Ungaretti & Harris LLP

Publications: Electronic Health Records: Legal Perils with Stark and Anti-Kickback Laws

06/13/10

I. Introduction

Research indicates that replacing more traditional paper-based medical record systems with electronic health record ("EHR") systems can lead to considerable health care savings, reduction of medical errors, and an overall improvement in the health of a population.1 Recognizing these benefits, the federal government and numerous healthcare advocates are promoting health information technology as a partial solution to the cost conundrum currently facing the healthcare industry.2 Accordingly, physicians are looking for ways to access capital necessary to implement EHR systems, which ironically is a rather costly endeavor. Recognizing the mutual benefit of implementing EHR systems, larger organizations with sufficient access to capital (such as hospitals and health systems) are considering subsidizing the adoption of physician EHR systems for physicians who are not directly employed by the organization.

Federal regulations, however, pose significant hurdles to these sorts of subsidies. Many hospitals and health systems are 501(c)(3) tax exempt organizations—a designation that comes with certain strings attached. Additionally, federal regulators are always skeptical of any benefit provided by hospitals and health systems to their referral-source physicians. Failure to comply with laws governing financial relationships between such parties could result in the imposition of significant civil, and in some cases criminal, penalties.

This article provides an overview of the legal requirements and other guidance governing a hospital's subsidy of EHR software and services to non-employed physicians. Specifically, this article clarifies the regulatory requirements promulgated under the Stark Law and the Anti-kickback Statute as well as the Internal Revenue Service ("IRS") guidance on this issue. It also discusses what provider organizations can and cannot provide to physicians within the scope of existing guidance and regulations. Finally, this article briefly discusses the implications of the primary federal patient privacy law, the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and related state patient confidentiality rules, on data sharing.

II. Legal Requirements and Guidance

A. The Stark Law Exception

The Stark Law prohibits physicians from referring Medicare patients to any entity (such as a hospital) with which the physician (or his/her immediate family member) has a financial relationship, for the provision of certain designated health services (including all hospital inpatient and outpatient services), unless an exception under the law applies to that particular type of relationship.3 The Stark Law also prohibits any entity from billing for any of the designated health services provided pursuant to a prohibited referral. In simpler terms this means that whenever a physician gets any payment or benefit from a hospital and such physician refers Medicare patients to that hospital, the arrangement must meet one of a number of specific exceptions under the Stark Law. If it does not, and the physician refers a Medicare patient, both the physician and hospital are at risk of penalties under the Stark Law and related statutes governing such relationships.

An exception to the Stark Law states that software or information technology and training services that are necessary and used predominantly to create, maintain, transmit or receive EHRs do not constitute a "financial relationship" for Stark Law purposes if the following (very detailed) requirements are met:4

  1. The items and services are provided by a hospital to a physician;
  2. The software is interoperable at the time it is provided to the physician. The Stark regulations define "interoperable" as "able to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks, in various settings; and exchange data such that the clinical or operational purpose and meaning of the data are preserved and unaltered."5 Software is deemed to be interoperable if a certifying body that is recognized by the Secretary of the U.S. Department of Health and Human Services ("HHS") has certified the software no more than twelve (12) months prior to the date on which the software is provided to the physician;
  3. The hospital (or a person acting on the hospital's behalf) must not take any action to limit or restrict the use, compatibility or interoperability of the items or services with other electronic prescribing or EHR systems;
  4. Before receiving the software and services, the physician pays the hospital at least fifteen percent (15%) of the hospital's cost for the software and services;
  5. The hospital may not finance the physician's payment, nor may the hospital loan funds to the physician to pay for the EHR software and services;
  6. Neither the physician nor his practice may make receipt of the software and services, or the amount or nature of the software and services, a condition of doing business with the hospital;
  7. The hospital may not take into account the volume or value of referrals or other business generated between the hospital and the physician when determining the physician's eligibility for the subsidized software and services or the amount or nature of the software and services. The determination will not be viewed as taking into account the volume or value of referrals or business if it is based on:
    a. The number of prescriptions written by the physician;
    b. The size of the physician's practice;
    c. The total number of hours the physician practices medicine;
    d. The physician's overall use of technology in his or her practice;
    e. Whether the physician is a member of the hospital's medical staff;
    f. The level of uncompensated care provided by the physician; or
    g. Another reasonable and verifiable justification;
  8. The subsidy arrangement must be set forth in a signed written agreement which specifies:
    a. The software and services being provided;
    b. The hospital's cost for the software and services; and
    c. The amount of the physician's contribution;
  9. The agreement must cover all EHR software and services provided by the hospital; 
  10. The hospital must not have actual knowledge of, and must not act in reckless disregard or deliberate ignorance of, the fact that the physician has EHR software or services equivalent to those provided by the hospital;
  11. The hospital does not restrict or take action to limit the physician's right or ability to use the software or services for any patient;
  12. The software and services must not include staffing of physician offices and must not be used primarily to conduct personal business or business unrelated to the physician's medical practice;
  13. The EHR software must contain electronic prescribing capability (or the ability to interface with a physician's existing e-prescribing system) that meets the applicable standards under Medicare Part D as of the time the software and services are provided;
  14. The arrangement does not violate the Anti-kickback Statute or any federal or state law or regulation that governs billing or claims submission; and
  15. The transfer of the software or services occurs and all conditions of the Stark Law exception are satisfied on or before December 31, 2013.

The Centers for Medicare and Medicaid Services ("CMS") also issued a related advisory opinion which concluded that a hospital's payment for the development of customized software that would allow the hospital's EHR system to communicate with the EHR systems of physicians on its medical staff (and the purchase of licenses to authorize use of the same) does not constitute a compensation arrangement under the Stark Law (i.e., it was "excepted" from the statute).6 The interfaces at issue would be limited to allowing the physicians to order and communicate about lab tests and procedures furnished by the hospital. The hospital stated that the interfaces could not be applied or altered to perform other functions and could not be resold, transferred or assigned by the recipient physicians. Please note that this advisory opinion is specific to the facts and parties presented. Absent an individual opinion or compliance with the EHR exception noted above, these types of arrangements could be problematic under the Stark Law.

B. The Anti-kickback Statute Safe Harbor

The Anti-kickback Statute prohibits the offer, payment, solicitation or receipt of any remuneration, directly or indirectly, overtly or covertly, in cash or in kind, to induce or in exchange for (i) the referral of patients covered by a federal health care program, or (ii) the leasing, purchasing, ordering or arranging for or recommending the lease, purchase or order of any item, good, facility or service covered by a federal health care program.7 In simpler terms, it is illegal to pay, in any manner, for referrals.

The Anti-kickback Statute regulations contain a number of safe harbors which expressly protect certain arrangements. However, unlike application of exceptions under the Stark Law, failure to comply with an Anti-kickback safe harbor does not mean an arrangement is illegal.8 Rather, an arrangement is generally safe from scrutiny by the Office of Inspector General if it fits within a safe harbor. Similar to the Stark Law EHR subsidy exception, there is a safe harbor to the Anti-kickback Statute protecting EHR subsidy arrangements that meet certain requirements. The safe harbor requirements essentially mirror the requirements of the Stark Law exception, with two main differences. The Anti-kickback safe harbor specifies that it applies only to hospitals that participate in federal health care plans such as Medicare.9 The safe harbor also provides that the hospital may not shift the cost of the software and services to any federal health care program (e.g., attempt to bill the government in some way).10

C. Internal Revenue Service Guidance

The IRS precludes organizations that are exempt from Federal income tax—otherwise known as § 501(c)(3) organizations—from providing impermissible private benefit to others, including physicians.11 This means that a tax-exempt hospital must ensure that it operates primarily for one or more charitable purposes and that any private benefit it confers (such as subsidized EHR for private practice physicians) is an incidental benefit that, on balance, is appropriate in that it is reasonable and also confers some benefit to the community.

Given the importance of EHR to the broader community, this is an area that the IRS has specifically addressed for exempt hospitals. It has promulgated a "safe harbor" outlining a permissible way for tax-exempt hospitals to provide physicians with subsidized EHR software and services. As with the Anti-kickback Statute safe harbor, tax-exempt hospitals will not automatically fall out of compliance with IRS regulations if the subsidy arrangement does not fall within these parameters. However, compliance with this guidance assures a hospital that its EHR subsidy will not be deemed to generate impermissible private benefit or inurement.

The IRS guidance states that it will not treat the EHR subsidies as impermissible private benefit or inurement if the arrangement complies with the Stark Law exception and the Anti-kickback Statute safe harbor and meets the following additional requirements:

  1. The EHR subsidy arrangement is between a hospital and its medical staff physicians;
  2. The arrangement requires both the hospital and the physicians to comply with the Stark Law exception and the Anti-kickback safe harbor on a continuing basis;
  3. The arrangement provides that, to the extent permitted by law, the hospital may access all of the EHRs created by a physician using the subsidized software;
  4. The hospital ensures that the software and services are available to all its medical staff physicians; and
  5. The hospital either provides the same level of subsidy to all of its medical staff physicians or varies the level of subsidy based on criteria related to meeting the health care needs of the community.12

In frequently asked questions released to further clarify its guidance, the IRS expands on the requirement that the donor hospital be allowed to access the physician's EHRs created with the software. The IRS states that the physician may prevent the hospital from accessing EHRs when federal or state law would be violated or if the access would violate the physician's contractual obligations to patients. The IRS also states that the hospital and the physician may agree to reasonable conditions on the hospital's ability to access these EHRs (such as allowing access only when the patient is a patient of the hospital or denying access to portions dealing with billing, insurance or referral information). The IRS also clarifies that the hospital is not required to make the subsidized EHR software and services available to all of its medical staff physicians at the same time, but that it may provide access at different times according to criteria related to meeting the health care needs of the community. The IRS states that the hospital should have an established plan for providing physician access to the subsidized software and services.13

III. Practical Considerations for EHR Subsidy

A. What Hospitals May Subsidize

  1. A hospital may subsidize EHR software, as well as access to EHR software, licensing, and information technology necessary and used predominately to create, maintain, transmit, or receive EHRs.
  2. A hospital may also subsidize EHR services, including installation of the EHR software, configuration and testing of the EHR software, training on the EHR software, and maintenance and support of the EHR software.
  3. A hospital may subsidize upgrades to a physician's existing EHR software as long as the upgrades enhance the functionality of the EHR software or make it more user friendly. A hospital can also subsidize related information technology and services that correspond to the allowable upgrade, such as maintenance, support and/or training.
  4. A hospital may cap or limit the subsidy on EHR services (such as limiting the subsidy on maintenance costs to a specified dollar amount).

B. What Hospitals May Not Subsidize

  1. A hospital may not subsidize the cost of hardware.
  2. A hospital may not subsidize the staffing of physician offices (such as the cost of staff necessary to input data into EHRs).
  3. A hospital may not subsidize EHR software/services beyond December 31, 2013 (barring a change in the existing regulations).
  4. If a physician has EHR software (comparable to that being subsidized by a hospital) that he or she no longer wishes to use, the physician may replace this software by purchasing EHR software from the hospital at fair market value. The hospital may not subsidize in any way this software or any related items or services.

C. Recipients of Subsidized Software/Services

  1. A hospital may provide subsidized EHR software and services to physicians or physician groups.
  2. To fall within the IRS safe harbor, we recommend that a hospital offer the subsidized software/services to all physicians on the medical staffs of a given hospital or hospital system.

D. Limitations on Subsidized Software/Services14

  1. Subsidized software must be used predominantly to create, maintain, transmit or receive EHRs.
  2. Subsidized software/services must not be used primarily to conduct personal business or business unrelated to the physician's medical practice.
  3. Subsidized software must contain electronic prescribing capability or must be able to interface with a physician's existing e-prescribing system.
  4. Neither the hospital nor the physician may condition the subsidized software/services on doing business with the hospital.
  5. The hospital may not take into account the physician's volume or value of referrals to the hospital when determining the subsidy and the physician's eligibility for the same.
  6. A hospital cannot limit or restrict the use, compatibility, or interoperability of the software with other EHR or e-prescribing systems and may not restrict the physician's ability to use the software for any patient.
  7. Any subsidized software must be deemed to be interoperable no more than 12 months prior to the date of provision of the software (as further described in Section II(A)).

E. Subsidy Levels, Payment and Funding

  1. The hospital may subsidize the software/services up to 85% of the cost to the hospital. Recipient physicians must pay at least 15% of the cost of the subsidized software/services prior to receiving the software/services.
  2. A hospital may subsidize less than 85% of the cost of the software/services. We recommend that the hospital offer the same level of subsidy to all of its medical staff physicians (unless the hospital chooses to vary the level of subsidy by applying criteria designed to meet the healthcare needs of the community, such as by providing an 85% subsidy to physicians who treat a high number of Medicaid patients and a 70% subsidy to other medical staff physicians).
  3. A hospital has the option to provide access to the subsidy to different physicians at different times, so long as this plan is based on criteria related to meeting the healthcare needs of the community (for example, a hospital can roll out the subsidized EHR software/services first to primary care physician groups that treat large numbers of patients in the hospital's communities before providing the subsidized software/services to a small cardiology practice).
  4. A hospital may not finance the non-subsidized cost of the EHR software/services and may not loan funds to the physician for the purchase of the software/services.
  5. A hospital may not shift the cost of the software/services to any federal health care program.

F. Suggested Items to Include in EHR Subsidy Agreement

  1. We recommend including a provision that the hospital is allowed to access, to the extent permitted by law, all of the EHRs created by a physician using the subsidized EHR software.
  2. We recommend that the contract state that the hospital and the physician will comply with the Anti-kickback Statute safe harbor and Stark Law exception related to EHR software and services on a continuing basis.
  3. The agreement must specify the hospital's cost for the EHR software/services.
  4. It also must specify the amount the physician is paying toward the purchase of the software/services.
  5. We recommend including a provision stating that the hospital has no knowledge of, and has not acted in reckless disregard or deliberate ignorance of, the fact that the physician has equivalent EHR software or services.
  6. The agreement should specify that all subsidies will end on or before December 31, 2013.

G. Payment for Interface

  1. A hospital may pay for an interface to allow a physician's existing EHR system to communicate with the hospital's EHR system when the interface is limited to allowing the physicians to communicate about and order lab tests and other procedures furnished by the hospital. This interface must not be provided with the intent to induce referrals.
  2. If a hospital purchases such an interface, we recommend that the hospital make the interface available to all of its medical staff physicians.

IV. Data Sharing & HIPAA

EHRs truly facilitate the sharing and exchange of medical information, and providers will face increasing pressures to share data as reimbursement mechanisms shift toward cost and quality accountability, measured through data comparatives. Any data sharing, however, must comply with state and federal patient confidentiality rules. For example, HIPAA and the corresponding Standards for Privacy of Individually Identifiable Health Information regulations and the Security Standards for Protection of Electronic Protected Health Information prescribe very specific protections governing medical records and personal health information.15 State laws governing patient records are sometimes even more restrictive. As a general rule, only those involved in treatment should have access to medical records, subject to specific exceptions with appropriate safeguards in place. Moreover, HIPAA has very particular security requirements that must be part of any EHR system (such as data encryption requirements).

For example, data sharing is appropriate with certain third party vendors, like billing companies, so long as there is a Business Associate Agreement in place between the Covered Entity (treatment provider) and the Business Associate (vendor/billing company), whereby the vendor agrees to a number of safeguards and stipulations in connection with its receipt of such information.16 Outside of these Business Associate relationships, HIPAA regulations require Covered Entities (treatment providers) to obtain written permission from patients before sharing or disclosing their health information in most circumstances.17 For those few situations in which permission to disclose information is not required, there are varying requirements regarding de-identification depending on the purpose of the disclosures.18 While detail on this is beyond the scope of this article, it is important to understand that EHR implicates HIPAA and related state rules and regulations. Providers need to make sure that their EHR systems, and the way they handle information, comply with these rules and regulations.

V. Next Steps

In the event that a hospital and its physicians decide to move forward with an EHR initiative as outlined herein, the parties should seek legal guidance from an experienced healthcare law practice in order to properly structure and document this initiative. This will protect the parties under applicable rules and regulations. Firms that have done this for a number of hospitals will have all core agreements and other documents—with the requisite safeguards to meet Stark, Anti-Kickback and IRS provisions—ready to tailor for a new EHR initiative, and they will be well-prepared to walk the parties through the various complexities.

 

 

__________________________

1 Richard Hillestad et al., Can Electronic Medical Records Systems Transform Health Care? Potential Benefits, Savings, and Costs, 24 Health Affairs 1103, 1103 (Project HOPE-The People to People Health Foundation, Inc., 2005).
2 See THE LEWIN GROUP, HEALTH INFORMATION TECHNOLOGY LEADERSHIP PANEL FINAL REPORT 3 (2005) (categorizing the implementation of health information technology as a “high priority” for health care).
3 42 U.S.C. § 1395nn et seq. (this prohibition applies to all designated health services rendered after December 31, 1994).
4 42 C.F.R. § 411.357(w).
5 42 C.F.R. § 411.351.
6 CMS Advisory Opinion 2008-01.
7 42 U.S.C. § 1320a-7b(b)(1).
8 42 C.F.R. § 1001.952.
9 42 C.F.R. § 1001.952(y)(1)(i).
10 42 C.F.R. § 1001.952(y)(12).
11 Income Tax Regulations § 1.501(c)(3)-1(c)(1).
12 Internal Revenue Service Memorandum, Hospitals Providing Financial Assistance to Staff Physicians Involving Electronic Health Records, May 11, 2007, available at http://www.irs.gov/pub/irs-tege/ehrdirective.pdf.
13 Internal Revenue Service, Q&A on Hospitals' Health IT Subsidy Arrangements with Medical Staff Physicians, available at http://www.irs.gov/pub/irs-tege/ehr_qa_062007.pdf.
14 Please note that these limitations also apply to any software upgrades that a hospital may provide, as discussed in Section III(A).
15 Pub. L. No. 104-191 (August 21, 1996); 45 C.F.R. §§ 160, 162, 164 (2009).
16 Under HIPAA, a Covered Entity means 1) a health plan; 2) a health care clearinghouse; or 3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. 45 C.F.R. § 160.103 (2009). The term Business Associate is also defined in the regulations and is generally understood to contemplate any organization that does business with a Covered Entity that involves the disclosure of individually identifiable health information from the Covered Entity. See id.
17 45 C.F.R. § 164.502 (2009).
18 45 C.F.R. § 164.506-514 (2009).