Client Advisory: Coordinated Proposals of the CMS and OIG Proposed Rules to Amend the Stark, Anti-Kickback, and Civil Monetary Penalty Laws

The Centers for Medicare & Medicaid Services (“CMS”) published a proposed rule on October 17, 2019 that would amend and provide new exceptions for certain value-based compensation arrangements under the physician self-referral law or Stark law (“Stark”). The Office of the Inspector General (“OIG”) of the Department of Health and Human Services (“HHS”) published a complementary proposed rule on the same day that would add coordinated care and value-based arrangements safe harbors to the Anti-Kickback Statute (“AKS”) and add additional protections to the Civil Monetary Penalty (“CMP”) Law. This client advisory summarizes the regulatory framework and the coordinated proposals shared by these two proposed rules. Additional client advisories detailing the unique provisions of each of these rules will follow.

Regulatory Framework

At the time Stark, the AKS, and the CMP Rules were initially enacted, Federal health care programs paid for the vast majority of services under traditional fee-for-service rules; namely, providers were compensated based on the volume of services provided. These laws were intended to combat the incentives physicians and other providers had under a volume-based compensation model to refer or provide care services that a patient did not need because, the more services provided to the patient, the more payments a Federal health care program would make to the physician or provider that furnished the performed services. The proponents of these laws were concerned that the volume-based compensation model would have an adverse effect on the medical decision-making of physicians and providers.

As Federal health care programs transition to a value-based compensation system that tries to pay for health and outcomes, HHS has striven to remove regulatory barriers to care coordination and value-based care from regulations such as Stark and the AKS. HHS intends these proposed changes to alleviate the burden that Stark, the AKS, and CMP laws place on parties that participate in novel and alternative payment models, and dismantle regulatory barriers to care coordination and value-based models. HHS is concerned that these laws discourage providers, suppliers, and physicians from entering into innovative arrangements that would improve care quality outcomes, increase health system efficiencies, and lower health care costs.

Value-Based Payment Arrangements

Both proposed rules provide exceptions and safe harbors for value-based payment arrangements if they meet certain conditions. The CMS rule provides exceptions to the Stark Law for compensation arrangements, while the OIG rule adds safe harbors to the AKS for care coordination and management arrangements. The bona fide employee exception to the Stark rule would not apply to the value-based arrangement exceptions because the value-based arrangement exceptions do not include a consideration of the volume or value of referrals.

The new rules would define a value-based arrangement as “an arrangement for the provision of at least one value-based activity for a target patient population between or among: (1) the value-based enterprise and one or more of its VBE participants; or (2) VBE participants in the same value-based enterprise.[1]” A target patient population is an identified patient population selected based on legitimate and verifiable criteria set out in writing. Proper legitimate and verifiable criteria can be a variety of characteristics that define a patient group, for example medical or health characteristics (such as recent diagnoses or procedures), geographic characteristics (such as zip code or county), or payor status (such as patients with a particular plan or payor), or other defining characteristics. The proposed definition for value-based activity would specifically exclude the making of a referral.[2]

CMS is proposing to except the following value-based arrangements from the Stark Law:

  • Full Financial Risk Arrangements. These require “full financial risk” for the cost of all patient care items and services covered by the applicable payor for a specified period of time and must remain at full financial risk for the entire duration the parties seek this protection after a six-month grace, start-up period.
  • Meaningful Downside Risk to the Physician Arrangements. These require the renumeration to be paid to or from the physician but the physician must remain at meaningful downside financial risk for the entire term of the value-based arrangement. “Meaningful downside financial risk” would mean that the physician “is responsible to pay the entity no less than 25 percent of the value of the renumeration the physician receives under the value-based arrangement.”
  • Any value-based arrangement that the renumeration is for, or results from, Value-Based Activities for a Targeted Patient Population. Renumeration cannot be an inducement to reduce or limit medically necessary items or services to patients in the target patient population or conditioned on referrals of patients not in the target patient population. Methodology to calculate the renumeration must be in writing and set in advance.

OIG is proposing three related new safe harbors to the AKS covering management and care coordination arrangements:

  • Value-based arrangements with “full financial risk” (this mirrors the similar exception CMS proposes to the Stark Law).
  • Value-based arrangements with “substantial downside financial risk.” OIG proposes four separate requirements for what would constitute “substantial downside financial risk.”
  • Care coordination arrangements of in-kind renumeration to improve quality, health outcomes, and efficiency. Such value-based arrangements would be required to be commercially reasonable and would need to establish one or more evidence-based outcome measures against which the recipient of the renumeration would be measured.

To qualify for any of these proposed exceptions or safe harbors, an arrangement would be required to meet further technical requirements such as being a signed writing.

Both agencies are considering excluding certain providers, suppliers, and persons such as laboratories; DMEPOS suppliers, manufacturers, and distributors; pharmaceutical manufacturers; pharmacy benefit managers; wholesalers; and distributers from the definition of a value-based enterprise participant. Additionally, OIG is considering excluding pharmacies from its definition of value-based enterprise participants. This is based on the historical enforcement experience and activity of the two agencies, as well as the agencies’ belief that these entities would be particularly situated to abuse the new exceptions and safe harbors.

Electronic Health Records[3] (“EHR”) and Cybersecurity Exception and Safe Harbor

The Stark and Anti-Kickback rules require that all software donated under the EHR exception be “interoperable.”[4] CMS and OIG are now clarifying that the software must be certified, under the applicable certification requirements, on the day the software is donated. All changes to the certification requirements and the definition of interoperable would only apply prospectively, so if the software met the requirements of the EHR exception at the time it was donated, the donation would not lose its protected status. The donor would be prohibited, by the proposed rules, from engaging in any practice that constitutes information blocking in connection with the donated item or service after the donation. Additionally, originally set to expire on December 31, 2021, CMS proposes eliminating or extending the sunset provision of this exception.

Currently, the EHR rules require a physician to pay 15% of the donor’s cost of any EHR technology donated to the physician. CMS and OIG are considering changing this provision of the EHR exception. First, they are considering not amending it as part of the final rule. Second, they are considering eliminating or reducing the contribution percentage required for “small or rural physician organizations,” and how to define “small or rural physician organizations.” Third, they are considering reducing or eliminating the 15% contribution requirement in all contexts. Finally, they are considering retaining the 15% rule but modifying or eliminating the requirement for updates to previously donated EHR software.


CMS and OIG are proposing exceptions and safe harbors related to cybersecurity.[5] A coordinated exception and safe harbor would protect the donation of cybersecurity technology and related services including software and other types of IT, but not hardware. Cybersecurity technology and services donation protections would be broader and have fewer requirements than the general EHR exception. A donation of cybersecurity technology or services would only need to comply with the requirements of either the EHR exception or the proposed cybersecurity exception.

Donors cannot condition the cybersecurity donation on referrals from the recipient; namely, a donor cannot require that the recipient refer or recommend the donor’s business as a condition of the cybersecurity donation. Additionally, a recipient may not make the receipt of a cybersecurity donation a condition of continuing to do business with the potential donor.


With these changes, HHS wants health care providers to be freely able to enter into innovative health care arrangements that drive the value-based compensation model and promote care coordination. HHS believes that these proposed rules would tear down in-place regulatory barriers to these stated objectives. However, in practice, these proposed rules would add further regulation to an already over-saturated area of federal regulation. Instead of simplifying this area of governance, HHS has added another layer of regulation that providers will need to master and understand to ensure that all of their arrangements are in full compliance. Providers will need to review both eventual final rules, and all of their contracts and arrangements, to ensure they remain in full compliance.

Should you or your practice have any questions or concerns about the proposed rules please contact Peter Mellette, Harrison Gibbs, Elizabeth Dahl Coleman, or Scott Daisley at Mellette PC.

The full text of CMS’s proposed rule to amend the Stark law is available here and the OIG proposed rule to amend the AKS and CMP laws is available here.

This client advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.

[1] Value-based enterprise is proposed to mean “two or more VBE participants: (1) Collaborating to achieve at least one value-based purpose; (2) each of which is a party to the value-based arrangement with the other or at least one other VBE participant in the value-based enterprise; (3) that have an accountable body or person responsible for financial and operational oversight of the value-based enterprise; and (4) that have a governing document that describes the value-based enterprise and how the VBE participants intend to achieve its value-based purpose.

[2] The proposed rules would define value-based activity as “any of the following activities, provided that the activity is reasonably designed to achieve at least one value-based purpose of the value-based enterprise: (1) The provision of an item or service; (2) the taking of an action; or (3) the refraining from taking an action. The making of a referral is not a value-based activity.”

[3] CMS and OIG are proposing to amend the definition of EHR to mean “a repository that includes electronic health information that: (A) is transmitted by or maintained in electronic media; and (B) relates to the past, present, or future health or condition of an individual or the provision of health care to an individual.”

[4] CMS is proposing to define interoperable to mean “(i) able to securely exchange data with and use data from other health information technology without special effort on the part of the user; (ii) allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (iii) does not constitute information blocking as defined in section 3022 of the PHSA.” OIG is proposing a nearly identical definition.

[5] CMS is proposing to define cybersecurity as “the process of protecting information by preventing, detecting, and responding to cyberattacks.”

Categories: Uncategorized