex rel. Drakeford v.Tuomey Healthcare System, Inc. (792 F.3d 364). In short, compensation between parties takes into account the volume or value of referrals or other business generated only if the formula used to calculate the compensation includes the physician’s referrals to the entity or other business generated as a variable, resulting in a change in compensation that correlates with the number or value of the physician’s referrals other business generated. However, if the formula focuses on the physician’s personally performed work, the fact that corresponding hospital services are billed would not render such a compensation formula improper. Notably, the codified standard is broadly applicable to multiple contexts, including without limitation the indirect compensation arrangements definition, the bona fide employment relationships exception and the personal services arrangements exception.
- Writing requirements. The final rule also extended prior CMS guidance liberalizing the writing and signature requirements (as discussed in Health Law Pulse posts here (September 2015) and here (August 2018)), offering parties greater front-end flexibility in satisfying applicable exceptions. Specifically, parties now generally have 90 days to reduce a new arrangement to writing, whereas previously, the parties technically needed to have a writing (or collection of documents) dating to the commencement of arrangement, and the 90-day grace period technically applied only to the signature requirement (even if many practitioners tended to be imprecise in their approach to analyzing such fact patterns). Historically, the Stark Law’s strict liability nature made the concept of an aggressive internal audit function a double-edged sword, as such an approach could truncate future liability but might reveal ‘foot-faults’ that would have to be self-disclosed and settled. Between the ‘collection of documents’ liberalization, the new application of a 90-day grace period to the writing requirement itself (rather than just the signature requirement), and the potential ability to combine those liberalizations with the new “limited remuneration to a physician” exception discussed below, parties should generally have a reasonable window to uncover documentation deficiencies and execute a formal agreement consistent with best practices (whether technically required in order to satisfy an exception or not).
- Payments by a physician. The final rule also amended the “payments by a physician” exception, which has required (outside of the laboratory context) that the compensation not be specifically covered by another exception, and has been gutted since the “fair market value compensation” exception was expanded in Phase III to cover payments by a physician. Specifically, CMS refined the “payments by a physician” exception’s problematic element such that now the compensation must not be specifically covered by a ‘statutory’ exception (as addressed in the regulations in 42 CFR 411.357(a) – (h)). The amended exception should generally be available to protect arrangements such as where a physician pays a hospital for providing answering services, potentially protecting arrangements that fail to meet the technical requirements of the “fair market value compensation” exception.
Additional new exceptions
In addition to the value-based arrangements exception discussed above, CMS also added new exceptions for “limited remuneration to a physician” and “cybersecurity technology and related services.” The “limited remuneration to a physician” exception does not include a ‘set in advance’ or ‘writing/signature’ element and is designed to protect modest fair market value remuneration to a physician for the provision of items and services, protecting up to $5,000 (inflation-adjusted) in payments per physician per year that fail to satisfy other exceptions (reflecting an increase from the $3,500 threshold of the proposed rule). Notably, the new exception for “cybersecurity technology and related services” lacks the 15% minimum physician contribution element of the existing “electronic health records items and services” exception, although CMS did modify the latter exception in other helpful ways, including removing the sunset element to make such exception permanent.
Other AKS Safe Harbor changes
The OIG finalized new AKS safe harbors and modified existing safe harbors in the final rule.
- Patient Engagement and Support. The Patient Engagement and Support safe harbor protects the provision of in-kind patient engagement tools and supports provided directly by a value-based enterprise (VBE) participant to a patient in a target patient population that are directly connected to the VBE purpose of care management and coordination. The OIG’s policy is to be agnostic as to the types of in-kind tools and supports that can be protected by the safe harbor if all the required conditions are met. To fall within the Patient Engagement and Support safe harbor, the tool or support: (i) must be provided directly to a patient by a VBE participant; (ii) must be in-kind and have a direct connection to the coordination and management of the care of the target patient population; (iii) may not include any cash or cash equivalent and does not result in medically unnecessary or inappropriate items or services reimbursed by a federal health care program; (iv) must be recommended by the patient’s licensed health care professional; (v) must advance one or more of the following goals: (a) adherence to a treatment regimen determined by the patient’s licensed health care professional; (b) adherence to a drug regimen determined by the patient’s licensed health care professional; (c) adherence to a follow up care plan established by the patient’s licensed health care professional; (d) prevention or management of a disease or condition as directed by the patient’s licensed health care professional; or (e) ensure patient safety; (vi) may not be funded or contributed by a VBE participant that is not a party to the applicable value-based arrangement or an entity specifically excluded from the safe harbor; (vii) must not have an aggregate retail value of $500 on an annual basis; (viii) is not exchanged or used by the VBE participant to market other reimbursable items or services or for patient recruitment purposes; and (ix) is not made available in a manner that takes into account the type of insurance coverage of the patient. Further, for at least six years, the VBE participant must make all materials and records available to the Secretary of HHS, upon request, to establish that the tool or support was distributed in a manner that satisfies these requirements.
- Cybersecurity Technology and Services. The Cybersecurity Technology and Services safe harbor is available to all types of individuals and entities and protects certain nonmonetary remuneration in the form of a donation of cybersecurity technology and services. Cybersecurity technology is defined broadly to encompass any software or other type of information technology that is related to the process of protecting information by preventing, detecting, and responding to cyberattacks. To receive protection under this safe harbor, five requirements must be met: (i) the donated technology and services must be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity; (ii) donors may not directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services, or the amount or nature of the technology or services to be donated, nor may they consider future referrals when determining the amount or nature of the technology or services to be donated; (iii) neither a potential recipient nor a potential recipient’s affiliated individuals or entities may demand the donation of cybersecurity technology or services as a condition of doing business with the donor; (iv) the donor and recipient must enter into a signed written agreement that provides a general description of the technology or services to be provided over the term of the agreement and outline shared financial responsibility, if any; and (v) the donor is prohibited from shifting the costs of cybersecurity donations to federal health care programs.
- CMS-Sponsored Models. The OIG finalized a CMS-Sponsored Models Safe Harbor that permits remuneration between parties participating in CMS-sponsored models, such as distribution of capitated payments and shared savings or losses distributions. The final rule notes that this will provide uniformity and increase predictability for model participants.
- Electronic Health Records. The OIG removed the sunset provision in the Electronic Health Records Items and Services safe harbor that required all EHR donations, in order to permanently receive protections under this safe harbor, to have occurred on or before December 31, 2021. The final rule also clarifies that the EHR safe harbor protects certain cybersecurity software and services, adding “including certain cybersecurity software and services” and the term “protect” to the introductory language of this safe harbor. The final rule expands the scope of protected donors to include entities such as parent companies, accountable care organizations (ACOs), and health systems. The final rule deletes the provision that prohibited the donation of EHR items and services that the recipient already possesses.
- Warranties. The OIG also modified its existing Warranties safe harbor to “protect warranties that warranty a bundle of items or a bundle of items and services.” While this safe harbor will now protect warranties covering services, the OIG explained that it will “not provide protections to warranties that warranty only services.” To be protected, the OIG also notes that the bundled items and services must be federally reimbursable items and need to be reimbursed by the same Federal healthcare program and in the same Federal healthcare program payment. The OIG finalized a definition of “warranty” directly and not by reference to 15 U.S.C. 2301(6) in an effort to clarify that the warranties safe harbor is available for FDA-regulated drugs and devices.
- Personal Services and Management Contracts. The final rule also made changes to the Personal Services and Management Contracts safe harbor. The OIG finalized its proposal to remove the requirement from the personal services and management contracts safe harbor that aggregate compensation be set in advance and to replace it with a requirement that the methodology for determining compensation be set in advance. The OIG also removed the requirement in this safe harbor that agreements that are sporadic, or on a part-time basis, must “specify the schedule, length, and the exact charge for such intervals.” The OIG provides the example of a dialysis facility medical director who’s schedule is often unpredictable based on the nature of dialysis care and that this requirement to have a predetermined schedule stood in the way of these providers utilizing this flexibility.
- Outcomes-Based Payments. The final rule creates a new Outcomes-Based Payments safe harbor to protect payments when the agent that receives the payment “achieve[s] one or more legitimate outcome measure[s]” that are “based on clinical evidence or credible medical support and with specified benchmarks related to quality of care, a reduction in costs, or both.” To receive a protected outcomes-based payment, the payment methodology must also be consistent with fair market value, commercially reasonable, and cannot take into account the volume or value of referrals.
- MSSP ACO Beneficiary Incentives. The final rule codifies the Medicare Shared Savings Program ACO Beneficiary Incentives safe harbor. The safe harbor aligns with the Balanced Budget Act of 2018 and excludes from the AKS definition of “remuneration” incentive payments for ACOs that operate a “CMS-approved Beneficiary Incentive Program under the Medicare Shared Savings Program.”
- Local Transportation. The Local Transportation safe harbor is modified to expand the distance limitations to residents of rural areas to 75 miles and removes the mileage limits from inpatient facilities post-discharge. The preamble provides that the safe harbor does not preclude ride-sharing services.
The Congressional Review Act
These final rules were released informally in pre-publication form on the Federal Register website on November 20, 2020. The Congressional Review Act provides that a major rule “shall take effect” 60 days after it is “published in the Federal Register.” A “major rule” has an annual effect on the economy of at least $100,000,000. The final rules list the effective date as January 19, 2021. However, the actual publication date in the Federal Register is December 2, 2020, which would mean the final rules would not become effective until after inauguration day. This is an unsettled question of law as to whether the sixty-day clock begins with informal public display or actual publication in the Federal Register. Historically, an incoming administration will issue a memorandum on inauguration day that places a hold on any regulation that has not been finalized.
Stay tuned to the Health Law Pulse blog and our webinar series for our insights into these significant final rules and their implications for your organization.
8.5.5