COVID-19 Latest Updates and Resources

Proposed Changes to Stark Law & Anti-Kickback Statute Ease Burden of Value-Based Care Arrangements

By: Sam Cohen
4 Minute Read

Last month, the Centers for Medicare & Medicaid Services (CMS) and the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) announced new proposed rules that modernize and clarify the regulations associated with the Stark Law and Anti-Kickback Statute (AKS).

The proposed revisions are intended to promote the adoption of value-based care arrangements by easing the burden of compliance on participating providers.

What Issues Do These Proposed Changes Aim to Address?

The Stark Law and the AKS are concerned with how financial incentives can motivate physicians to make improper referrals, including referrals that lead to unnecessary overutilization of healthcare services. However, the financial incentives that apply to fee-for-service payment models are distinct from those that apply to capitated and value-based payment arrangements.

The proposed changes to the Stark Law and AKS address these differences by adding specific exceptions and safe harbors for financial relationships related to value-based care arrangements and cybersecurity concerns that don’t fall under existing protections.

Promoting Value-Based Arrangements

CMS and OIG each proposed three new exceptions and safe harbors that are designed to protect arrangements involving a “value-based enterprise” (VBE). Broadly speaking, VBEs are network arrangements where the participants have agreed to collaborate for value-based purposes. As defined by the proposed rule, a VBE participant is an individual or entity that engages in at least one value-based activity as part of a VBE. VBE participants may include, but are not limited to hospitals, physician practices, payers, or social services organizations.

These proposed exceptions and safe harbors aim to reduce the number of requirements for VBE participants who assume greater financial risk, with the number of conditions and requirements generally decreasing as VBE participants take on more financial risk. Following this model, arrangements will fall into one of three categories:

  1. VBEs participating in an arrangement that does not require assumption of financial risk must meet the largest number of safeguards to obtain protection.
  2. VBEs assuming substantial downside financial risk face slightly fewer regulatory requirements to obtain protection.
  3. VBEs taking on full financial risk must comply with the least onerous requirements to obtain protection.

Despite following a similar general structure, the exceptions and safe harbors contain distinct requirements that are designed to protect different types of financial relationships. All of the proposed exceptions and safe harbors include a number of specific provisions that are required regardless of assumed financial risk, and it is likely that many VBEs and VBE participants will not qualify for protection.

Both CMS and OIG proposed to exclude certain healthcare entities from the definition of VBE participant, including laboratories; pharmaceutical manufacturers; pharmacy benefit managers; wholesalers; distributors; and manufacturers, distributors, or suppliers of durable medical equipment, prosthetics, orthotics, or supplies.

The proposed rule requests comment from the community on whether these and other healthcare entities should, in fact, be excluded.

Addressing Cybersecurity Technology and Electronic Health Records Concerns

CMS and OIG have each proposed a new exception and safe harbor to protect the donation of cybersecurity technology and related services. These protections will extend to software and other types of IT services but will exclude hardware.

In the past, some healthcare entities have cited potential cybersecurity concerns as a reason for not connecting their systems to other providers. By allowing the donation of cybersecurity technology, CMS and OIG aim to overcome this fear and promote the adoption of the interoperable healthcare IT systems that are needed to fully implement value-based care arrangements.

Examples of covered technology include malware prevention software, data protection and encryption, cybersecurity training services, and cybersecurity risk assessments.

The exception and safe harbor contain generally similar requirements, but they are not identical. CMS and OIG are also considering exception and safe harbor proposals that would complement this cybersecurity proposal by covering the donation of cybersecurity-related hardware. The proposed rule specifically solicits comments on these proposals.

Furthermore, CMS and OIG have also proposed modifying the existing Electronic Health Record (EHR) exception and safe harbor to further promote interoperability. Proposed revisions clarify that the exception and safe harbor permit an entity donating an EHR to also donate cybersecurity technology as part of the donation.

In addition to the proposed revisions described above, CMS has proposed adding or revising definitions and providing additional guidance for key Stark Law concepts, including fair market value, commercially reasonable, volume or value, and other business-generated standards. OIG is also proposing revisions to some existing safe harbors, including those related to personal services and management contracts to make it easier to satisfy requirements.

The full text of the Stark Law proposed rule is available here. A fact sheet from CMS discussing the rule is available here.

The full text of the AKS proposed rule is available here. A fact sheet from OIG on the proposed rule is available here.

Comments on the proposed rules can be submitted until December 31, 2019.

What Do These Changes Mean for Physician Practices?

Physician practices face substantial uncertainty under the Stark Law and the federal AKS when entering into innovative value-based arrangements, and the proposed changes offer potential safe avenues for practices to explore these new financial strategies. However, given the numerous requirements that must be met for relevant exceptions and safe harbors, many value-based arrangements will not be covered. Furthermore, those that are covered at the onset will need to be monitored closely to make sure they do not fall out of compliance.

The proposals to protect the donation of cybersecurity technology provide a potential avenue for under-resourced physician practices to update their cybersecurity. These proposals will be even more beneficial if CMS and OIG expand the changes to include the donation of cybersecurity-related hardware.

Currently, it’s not clear how many entities will be interested in donating cybersecurity technology to physician practices. Practices should also carefully consider whether relying on a third-party to meet their cybersecurity technology needs is a sustainable, long-term business strategy.

We encourage physicians and their practices to continue to check Curi’s News & Knowledge content for updates on these proposed changes and other potential future changes to the federal fraud and abuse laws.

Members with specific questions can reach out for additional assistance by emailing

Sam Cohen
Sam Cohen is Curi’s Senior Vice President of Health Policy. Curi members may contact him directly at and 919.878.7602. Readers also can follow him on Twitter @samuel_c_cohen.
News & Knowledge