Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements

A Rule by the Health and Human Services Department on 12/02/2020 originally published in Federal Register.

AGENCY:

Office of Inspector General (OIG), Department of Health and Human Services (HHS).

ACTION:

Final rule.

SUMMARY:

This final rule amends the safe harbors to the Federal anti-kickback statute by adding new safe harbors and modifying existing safe harbors that protect certain payment practices and business arrangements from sanctions under the anti-kickback statute. This rule is issued in conjunction with the Department of Health and Human Services’ (HHS’s) Regulatory Sprint to Coordinated Care and focuses on care coordination and value-based care. This rule also amends the civil monetary penalty (CMP) rules by codifying a revision to the definition of “remuneration” added by the Bipartisan Budget Act of 2018 (Budget Act of 2018).

DATES:

These regulations are effective January 19, 2021.

FOR FURTHER INFORMATION CONTACT:

Stewart Kameen or Samantha Flanzer, Office of Counsel to the Inspector General, (202) 619-0335.

SUPPLEMENTARY INFORMATION:

Social Security Act citation	United States Code citation
1128B, 1128D, 1102, 1128A	42 U.S.C. 1320a-7b, 42 U.S.C. 1320a-7d, 42 U.S.C. 1302, 42 U.S.C. 1320a-7a.

I. Executive Summary

A. Purpose of the Regulatory Action

The Secretary of HHS (the Secretary) has identified transforming the U.S. health care system to one that pays for value as a top priority. Unlike the traditional fee-for-service (FFS) payment system, which rewards providers for the volume of care delivered, a value-driven health care system is one that pays for health and outcomes. Delivering better value from the health care system will require the transformation of established practices and enhanced collaboration among providers and other individuals and entities. The purpose of this rulemaking is to finalize modifications to existing safe harbors to the Federal anti-kickback statute and finalize the addition of new safe harbors and a new exception to the civil monetary penalty provision prohibiting inducements to beneficiaries, “Beneficiary Inducements CMP,” to remove potential barriers to more effective coordination and management of patient care and delivery of value-based care.

The Department launched the Regulatory Sprint with the express purpose of removing potential regulatory barriers to care coordination and value-based care created by certain key health care laws and associated regulations, including the Federal anti-kickback statute and Beneficiary Inducements CMP.^[1] Through the Regulatory Sprint, HHS aims to encourage and improve patients’ experience of care, providers’ coordination of care, and information sharing to facilitate efficient care and preserve and protect patients’ access to data.

The Federal anti-kickback statute is an intent-based, criminal statute that prohibits intentional payments, whether monetary or in-kind, in exchange for referrals or other Federal health care program business. Safe harbor regulations describe various payment and business practices that, although they potentially implicate the Federal anti-kickback statute, are not treated as offenses under the statute. Compliance with a safe harbor is voluntary. The Beneficiary Inducements CMP is a civil, administrative statute that prohibits knowingly offering something of value to a Medicare or State health care program beneficiary to induce them to select a particular provider, practitioner, or supplier.

Stakeholders have raised concerns that these statutes have chilling effect on innovation and value-based care because arrangements in which providers and others coordinate the care of patients with other providers, share resources among themselves to facilitate better care coordination, share in the benefits of more efficient care delivery, and engage and support patients can implicate these statutes.

B. The Proposed Rule

On October 17, 2019, OIG published a notice of proposed rulemaking ^[2] (OIG Proposed Rule) to add or amend various regulatory protections under the Federal anti-kickback statute and Beneficiary Inducements CMP with the goal of proposing protections for certain value-based arrangements that would improve quality, outcomes, and efficiency. The proposals focused on arrangements to advance the coordination and management of patient care, with an aim to support innovative methods and novel arrangements, including the use of digital health technology such as remote patient monitoring and telehealth. We proposed safe harbors for value-based arrangements where the parties assume full financial risk, substantial downside financial risk, and no or lower risk. The proposed safe harbors offered more flexibility for arrangements where the parties assumed more financial risk. Consistent with OIG’s law enforcement mission and section 1128D(a)(2)(I) of the Act, the proposals included safeguards tailored to protect Federal health care programs and beneficiaries from the risks of fraud and abuse associated with kickbacks, such as overutilization and inappropriate patient steering, as well as risks associated with risk-based payment mechanisms, such as stinting on care.

The OIG Proposed Rule proposed new terminology to define the universe of value-based arrangements that could qualify for the new safe harbors, proposing to require that providers, suppliers, practitioners, and others would form value-based enterprises (VBEs) to collaborate to achieve value-based purposes, such as coordinating and managing a target patient population, improving quality of care for a target patient population, and reducing costs. VBEs could be large or small. VBEs could be formal corporate structures or looser affiliations. Under the proposed definition, VBEs would be required to have an accountable body and transparent governance. We proposed that some types of entities would not be eligible to use the value-based safe harbors because of heightened fraud risk and because the entities did not play a central, frontline role in coordinating and managing patient care.

The OIG Proposed Rule proposed to modify existing safe harbors that advance coordinated care for patients, including information sharing. OIG proposed modifications to existing safe harbors for local transportation, electronic health records arrangements, and personal services and management contracts. Further, the OIG Proposed Rule proposed new protections for outcomes-based payments, cybersecurity technology and services arrangements, remuneration in connection with CMS-sponsored models (largely supplanting the need for separate OIG fraud and abuse waivers for these models), telehealth technologies for in-home dialysis patients (statutory), and Medicare Shared Savings Program ACO beneficiary incentives (statutory). For each new safe harbor or exception, OIG proposed a set of conditions designed to ensure that the safe harbor or exception protected beneficial arrangements and reduced risks of fraud and abuse.

Taken as a whole, the OIG Proposed Rule proposed significant new flexibilities for value-based arrangements and modernization of the safe harbor regulations to account for the ongoing evolution of the health care delivery system. OIG developed its proposals in coordination with the Centers for Medicare & Medicaid Services (CMS), which concurrently issued proposed regulations in connection with the Regulatory Sprint (CMS NPRM).^[3] OIG solicited comments on the wide range of issues raised by the proposals. We received 337 timely comments, 327 of which were unique, from a broad range of stakeholders.

C. The Final Rule

We are finalizing the proposed new and modified anti-kickback statute safe harbors and exception to the Beneficiary Inducements CMP, with modifications and clarifications explained in the preamble to this rule. Stakeholder reaction was largely positive, although many commenters raised concerns and expressed preferences about specific provisions. Some commenters raised concerns about potential risks of fraud and impacts on competition.

In this final rule, we sought to strike the right balance between flexibility for beneficial innovation and better coordinated patient care with necessary safeguards to protect patients and Federal health care programs. Many beneficial arrangements do not implicate the anti-kickback statute and do not need protection. For example, the parties may be exchanging nothing of value between them or the arrangements might involve no Federal health care program patients or business. Other beneficial arrangements might implicate the statute (for example, the arrangement might involve parties that are exchanging something of value and are in a position to refer Federal health care program business between them) but will not fit in these or other available safe harbors. Arrangements are not necessarily unlawful because they do not fit in a safe harbor. Arrangements that do not fit in a safe harbor are analyzed for compliance with the Federal anti-kickback statute based on the totality of their facts and circumstances, including the intent of the parties. Some care coordination and value-based arrangements can be structured to fit in existing safe harbors.

Flexibilities to engage in new business, care delivery, and digital health technology arrangements with lowered compliance risk may assist industry stakeholders in their response to and recovery from the current public health emergency resulting from the novel coronavirus disease 2019 (COVID-19) pandemic. The final rule may also help providers and others develop sustainable value-based care delivery models for the future.

1. Final Anti-Kickback Statute Safe Harbors

We are finalizing the following regulations, as explained in section III of this preamble.

Terminology and Framework. We are finalizing, with modifications, the proposed terminology that describes VBEs and VBE participants eligible to use the value-based safe harbors and the tiered framework of three value-based safe harbors that vary based on the level of risk assumed by the parties, with more flexibility associated with assumption of more risk. See section III.2.1-2 for further discussion.

Safe Harbors for Value-Based Arrangements. We are finalizing, with modifications, three new safe harbors for remuneration exchanged between or among participants in a value-based arrangement (as further defined) that fosters better coordinated and managed patient care:

(i) Care coordination arrangements to improve quality, health outcomes, and efficiency (paragraph 1001.952(ee)) without requiring the parties to assume risk;

(ii) value-based arrangements with substantial downside financial risk (paragraph 1001.952(ff)); and,

(iii) value-based arrangements with full financial risk (paragraph 1001.952(gg)).

These safe harbors address a broad range of potential value-based arrangements for care coordination activities, including use of digital health technology. We discuss each safe harbor in more detail in section III.B.3-5. The value-based safe harbors vary, among other ways, by the types of remuneration protected (in-kind or in-kind and monetary), the types of entities eligible to rely on the safe harbors, the level of financial risk assumed by the parties, and the types of safeguards included as safe harbor conditions. By design, these safe harbors offer flexibility for innovation and customization of value-based arrangements to the size, resources, needs, and goals of the parties to them. The safe harbors allow for emerging arrangements that reflect up-to-date understandings in medicine, science, and technology.

These three new safe harbors are not the exclusive, available safe harbors for care coordination or value-based arrangements. All three value-based safe harbors offer protection for in-kind remuneration, such as technology or services. However, only the safe harbors for value-based arrangements with substantial assumption of risk (paragraphs 1001.952(ff) and (gg)) protect monetary remuneration. The care coordination arrangements safe harbor at paragraph 1001.952(ee), which requires little or no assumption of risk, does not. However, parties to arrangements involving monetary remuneration, such as shared savings or performance bonus payments, may be eligible for the new protection for outcomes-based payments at paragraph 1001.952(d)(2). Parties to arrangements under CMS-sponsored models may prefer to look to the new safe harbor specifically for those models at paragraph 1001.952(ii).

As explained at section III.B.2.e below, entities ineligible to use the value-based safe harbors are: Pharmaceutical manufacturers, distributors, and wholesalers; pharmacy benefit managers (PBMs); laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices or medical supplies; entities or individuals that sell or rent durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); and medical device distributors and wholesalers. However, the care coordination arrangements safe harbor includes a separate pathway, with specific conditions, that protects digital technology arrangements (as defined at paragraph 1001.952(ee)(14)) involving manufacturers of devices or medical supplies and DMEPOS.

Patient Engagement and Support Safe Harbor. We are finalizing, with modifications, a new safe harbor (paragraph 1001.952(hh)) for patient engagement tools and supports furnished by a participant in a value-based enterprise to a patient in a target patient population (discussed in section III.B.6). This safe harbor uses the same ineligible entities list as the value-based safe harbors, above, but includes a pathway for manufacturers of devices or medical supplies to provide digital health technology.

CMS-Sponsored Models Safe Harbor. We are finalizing, with modifications, a new safe harbor (paragraph 1001.952(ii)) for CMS-sponsored model arrangements and CMS-sponsored model patient incentives that would require OIG fraud and abuse waivers. This safe harbor (discussed at section III.B.7) is intended to provide greater predictability model participants and uniformity across models. It will reduce the need for separate OIG fraud and abuse waivers for new CMS-sponsored models.

Cybersecurity Technology and Services Safe Harbor. We are finalizing, with modifications, a new safe harbor (paragraph 1001.952(jj)) for remuneration in the form of cybersecurity technology and services (discussed at section III.B.8). This safe harbor will facilitate improved cybersecurity in health care and is available to all types of individuals and entities.

Electronic Health Records Safe Harbor. We are finalizing our proposal to modify the existing safe harbor for electronic health records items and services (paragraph 1001.952(y)). We are finalizing, with modifications, changes to update and remove provisions regarding interoperability, remove the sunset provision and prohibition on donation of equivalent technology, and clarify protections for cybersecurity technology and services included in an electronic health records arrangement (discussed at section III.B.9).

Personal Services and Management Contracts and Outcomes-Based Payments. We are finalizing our proposal to modify the existing safe harbor for personal services and management contracts (paragraph 1001.952(d)(1)). We are finalizing, without modification, changes to increase flexibility for part-time or sporadic arrangements and arrangements for which aggregate compensation is not known in advance. We are also a finalizing, with modifications, new protection for outcomes-based payments (paragraph 1001.952(d)(2)). These changes are discussed at section III.B.10. The new safe harbor for outcomes-based payments protects payments tied to achieving measurable outcomes that improve patient or population health or appropriately reduce payor costs. It makes ineligible the same entities that are ineligible for the value-based safe harbors.

Warranties. We are finalizing our proposal to modify the existing safe harbor for warranties (paragraph 1001.952(g)). We are finalizing, without modification, revisions to the definition of “warranty” and to provide protection for warranties for one or more items and related services (discussed at section III.B.11). This safe harbor is available to any type of entity.

Local Transportation. We are finalizing our proposal to modify the existing safe harbor for local transportation furnished to beneficiaries (paragraph 1001.952(bb)). We are finalizing, with modifications, changes to expand mileage limits for rural areas (up to 75 miles) and eliminate mileage limits for transportation to convey patients discharged from the hospital to their place of residence (discussed at section III.B.12). We also clarify that the safe harbor is available for transportation provided through rideshare arrangements.

ACO Beneficiary Incentives. We are codifying, without modification to our proposal, the statutory exception to the definition of “remuneration” at section 1128B(b)(3)(K) of the Act related to ACO Beneficiary Incentive Programs for the Medicare Shared Savings Program (paragraph 1001.952(kk)) (discussed at section III.B.13).

2. Beneficiary Inducements CMP

The final rule amends the Beneficiary Inducements CMP regulations at 42 CFR 1003 as follows:

Telehealth Technologies for In-Home Dialysis Patients. We are codifying the statutory exception for “telehealth technologies” furnished to certain in-home dialysis patients, pursuant to section 50302(c) of the Budget Act of 2018 (discussed at section III.C.1). We are finalizing our proposal with modifications.

By operation of law, arrangements that fit in the new and modified Federal anti-kickback statute safe harbors for patient engagement and support, paragraph 1001.952(hh), and local transportation, paragraph 1001.952(bb), are also protected under the Beneficiary Inducements CMP.

II. Background

A. Purpose and Need for Regulatory Action

HHS’s Regulatory Sprint aims to remove potential regulatory barriers to care coordination and value-based care created by four key health care laws and associated regulations: (i) The physician self-referral law, (ii) the Federal anti-kickback statute, (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA),^[4] and (iv) rules under 42 CFR part 2 related to substance use disorder treatment.

Through the Regulatory Sprint, HHS aims to encourage and improve:

• A patient’s ability to understand treatment plans and make empowered decisions;
• providers’ alignment on end-to-end treatment (i.e., coordination among providers along the patient’s full care journey);
• incentives for providers to coordinate, collaborate, and provide patients tools and supports to be more involved in their own care; and
• information sharing among providers, facilities, and other stakeholders in a manner that facilitates efficient care while preserving and protecting patient access to data.

Since the enactment in 1972 of the Federal anti-kickback statute, there have been significant changes in the delivery of, and payment for, health care items and services both within the Medicare and Medicaid programs and also for non-Federal payors and patients. Such changes include modifications to traditional FFS Medicare (i.e., Medicare Parts A and B), Medicare Advantage, and States’ Medicaid programs. The Department has a longstanding commitment to aligning Medicare payment with quality of care delivered to Federal health care program beneficiaries.

The Department identified the broad reach of the Federal anti-kickback statute ^[5] and the CMP law provision prohibiting inducements to beneficiaries, the “Beneficiary Inducements CMP” ^[6] as potentially inhibiting beneficial arrangements that would advance the transition to value-based care and improve the coordination of patient care among providers and across care settings in both the Federal health care programs and commercial sectors.

B. Federal Anti-Kickback Statute and Safe Harbors

Section 1128B(b) of the Act, (42 U.S.C. 1320a-7b(b), the anti-kickback statute), provides for criminal penalties for whoever knowingly and willfully offers, pays, solicits, or receives remuneration to induce or reward the referral of business reimbursable under any of the Federal health care programs, as defined in section 1128B(f) of the Act (42 U.S.C. 1320a-7b(f)). The offense is classified as a felony and is punishable by fines of up to $100,000 and imprisonment for up to 10 years. Violations of the Federal anti-kickback statute also may result in the imposition of CMPs under section 1128A(a)(7) of the Act (42 U.S.C. 1320a-7a(a)(7)), program exclusion under section 1128(b)(7) of the Act (42 U.S.C. 1320a-7(b)(7)), and liability under the False Claims Act (31 U.S.C. 3729-33).

The types of remuneration covered specifically include, without limitation, kickbacks, bribes, and rebates, whether made directly or indirectly, overtly or covertly, in cash or in kind. In addition, prohibited conduct includes not only the payment of remuneration intended to induce or reward referrals of patients but also the payment of remuneration intended to induce or reward the purchasing, leasing, or ordering of, or arranging for or recommending the purchasing, leasing, or ordering of, any good, facility, service, or item reimbursable by any Federal health care program.

Because of the broad reach of the statute and concerns that some relatively innocuous business arrangements were covered by the statute and therefore potentially subject to criminal prosecution, Congress enacted section 14 of the Medicare and Medicaid Patient and Program Protection Act of 1987, Public Law 100-93 (note to section 1128B of the Act; 42 U.S.C. 1320a-7b). This provision specifically requires the development and promulgation of regulations, the so-called safe harbor provisions, that would specify various payment and business practices that would not be subject to sanctions under the anti-kickback statute, even though they potentially may be capable of inducing referrals of business for which payment may be made under a Federal health care program.

Section 205 of HIPAA established section 1128D of the Act (42 U.S.C. 1320a-7d), which includes criteria for modifying and establishing safe harbors. Specifically, section 1128D(a)(2) of the Act provides that, in modifying and establishing safe harbors, the Secretary may consider whether a specified payment practice may result in:

• An increase or decrease in access to health care services;
• an increase or decrease in the quality of health care services;
• an increase or decrease in patient freedom of choice among health care providers;
• an increase or decrease in competition among health care providers;
• an increase or decrease in the ability of health care facilities to provide services in medically underserved areas or to medically underserved populations;
• an increase or decrease in costs to Federal health care programs;
• an increase or decrease in the potential overutilization of health care services;
• the existence or nonexistence of any potential financial benefit to a health care professional or provider, which benefit may vary depending on whether the health care professional or provider decides to order a health care item or service or arranges for a referral of health care items or services to a particular practitioner or provider; or
• any other factors the Secretary deems appropriate in the interest of preventing fraud and abuse in Federal health care programs.

In giving the Department the authority to protect certain arrangements and payment practices under the anti-kickback statute, Congress intended the safe harbor regulations to be updated periodically to reflect changing business practices and technologies in the health care industry.^[7] Since July 29, 1991, there have been a series of final regulations published in the Federal Register establishing safe harbors in various areas.^[8] These safe harbor provisions have been developed to limit the reach of the statute somewhat by permitting certain non-abusive arrangements, while encouraging beneficial or innocuous arrangements.^[9]

Health care providers and others may voluntarily seek to comply with final safe harbors so that they have the assurance that their business practices would not be subject to any anti-kickback enforcement action. Compliance with an applicable safe harbor insulates an individual or entity from liability under the Federal anti-kickback statute and the Beneficiary Inducements CMP only; individuals and entities remain responsible for complying with all other laws, regulations, and guidance that apply to their businesses.

C. Civil Monetary Penalty Authorities

1. Overview of OIG Civil Monetary Penalty Authorities

In 1981, Congress enacted the CMP law, section 1128A of the Act, 42 U.S.C. 1320a-7a, as one of several administrative remedies to combat fraud and abuse in Medicare and Medicaid. The law authorized the Secretary to impose penalties and assessments on persons who defrauded Medicare or Medicaid or engaged in certain other wrongful conduct. The CMP law also authorized the Secretary to exclude persons from Federal health care programs (as defined in section 1128B(f) of the Act, 42 U.S.C. 1320a-7b(f)) and to direct the appropriate State agency to exclude the person from participating in any State health care programs (as defined in section 1128(h) of the Act, 42 U.S.C. 1320a-7(h)). Congress later expanded the CMP law and the scope of exclusion to apply to all Federal health care programs, but the CMP applicable to beneficiary inducements remains limited to Medicare and State health care program beneficiaries. Since 1981, Congress has created various other CMP authorities covering numerous types of fraud and abuse.

2. The Definition of “Remuneration”

Section 1128A(a)(5) of the Act, 42 U.S.C. 1320a-7a(a)(5), the “Beneficiary Inducements CMP,” provides for the imposition of civil monetary penalties against any person who offers or transfers remuneration to a Medicare or State health care program (including Medicaid) beneficiary that the benefactor knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program (including Medicaid). Section 1128A(i)(6) of the Act, 42 U.S.C. 1320a-7a(i)(6), defines “remuneration” for purposes of the Beneficiary Inducements CMP as including transfers of items or services for free or for other than fair market value. Section 1128A(i)(6) of the Act also includes a number of exceptions to the definition of “remuneration.”

Pursuant to section 1128A(i)(6)(B) of the Act, any practice permissible under the anti-kickback statute, whether through statutory exception or safe harbor regulations issued by the Secretary, is also excepted from the definition of “remuneration” for purposes of the Beneficiary Inducements CMP. However, no parallel exception exists in the anti-kickback statute. Thus, the exceptions in section 1128A(i)(6) of the Act apply only to the definition of “remuneration” applicable to section 1128A.

Relevant to this rulemaking, the Budget Act of 2018 created a new exception to the definition of “remuneration” for purposes of the Beneficiary Inducements CMP. This statutory exception applies to “telehealth technologies” provided on or after January 1, 2019, by a provider of services or a renal dialysis facility to an individual with end stage renal disease (ESRD) who is receiving home dialysis for which payment is being made under Medicare Part B.

D. Summary of the OIG Proposed Rule

On October 17, 2019, OIG published a proposed rule in the Federal Register (84 FR 55694) setting forth certain proposed amendments to the safe harbors under the anti-kickback statute and a proposed amendment to the Beneficiary Inducements CMP exceptions (the OIG Proposed Rule). With respect to the anti-kickback statute, we proposed seven new safe harbors and modifications to four existing safe harbors. Specifically, we proposed new protection for:

• A safe harbor for care coordination arrangements to improve quality, health outcomes, and efficiency (1001.952(ee));
• A safe harbor for value-based arrangements with substantial downside financial risk (1001.952(ff));
• A safe harbor for value-based arrangements with full financial risk (1001.952(gg));
• A safe harbor for arrangements for patient engagement and support to improve quality, health outcomes, and efficiency (1001.952(hh));
• A safe harbor for CMS-sponsored model arrangements and CMS-sponsored model patient incentives (1001.952(ii));
• A safe harbor for cybersecurity technology and related services (1001.952(jj)); and
• A safe harbor that would codify the statutory exception to the definition of “remuneration” at section 1128B(b)(3)(K) of the Act related to ACO Beneficiary Incentive Programs for the Medicare Shared Savings Program (1001.952(kk)).
• An exception to the Beneficiary Inducements CMP for telehealth technologies for in-home dialysis patients (1003.110).

We proposed to modify:

• The safe harbor for personal services and management contracts and outcomes-based payment arrangements (1001.952(d));
• The safe harbor for warranties (1001.952(g));
• The safe harbor for electronic health records items and services (1001.952(y)); and
• The safe harbor for local transportation (1001.952(bb)).

An overarching goal of our proposals was to develop final rules that protect low-risk, beneficial arrangements without opening the door to fraudulent or abusive conduct that increases Federal health care program costs or compromises quality of care for patients or patient choice. We solicited comments on our proposed policies to obtain the benefit of public input from affected stakeholders.

Our proposals are summarized in greater detail in section III of this preamble, organized by topic, along with summaries of the final decisions, and summaries of the related comments and our responses.

E. Summary of the Final Rulemaking

In this final rule, we modify existing as well as add new safe harbors pursuant to our authority under section 14 of the Medicare and Medicaid Patient and Program Protection Act of 1987 by specifying certain payment practices that will not be subject to prosecution under the anti-kickback statute. We intend to protect practices that pose a low risk to Federal health care programs and beneficiaries, as long as specified conditions are met. In doing so, we considered the factors cited by Congress in granting statutory authority to the Secretary under Section 1128D(a)(2) of the Social Security Act.^[10] Specifically, the new and modified safe harbors are designed to further the goals of access, quality, patient choice, appropriate utilization, and competition, while protecting against increased costs, inappropriate steering of patients, and harms associated with inappropriate incentives tied to referrals. We also codify into our regulations a statutory safe harbor for patient incentives offered by accountable care organizations (ACOs) to assigned beneficiaries under ACO Beneficiary Incentive Programs and an exception to the definition of “remuneration” in 42 CFR 1003.110 for certain telehealth technologies for in-home dialysis.

To facilitate review of the new and modified safe harbors and exception in context, we summarize the proposals and final regulations by topic in section III.B below. The following are the safe harbors and the exception that we are finalizing, together with the citation to where they appear in our regulations and a reference to the preamble section of this final rule where they are discussed in greater detail:

• Modifications to the existing safe harbor for personal services and management contracts, including outcomes-based payments, at paragraph 1001.952(d) (preamble section III.B.10);
• modifications to the existing safe harbor for warranties at paragraph 1001.952(g) (preamble section III.B.11);
• modifications to the existing safe harbor for electronic health records items and services at paragraph 1001.952(y) (preamble section III.B.9);
• modifications to the existing safe harbor for local transportation at paragraph 1001.952(bb) (preamble section III.B.12)
• a new safe harbor for care coordination arrangements to improve quality, health outcomes, and efficiency at paragraph 1001.952(ee) (preamble sections III.B.1, III.B.2, and III.B.3);
• a new safe harbor for value-based arrangements with substantial downside financial risk at paragraph 1001.952(ff) (preamble sections III.B.1, III.B.2, and III.B.4);
• a new safe harbor for value-based arrangements with full financial risk at paragraph 1001.952(gg) (preamble sections III.B.1, III.B.2, and III.B.5);
• a new safe harbor for arrangements for patient engagement and support to improve quality, health outcomes, and efficiency at paragraph 1001.952(hh) (preamble section III.B.6);
• a new safe harbor for CMS-sponsored model arrangements and CMS-sponsored model patient incentives at paragraph 1001.952(ii) (preamble section III.B.7);
• a new safe harbor for cybersecurity technology and related services at paragraph 1001.952(jj) (preamble section III.B.8);
• a new safe harbor for accountable care organization (ACO) beneficiary incentive program at paragraph 1001.952(kk) (preamble section III.B.13); and
• an exception for telehealth technologies for in-home dialysis at paragraph 1003.110 (preamble section III.C.1)

III. Summary of Final Provisions, Public Comments, and OIG Responses

A. General

OIG received 337 comments, 327 of which were unique, in response to the OIG Proposed Rule. A range of individuals and entities submitted these comments, including: Physicians and other types of clinicians, hospitals and health systems, other health care providers (e.g., post-acute providers, laboratories, durable medical equipment suppliers, and dialysis providers), accountable care organizations, pharmaceutical and medical device manufacturers, health technology entities, pharmacies, third-party payors, trade associations, law firms, and consumer and patient advocacy groups.

As a general matter, most commenters strongly supported the proposed safe harbors and the need for regulatory reform to the safe harbors and exceptions to the definition of “remuneration” under the Beneficiary Inducements CMP. While the majority of commenters recommended various revisions to the proposed safe harbors to increase regulatory flexibility, some commenters acknowledged that increased regulatory flexibility could increase the risk of harms associated with fraud and abuse and recommended revisions to add or strengthen safeguards in the safe harbor proposals. A few did not support the proposed safe harbor protections for value-based arrangements as proposed in paragraphs 1001.952(ee), (ff), (gg), primarily citing fraud and abuse risks. We have considered these comments carefully in developing the final rule, as described in more detail in responses to comments.

1. Alignment With CMS

Several of the final safe harbors intersect with the physician self-referral law exceptions that CMS is finalizing as part of the Regulatory Sprint: The three new safe harbors for value-based arrangements at paragraphs 1001.952(ee), (ff), and (gg), the new cybersecurity safe harbor at paragraph 1001.952(jj), and the modifications to the electronic records safe harbor at paragraph 1001.952(y).

Comment: We received comments asking OIG and CMS to align our final rules in connection with the Regulatory Sprint to the greatest extent possible. Some commenters believed that the CMS and OIG proposals would perpetuate a dual regulatory environment (where, e.g., an arrangement could potentially violate one law but meet the requirements for protection under the other) and that a lack of consistency would make it more challenging for entities to navigate an already-complex regulatory framework. Some commenters suggested that the OIG Proposed Rule was too narrow compared to the CMS NPRM and requested that OIG protect what they described as a broader universe of arrangements that would be protected under the CMS proposals. Another commenter asked that OIG clarify in the final rule that compliance with the physician self-referral law would rebut any implication of intent under Federal anti-kickback statute.

Response: We are mindful of reducing burden on providers and other industry stakeholders, and we have sought to align value-based terminology and safe harbor conditions with those being adopted by CMS in its physician self-referral regulations as part of the Regulatory Sprint wherever possible (CMS Final Rule).^[11] However, complete alignment is not feasible because of fundamental differences in statutory structures and sanctions across the two laws. As aforementioned, the Federal anti-kickback statute is an intent-based, criminal statute that covers all referrals of Federal health care program business (including, but not limited to, physician referrals). In contrast, the physician self-referral law is a civil, strict-liability statute that prohibits payment by CMS for a more limited set of services referred by physicians who have certain financial relationships with the entity furnishing the services. As a result, the value-based exceptions adopted by CMS do not need to contemplate the broad range of conduct that implicates the Federal anti-kickback statute.

Federal anti-kickback statute safe harbors and physician self-referral law exceptions also operate differently. Because the physician self-referral law is a strict-liability statute, when an arrangement implicates the law, compliance with an exception is the only option to avoid overpayment liability. In other words, the exceptions define the full universe of acceptable arrangements that implicate the physician self-referral law. Even minor or erroneous deviations from the specific terms of a physician self-referral law exception can result in non-compliance and, because of the statute’s strict liability, overpayments. In contrast, compliance with an anti-kickback statute safe harbor is voluntary, and there are many arrangements that do not fit in a safe harbor that are lawful under the anti-kickback statute. Deviating from a safe harbor does not mean that an arrangement violates the anti-kickback statute. For arrangements that do not fit in a safe harbor, liability is determined based on the totality of facts and circumstances, including the intent of the parties.

Because the Federal anti-kickback statute is not a strict liability law, the value-based safe harbors we are adopting need not capture the full universe of value-based arrangements that are legal under the Federal anti-kickback statute in order to accomplish the goals of removing barriers to more effective coordination and management of patient care. Thus, in designing our safe harbors, rather than mirror CMS’s exceptions, we have included safe harbor conditions designed to ensure that protected arrangements are not disguised kickback schemes. We recognize that, for purposes of those arrangements that implicate both the physician self-referral law and the Federal anti-kickback statute, the value-based safe harbors may therefore protect a narrower universe of such arrangements than CMS’s exceptions.

To protect Federal health care programs and beneficiaries, we believe that it is important for the Federal anti-kickback statute to serve as “backstop” protection against abusive arrangements that involve the exchange of remuneration intended to induce or reward referrals and that might be protected by the physician self-referral law exceptions. In this way, the OIG and CMS rules, operating together, create pathways for parties entering into value-based arrangements that are subject to both laws to develop and implement value-based arrangements that avoid strict liability for technical noncompliance, while ensuring that the Federal Government can pursue those parties engaging in arrangements that are intentional kickback schemes.

Further, many requirements of the final safe harbors and exceptions are consistent, particularly in the cybersecurity and electronic health records areas. In addition, the value-based terminology that describes the value-based enterprises and value-based arrangements that are eligible for protection under a value-based safe harbor under the anti-kickback statute or a value-based exception under the physician self-referral law are aligned in nearly all respects, except with respect to the definition of “value-based activities” and where slightly different language was required to integrate the new rules into the existing regulatory structures (points of difference are discussed later in this preamble). As a practical matter, this means that the same value-based enterprise or value-based arrangement can seek protection under both regulatory schemes, provided the relevant conditions of a safe harbor and an exception are satisfied.

In sum, because of statutory distinctions, compliance with a value-based safe harbor may require satisfaction of conditions additional to, or different from, those in a corresponding physician self-referral law exception. This is by design. We have endeavored to ensure that an arrangement that fits in a value-based safe harbor has a viable pathway for protection under a physician self-referral law exception. However, an arrangement that fits under a physician self-referral law exception might not fit in an anti-kickback statute safe harbor or might not fit unless additional features are added to the arrangement. That said, it is the Department’s belief that compliance with one regulatory structure should not preclude compliance with the other.

We disagree that compliance with the physician self-referral law rebuts any implication of intent under the Federal anti-kickback statute. Indeed, it is possible, depending on the facts and circumstances, that an arrangement may comply with an exception to the physician self-referral law but violate the Federal anti-kickback statute. The fact that a party complies with the requirements of the physician self-referral law is not evidence that the party does or does not have the intent to induce or reward referrals for purposes of the Federal anti-kickback statute. Parties may achieve compliance with an applicable exception to the physician self-referral law regardless of the intent of the parties. In addition, other differences between the physician self-referral law and Federal anti-kickback statute could lead to compliance with the physician self-referral law but not with the Federal anti-kickback statute. For example, parties may conclude that there are no “referrals,” as that term is defined for purposes of the physician self-referral law, but such assessment is inconclusive with respect to whether there are referrals, or the requisite intent to induce or reward referrals, for purposes of the Federal anti-kickback statute.

2. Comments Outside the Scope of the Rulemaking

We received some comments that were outside the scope of this rulemaking. In some cases, comments (e.g., a request to update the physician self-referral law’s in-office ancillary services exception) were outside the scope of our authority. Other comments and suggestions were outside the scope of this rulemaking but could be considered for future guidance or rulemaking. For example, some commenters urged OIG to modify existing safe harbors or develop entirely new safe harbors that were not related to the safe harbors and modifications proposed in the OIG Proposed Rule (e.g., an amendment to the referral services safe harbor, new safe harbors specific to Indian health care providers, and a new safe harbor specific to value-based contracting with manufacturers for the purchase of pharmaceutical products). Others requested sub-regulatory guidance outside the rule, such as a Frequently Asked Question feature to respond to specific questions or common scenarios from stakeholders. These or other topics that are outside the scope of this particular rulemaking are not summarized or discussed in detail in this final rule.

In the next sections of this preamble, we summarize each proposal from the OIG Proposed Rule (full detail of the proposals can be found at 84 FR 55694); summarize the final rule, including significant changes from the proposals; and respond to public comments.

B. Federal Anti-Kickback Statute Safe Harbors

1. Value-Based Framework for Value-Based Arrangements

Summary of OIG Proposed Rule: We proposed a set of value-based terminology, detailed in the next section, to describe the universe of value-based arrangements that would, as a threshold matter, be eligible to seek safe harbor protection under three safe harbors specific to value-based arrangements between VBEs and one or more of their VBE participants or between or among VBE participants: (i) The care coordination arrangements to improve quality, health outcomes, and efficiency safe harbor at 42 CFR 1001.952(ee), (ii) the value-based arrangements with substantial downside financial risk safe harbor at 42 CFR 1001.952(ff), (iii) and the full financial risk safe harbor at 42 CFR 1001.952(gg) (collectively referred to as the “value-based safe harbors”). The value-based safe harbors would offer greater flexibilities to parties as they assume more downside financial risk.

We proposed this tiered structure to support the transformation of industry payment systems and in recognition that arrangements involving higher levels of downside financial risk for those in a position to make referrals or order products or services could curb, at least to some degree, FFS incentives to order medically unnecessary or overly costly items and services.

Summary of Final Rule: We are finalizing the tiered value-based framework of three safe harbors that vary based on risk assumption of the parties. Modifications to specific value-based terminology are discussed in the next section.

Comment: Many commenters expressed support for our value-based framework. For example, a commenter stated that OIG had achieved a proper balance between flexibility for beneficial innovation and safeguards to protect patients and Federal health care programs against fraud and abuse risks. Others commended OIG for embracing the transition from no risk to downside financial risk as a central component of the value-based framework. In particular, commenters supported OIG’s proposal under the care coordination arrangements safe harbor to afford protection to value-based arrangements in which parties had yet to take on downside financial risk.

Response: We have finalized the value-based framework of three safe harbors, as proposed. We have made modifications to some of the value-based terminology as discussed in Section III.B.2 below. We explain the specific reasons for the modifications to the value-based terminology in responses to comments in section III.B.2.

Comment: Several commenters expressed general support for the proposed value-based safe harbors, while also recommending that OIG proceed with caution. For example, a payor urged us to maintain in the final rule the level of rigor reflected in the proposed value-based safe harbor and not increase the leniency provided under the proposed regulations. Similarly, a trade association suggested that OIG take a limited “phased-in” approach to the safe harbors to facilitate identification of appropriate patient protection and program integrity guardrails. Another commenter recommended that, at least once every 3 years, OIG assess and report on the effects of the value-based safe harbors, e.g., review clinical benefits, analyze cost savings, and solicit stakeholder input. A commenter also cautioned that giving more flexible safe harbor protection to value-based arrangements that include greater risk may push providers into assuming risk before they are ready to do so.

Response: With this final rule, we have sought to find the appropriate balance between the policy goals of the Regulatory Sprint and the need to protect both patients and Federal health care programs. We decline to adopt the commenters’ specific recommendations related to a potential phased-in approach or the regular publication of related reports, but we note that we may undertake future reviews of value-based arrangements in Federal health care programs as part of our oversight mission. We have included robust safeguards in the value-based safe harbors to address the commenters’ concerns. We note that we are affording greater flexibilities under the substantial downside and full financial risk safe harbors in recognition of parties’ assumption of the requisite level of downside financial risk. Others who may not be ready or willing to assume risk, or who are only ready or willing to assume risk at a level below that required by the substantial downside financial risk or full financial risk safe harbors, may look to the care coordination arrangements safe harbor, which does not require the assumption of risk, structure arrangements to fit in another safe harbor that might apply, or enter into arrangements that are not protected by a safe harbor, given that structuring an arrangement to satisfy a safe harbor is voluntary.

Comment: Other commenters expressed concerns about potential fraud and abuse, with several asserting that the value-based safe harbors would foster an environment vulnerable to fraud and anticompetitive effects. Commenters had varying rationales for their position, including, for example, that existing safe harbors would be sufficient to advance value-based models; evaluation was warranted before finalizing these safe harbors; and the care coordination focus of the value-based safe harbors would lead to further industry consolidation. A state health department broadly asserted that the proposals lacked sufficient detail and, if finalized, would pose enforcement challenges. That commenter requested that we add more detail in our rulemaking, rather than through sub-regulatory guidance, to assist the state with developing comprehensive policies to support the rule.

Several radiology trade associations expressed concern that the safe harbors omitted the guiding principle of fair market value and the restriction on determining the amount or nature of the remuneration based on the volume or value of referrals, and consequently, the value-based arrangements could be abused or used as a means for referring providers to pay less for radiology or imaging services. Generally, these commenters supported the creation of value-based safe harbors only to the extent parties to a value-based arrangement had assumed significant downside financial risk. They recommended that each value-based safe harbor include provisions prohibiting referring VBE participants from underpaying for radiology and imaging services within a VBE or otherwise leveraging their ability to direct referrals.

Response: The commenters raise important concerns about potential harms resulting from fraud and abuse; we considered these harms carefully in developing the final rule. In response to comments, throughout this final rule we have clarified regulatory text to minimize confusion; offered additional explanations in preamble to expound upon OIG’s interpretation of provisions in the value-based safe harbors; and provided illustrative examples for the value-based terminology, which we believe will aid in both enforcement and compliance. Parties also may request an advisory opinion from OIG to determine whether an arrangement meets the conditions of a safe harbor or is otherwise sufficiently low risk under the Federal anti-kickback statute to receive prospective immunity from administrative sanctions by OIG.

This final rule aims to protect value-based arrangements that enhance patient care and deliver value, and we have included safeguards designed to preclude from protection arrangements that lead to medically unnecessary care, might involve coercive marketing, or limit clinical decision-making. These safeguards are described in greater detail below and throughout this preamble. In addition, certain entities that present heightened program integrity risk and are less likely to be at the front lines of care coordination are not eligible to rely on the value-based safe harbors or subject to additional safeguards. We believe the potential benefits of the final value-based safe harbors (e.g., facilitating the transition to value-based care and encouraging greater care coordination) outweigh the potential risks related to fraud and competition.

The value-based safe harbors, as finalized, do not include the traditional fraud and abuse safeguards of fair market value or a broad prohibition on taking into account the volume or value of any referrals. However, we have included other safeguards in each of the value-based safe harbors that are intended to address potential fraud and abuse risks, e.g., a prohibition on taking into account the volume or value of referrals outside the target patient population, limits on directed referrals, and others described elsewhere in this preamble. The risk sharing required by the substantial downside financial risk and full financial risk safe harbors reduces some fraud and abuse concerns associated with a traditional fee-for-service payment system. We also included safeguards specific to the care coordination arrangements safe harbor, e.g., a contribution requirement for recipients, in recognition, in part, of the fact that this value-based safe harbor does not require parties to assume financial risk or meet certain traditional safeguards, such as a fair market value requirement. The care coordination arrangements safe harbor does not protect monetary payments, including payments for services such as radiology or imaging. Nothing in the risk-based safe harbors prevents parties from negotiating fair market value arrangements for services or from using the personal services and management contracts and outcomes-based payments safe harbor at paragraph 1001.952(d), which includes fair market value requirements.

While existing safe harbors could protect many care coordination arrangements, comments we received in response to the OIG RFI reflected that existing safe harbors are insufficient to protect the range of care coordination arrangements envisioned by the Regulatory Sprint. For example, apart from employment, there is no existing safe harbor protection for the sharing of personnel or infrastructure at below-market-value rates. Thus, the value-based safe harbors will provide protection to a broader range of care coordination arrangements than is presently available under existing safe harbors. With respect to the commenter that suggested evaluation was warranted prior to implementing the value-based safe harbors, we solicited feedback on the anticipated approach for rulemaking in the RFI and solicited comments on specific safe harbors, an exception, and relevant considerations in the OIG Proposed Rule. We do not believe further evaluation is needed to inform the issuance of this final rule; indeed, further formal evaluation could delay regulatory flexibilities designed to facilitate innovative value-based care and care coordination arrangements.

With respect to concerns regarding industry consolidation, it is not the intent of this final rule to foster industry consolidation. The rule aims to increase options for parties to create a range of care coordination and value-based arrangements eligible for safe harbor protection, whether through employment, ownership, or contracts among otherwise unaffiliated, independent entities that wish to coordinate care. As explained elsewhere, the definition of a “value-based enterprise” is flexible, allowing for a broad range of participation and business structures. In addition, “value-based arrangements” are defined such that they can be among many participants or as few as two. The safe harbors are available to large and small systems and to rural and urban providers. We intend for this flexibility to ensure that smaller providers still have the opportunity to develop and enter into care coordination arrangements.

Comment: Several commenters highlighted the potential harms the proposed value-based safe harbors could pose to patients, e.g., cherry-picking, provision of medically unnecessary care, or stinting on care. Commenters also expressed concern that the safe harbors could negatively impact patient freedom of choice or impinge on the patient-physician relationship. To address these concerns, commenters had varying suggestions. For example, some commenters urged OIG to insert patient transparency requirements in the value-based safe harbor that would mirror similar requirements in the Medicare Shared Savings Program. One such commenter stated transparency is necessary to ensure public confidence that the benefits of a value-based arrangement would not be exclusive to those party to the agreement.

Response: We share the commenters’ interests in protecting patients against cherry-picking, the provision of medically unnecessary care, stinting on care, patient steering, and any inappropriate infringement on the patient-doctor relationship. Accordingly, we have finalized safeguards in each of the three value-based safe harbors related to these issues. We did not propose patient transparency or notice requirements in the OIG Proposed Rule for the value-based safe harbors because we believed it potentially would impose undue administrative burden on providers, and we are not including any such condition in this final rule.

Comment: We received a number of comments stating that our approach to the value-based safe harbors was not bold enough and would act as a barrier to advancing the coordination and management of care. For example, a commenter stated that the proposals, as drafted, would not advance care coordination and better quality outcomes because the OIG sets too many limits and boundaries within the value-based safe harbors. In addition, several commenters asserted that our definitions of certain key terms, such as value-based enterprise and VBE participant, were overly prescriptive. Other commenters asserted that our view of financial risk was too narrow and failed to recognize, among other things, that providers are already at substantial financial risk under existing financial incentives and penalties created by payment structures.

Response: We disagree with those commenters who stated that our definitions are too narrow or prescriptive and that the proposed value-based safe harbors are not bold enough because they would impose limits on the types of arrangements that are protected.

As discussed in section III.B.2, we have defined the value-based terminology to allow for a wide range of individuals and entities to participate in value-based arrangements. The value-based safe harbors do not attempt to cover the entire universe of potentially beneficial arrangements, nor the entire universe of what may constitute risk. Indeed, we acknowledged in the OIG Proposed Rule, and confirm here, that we understood that participants in value-based arrangements might assume certain types of risk other than downside financial risk for items and services furnished to a target patient population (e.g., upside risk, clinical risk, operational risk, contractual risk, or investment risk).^[12] We continue to believe our focus on downside financial risk is warranted because the assumption of downside financial risk incentivizes those making the referral and ordering decisions to control costs and deliver efficient care in a way the other types of risk may not.

Further, the care coordination arrangements safe harbor requires no assumption of downside risk by parties to a value-based arrangement. Accordingly, parties that do not meet the definition of taking on “substantial downside financial risk” or “full financial risk” may seek protection for certain value-based arrangements under the care coordination arrangements safe harbor. They may also look to the new safe harbor protection for outcomes-based payments at paragraph 1001.952(d)(2).

We have included parameters in the value-based safe harbors to protect against risks of fraud and abuse, such as overutilization, inappropriate patient steering, or stinting on care. Nothing in the rulemaking changes the premise of safe harbors themselves: They offer protection to certain arrangements that meet safe harbor conditions, but they do not purport to define all lawful arrangements. Parties with arrangements that do not fit in a value-based safe harbor may look to other safe harbors or the language of the statute itself. Parties also may request an advisory opinion from OIG to determine whether an arrangement meets the conditions of a safe harbor or is otherwise sufficiently low risk under the Federal anti-kickback statute to receive prospective immunity from administrative sanctions by OIG.

Comment: Multiple commenters recommended that, in lieu of a tiered approach to the value-based framework (i.e., three value-based safe harbors, based upon the level of risk assumed by parties), OIG should create a single value-based arrangements safe harbor. The commenters asserted that such an approach would reduce the complexity of the value-based safe harbors.

Response: We appreciate the commenters’ suggestion regarding ways to reduce complexity; however, we disagree with the commenters’ recommendations to develop a single value-based arrangements safe harbor. The tiered approach we are finalizing in this rule supports the policy goals of the Regulatory Sprint regarding the transformation to value and offers parties flexibility to undertake arrangements that suit their needs. We do not believe that a one-size-fits-all approach would be feasible or effective to promote the transformation to value because we recognize there are many dimensions of value in health care that may look different for various stakeholders. To support the transformation to value, reflect that program integrity vulnerabilities change as parties assume more risk, and prevent unscrupulous behavior, we have adopted a tiered approach where the safeguards included in each of the value-based safe harbors are tailored according to, among other things, the degree of downside financial risk assumed by the parties.

Comment: In response to our solicitation of comments on whether to define the term “value,” we received varying comments. Some commenters supported our proposal to use the term in a non-technical way, with one asserting the term “value” is not a one-size-fits-all term of art. Others suggested that we reference—in the final definitions or otherwise—financial arrangements under advanced alternative payment models (APMs) to make clear that value-based arrangements in CMS-sponsored programs would receive protection under the value-based safe harbors.

Response: We agree with those commenters that noted that “value” is not a one-size-fits all term. We decline to use or define the term “value” for the purposes of these safe harbors because we believe industry stakeholders and those participating in value-based arrangements potentially protected by these safe harbors are best-positioned to determine value. Notably, however, we define other terms critical to the value-based safe harbors, including “value-based purpose,” “value-based activity,” and “value-based arrangement.” These defined terms adequately capture the concept of value without prescriptively defining “value,” which could inhibit flexibility and innovation. We also are not adopting the commenters’ suggestion to define any term by referencing financial arrangements under advanced APMs. Financial arrangements under CMS-sponsored APMs may satisfy the definition of “value-based arrangement” and may serve as one of many sources for considering value in the delivery of care. In addition, organizations already participating in CMS-sponsored models may wish to look to the new safe harbor for those models at paragraph 1001.952(ii).

Comment: Several commenters requested that we offer additional clarity on key terms and concepts used throughout the value-based framework. For example, some commenters encouraged OIG to issue sub-regulatory guidance with respect to the value-based safe harbors, while others requested specific examples of the types of value-based arrangements that could be protected. Another commenter suggested that, in order to avoid confusion, OIG more closely align its value-based safe harbors with the requirements in the Medicare Shared Savings Program fraud and abuse waivers (e.g., governing body approval of protected arrangements). Collectively, these commenters expressed concern that without further guidance from OIG, individuals and entities would remain too risk-averse to leverage the new safe harbors for value-based arrangements or would incur significant time and expense in creating a value-based enterprise that might not meet the required standards.

Response: Based on these comments, throughout this final rule, we have endeavored to provide additional clarity and examples of key terms and concepts. Parties also may use OIG’s advisory opinion process to obtain a legal opinion on the application of OIG’s fraud and abuse authorities to a particular arrangement. Regarding the request for greater alignment with the Medicare Shared Savings Program, we note that we drew from our experience with the waivers issued for the Medicare Shared Savings Program in drafting the value-based safe harbors, but we do not believe alignment with the waiver conditions would be appropriate for a number of reasons. First, CMS provides programmatic oversight of the Medicare Shared Savings Program that it would not provide to all value-based enterprises under this final rule. In addition, the waivers apply to certain remuneration related to one type of alternative payment model, whereas the safe harbors finalized in this final rule apply to a broader range of arrangements focused on value-based care. Finally, as discussed in more detail below, all individuals and entities can be VBE participants, whereas participation in the Medicare Shared Savings Program is more limited. Parties participating in CMS-sponsored models may wish to look at the new safe harbor for those models at paragraph 1001.952(ii), which is closely aligned with model requirements and takes into account CMS’s oversight of those models and the Medicare Shared Savings Program.

Comment: Multiple commenters requested that OIG speak to the intersection of the proposed value-based safe-harbors with existing: (i) Financial arrangements that may not meet the four corners of the value-based safe harbors, despite otherwise being similar in concept; (ii) safe harbors; and (iii) state law and corporate practice of medicine requirements.

Response: By promulgating value-based safe harbors, we are not opining, directly or indirectly, on the legality of existing financial arrangements that may be similar in concept to value-based arrangements that may be protected under the new value-based safe harbors. Arrangements that do not meet all conditions of an applicable safe harbor are not protected by that safe harbor. Whether such an arrangement violates the Federal anti-kickback statute is a fact-specific inquiry. In addition, and as stated in the OIG Proposed Rule, parties to value-based arrangements may choose whether to protect such arrangements under existing safe harbors or under the new value-based safe harbors finalized in this final rule.

We have attempted to create significant flexibility under the Federal anti-kickback statute while recognizing that parties still must comply with applicable State laws. Nothing in these safe harbors preempts any applicable State law (unless such State law incorporates the Federal law by reference).

Comment: We received several comments that touched upon the applicability of the value-based safe harbors to commercial arrangements. For example, at least two commenters expressed support for extending the value-based safe harbor protections to participants in arrangements involving only commercial payor patients. Another commenter strongly recommended that OIG clarify in the final rule that the Federal anti-kickback statute is not implicated if a financial arrangement is strictly limited to commercial payor patients.

Response: Generally speaking, the Federal anti-kickback statute is not implicated for financial arrangements limited solely to patients who are not Federal health care program beneficiaries. However, to the extent the offer of remuneration pursuant to an arrangement involving only non-Federal health care program beneficiaries is intended to pull through referrals of Federal health care program beneficiaries or business, the Federal anti-kickback statute would be implicated and potentially violated. While nothing in the value-based safe harbors precludes financial arrangements limited solely to patients who are not Federal health care program beneficiaries, the parties would need to meet all requirements of the applicable value-based safe harbor, and a pull-through arrangement would not meet the requirement, in each value-based safe harbor found at (ee), (ff), and (gg), that the offeror of remuneration does not take into account the volume or value of, or condition the remuneration of referrals of, patients who are not part of the target patient population, or business not covered under the value-based arrangement.

Comment: A commenter recommended that OIG apply the value-based safe harbors retrospectively.

Response: As stated in the OIG Proposed Rule, the value-based safe harbors will be prospective only and will be effective as of 60 days from the date this rule is published in the Federal Register. It is neither feasible nor desirable to confer safe harbor protection retrospectively under a criminal statute. Conduct is evaluated under the statute and regulations in place at the time of the conduct.

Comment: A commenter supported OIG addressing value-based contracting and outcomes-based contracting for the purchase of pharmaceutical products in future rulemaking, including rules around medication adherence. Another commenter urged OIG to promulgate a safe harbor in this final rule specific to value-based arrangements with manufacturers for the purchase of pharmaceutical products (as well as medical devices and related services).

Response: We did not propose, and thus are not finalizing, a safe harbor specifically for value-based arrangements with manufacturers for the purchase of their products. We may consider this topic, along with value-based contracting and outcomes-based contracting, for future rulemaking.

Comment: Separate and apart from outcomes-based contracting, a handful of commenters requested that we create new safe harbors or issue certain guidance. For example, a hospital association urged us to create a safe harbor to facilitate non-CMS advanced payment models. Another commenter suggested we issue guidance affording parties additional regulatory flexibility to the extent their financial arrangements are consistent with the goals of the value-based safe harbors but do not otherwise satisfy all conditions.

Response: We did not propose and are not finalizing a safe harbor specific to non-CMS advanced payment models. However, we refer the commenter to our substantial downside financial risk safe harbor at paragraph 1001.952(ff), as remuneration exchanged by the parties to the advanced payment model arrangement may be eligible for protection under that safe harbor.

We likewise are not issuing guidance to provide parties with additional regulatory flexibility to protect financial arrangements that are consistent with the goals of, but do not meet the requirements of, a value-based safe harbor. An arrangement must meet all conditions of the applicable value-based safe harbor for remuneration exchanged pursuant to the arrangement to receive protection.

Comment: A commenter asserted that the value-based safe harbors do not satisfy the requirements set forth in section 1128D of the Act for the promulgation of new safe harbors. Specifically, the commenter asserted that the value-based safe harbors do not specify payment practices that are protected under the Federal anti-kickback statute, as required by section 1128D, because they only outline a set of general principles.

Response: We disagree with the commenter. Section 1128D of the Act requires the Secretary to publish a notice soliciting proposals for, among other things, additional safe harbors specifying payment practices that shall not be treated as a criminal offense under section 1128B(b) and shall not serve as the basis for an exclusion under section 1128(b)(7) and to publish proposed additional safe harbors, if appropriate, after considering such proposals. Consistent with that authority, the value-based safe harbors specify payment practices that will be protected if they meet a series of specific, enumerated requirements. Although a value-based safe harbor may protect remuneration exchanged pursuant to a diverse universe of value-based arrangements, all value-based arrangements within that universe share the features required by the applicable safe harbor.

For example, the payment practice specified in the care coordination arrangements safe harbor is the exchange of in-kind remuneration pursuant to value-based arrangement, where, among several other requirements, the parties establish legitimate outcome measures to advance the coordination and management of care for the target patient population; the arrangement is commercially reasonable; and the recipient contributes at least 15 percent of either the offeror’s cost or the fair market value of the remuneration. If an arrangement fails to meet any one of the safe harbor’s requirements, it cannot receive protection under the safe harbor. This approach is consistent with the approach taken in other safe harbors that are not specific as to the type of arrangement. For example, the personal services and management contracts safe harbor protects any payments from a principal to an agent, as long as a series of standards are met.

Comment: Numerous commenters requested that OIG and CMS seek greater alignment across their respective value-based rules. According to some of these commenters, further alignment would reduce administrative burden, confusion, and regulatory uncertainty. Commenters were generally in favor of OIG revising its proposed value-based safe harbors to more closely parallel CMS’s proposed value-based exceptions to the physician self-referral law. Commenters suggested that CMS’s proposed value-based exceptions would protect a broader universe of beneficial innovative arrangements, without greater fraud and abuse risk. Accordingly, commenters urged OIG to create a safe harbor for any value-based arrangement that otherwise met a physician self-referral law exception or, alternatively, state that compliance with the physician self-referral law would rebut any implication of intent under the Federal anti-kickback statute. Commenters also advocated that OIG adopt certain CMS proposed definitions, e.g., CMS’s “volume or value” definition.

Response: As explained in more detail in section III.A.1 of this preamble, we are mindful of reducing burden on providers and other industry stakeholders, and we have sought to align value-based terminology and safe harbor conditions with those being adopted by CMS as part of the Regulatory Sprint wherever possible. However, complete alignment is not feasible because of fundamental differences in statutory structures and penalties across the two laws, as well as differences in how anti-kickback statute safe harbors and physician self-referral law exceptions operate. For example, the physician self-referral law applies to referrals by physicians for specified designated health services, whereas the anti-kickback statute applies to referrals by anyone of any Federal health care program business. Fitting in an exception to the physician self-referral law is mandatory, whereas using safe harbors is voluntary. In designing our safe harbors, we have included conditions designed to ensure that protected arrangements are not disguised kickback schemes, and we recognize that, for purposes of those arrangements that implicate both the physician self-referral law and the Federal anti-kickback statute, the value-based safe harbors may therefore protect a narrower universe of arrangements than CMS’s exceptions.

We do not agree as a matter of law that compliance with the physician self-referral law would rebut any implication of intent under the Federal anti-kickback statute. We did not propose to, and do not, adopt CMS’s proposed interpretation of the term “takes into account the volume or value of referrals or other business generated.” We have aligned terminology used in the value-based framework and set forth at paragraph 1001.952(ee) in our rule, as described below.

2. Value-Based Terminology (42 CFR 1001.952(ee))

We proposed to define at paragraph 1001.952(ee)(12) the following terms: “value-based enterprise” (“VBE”), “value-based arrangement,” “target patient population,” “value-based activity,” “VBE participant,” “value-based purpose,” and “coordination and management of patient care.” We summarize the proposal for each of these definitions and the final rule in turn below. These definitions are now located at paragraph 1001.952(ee)(14) of the final rule and cross-referenced in the safe harbors at paragraphs 1001.952(ff), (gg), and (hh). In this final rule, we have added definitions at paragraph 1001.952(ee)(14) for the following terms that are used in connection with determining eligibility of certain types of entities to use the safe harbors at paragraphs 1001.952(d)(2), (ee), (ff), (gg), and (hh): “limited technology participant,” “digital health technology,” and “manufacturer of a device or medical supply.” These definitions are discussed in section III.B.2.e.

a. Value-Based Enterprise (VBE)

Summary of OIG Proposed Rule: We proposed to define the term “value-based enterprise” or “VBE” as two or more VBE participants: (i) Collaborating to achieve at least one value-based purpose; (ii) each of which is a party to a value-based arrangement with the other or at least one other VBE participant in the value-based enterprise; (iii) that have an accountable body or person responsible for financial and operational oversight of the value-based enterprise; and (iv) that have a governing document that describes the value-based enterprise and how the VBE participants intend to achieve its value-based purpose(s).

Summary of Final Rule: We are finalizing, with modification, the definition of “value-based enterprise.”

i. General

Comment: Multiple commenters supported the definition of “value-based enterprise,” as proposed, and the flexibility the definition offers. A commenter appeared to ask OIG to revise the definitions of “value-based enterprise,” “value-based arrangement,” and “value-based activity” so that they do not incorporate and rely on other defined terms. Another commenter suggested a broader definition of “VBE” that would allow affiliates of a VBE to participate within the VBE without becoming VBE participants.

Response: The definition of “value-based enterprise” is intended to be broad and flexible to encompass a wide range of VBEs, from smaller VBEs comprised of only two or three parties to large VBEs, such as entities that function similar to ACOs. We decline to expand the definition further to allow affiliates of VBE participants to participate in a VBE without becoming VBE participants. We designed the value-based framework, including the requirement for parties to be either a VBE or a VBE participant, to ensure the remuneration that the safe harbors protect is exchanged pursuant to a value-based arrangement where all parties are striving to achieve value-based purposes. VBE participants can continue to enter into arrangements with affiliates and other non-VBE participants and may look to other available safe harbors for potential protection for those arrangements.

We also decline to revise the definitions of “value-based enterprise,” “value-based arrangement,” and “value-based activity” to omit references to other defined terms. The value-based terminology we are finalizing works in concert to explain the universe of value-based arrangements under which the exchange of remuneration may receive safe harbor protection. For example, because the terms “VBE participant,” “value-based purpose,” and “value-based arrangement” are fundamental to the definition of “value-based enterprise,” we are finalizing a definition of “value-based enterprise” that references those terms.

Comment: A commenter asked whether parties could prove collaboration to achieve one or more value-based purposes by measuring the amount of time a VBE participant has been taking part in a value-based activity.

Response: To accommodate a broad range of VBEs, from small to large, this final rule does not prescribe how VBE participants prove that they are collaborating to achieve at least one value-based purpose, as required by the definition of “value-based enterprise”; it is incumbent on the VBE participants to demonstrate that they are meeting this requirement. For example, time spent on value-based activities, records of collaboration between parties, and participation in applicable meetings, could all be relevant factors, depending on the unique nature and circumstance of the VBE and the arrangements among the VBE participants.

Comment: A commenter expressed concern that the costs of forming a VBE could be prohibitive for small and rural providers and providers serving underserved populations, and it appeared to ask OIG to create an online portal that parties could use to create VBEs. Another commenter asked OIG to state expressly that a VBE may add individual physicians and other clinicians as VBE participants on an ongoing basis and still meet the definition of “VBE.”

Response: The definition of “VBE” is intended to be both broad and flexible to accommodate providers, suppliers, and other entities of varying sizes and financial means seeking to participate in value-based arrangements. The definition, as finalized, will allow small and rural providers and providers serving underserved populations to form VBEs that correspond in scope and design with the VBE participants’ resources. For example, we anticipate that parties could form a VBE with a single value-based arrangement, and a VBE could be comprised of only two VBE participants. We did not propose to create an online portal for the creation of VBEs, and we are therefore not establishing an online portal in this final rule. We also confirm that VBE participants may join and leave a VBE throughout the existence of the VBE, but we note that a VBE always must have two or more VBE participants to meet the definition of “value-based enterprise.”

Comment: A commenter recommended that we require a value-based enterprise to utilize electronic health records so that each entity participating in the value-based enterprise has a strong data platform to track and evaluate the VBE’s inputs and outcomes. According to the commenter, data from the EHR systems is critical to care delivery and care coordination.

Response: We agree that EHR systems can help individuals and entities within the VBE facilitate the coordination and management of care but did not propose to require, and thus are not requiring, VBEs or VBE participants to use them. Moreover, we intend for entities of varying sizes and with different levels of funding and access to technology to be able to utilize the value-based safe harbors. While we continue to support the Department’s goal of continued adoption and use of interoperable EHR technology that benefits patient care, we are concerned that requiring utilization of EHR may unduly limit the ability of some entities to form a VBE. Donations of EHR by VBEs to VBE participants can be protected by the value-based safe harbors if all conditions are met. Alternatively, VBE and VBE participants may use the EHR safe harbor that this final rule makes permanent.

Comment: Commenters asked how the definition of “value-based enterprise” would apply to integrated delivery systems, with a commenter specifically inquiring as to how entities within a larger integrated delivery system that enter into arrangements with a payor for shared savings and losses could subsequently share such savings or losses with downstream contracted or employed physicians. The commenter asked whether each party offering or receiving remuneration would be required to be a party to an agreement with the payor or if separate agreements between the downstream entities would suffice. Another commenter asked OIG to confirm whether an already existing integrated delivery system, ACO, or similar entity could meet the requirements of a VBE or whether that entity must establish a new value-based enterprise to use the value-based safe harbors. A commenter asserted that the value-based definitions and safe harbors should include integrated delivery systems, accountable care, team-based care, coordinated care (including for dual eligible beneficiaries), bundled payments, payments linked to quality or outcomes, Medicaid waiver programs, and Medicare managed care, value-based, or delivery system reform directed payments. A commenter recommended that the final rule deem an existing ACO to be compliant with the requirements of an applicable safe harbor to help retain ACOs as a central organizational structure, reduce regulatory burden, reduce risk of whistleblower or regulatory challenges, and minimize the need for creation of arrangements outside the ACOs. For each value-based safe harbor the commenter made specific suggestions: That OIG deem ACO outcome measures to meet the outcome measures requirement for care coordination arrangements; and for the substantial downside financial risk and full financial risk safe harbors, that all safe harbor conditions would be deemed met if the requisite level of downside financial risk were present.

Response: The final rule, including the value-based terminology, value-based safe harbors, and other safe harbors we are finalizing, offers several potential pathways for protection for the types of arrangements noted by the commenters, provided all applicable definitions and safe harbor conditions are satisfied. An existing integrated delivery system, ACO, or comparable entity could potentially qualify as a “value-based enterprise” and meet all of the requirements of the definition to use the value-based safe harbors we are finalizing. Arrangements for shared savings or losses and certain bundled payments could be protected under the substantial downside and full financial risk safe harbors, which protect in-kind and monetary remuneration exchanged between a VBE and a VBE participant. Under these safe harbors, a hospital that is a VBE participant could enter into a value-based arrangement with a VBE, pursuant to which the VBE shares savings or losses with the hospital VBE participant. However, this arrangement could not be protected under the care coordination arrangements safe harbor, which does not protect the exchange of monetary remuneration. Monetary remuneration, including payments linked to outcomes, could qualify for protection under the safe harbor for personal services and management contracts and outcomes-based payments at paragraph 1001.952(d)(2). Neither the substantial downside financial risk safe harbor nor the full financial risk safe harbor protects the exchange of remuneration between entities downstream of the VBE (i.e., between VBE participants, a VBE participant and a downstream contractor, or downstream contractors). Apart from the value-based safe harbors, some managed care arrangements could be structured to fit in the existing managed care safe harbors at paragraphs 1001.952(t) and 1001.952(u). ACOs and others in CMS-sponsored models could use the new safe harbor at paragraph 1001.952(ii).

We did not propose and are not adopting a deeming provision for ACOs, as recommended by the commenter. Under the final value-based safe harbors, ACOs would need to meet all applicable safe harbor conditions. We have designed the value-based terminology and safe harbors to be flexible to accommodate a range of VBE types, structures, and arrangements, including ACOs. Moreover, when participating in a CMS-sponsored model, an ACO might rely on an existing fraud and abuse waiver or the new safe harbor for CMS-sponsored models at paragraph 1001.952(ii), rather than a value-based safe harbor.

To the commenter’s question regarding separate agreements, although the substantial downside financial risk and full financial risk safe harbors would not protect any shared savings or losses (or other remuneration) between the hospital VBE participant and its downstream employed or contracted physicians, the VBE could enter into value-based arrangements directly with physicians who are VBE participants in order to share savings or losses with the physicians. We note, however, that, consistent with all other safe harbors, compliance with the value-based safe harbors is not compulsory. Parties may enter into lawful arrangements for value-based care that do not meet a safe harbor. Other safe harbors may be relevant to protect remuneration exchanged in a value-based arrangement, such as the personal services and management contracts safe harbor or a managed care safe harbor, depending on the circumstances. The OIG advisory opinion process also remains available.

Comment: A commenter asked whether VBEs must undergo a formal process to receive protection under the new safe harbors.

Response: All safe harbors to the Federal anti-kickback statute, including the new safe harbors we are finalizing in this final rule, are voluntary, and parties do not need to undergo any process or receive any affirmation from the Federal Government in order to receive protection. We note that qualifying as a value-based enterprise is not sufficient to obtain protection under the value-based safe harbors. To be protected, the remuneration exchanged between or among parties to the VBE must squarely meet all conditions of an available safe harbor. Parties that wish for OIG to opine on whether an arrangement satisfies the criteria of a safe harbor may submit an advisory opinion request.

Comment: A commenter stated that an entity that qualifies as a VBE should be deemed to meet the Federal Trade Commission (FTC) and Department of Justice (DOJ) requirements for clinical integration.

Response: Whether a value-based enterprise meets the FTC and DOJ requirements for clinical integration is outside the scope of this rulemaking and thus the issue raised by the commenter is not addressed in this rule.

Comment: Several commenters asked OIG to include references to free clinics, charitable clinics, and charitable pharmacies in the definition of “value-based enterprise,” stating that hospitals otherwise will remain risk averse to establishing or continuing partnerships with such entities. Another commenter asked OIG to confirm that the terms “value-based enterprise,” “value-based arrangement,” and “value-based activity” apply exclusively to the new safe harbors and not in other contexts, such as state Medicaid programs, to ensure the new value-based terminology does not disrupt the administration of existing value-based arrangements.

Response: We do not believe it is necessary to include references to any specific entities in the definition of “value-based enterprise.” While the commenter requested that we reference these entities in the definition of “VBE,” we note that under this final rule all individuals and entities are eligible to be VBE participants (other than a patient acting in their capacity as a patient). The definitions we are finalizing for the value-based terminology, including the terms “value-based enterprise,” “value-based arrangement,” and “value-based activity,” do not apply outside of the safe harbors being finalized in this rule. Given OIG’s limited authority in the context of this rulemaking, we do not purport to define these terms for other purposes, including for State Medicaid programs; however, the safe harbors could protect remuneration resulting from value-based arrangements involving Medicaid beneficiaries (to the extent that all applicable safe harbor conditions are satisfied). CMS is using the same terminology for its new value-based exceptions under the physician self-referral law.

Comment: A commenter asserted that the proposed definitions of “value-based enterprise,” “value-based arrangement,” “value-based activity,” and “VBE participant” apply only to the care coordination arrangements safe harbor and not to the substantial downside financial risk safe harbor or the full financial risk safe harbor.

Response: The commenter’s apparent confusion arises from the language in proposed paragraph 1001.952(ee) that states, “[f]or purposes of this paragraph (ee), the following definitions apply.” Notwithstanding this language, the substantial downside financial risk safe harbor and the full financial risk safe harbor expressly incorporate the definitions of “value-based enterprise,” “value-based arrangement,” “value-based activity,” and “VBE participant” set forth in paragraph 1001.952(ee).

Comment: While supporting the proposed definition of “value-based enterprise,” several commenters requested that OIG and CMS align any modifications to the final definition of “VBE.” According to the commenter, identical definitions would allow stakeholders to place more focus on the delivery of value-based care because they would not need to navigate different legal frameworks under the Federal anti-kickback statute and the physician self-referral law.

Response: We are finalizing a definition of “value-based enterprise” that remains aligned with the definition finalized by CMS.

Comment: Some commenters asserted that Indian health programs should be deemed to meet the definition of “value-based enterprise” even if they do not meet each requirement of the definition because Tribes, as sovereign governments, do not enter into agreements in which another entity has governing authority or control over any part of the Tribe. In addition, they explained that Indian health programs have several features of the proposed definition (e.g., Indian health programs are held accountable by the governing body of the Tribe or the United States Congress, in the case of IHS-run programs). Such commenters asserted that requiring Indian health programs to meet any additional requirements would exclude or unnecessarily burden those programs.

Similarly, several commenters requested that OIG address whether Indian health programs could be a VBE participant and recommended that the definition expressly state that Indian health programs may be VBE participants. Another commenter expressed concern that Indian health programs may not meet the proposed definition of VBE participant because Tribes are sovereign nations that will not enter into agreements with another entity with authority over the Tribe.

Response: Indian health programs, as well as other individuals and entities, may themselves constitute VBEs or may form VBEs if they meet all requirements in the definition of such term. We are not promulgating any exceptions to the requirement that parties form a VBE in order to use one of the value-based safe harbors or the patient engagement and support safe harbor because we believe the definition of “value-based enterprise” is sufficiently broad and flexible to allow Indian health programs to qualify as or form VBEs.

In addition, under our revised definition of a “VBE participant,” all types of entities can be VBE participants, including Indian health programs and Indian health care providers that engage in at least one value-based activity as part of a VBE.

ii. Accountable Body

Comment: Multiple commenters supported the proposed requirement that a VBE have an accountable body that is responsible for financial and operational oversight of the VBE, while some expressed concerns regarding the requirement. For example, some commenters asserted that parties would incur significant legal expenses to create an accountable body, which could discourage participation in VBEs, and questioned whether small or rural practices have the resources necessary to implement an accountable body. A commenter suggested OIG exempt smaller VBEs from the requirement to have an accountable body, particularly where the VBE is comprised only of individuals or small physician practices. Another noted that the requirement to have an accountable body could create tension between VBE participants when determining who will assume such role.

Response: We do not believe the requirement for a VBE to have an accountable body or responsible person places an undue financial or administrative burden on VBEs or VBE participants, particularly because the definition of “value-based enterprise” affords parties the flexibility to create VBEs and accountable bodies that range in scope and complexity. We are not exempting small or other VBEs from the requirement to have an accountable body or responsible person. We do not expect that small VBEs would have the same resources as larger VBEs for this function or would structure the function in the same way. A VBE should have an accountable body or responsible person that is appropriate for its size and resource and is capable of carrying out the associated responsibilities. Any potential for conflict among VBE participants is a matter for the parties to address in their private contractual or other arrangements and does not warrant an exception to the accountable body requirement, which serves an important oversight and accountability function in the VBE.

Comment: Commenters generally supported the flexibility for parties to tailor the accountable body to the complexity and sophistication of the VBE. Multiple commenters requested additional clarification on the nature and composition of the accountable body, including how and by whom the accountable body would be organized and whether the accountable body must be comprised of at least one representative from each VBE participant.

A commenter asked OIG to clarify whether ACOs that already have governing bodies in place need to establish an additional accountable body or responsible person to meet the definition of “VBE.” Another commenter asked whether the safe harbor conditions applicable to accountable bodies are at least as rigorous as the conditions applicable to governing bodies in the fraud and abuse waivers issued for purposes of the Medicare Shared Savings Program.

Response: We are not prescribing how VBE participants or VBEs form or otherwise designate an accountable body or responsible person in order to give parties flexibility to do so in a manner conducive to the scope and objectives of the VBE and its resources. For instance, a representative from each VBE participant in a VBE could, but is not required to, be part of the VBE’s accountable body. Where parties already have a governing body that constitutes an accountable body or responsible person, such parties are not required to form a new accountable body or designate a responsible person for purposes of creating a VBE. While the requirements for the accountable body or responsible person are not as stringent as the requirements for an ACO’s governing body in the fraud and abuse waivers issued for purposes of the Medicare Shared Savings Program, we have concluded that the safe harbor requirements for the accountable body strike the right balance between allowing for needed flexibility for parties wanting to form and operate VBEs and providing for appropriate VBE oversight and accountability.

Comment: Multiple commenters supported a range of additional requirements for VBE participants related to the accountable body, including requirements to: (i) Recognize the oversight role of the accountable body affirmatively; (ii) agree in writing to cooperate with the accountable body’s oversight efforts; and (iii) report data to the accountable body to enable it to access and verify VBE participant data related to performance under value-based arrangements. Another commenter opposed additional requirements on VBE participants, stating that they would be unnecessary formalities that would constrain use of the value-based safe harbors for existing arrangements that might otherwise meet a value-based safe harbor’s terms. Other commenters also asked what, if any, oversight OIG would expect from VBE participants, themselves, in addition to the oversight conducted by the accountable body.

Response: It is important for the parties to a value-based arrangement to support and cooperate with the accountable body or responsible person. However, we are not finalizing requirements for VBE participants to recognize affirmatively the oversight role of the accountable body, agree in writing to cooperate with its oversight efforts, or report data. On balance, such requirements would introduce a level of unnecessary administrative detail and impose unnecessary administrative burden on many VBEs, particularly small or rural entities. Parties can themselves establish mechanisms to ensure the ability of the accountable body or responsible person to fulfill its obligations through, by way of example only, a term in arrangements between the VBE and its VBE participants that requires VBE participants to cooperate with the accountable body or responsible person’s oversight efforts.

Whether VBE participants must conduct additional oversight depends on the applicable safe harbor. Parties relying on safe harbor protection may want to ensure all applicable safe harbor requirements, including those related to oversight, are met because failure to satisfy these requirements would result in the loss of safe harbor protection for the remuneration at issue. Notwithstanding this fact, where a VBE participant or VBE has done everything that it reasonably could to comply with the safe harbor requirements applicable to that party but the remuneration exchanged loses safe harbor protection as a result of another party’s noncompliance, the compliant party’s efforts to take all reasonable steps would be relevant in a determination of whether such party had the requisite intent to violate the Federal anti-kickback statute.

Comment: We received support for, and opposition to, a requirement for the accountable body to have more specific responsibilities for overseeing certain aspects of the VBE, including utilization of items and services; cost; quality of care; patient experience; adoption of technology; and quality, integrity, privacy, and accuracy of data related to each value-based arrangement. However, several commenters cautioned against overly prescriptive oversight obligations, with many commenters noting that the appropriate scope, methodology, and risk areas for monitoring and oversight will vary significantly based on the activities an entity is undertaking. According to several commenters, the program integrity benefits of any additional requirements on the accountable body would be outweighed by increased administrative burden.

Response: We are not requiring more specific oversight responsibilities for the accountable body. The type of data the accountable body should monitor and assess could vary by VBE and by value-based arrangement, and therefore we are not imposing more prescriptive requirements on the accountable body with respect to its oversight responsibilities. However, in the full financial risk safe harbor, we are finalizing a requirement that the VBE provide or arrange for a quality assurance program for services furnished to the target patient population that protects against underutilization and assesses the quality of care furnished to the target patient population.

Comment: Multiple commenters supported a requirement for VBEs to institute a compliance program to facilitate the accountable body’s or responsible person’s obligation to identify program integrity issues, with some also favoring requirements for periodic review of patient medical records to ensure compliance with clinical standards or for the designation of a compliance officer to oversee the VBE and its value-based arrangements. One commenter recommended that VBE participants agree to a code of ethics related to compliance oversight.

In contrast, multiple commenters opposed a requirement for the VBE to have a compliance program. Some asserted it would create an additional burden on VBEs without substantially reducing the risk of fraud and abuse. Commenters expressed concern that a compliance program requirement could result in inconsistent policies or duplicative administrative obligations if VBE participants already have compliance programs in place. Another commenter stated that such a requirement is unnecessary because VBEs are independently at risk for safe harbor compliance. A commenter recommended that, if OIG requires a VBE to have a compliance program, OIG should permit the VBE to meet such a requirement by: (i) Developing a compliance program specific to the VBE and its VBE participants, (ii) adopting an existing compliance program held by one of the VBE participants, or (iii) requiring an attestation from each VBE participant that it has a compliance program and conducts annual compliance reviews. Another commenter recommended that OIG provide model compliance provisions that could be included in agreements between parties in a VBE.

Response: For purposes of these safe harbors, we are not requiring the VBE or its accountable body or responsible person to have a compliance program or to review patient medical records periodically. We also are not requiring an attestation or other agreements from each VBE participant that it has a compliance program and conducts annual compliance reviews. Compliance programs are an important tool for, among other things, monitoring arrangements, identifying fraud and abuse risks, and, where necessary, implementing corrective action plans. While it is our view that robust compliance programs are a best practice for all VBEs and VBE participants, we are not including specific compliance program requirements or providing model compliance provisions because VBEs of varying sizes and scopes may have and need different types of compliance programs. We anticipate many VBE participants already have compliance programs and may want to consider updating these programs to reflect any new arrangements entered into as part of the VBE.

A compliance program requirement for VBEs would necessitate that we articulate specific compliance program criteria, which we do not believe would be feasible or desirable, particularly in light of the expected variation of VBEs. We also are not requiring the VBE to designate an individual to serve as a compliance officer. For purposes of this rule, the accountable body or responsible person acts as an oversight body that performs a compliance function. In this respect, and as we stated in the OIG Proposed Rule, we believe the accountable body or responsible person would be well-positioned to identify program integrity issues and to initiate action to address them, as necessary and appropriate. VBEs may elect to have designated compliance officers if they so wish.

Comment: A commenter asked whether the accountable body and VBE participants should expect a higher degree of auditing and oversight from OIG than entities not involved in a value-based enterprise.

Response: OIG provides independent and objective oversight of the programs and operations of the Department. We anticipate that individuals and entities that are part of a value-based enterprise will be subject to OIG’s program integrity and oversight activities to the same extent as other individuals and entities that receive Federal health care program funds or treat Federal health care program beneficiaries.

Comment: Some commenters supported a requirement for the accountable body or responsible person to have a duty of loyalty to the VBE, particularly for accountable bodies serving larger VBEs. The commenters asserted that a duty of loyalty would be appropriate given the lack of programmatic oversight as compared to CMS-sponsored models and would help reduce certain risks (e.g., stinting on care or providing medically unnecessary care). Other commenters suggested that the accountable body should have a duty of loyalty to the patients within the VBE.

Multiple commenters opposed requiring the accountable body or responsible person to have a duty of loyalty to the VBE, stating that it would create conflicts of interest for accountable body members that are, or are employed by, a VBE participant. Some commenters asserted that a duty of loyalty would necessitate the use of a third-party entity to serve as the accountable body, which could be cost prohibitive for small and rural providers, while others noted that large VBE participants may be unwilling to cede oversight responsibilities to an independent third party. A commenter proposed an alternative requirement for the accountable body or responsible person to act in furtherance of the VBE’s value-based purpose(s).

Response: We are not requiring the accountable body or responsible person to have a duty of loyalty to the VBE because we agree with commenters that a duty of loyalty often could create conflicts of interest for VBE participants and employees of VBE participants who otherwise would serve as members of the accountable body. We also agree that a duty of loyalty requirement could necessitate the use of independent third parties to serve as the accountable body, which could be cost prohibitive for smaller VBEs. While we are not implementing a requirement for the accountable body or responsible person to have a duty of loyalty or to act in furtherance of the VBE’s value-based purpose(s), we believe the accountable body or responsible person necessarily must act in furtherance of the VBE’s value-based purpose(s) to fulfill its oversight responsibilities. Parties are free to include this duty in their contractual arrangements.

Comment: A commenter asked OIG to require the accountable body to submit data to the Department to demonstrate continued compliance with the applicable safe harbor and progress in improving outcomes and reducing costs. A commenter also asserted that OIG should require the accountable body or responsible person to implement a process for patients to express concerns and for the VBE to resolve such concerns, and others recommended that OIG ensure that VBE participants secure informed consent for each patient treated within a VBE.

Response: We are not requiring accountable bodies or responsible persons to submit data to the Department for purposes of safe harbor compliance because we do not think the program integrity benefits of requiring data submission for safe harbor compliance would outweigh the administrative burden on both the government and the individuals and entities serving as accountable bodies or responsible persons. Notwithstanding the foregoing, we remind readers that OIG provides independent, objective oversight of HHS programs. Nothing in this rule changes OIG’s authorities to request data for its oversight purposes. In addition, and as explained further below in section III.3.n.v, OIG will continue to evaluate whether to modify the care coordination arrangements safe harbor in the future to include a requirement that the VBE affirmatively submit certain data or information.

Due to administrative burden concerns, we are not requiring the accountable body or responsible person to implement a process for patients to express concerns or ensure that VBE participants secure informed consent for each patient treated within a VBE. Such requirements may be useful processes for VBEs to consider in ensuring safe harbor compliance.

iii. Governing Document

Comment: Commenters expressed general support for a governing document requirement. Some commenters asked whether the written document forming the value-based arrangement could also constitute the governing document, and another commenter questioned whether an existing payor contract could serve as a governing document. Another commenter requested that OIG permit a collection of documents to constitute a governing document.

Response: A single document could constitute both the VBE’s governing document and the writing required for a value-based arrangement so long as it includes all of the requisite requirements for each writing. In addition, an existing payor contract could qualify as a governing document so long as it describes the value-based enterprise and how the VBE participants intend to achieve the VBE’s value-based purpose(s). However, we decline to permit a governing document for a VBE to be set forth in multiple writings. We permit the writing requirement in each new value-based safe harbor to be satisfied by a collection of writings because each party to a value-based arrangement must sign the writing; in contrast, the governing document of the VBE does not require any signatures. Creation of one governing document, that may be amended over time as the value-based activities, VBE participants, or other features of the VBE evolve, will help ensure that there is a clearly identifiable governance structure for the VBE.

Comment: Some commenters expressed concern that the requirement for a VBE to have a governing document could be burdensome, particularly for small and rural practices and practices serving underserved areas. Another commenter requested a checklist or model terms for a governing document, and another commenter asked for clarification of requirements for the document.

Response: We appreciate commenters’ concerns regarding the burden that developing a governing document may place on certain individuals or entities. We are finalizing the proposed definition of “value-based enterprise,” which does not prescribe a specific format or content for the governing document, other than it must describe the VBE and how the VBE participants intend to achieve its value-based purpose(s). This definition is designed to be flexible so that small and rural practices and practices serving underserved areas wishing to establish VBEs can craft governing documents appropriate to their size and the nature of their VBE. We anticipate that VBEs of different sizes and purposes will have different types of governing documents with different terms. The core requirement is that the governing document must describe the value-based enterprise and how the VBE participants intend to achieve the VBE’s value-based purpose(s), regardless of the format of the document. This definition offers parties significant flexibility to craft a value-based enterprise and a governing document commensurate with the scope and sophistication of the VBE.

As we stated in the preamble to the OIG Proposed Rule, the governing document requirement provides transparency regarding the structure of the VBE, the VBE’s value-based purpose(s), and the VBE participants’ roadmap for achieving the purpose(s). We do not believe a checklist for creating a governing document is necessary because the requirements for the governing document are set forth in the definition of “value-based enterprise,” itself. In addition, we decline to provide model terms because they could inhibit parties from developing terms that appropriately reflect the unique nature and circumstances of their value-based enterprises.

b. Value-Based Arrangement

Summary of OIG Proposed Rule: We proposed to define the term “value-based arrangement” to mean an arrangement for the provision of at least one value-based activity for a target patient population between or among: (i) The value-based enterprise and one or more of its VBE participants; or (ii) VBE participants in the same value-based enterprise. This proposed definition reflected our intent to ensure that each value-based arrangement is aligned with the VBE’s value-based purpose(s) and is subject to its financial and operational oversight. It further reflected our intent for the value-based arrangement’s value-based activities to be undertaken with respect to a target patient population.

We noted in the OIG Proposed Rule that we were considering whether to address a concern about potentially abusive practices that could be characterized as the coordination and management of care by precluding some or all protection under the proposed value-based safe harbors for arrangements between entities that have common ownership, either through refinements to the definition of “value-based arrangement” or by adding restrictions on common ownership to one or more of the proposed safe harbors at paragraphs 1001.952(ee), (ff), or (hh).

Summary of Final Rule: We are finalizing, with modification, the definition of “value-based arrangement.” We are modifying the regulatory text to clarify that only the value-based enterprise and one or more of its VBE participants, or VBE participants in the same value-based enterprise, may be parties to a value-based arrangement. We are not precluding protection for arrangements between entities that have common ownership in the definition of “value-based arrangement,” nor in the individual safe harbors.

Comment: Many commenters supported the proposed definition of “value-based arrangement” and, in particular, appreciated the flexibility afforded by the definition, which the commenters posited will allow parties to design a range of arrangements that may qualify for protection under the value-based safe harbors, including arrangements between two providers that include only a single value-based activity. Commenters also supported our proposal in the OIG Proposed Rule that the definition covers commercial and private insurer arrangements.

Response: We reiterate in this final rule that the definition of “value-based arrangement” is broad enough to capture commercial and private insurer arrangements. The definition is intended to afford parties significant flexibility. In addition, in response to comments, we are modifying the definition text to clarify our intent that “value-based arrangement” capture arrangements for care coordination and certain other value-based activities among VBE participants within the same VBE, as indicated in the OIG Proposed Rule,^[13] by revising the definition so that the value-based arrangement may only be between: (i) The value-based enterprise and one or more of its VBE participants; or (ii) VBE participants in the same value-based enterprise.

We emphasize that qualification as a value-based arrangement is necessary, but not sufficient, to protect remuneration exchanged pursuant to that arrangement; all conditions of an applicable safe harbor must be met.

Comment: A commenter opposed the definition of “value-based arrangement,” expressing concern that it is too broad and vague and could be used as a mechanism to force the exclusive use of a particular product or particular provider. In addition, the commenter believed the definition could allow health care entities to engage in abusive practices by using a value-based safe harbor to funnel remuneration under the guise of a value-based arrangement.

Response: We have addressed the commenter’s concern with respect to exclusive use through a condition in the care coordination arrangements safe harbor at paragraph 1001.952(ee). We acknowledge and agree with the commenter’s concern that parties might engage in abusive practices under the guise of a value-based arrangement; to that end, we have included robust safeguards in each value-based safe harbor to mitigate these concerns.

Comment: A commenter requested clarification as to whether current arrangements would be affected and would need to be restructured to meet the definition of a “value-based arrangement.”

Response: There is nothing in this final rule that requires parties to an existing arrangement to restructure that arrangement to meet the new definition of a “value-based arrangement.” Parties to an existing arrangement that wish to rely on the protection of one of the value-based safe harbors may want to review their arrangement to assess whether it fully meets the definition of a “value-based arrangement” and, thus, could be eligible for protection under a value-based safe harbor if all safe harbor conditions are met.

Comment: Several commenters requested clarification regarding the statement in the OIG Proposed Rule that the definition of “value-based arrangement” is intended to capture arrangements for care coordination and certain other value-based activities among VBE participants within the same VBE.^[14] Specifically, commenters requested clarification regarding how this statement corresponds with the requirement in each proposed value-based safe harbor that the value-based arrangement have as a value-based purpose the coordination and management of care.

Response: The definition of “value-based arrangement” and the requirements for protection under the value-based safe harbors are consistent when read together. The term “value-based arrangement” means an arrangement for the provision of at least one “value-based activity” for a target patient population. The definition does not specify which value-based purpose(s) the value-based activity (or activities) must be designed to achieve. In this respect, the definition of “value-based arrangement” is broader than the requirements of some of the value-based safe harbors.

Value-based arrangements are not de facto safe harbor protected. Rather, an arrangement that meets the definition of a “value-based arrangement” is eligible to seek protection in a value-based safe harbor. For safe harbor protection, it must squarely satisfy all safe harbor conditions. For reasons explained elsewhere in this preamble, the care coordination arrangements safe harbor requires a direct connection to the first value-based purpose, the coordination and management of patient care, which is a central focus of this rulemaking. The substantial downside financial risk arrangements safe harbor requires a direct connection to any one of the first three value-based purposes, and the full financial risk arrangements safe harbor requires a connection to any one of the four value-based purposes, in recognition of the parties’ assumption of risk and the lower risk of traditional fee-for-service fraud. The substantial downside financial risk safe harbor and the full financial risk safe harbor, as finalized, do not require a direct connection to the coordination and management of care for the target patient population.

In addition, the definition of “value-based arrangement” is consistent with the definition used in CMS’s final rule. We anticipate this alignment may ease compliance burden for parties.

Comment: A commenter asserted that neither VBEs nor VBE participants should be prohibited from entering into non-disclosure agreements with parties to a value-based arrangement because otherwise parties could use information learned in an arrangement against another party in an anticompetitive manner.

Response: Neither the definition of “value-based arrangement” nor other safe harbor provisions in this final rule preclude parties to a value-based arrangement from entering into non-disclosure agreements.

Comment: Most commenters opposed our proposal to preclude entities under common ownership from protecting remuneration that they exchange under the value-based safe harbors, whether through a change to the definition of “value-based arrangement” or by adding restrictions to one or more of the value-based safe harbors. Commenters asserted that entities under common ownership (e.g., through an integrated delivery system) are often best positioned to improve health outcomes and lower costs through coordinated care. Several commenters also asserted that such a requirement may preclude protection for entities participating in large value-based models, like clinically integrated networks or accountable care organizations. Some commenters also explained that rural and Indian health care providers are frequently operated through common ownership models. Others noted that hospitals in states that restrict direct physician employment often have arrangements with medical groups under common ownership, and another commenter raised concerns about the impact on physician-owned hospitals.

Response: We appreciate commenters’ responses. To address commenters’ concerns, we are not limiting protection for entities under common ownership in this final rule. We continue to be concerned that there is potential for entities under common ownership to use value-based arrangements to effectuate payment-for-referral schemes, but we also believe that the combinations of safeguards we are adopting in the safe harbors should mitigate these risks. For example, the requirement in the care coordination arrangements safe harbor that the value-based arrangement is commercially reasonable, considering both the arrangement itself and all value-based arrangements within the VBE, helps to ensure that the arrangements, taken as a whole, are calibrated to achieve the parties’ legitimate business purposes.

Comment: A commenter raised concerns about the timing of VBE participants entering into value-based arrangements and recommended that VBE participants not be prevented from providing value-based care to patients before a formal value-based arrangement has been executed. The same commenter recommended that we adopt a 90-day grace period for situations of technical non-compliance related to the timing of VBE participants entering into value-based arrangements.

Response: First, we remind readers that failure to comply with a safe harbor provision (or any attendant, defined term) does not mean that an arrangement is per se illegal. Consequently, the value-based safe harbors do not prevent a physician, clinician, or other VBE participant from providing value-based care to patients prior to entering into a value-based arrangement, or at any other time. In addition, the Federal anti-kickback statute, which focuses on the knowing and willful offer, solicitation, payment, or receipt of remuneration in exchange for Federal health care program business, likely would not be implicated by the provision of only clinical care to patients. OIG appreciates that many physicians and others currently furnish value-based care to patients, and nothing in this rule changes their ability to do so. Stakeholders should assess whether arrangements that do not satisfy the definition of “value-based arrangement,” as defined in paragraph 1001.952(ee), implicate the statute. Any arrangements that are not value-based arrangements, as defined, would not qualify for protection under the value-based safe harbors, but could qualify under other safe harbors, depending on the facts and circumstances, or they might not need safe harbor protection. As finalized in this rule, a provider or other individual or entity furnishing value-based care may also become a VBE participant, but the value-based arrangements in which it participates might not need safe harbor protection if they do not implicate the statute.

We are not adopting a 90-day grace period to execute value-based arrangements because it is our belief that it is not necessary. When a VBE participant must execute a value-based arrangement to receive safe harbor protection is based on the writing requirements of each safe harbor. For example, in the care coordination arrangements safe harbor as finalized at paragraph 1001.952(ee), the writing that documents the value-based arrangement must be set forth in advance of, or contemporaneous with, the commencement of the value-based arrangement and any material change to the value-based arrangement. Additionally, the writing may be a collection of documents. These flexibilities allow VBE participants to document their participation in a value-based arrangement with minimal burden. A VBE can add a new VBE participant to an existing arrangement in a separate document that becomes part of the collection of documents for that value-based arrangement.

c. Target Patient Population

Summary of OIG Proposed Rule: We proposed to define “target patient population” as an identified patient population selected by the VBE or its VBE participants using legitimate and verifiable criteria that: (i) Are set out in writing in advance of the commencement of the value-based arrangement; and (ii) further the value-based enterprise’s value-based purpose(s). The proposal would protect only those value-based arrangements that serve an identifiable patient population for whom the value-based activities likely would improve health outcomes or lower costs (or both). In the OIG Proposed Rule, we noted that the definition was not limited to Federal health care program beneficiaries but could encompass, for example, all patients with a particular disease state.

Summary of Final Rule: We are finalizing, without modification, the definition of “target patient population.”

Comment: Many commenters supported our proposed definition of “target patient population,” including our requirement that the identified patient population be selected by the VBE or its VBE participants using “legitimate and verifiable criteria.” However, we received numerous comments about the use of the term “legitimate” to describe the criteria used to identify the target patient population in the proposed regulatory text, as well as the alternative proposal in the preamble to use the term “evidence-based.” Some commenters expressed support for the legitimate criteria standard and stated, for example, that it facilitated a holistic focus on patients’ health. This category of commenters generally expressed opposition to the alternative evidence-based standard, arguing that it is too restrictive and would chill innovative value-based arrangements.

Other commenters opposed the use of the term “legitimate,” stating that the term is ambiguous. Another commenter suggested that OIG enumerate the types of specific behavior that it wishes to preclude in lieu of using the term “legitimate”; as an example, the commenter recommended that we state expressly in the definition of “target patient population” that it would preclude selection criteria designed to avoid costly or non-compliant patients. Multiple commenters requested that OIG provide additional clarification on the scope and application of the term, such as whether it could encompass criteria based on social determinants of health.

Response: We are finalizing the definition of “target patient population,” as proposed, including the “legitimate and verifiable criteria” standard. As stated in the OIG Proposed Rule, we used this standard, and in particular, the term “legitimate,” to ensure the target patient population selection process is based upon bona fide criteria that further a value-based arrangement’s value-based purpose(s), and we confirm that, depending on the facts and circumstances, legitimate criteria could be based on social determinants of health, such as safe housing or transportation needs. We are not including an exhaustive list of legitimate or non-legitimate selection criteria because there are various types of criteria that parties could use to select a target patient population; moreover, some criteria may be legitimate for some value-based arrangements but not for others. For example, as we stated in the OIG Proposed Rule, VBE participants seeking to enhance access to, and usage of, primary care services for patients concentrated in a certain geographic region might base the target patient population on ZIP Code or county of residence. In contrast, a value-based arrangement focused on enhancing care coordination for patients with a particular chronic disease might identify the target patient population based on patients who have been diagnosed with that disease. Other VBE participants, such as a social service organization working in conjunction with a pediatric practice, may identify their target patient population using income and age criteria, e.g., pediatric patients who have a household income below 200 percent of the Federal poverty level and who are below the age of 18, in an effort to boost pediatric vaccination rates in a given community.

We are adopting the proposed “legitimate and verifiable” standard in lieu of the alternative we proposed, which would have required the use of “evidence based” criteria, because we believe requiring “legitimate and verifiable” criteria will afford parties comparatively greater flexibility in determining the target patient population and aligns with CMS’s definition of the same term.

Comment: We received at least two comments requesting that we expressly state in regulatory text that establishing criteria in a manner that leads to cherry-picking or lemon-dropping would not constitute “legitimate and verifiable” selection criteria. These commenters expressed concern that the mere promise by VBE participants not to engage in such behavior would be sufficient to meet the definition of “target patient population” and receive safe harbor protection. Another commenter urged that OIG clarify the regulatory language to directly address concerns about cherry-picking or lemon-dropping certain patient populations, in order to avoid unnecessary litigation and legal expense.

Response: In response to the commenters’ concerns, we confirm that if VBE participants establish criteria to target particularly lucrative patients (“cherry-picking”) or avoid high-cost or unprofitable patients (“lemon-dropping”), such criteria would not be legitimate for purposes of the target patient population definition. As we stated in the OIG Proposed Rule, if VBE participants selectively include patients in a target patient population for purposes inconsistent with the objectives of a properly structured value-based arrangement, we would not consider such a selection process to be based on legitimate and verifiable criteria that further the VBE’s value-based purposes, as required by the definition.^[15] We are not adopting further modifications to the proposed definition because the definition’s requirement that the criteria be legitimate and verifiable is clear and would not include VBE participants that establish criteria to cherry-pick or lemon-drop patients.

Comment: The vast majority of commenters on this topic opposed our statement in the OIG Proposed Rule that we were considering narrowing the definition of “target patient population” to patients with a chronic condition, patients with a shared disease state, or both. Commenters stated that such an approach would restrict the ability of value-based arrangements to adapt to different communities and patient needs and would ignore the importance of preventive care interventions. For example, a commenter highlighted the fact that many underserved and at-risk patient populations are defined not by chronic conditions or shared disease states but instead are identified by socio-economic, geographic, and other demographic parameters that are synonymous with need, poor outcomes, or increased cost.

Response: We are retaining our proposed definition of “target patient population” and are not narrowing the definition to include only individuals with chronic conditions or shared disease states. We agree with commenters that were we to narrow the definition, we might exclude underserved and at-risk patient populations who would likely benefit from care coordination and management activities. We also recognize and acknowledge that finalizing our proposed definition will allow for value-based arrangements that focus on important preventive care interventions.

Comment: We received a variety of comments on the role of payors in identifying or selecting a target patient population. While some commenters supported requiring payors to select the target patient population, the majority of commenters urged OIG to make their involvement optional. For example, a commenter expressed concern that if OIG were to make payor involvement a requirement, it would impede collaboration between payors and providers. Others expressed uncertainty as to how a requirement that payors select or approve the target patient population would be implemented for Medicare fee-for-service patients and questioned whether CMS would need to affirmatively approve each VBE’s or value-based arrangement’s target patient population selection criteria.

Response: We are persuaded by commenters that it would not be operationally feasible to require payor involvement in the target patient population selection process. Not all value-based enterprises will include a payor as a VBE participant. Accordingly, while we encourage payor involvement in the target patient population selection process, it is not a requirement in this final rule. It is a requirement that the target patient population be selected by a VBE or its VBE participant.

Comment: We received comments requesting wholesale changes to our proposed definition. For example, a commenter recommended that “target patient population” be defined as any set or subset of patients in which the accountable party of a VBE takes significant or full downside risk and is focusing efforts to improve their health and well-being. Another suggested that we eliminate the “target patient population” definition altogether and make the value-based safe harbors provider-, not patient-population-, specific.

Response: We are not adopting the commenter’s alternative definition of “target patient population,” which we did not propose and which would be too narrow to address the use of the term across all of our value-based safe harbors, one of which does not require the VBE participants to take on, or meaningfully share in, any risk. We are also not eliminating the “target patient population” definition in favor of making the value-based safe harbors provider-, not patient-population-, specific because orienting the value-based safe harbors around patients is consistent with the goals of value-based care.

Comment: At least two commenters requested that the definition of “target patient population” afford parties the flexibility to modify the target patient population over time. Another commenter sought clarification that the definition could include patients retroactively attributed to the target patient population. Another commenter urged OIG to adopt a flexible definition but suggested that if OIG narrows its definition, the term should include underserved patients, such as uninsured and low-income patients; patients with social risk factors; and those with limited English proficiency.

Response: The definition of “target patient population” requires, among other criteria, that parties identify a patient population using legitimate and verifiable criteria in advance of the commencement of the value-based arrangement. The selection criteria—not the individual patients—must be identified in advance. Whereas parties seeking to modify their selection criteria may only make such modifications prospectively (and upon amending their existing value-based arrangement), no amendment would be required to attribute patients retroactively to the target patient population, provided such patients meet the selection criteria established prior to the commencement of the value-based arrangement.

Comment: Several commenters sought clarification as to whether a VBE participant’s entire patient population could meet the definition of “target patient population.”

Response: Nothing in the definition precludes the parties to a value-based arrangement from identifying the target patient population as the entire patient population that a VBE participant serves. We recognize that, in limited cases, such broad selection criteria may be appropriate. For example, a VBE may identify all patients in a ZIP Code in order to address an identified population health need specific to that ZIP Code, and it may be that a practice also draws most or all patients from that ZIP Code. Certain specialists, such as geriatricians, might also identify all or most of their patients as needing improved care coordination and management due to their multiple comorbidities and complex care needs. In circumstances where a VBE has assumed full financial risk, as defined in paragraph 1001.952(gg), a VBE might select an even broader target patient population comprised of all patients served by its VBE participants in an effort to more meaningfully control payor costs.

However, we caution that, depending on the value-based arrangement, selecting a target patient population by selecting the parties’ entire patient population would need to be closely scrutinized for compliance with the definition to ensure that such broad selection criteria is “legitimate” and necessary to achieve the arrangement’s value-based purpose.

Comment: Multiple commenters requested that OIG address whether specific categories of patients would be covered by the definition of “target patient population” or provide examples of permissible target patient populations. For example, commenters requested confirmation that a target patient population could include all patients covered by a certain payor, such as Medicare. Another commenter expressed concern that transient patient populations who may have different providers in different geographic locations would not be covered by the definition.

Response: As described above, a target patient population based on patients who have been diagnosed with a particular disease could, based on the specific selection criteria, be a permissible target patient population. Whether a particular patient population, including transient patient populations with different providers in different geographic locations, meets the definition of “target patient population” is a fact-specific determination that turns on whether the VBE participants used legitimate and verifiable selection criteria and met the other requirements set forth in the definition. While there may be circumstances, e.g., the assumption of full financial risk (as defined in paragraph 1001.952(gg)), where a VBE identifies all of the patients of a particular payor as the target patient population, we caution that relying on this criterion, without sufficient justification for such a broad approach, could raise questions regarding whether it is legitimate or, instead, is a way to capture referrals of, for example, Medicare business.

d. Value-Based Activity

Summary of OIG Proposed Rule: We proposed to define “value-based activity” as any of the following activities, provided that the activity is reasonably designed to achieve at least one value-based purpose of the value-based enterprise: (i) The provision of an item or service; (ii) the taking of an action; or (iii) the refraining from taking an action. We further proposed that the making of a referral is not a value-based activity.

Summary of Final Rule: We are finalizing, without modification, the definition of “value-based activity.” OIG’s final definition of “value-based activity” differs from the definition in the CMS Final Rule because CMS does not specify that the making of a referral is not a value-based activity. As explained in CMS’s final rule, CMS has not included a comparable restriction because of the physician self-referral law’s separate definition of referral.

Comment: Many commenters supported the definition of “value-based activity,” as proposed. Several commenters asked OIG to clarify the definition of “value-based activity” further by specifying what activities would or would not qualify as value-based; how VBEs would demonstrate that the activities they select are reasonably designed to achieve a value-based purpose; and what it means to refrain from taking an action. A few commenters asked whether providing services to patients constitutes a value-based activity.

Response: The term “value-based activity” is intended to be broad and to include the actions parties take or refrain from taking pursuant to a value-based arrangement and in furtherance of a value-based purpose. By way of example, where a VBE participant offeror provides a type of health technology under a value-based arrangement for the recipient to use to track patient data in order to spot trends in health care needs and to improve patient care planning, the provision of the health technology by the offeror would constitute a value-based activity, and the use of the health technology by the recipient to track patient data would constitute a value-based activity. If the remuneration a VBE participant offeror provides is care coordination services, a value-based activity might be the recipient working with a care coordinator provided by the offeror to help transition certain patients between care settings. Giving something of value to patients, such as a fitness tracker, also may constitute a value-based activity if doing so is reasonably designed to achieve a value-based purpose. However, we note that, where VBE participants exchange remuneration that the recipient VBE participant then transfers to its patients (for example, where one VBE participant provides fitness trackers to another VBE participant, who in turn furnishes the fitness tracker to the patient), the care coordination arrangements safe harbor would be available only to protect the remuneration exchanged between the VBE participants. The parties may look to the patient engagement and support safe harbor to protect the remuneration from the VBE participant to the patient. An inaction that constitutes a value-based activity might be refraining from ordering certain items or services in accordance with a medically appropriate care protocol that reduces the number of required steps in a given procedure. This final rule does not prescribe how parties prove that a particular action or inaction constitutes a value-based activity. Similarly, it is incumbent on the parties to demonstrate that they selected value-based activities that are reasonably designed to achieve a value-based purpose. Both of these analyses would be fact-specific determinations.

Comment: A commenter asked whether this definition could be combined with the definition of “value-based purpose” to reduce administrative complexity. Another commenter asserted that the definition of “value-based activity” should recognize the importance of maintaining patient care and outcomes at an acceptable level.

Response: We are finalizing the definition of “value-based activity,” as proposed, and are not combining it with the definition of value-based purpose. In our view, separate definitions do not increase administrative complexity, and we have coordinated terminology with CMS to reduce complexity. We are not changing the definition of “value-based activity” to include the maintenance of patient care and outcomes at an acceptable level because the definition of “value-based activity” is tied to the definition of “value-based purpose,” which sets forth four purposes toward which parties may be striving pursuant to value-based arrangements. While maintaining patient care and outcomes at an acceptable level is clearly desirable, we note that doing so, without more, is not one of the four value-based purposes needed to establish a VBE for this rulemaking.

Comment: Many commenters supported the alternate proposal to expressly exclude any activity that results in information blocking from the definition of “value-based activity.” A commenter recommended that, if OIG expressly excludes information blocking from the definition of “value-based activity,” OIG should do so by referencing only statutory definitions and requirements in the Cures Act and not those set forth in ONC’s proposed rule, whereas another commenter noted that, as an alternative to expressly excluding information blocking activities in the definition of “value-based activity,” OIG could assume that information blocking will no longer be tolerated and leave the enforcement of information blocking restrictions to the regulation finalized in 45 CFR part 171.

Response: The final rule does not include the proposed language regarding information blocking. Regardless of whether parties seek safe harbor protection, if parties to value-based arrangement are subject to the regulations prohibiting information blocking, they must comply with those regulations. This final rule does not change the individuals and entities subject to the information blocking prohibition in 45 CFR part 171.

Comment: A commenter expressed concern that the definition of “value-based activity” is too broad and vague and that VBE participants will characterize abusive remuneration-for-referral arrangements as value-based activities. The commenter suggested requiring that an activity achieve a value-based purpose, as opposed to requiring that an activity be reasonably designed to achieve a value-based purpose.

Comments varied regarding how to interpret whether an activity is “reasonably designed” to achieve a value-based purpose. While a commenter supported interpreting “reasonably designed” to mean that the value-based activities are expected to further one or more value-based purposes, another commenter suggested that such a determination be based on all relevant facts and circumstances. Other commenters recommended establishing a rebuttable presumption that value-based activities are reasonably designed to meet their stated value-based purpose. Another commenter urged OIG to require that value-based activities be directly connected to and directly further the coordination and management of care; not interfere with the professional judgment of health care providers; not induce stinting on care; and not incentivize cherry-picking lucrative or adherent patients or lemon-dropping costly or noncompliant patients.

Lastly, while at least one commenter supported a requirement for parties to use an evidence-based process to design value-based activities, several commenters opposed this requirement, stating that such a standard would be too rigorous and would restrict innovative activities.

Response: We are finalizing our definition as proposed. We intentionally crafted a broad definition of “value-based activity” to encourage parties to innovate when developing these activities. For that reason, we are not requiring that an activity achieve a value-based purpose but rather are requiring that a value-based activity be reasonably designed to achieve a value-based purpose. By “reasonably designed,” we mean that parties should fully expect the value-based activities they develop to further one or more value-based purposes. Because any such determination would be fact specific, we do not believe it is appropriate to establish a rebuttable presumption that value-based activities are reasonably designed to meet their stated value-based purpose, as suggested by a commenter.

We note that, while this definition offers parties significant flexibility, it is not intended to facilitate parties’ attempts to mask fraudulent referral schemes presented under the guise of a value-based activity. We highlight that the definition provides that merely making a referral, without more, is not a value-based activity for purposes of this rule.

Lastly, we do not intend for the value-based safe harbors to protect activities that inappropriately influence clinical decision-making, induce stinting on care, or lead to targeting particularly lucrative patients or avoiding high-cost or unprofitable patients. We have incorporated a range of safeguards in the safe harbors that are designed to guard against these abusive practices. In light of these safeguards, we do not believe that revisions to the definition of “value-based activity” are necessary.

Comment: Several commenters asked OIG to clarify what differentiates care coordination services from inappropriate referrals and to modify the definition to make clear that a referral could be one part of a broader value-based activity. Some commenters expressed concern that the definition of “value-based activity” prohibits safe harbor protection for value-based arrangements in which payments or other remuneration depend, in part, on referrals made within a preferred provider network. A commenter asked whether documenting that a referral was made and the reason for the referral would constitute a “value-based activity.”

Response: Making referrals, or documenting reasons for referrals, would not constitute value-based activities. Parties to a value-based arrangement may make referrals and document the reasons for the referrals as part of a value-based arrangement without losing safe harbor protection under an applicable safe harbor, but the parties also must be performing one or more value-based activities. Thus, making referrals or documenting reasons for referrals, without also engaging in a value-based activity, would not be sufficient to meet the requirements of the definition because making referrals is not itself a value-based activity. Absent at least one value-based activity, parties would not have a viable value-based arrangement and would thus not be eligible for any of the value-based safe harbors.

The provision excluding referrals from the scope of value-based activities is not intended to interfere with preferred provider networks; rather, we intend to require parties to engage in activities other than making referrals, such as coordinating care plans across providers for a target patient population, to be eligible for safe harbor protection.

e. VBE Participant

Summary of OIG Proposed Rule: We proposed to define “value-based enterprise participant” or “VBE participant” as an individual or entity that engages in at least one value-based activity as part of a value-based enterprise. Based on historical concerns regarding fraud and abuse risk and our understanding that certain types of entities were less critical to coordinated care, we proposed that the term “VBE participant” would not include a pharmaceutical manufacturer; a manufacturer, distributor, or supplier of durable medical equipment, prosthetics, orthotics, or supplies; or a laboratory. We stated that we were considering and thus seeking comments as to whether other types of entities should also be ineligible, including pharmacies (including compounding pharmacies), PBMs, wholesalers, distributors, and medical device manufacturers. As a result of this proposed definition, these entities would not be able to participate in VBEs or seek protection under the value-based safe harbors or the patient engagement and support safe harbor.

We stated our intent to offer safe harbor protection for remuneration exchanged by companies that offer digital technologies to physicians, hospitals, patients, and others for the coordination and management of patients and their health care. We recognized that companies providing these technologies may be new entrants to the health care marketplace or may be existing companies such as medical device manufacturers. We explained that we would consider for the final rule several ways to effectuate our desire to ensure safe harbor protection for remuneration exchanged by health technology companies, including through modifications to the value-based terminology; distinctions drawn among entities based on product-types or other characteristics; or modifications to the safe harbors themselves.

In the OIG Proposed Rule, we considered and solicited comments on potential additional safeguards to incorporate into the value-based safe harbors to mitigate risks of abuse that might be presented should a broader range of entities be eligible to enter into value-based arrangements, including restrictions on the parties’ use of exclusivity and minimum purchase requirements.

For additional background and rationale for our proposals, we refer readers to the discussion of the definition of “VBE participant” in the OIG Proposed Rule.^[16]

Summary of Final Rule: We are finalizing, with modifications, the definition of “VBE participant.” We are finalizing our proposed policy that a “VBE participant” is an individual or entity that engages in at least one value-based activity as part of a value-based enterprise. We are not finalizing our proposed regulatory text to make certain entity types ineligible under the definition of “VBE participant.” However, we are finalizing our proposed policy to make certain entities ineligible for safe harbor protection under the value-based safe harbors and the patient engagement and support safe harbor (see section III.B.e.ii for details). We are also finalizing our proposed policy to protect some arrangements involving digital health technologies provided by certain entities that would otherwise be ineligible for safe harbor protection (see section III.B.e.iii).

To effectuate these objectives, we are finalizing a different approach to the definition of “VBE participant” in the following four respects.

First, we are revising the definition of “VBE participant” to allow all types of individuals (other than patients) and entities to be VBE participants. This revision makes our definition more similar to CMS’s corresponding definition and removes a potential impediment to existing organizations that wish to qualify as VBEs but may include types of entities we proposed to disallow as VBE participants. We now define the term “VBE participant” to mean an individual or entity that engages in at least one value-based activity as part of a value-based enterprise, other than a patient when acting in their capacity as a patient. This does not, however, mean that every VBE participant will receive protection under the applicable safe harbors; it is intended to avoid a barrier to the formation and operation of the VBE itself. The new definition also makes clear that patients cannot be VBE participants, consistent with our intent in the OIG Proposed Rule. Entities seeking safe harbor protection for remuneration provided to patients should look to the patient engagement and support safe harbor for protection, not to the value-based safe harbors.

Second, rather than making certain entities ineligible under the definition of “VBE participant,” as described in the OIG Proposed Rule, the final rule takes a different approach to achieve the proposed policy to make some entities ineligible for safe harbor protections. In the final rule, within each value-based safe harbor (and the patient engagement and support safe harbor, as discussed further at section III.B.6), we identify entities that are not eligible to rely on the safe harbor to protect remuneration exchanged with a VBE or other VBE participants. Specifically, the value-based safe harbors each include an ineligible entity list. Remuneration exchanged by entities on the list in each safe harbor is not eligible for protection under the safe harbor.

The following entities are included on the ineligible entity lists in all of the value-based safe harbors: (i) Pharmaceutical manufacturers, distributors, and wholesalers (referred to generally throughout this preamble as “pharmaceutical companies”); (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs (sometimes referred to generally in this rule as “compounding pharmacies”); (v) manufacturers of devices or medical supplies; (vi) entities or individuals that sell or rent DMEPOS, other than a pharmacy or a physician, provider, or other entity that primarily furnishes services, all of which remain eligible (referred to generally throughout this preamble as “DMEPOS companies”); and (vii) medical device distributors or wholesalers that are not otherwise manufacturers of devices or medical supplies (for example, some physician-owned distributors).

Third, we proposed to address safe harbor protection for technology companies by considering how and whether they could fit in the definition of a VBE participant. In the final rule, we instead focus on safe harbor protection for the remuneration exchanged with or by them. Specifically, the care coordination arrangements safe harbor at paragraph 1001.952(ee) permits protected remuneration in the form of digital health technology (or other technologies) exchanged between VBE participants eligible to use the safe harbor. To address protection under this safe harbor for arrangements with manufacturers of devices and medical supplies and DMEPOS companies that involve digital health technology, we have taken a tailored, risk-based approach. Manufacturers of devices and medical supplies and DMEPOS companies that are otherwise ineligible for the value-based safe harbors are nonetheless eligible to rely on the care coordination arrangements safe harbor for digital health technology arrangements that meet all safe harbor conditions, including an additional one. Under this pathway, we define “limited technology participant” to include, as further discussed below, a manufacturer of a device or medical supply or a DMEPOS company that is a VBE participant that exchanges digital health technology with another VBE participant or a VBE.

Our revised approach effectively divides the universe of VBE participants into three categories: (i) VBE participants that are eligible to rely on the value-based safe harbors for all types of arrangements that meet safe harbor conditions; (ii) limited technology participants that are only eligible to rely on the care coordination arrangements safe harbor for arrangements involving digital health technology; and (iii) VBE participants that are ineligible to rely on any of the value-based safe harbors for any types of arrangements. The first category is the default category, capturing all entities and individuals who are not expressly included in the second and third categories. For a discussion of ineligible entities and the treatment of digital health technology under the patient engagement and support safe harbor, see the discussion in section III.B.6.b and f. For a discussion of ineligible entities under the personal services and management contracts and outcomes-based payments safe harbor, see sections III.B.10.c and d.

Fourth, to address heightened risk of fraud and abuse and to help ensure that protected remuneration meets the policy goals of this rulemaking, we require that the exchange of digital health technology by a limited technology participant is not conditioned on any recipient’s exclusive use of, or minimum purchase of, any item or service manufactured, distributed, or sold by the limited technology participant. Rather than finalizing this condition in the definition of a VBE participant as contemplated in the OIG Proposed Rule, this is now a separate condition at paragraph 1001.952(ee)(8).

i. Approach To Defining “VBE Participant”

Comment: While we received some support for our proposed definition of “VBE participant,” many commenters expressed concerns regarding the proposed categorical exclusion of certain entities. Several commenters asserted that no entities should be precluded from participating in value-based arrangements, and many encouraged us to adopt an alternative approach based on product type, company structure, fraud risk, the legitimacy of the party’s objectives and deliverables, or other features. Commenters also noted that many existing value-based arrangements include entities that we were considering making ineligible to be a VBE participant. Another commenter asserted that allowing entities to participate as VBE participants will incentivize them to understand and expand cost mitigation strategies, which will help lower the cost of care. Others emphasized that the health care industry is highly dynamic, with frequent corporate transactions. They expressed concern that an entire value-based arrangement may inadvertently fall out of compliance with a safe harbor because one VBE participant acquires an entity that is not eligible to be a VBE participant. Other commenters supported placing exclusions directly in the safe harbor, rather than in the definition, to create greater flexibility. A commenter recommended that OIG create a new defined term, “VBE partner,” to designate individuals and entities that provide social determinants of health support and services at the direction of a VBE or VBE participant but are not themselves part of the VBE. According to the commenter, this would allow many services providers, such as rideshare companies, social service organizations, and foodbanks that already have direct partnerships with a VBE participant to participate in protected arrangements without having to become full participants in a VBE.

Response: We recognize that there may be benefits to allowing all entities to participate as VBE participants, and we also appreciate the concerns raised by these commenters. In response to comments, our revised approach, in which any individual (other than a patient) or entity is eligible to be a VBE participant, will alleviate many of them.

In the OIG Proposed Rule, we described several approaches we were considering for determining entities that could be VBE participants in the final rule and, as such, able to rely on the value-based safe harbors. We are adopting the approach of making entities ineligible under the value-based safe harbors rather than through the definition of “VBE participant.” This approach allows for closer alignment with CMS’s terminology, addresses concerns about unintended impacts of otherwise ineligible VBE participants on the makeup of a VBE, and does not impede VBEs from engaging in a wide range of value-based payment and delivery arrangements, regardless of whether those arrangements qualify for safe harbor protection. By addressing eligibility in specific safe harbors rather than through the VBE participant definition, the final rule creates flexibility for all health care stakeholders to be part of a VBE and reduces any need for parties to form VBEs structured solely for purposes of using the new safe harbors. This approach also facilities our final policy on providing safe harbor protection for digital health technology arrangements with limited technology participants (described in more detail later).

While all entities are eligible to be VBE participants, each value-based safe harbor and the patient engagement and support safe harbor incorporates a list of entities that are ineligible for safe harbor protection. As discussed in greater detail below, we determined which entities should be ineligible based on multiple factors, including the extent to which the entities are involved in front line care coordination and program integrity concerns.

Under this final rule, a VBE will not cease to meet the definition of a “VBE” solely because a VBE participant merges with or acquires a different type of entity or develops a new business line. Nor would a VBE participant necessarily cease to be eligible to use a value-based safe harbor solely because it acquires an entity that is not eligible. To the extent a transaction causes a VBE participant to become an ineligible entity, the safe harbor would no longer be available to protect any remuneration exchanged by that entity under a value-based arrangement.

Consistent with the OIG Proposed Rule discussion of alternatives for determining which entities are eligible and ineligible for safe harbor protection, we have adopted a risk-based, policy-focused approach to determine the scope and applicability of the final safe harbors. With respect to the ineligible entities in the value-based safe harbors, those entities are identified based on a number of attributes, including the products and services they offer, how they structure their business, and the extent to which they are on the front line of care coordination and treatment decisions. In the care coordination arrangements safe harbor, we further distinguish among entities in part on the basis of product or arrangement type. These considerations are directly related to the goals of the Regulatory Sprint and the design of the conditions in each safe harbor to protect against fraud and abuse.

With respect to the recommendation that we create a new category of “VBE partners,” we are not adopting this suggestion. The proposed and final value-based safe harbors were and are designed for value-based arrangements between VBEs and one or more of their VBE participants or between or among VBE participants in the same VBE. The ability to determine with specificity which individuals and entities are in a VBE and which are not enhances transparency, certainty, and accountability for arrangements seeking safe harbor protection. Social services agencies, rideshare companies, foodbanks, and others are eligible to be VBE participants if they wish for their arrangements to be eligible for protection under the value-based safe harbors. If for any reason they do not wish to be VBE participants or cannot become VBE participants, nothing in this rule would prevent them from engaging in care coordination or other arrangements that do not fit in these new safe harbors. In some cases, the arrangements might fit in other safe harbors, such as the local transportation safe harbor (e.g., for rideshare arrangements). For other arrangements, the parties would need to review the specific facts of the arrangement, including the intent of the parties, to ensure compliance with the Federal anti-kickback statute.

Notably, if there is nothing of value given by a social services agency or foodbank, for example, to an individual or entity in exchange for or to induce or reward referrals of items or services for which payment may be made under a Federal health care program, the statute would not be implicated. We would expect this to be the case for many social services agencies, foodbanks, and other entities that provide social services, food, or other supports to patients and (1) do not bill Federal health care programs and (2) do not refer Federal health care patients to health care providers for reimbursable services or otherwise recommend or arrange for such services.

Comment: Several commenters requested that we either confirm in the preamble, or revise the definition of “VBE participant” to state expressly, that certain types of entities or providers, such as retail health clinics, charitable clinics and pharmacies, federally qualified health centers, credentialed orthotists and prosthetists, payors, physician shareholders and employees of medical groups, and non-traditional health care entities, among others, qualify as VBE participants.

Response: Under our revised definition of a “VBE participant,” all types of entities can be VBE participants. Entities would need to refer to the specific safe harbors to determine whether they are eligible to rely on the safe harbor.

Comment: Some commenters noted that CMS’s proposed value-based terminology does not make any entities ineligible to be a VBE participant.

Response: Our final definition of “VBE participant” is aligned with CMS’s definition, with the exception of a detail around the use of the term “individual” in our rule and “person” in CMS’s rule and our policy that patients may not be VBE participants. The “individual” versus “person” verbiage relates to the difference in language used elsewhere in the two regulatory schemes and promotes overall consistency across safe harbors for OIG and exceptions for CMS.

For clarity, we have included an express statement in regulatory text, not included in CMS’s definition, carving patients out of the definition of “VBE participant.” This carve out would extend to the patient’s family members or others acting on the patient’s behalf, consistent with the approach we take elsewhere in this final rule with respect to the coordination and management of care with patients. The context and framework of the value-based provisions in the OIG Proposed Rule made clear that we did not intend patients to be VBE participants who could engage in value-based arrangements under the value-based safe harbors. In the proposed regulations, we described VBE participants as engaging in at least one value-based activity as part of a VBE and being part of at least one value-based arrangement to provide at least one value-based activity for a target patient population. The role of VBE participants in health care business activities of VBEs is not a role assumed by patients and families, who play a critical role in patient care in other ways. Our modification in the final rule clarifies this point.

Under our proposed rule and this final rule, VBE participants providing remuneration to patients would look to the patient engagement and support safe harbor for protection, not to the value-based safe harbors. Our reference to “individuals” in the proposed definition was meant to capture physicians, nurses, and other practitioners, providers, and suppliers in the health care ecosystem involved in caring for patients. Our revised regulatory text recognizes that all individuals will likely be a patient at one point or another and that our carve-out of patients is limited to patients when acting in their capacity as patients. In other words, a physician remains eligible to be a VBE participant even if he or she is also sometimes a patient.

Comment: Several commenters encouraged us to consider requiring additional safeguards within each safe harbor to address concerns regarding particular types of entities, rather than categorical exclusions from the definition of “VBE participant.” Others opposed applying additional safeguards, believing the existing safeguards in the OIG Proposed Rule were sufficient for all types of entities.

Response: For reasons noted above, including input from comments, we are not adopting categorical exclusions from the definition of “VBE participant.” Instead, relying on factors such as fraud and abuse risk and level of participation in front line care of patients, we identify certain entities as ineligible for protection in specified safe harbors, and include a tailored additional condition for certain high-risk entities engaged in arrangements involving digital health technology. The entities that are ineligible for protection and the rationale for carving them out are addressed in greater detail below in response to comments specific to these entities. We also provide greater detail below regarding the entity-specific safeguard we are adopting in the care coordination arrangements safe harbor for arrangements involving digital health technology.

Comment: Several commenters challenged OIG’s assertion that its history of law enforcement activities involving certain types of entities should form the basis for whether entities are entitled to protection under the value-based safe harbors. Some of these commenters noted that many other types of parties, including hospitals and physicians, have likewise been the subject of enforcement actions. Others asserted that the past bad acts of a few should not dictate the future compliance risks of the many, particularly where many of the historic enforcement actions resulted in settlements without admission of guilt, rather than actual convictions.

Response: We agree with the commenters that the bad acts of the few should not dictate the compliance risks of the many. We proposed and are finalizing new safe harbors intended to aid the majority of stakeholders that are honest and trying to do the right thing for patients and the health care system. The fact that an entity type is categorically ineligible for safe harbor protection does not mean that all entities in the category are bad actors. In crafting the value-based safe harbors, we have balanced new flexibility under a criminal statute with protections where we identified elevated risk of fraud and abuse. Our experience investigating fraud and enforcing the anti-kickback statute necessarily informs our approach to establishing safe harbors for specific payment practices consistent with the criteria set forth at section 1128D(a)(2) of the Act (safe harbor authority under the Federal anti-kickback statute). Our enforcement and oversight work offer insights into common fraud schemes, trends, and methods used by bad actors to circumvent rules. In bringing this experience to bear, we considered multiple types of entities and arrangements that have been the subject of our work. The risk of fraud and abuse is one factor in determining the types of entities eligible for protection under the safe harbors. Others include, for example, the degree of participation of the entity type in the care coordination arrangements that are central to this rulemaking and the level of need for the entity type to have safe harbor protection to effectuate the policy goals of the Regulatory Sprint. We acknowledged in the OIG Proposed Rule and reiterate here that the new safe harbors do not address all beneficial value-based arrangements.

Comment: A commenter requested confirmation that the definition of “VBE participant” would not bar an integrated delivery system from creating a value-based arrangement within its own system.

Response: There is nothing in the definition of “VBE participant” that would preclude an integrated delivery system from creating a value-based arrangement within its own system.

Comment: A commenter requested that OIG make clear that the safe harbors do not preclude entities that are ineligible to be VBE participants from contributing to value-based activities or contracting with VBEs.

Response: We believe our revised approach, where all entities are eligible to be a VBE participant, addresses the commenter’s concern. We wish to clarify further that the value-based safe harbors do not prohibit the VBE from entering into contractual arrangements with any type of entity, including an entity that is not a VBE participant. However, an entity that is not a VBE participant will not be eligible for safe harbor protection. Remuneration exchanged by certain types of entities, including non-VBE participants and VBE participants on the carve-out list, will not be protected by a value-based safe harbor, and parties would need to look to other safe harbors to the extent they want to protect it.

Comment: A commenter supported the fact that the proposed definition of “VBE participant” did not require VBE participants to be equity owners of the VBE.

Response: We did not propose requirements related to equity ownership of VBEs. However, we note that the value-based safe harbors do not protect remuneration in the form of ownership interests or returns on those interests.

Comment: A commenter recommended that, if OIG finalizes the definition of “VBE participant” as proposed, it also modify the advisory opinion process so that opinions may be relied upon by parties other than just the requesting party.

Response: Modifying the OIG advisory opinion process is beyond the scope of this rulemaking.

ii. Entities Ineligible for Safe Harbor Protection

The value-based safe harbors deem certain entities ineligible for safe harbor protection. Those entities are: Pharmaceutical companies; PBMs; laboratory companies; compounding pharmacies; manufacturers of devices or medical supplies; DMEPOS companies; and medical device distributors and wholesalers. Notwithstanding, under the care coordination arrangements safe harbor (paragraph 1001.952(ee)), manufacturers of devices and medical supplies and DMEPOS companies are eligible as limited technology participants to protect certain digital health technology arrangements to allow them to participate in such arrangements, along with other types of eligible VBE participants. As explained in more detail below, these distinctions are rooted in a functional approach focusing on the items, services, and products furnished by the different entity types and their roles in care coordination, along with assessment of program integrity risk based on enforcement experience. We aim to balance flexibility to achieve the Regulatory Sprint goals with protection against fraud and abuse.

This preamble section responds to comments about each of these entity types in turn. The outcomes-based payments safe harbor at paragraph (d)(2) and the patient engagement and support safe harbor at paragraph 1001.952(hh) reference these same entities and rely on the same definitions when doing so.

(a) Pharmaceutical Manufacturers, Wholesalers, and Distributors

Comment: Many commenters agreed with our proposal not to include pharmaceutical manufacturers in the definition of “VBE participant.” These commenters articulated a variety of supporting rationales, including that manufacturers are less involved in care coordination and present an increased risk of abusive arrangements. Many other commenters encouraged OIG to allow pharmaceutical manufacturers to participate as VBE participants, arguing, among other things, that manufacturers are well-positioned to contribute to value-based arrangements and that their participation is essential given the role of medications in improving care. For example, commenters noted that manufacturers can leverage data analytics and technology to improve both outcomes measurement and care management. Several commenters also emphasized that manufacturers can provide a variety of services relating to medication adherence, which may play a central role in value-based arrangements by managing care and reducing costs. Commenters also emphasized that manufacturers often know their product best and are thus in an ideal position to bring value through continued involvement.

Response: Under the revised framework we are adopting in this final rule, pharmaceutical companies can be VBE participants, and existing VBEs that include pharmaceutical companies do not need to be restructured for purposes of this rulemaking. However, we are effectuating our intent that pharmaceutical companies would not be eligible to use the value-based safe harbors by including pharmaceutical companies on the ineligible entity list in each safe harbor. We agree with the commenters that pharmaceutical manufacturers are not as likely as other entities to be involved with front line care coordination, and we remain concerned, as noted in the OIG Proposed Rule, about the potential for pharmaceutical manufacturers to use the value-based safe harbors to protect arrangements that are intended to market their products or inappropriately tether clinicians to the use of a particular product rather than as a means to create value by improving the coordination and management of patient care. As a result, protection under the value-based safe harbors does not extend to remuneration that pharmaceutical manufacturers exchange with other VBE participants.

We recognize that pharmaceutical manufacturers can play important roles in delivering efficient, high quality care to patients, including, for example, through medication adherence programs and data sharing. However, like any arrangement that does not qualify for a safe harbor, such arrangements would need to be analyzed for compliance with the anti-kickback statute based on their specific facts, including the intent of the parties. They are not eligible for protection under these new safe harbors.

As noted in the OIG Proposed Rule, we continue to consider the role of pharmaceutical manufacturers in coordinating and managing care as well as how to address value-based contracting and outcomes-based contracting for pharmaceutical products and medical devices, including devices that do not meet the definition of “digital health technology” under this rule.

Comment: Many commenters encouraged OIG to allow pharmaceutical manufacturers to participate in value-based contracting arrangements where they take on financial risk. Several of these commenters specifically supported arrangements where payment for prescription drugs is tied to clinical endpoints or patient outcomes, such as where a manufacturer agrees to provide a full or partial refund on a product if a course of treatment fails to achieve the desired outcome. Other commenters expressed skepticism about value-based contracting and encouraged OIG to adopt safeguards to protect against potentially abusive arrangements. Another commenter suggested that OIG adopt manufacturer-specific safe harbors with a sliding scale of risk. Among commenters who supported protecting value-based contracting, many raised concerns that existing best price requirements in the Medicaid Drug Rebate Program operate as an actual or perceived impediment to these types of arrangements and encouraged OIG to work with CMS to resolve these issues.

Response: We did not propose either a value-based contracting safe harbor or pharmaceutical manufacturer-specific safe harbors with a sliding scale of risk in this rulemaking. With respect to commenters’ concerns regarding the potential impact of value-based contracting on Medicaid best price reporting obligations, those issues are outside the scope of this rulemaking.

Comment: A trade association representing pharmaceutical manufacturers requested that OIG clarify that any exclusion of pharmaceutical manufacturers from the value-based safe harbors is not intended to discourage manufacturers from participating in arrangements for value-based care. Another commenter asserted that pharmaceutical manufacturers’ participation in care coordination may be necessary with the advancement of therapies like personalized cell therapies, which use a modified version of the patient’s own cells to treat disease. A commenter recommended that a nonprofit generic drug company that addresses drug shortages in the marketplace be permitted to participate as a VBE participant, even if pharmaceutical manufacturers are not eligible.

Response: Nothing in this final rule is intended to discourage pharmaceutical manufacturers from participating in arrangements for value-based care. Under this rule as finalized, a pharmaceutical company can be a VBE participant collaborating with others in a VBE. Nothing prevents a pharmaceutical company (or any other type of entity) from participating in care coordination arrangements, but remuneration exchanged by the pharmaceutical company under those arrangements would not qualify for protection under the value-based safe harbors. For example, we appreciate that pharmaceutical companies can work to address shortages in the marketplace and could enter into arrangements with a VBE and VBE participants to address those issues. Those arrangements would need to be analyzed based on their specific facts for compliance with the anti-kickback statute. The failure to fit in a safe harbor does not mean an arrangement is unlawful under the anti-kickback statute. Moreover, safe harbor protection is irrelevant to the extent that an arrangement does not implicate the anti-kickback statute. We reiterate that parties may structure arrangements to meet other safe harbors, such as the safe harbor for personal services arrangements or the warranties safe harbor and may also use OIG’s advisory opinion process to the extent they want prospective protection for arrangements they wish to undertake.

Comment: Commenters were divided on whether pharmaceutical wholesalers and distributors should be eligible to be VBE participants. Some stated that these entities present the same types of risks and concerns that manufacturers present (e.g., inappropriately increased costs to Federal health care programs) and should be ineligible for the same reasons. Many commenters who supported allowing manufacturers to be VBE participants also supported allowing wholesalers and distributors to be VBE participants.

Response: All entities are permitted to be VBE participants under this final rule. However, remuneration exchanged by pharmaceutical companies, including distributors and wholesalers, is not protected by the value-based safe harbors, consistent with our proposal to make them ineligible. We adopt this policy for reasons comparable to those for making manufacturers ineligible, including that wholesalers and distributors are less likely to have a direct role in front line patient care coordination. We are not persuaded that pharmaceutical distributors’ and wholesalers’ indirect role in support of coordinating care warrants protection under the value-based safe harbors.

(b) Pharmacy Benefit Managers

Comment: In response to our consideration in the OIG Proposed Rule related to PBMs, several commenters urged us to make PBMs ineligible to be VBE participants. A few of these commenters supported making PBMs ineligible based on concerns about potentially abusive PBM practices that they believe affect drug prices and limit treatment options for patients. Other reasons that commenters provided include that PBMs are not front-line health providers and protecting arrangements involving PBMs in the value-based safe harbors may inappropriately affect treatment decisions by health care practitioners. A commenter also suggested we require VBEs that establish relationships with PBMs to include information regarding such relationships in relevant VBE documents and reports.

Conversely, many commenters urged us to allow PBMs to be eligible to be VBE participants. Commenters asserted that PBMs are engaged in a number of activities that relate to care coordination and the value-based purposes we proposed, including, for example, developing formularies to select drugs based on relative value, leveraging health information technology to assist in coordinating care and managing benefits, and operating a variety of care coordination programs, such as medication adherence, medication therapy management, and chronic condition education. Commenters emphasized the role that PBMs play with respect to controlling pharmaceutical costs and promoting quality by ensuring clinical efficacy. Several commenters sought to distinguish PBMs from pharmaceutical manufacturers, noting that pharmacy benefit managers have no connection to any particular drug product and do not rely on prescriptions or referrals for any particular product. Another commenter asserted that PBMs are well-suited to enter into risk bearing arrangements because their business model already involves helping their clients manage insurance risk.

Response: As described above, all types of entities are eligible to be VBE participants under this final rule. However, we are finalizing our proposal for PBMs to be ineligible to rely on the value-based safe harbors to protect remuneration.

PBMs are less likely to be on the front line of care coordination and treatment decisions in the same way as other types of VBE participants eligible to use the value-based safe harbors. We recognize and appreciate the information that commenters provided on the role that PBMs serve in supporting value-based care and coordinating care, for example, by designing formularies based on relative value, using their expertise to improve medication adherence, and managing insurance risk. However, we are not persuaded that PBM’s indirect role in support of coordinating care or managing risk warrants protection under the value-based safe harbors, which focus significantly on the coordination and management of patient care. PBMs play a unique role in establishing benefit networks and associated management services connected to payors, pharmaceutical manufacturers, and pharmacies. As a result, PBM arrangements raise different program integrity issues from the types of value-based arrangements contemplated by this rulemaking and would likely require different safeguards.

Under the final rule, PBMs, as with all individuals (except for patients) and entities, are eligible to be VBE Participants. This will allow PBMs to continue supporting value-based care, even though they are not eligible to rely on the value-based care safe harbors. We note that some PBMs’ value-based activities may not implicate the Federal anti-kickback statute, depending on the specific facts and circumstances of each arrangement. Parties may also use OIG’s advisory opinion process to the extent they want prospective protection for arrangements involving the exchange of remuneration with PBMs.

In response to the suggestion that VBEs that have relationships with PBMs be required to document and disclose such relationships, the value-based definitions have relevant documentation and oversight conditions, including a requirement that the VBE governing documentation describe how the VBE participants intend to achieve the VBE’s value-based purpose(s).

We recognize that many PBMs are owned, affiliated with, or under common ownership structures with other entities, particularly payors and health benefit plans. Considering the role that payors have in the substantial downside risk and full financial risk safe harbors, it is important to note that payors would be eligible for safe harbor protection even if they own, are affiliated with, or are under common ownership with a PBM. Additionally, a payor would be eligible for safe harbor protection if it does not contract out its pharmacy benefit management services and instead performs those functions as part of its administration of a health benefit plan more broadly. We would consider the PBM functions, in that context, to be ancillary to the payor’s predominant or core business, which is administering a health benefit plan. Thus, such a payor would not be considered to be a PBM for purposes of eligibility for protection under the value-based safe harbors, notwithstanding the fact that it performs some PBM activities. See the discussion at section III.B.2.e.5, below regarding entities with multiple lines of business for further details regarding the predominant or core business standard.

(c) Laboratory Companies

Comment: While some commenters supported our proposal to make clinical laboratories ineligible to be VBE participants or suggested that we only allow them to be VBE participants if we included additional safeguards, many commenters urged OIG to include clinical laboratories as VBE participants. Several commenters noted that laboratories are increasingly providing precision diagnostic services and posited that this type of personalized medicine is the future of both preventive medicine and modern oncology care. Commenters expressed concern that making laboratories ineligible to be VBE participants may inhibit integration of these types of diagnostic services into practice. Others asserted that existing safeguards are sufficient to protect against any risk of fraud and abuse.

Commenters provided various examples of value-based arrangements involving laboratories. A commenter provided one example of a laboratory that entered into an arrangement with a payor under which it reviewed historical test results for a patient population to identify those likely to have a condition such as diabetes or chronic kidney disease so as to facilitate patients’ enrollment in a disease management program.

Response: Under this final rule, laboratory companies may be VBE participants in a VBE and collaborate with other VBE participants without affecting the ability of other VBE participants to be eligible for safe harbor protection. However, laboratory companies are included on the list of carved out entities for which protection is not available under value-based safe harbors. As a result, any remuneration exchanged by a laboratory company will not be protected by a value-based safe harbor. We expressed our intent in the OIG Proposed Rule to make clinical laboratories ineligible for safe harbor protection because of heightened risk of fraud and abuse based on historical enforcement experience and because they are, like pharmaceutical companies and DMEPOS companies, heavily dependent on practitioner prescriptions and referrals. We were, and remain, concerned that these entities might misuse the value-based safe harbors as a means of offering remuneration primarily to market their products rather than as a means to create value for patients, providers, and payors by improving the coordination and management of patient care, reducing inefficiencies, or lowering costs. We also continue to believe that offering protection for remuneration exchanged by a laboratory company under the value-based safe harbors is unnecessary to effectuate the goals of the Regulatory Sprint because, as compared to other types of entities such as hospitals, physicians, and remote patient monitoring companies, laboratory companies are not on the front lines of care coordination.

We appreciate the input from commenters who pointed out various ways in which laboratories may be participating in care coordination. We are not persuaded that these examples warrant revisiting our policy. However, we want to be clear that nothing in this rulemaking is intended to discourage or prevent a laboratory from participating in care coordination arrangements such as those described by the commenters so long as the arrangements comply with the anti-kickback statute. A laboratory may look to other safe harbors, such as the personal services and management contracts safe harbor, as modified in this rule, to protect remuneration, and the advisory opinion process also remains available.

Comment: Several commenters requested that OIG clarify how clinical laboratories that are owned and operated by entities with other regulatory classifications, including hospitals, physician group, and medical device manufacturers, would be treated.

Response: We do not intend for the ineligibility of laboratory companies to extend to clinical laboratories that are owned and operated through other types of entities, such as hospitals and physician practices. Other types of entities, such as hospitals and physician practices, that operate clinical laboratories that are not the entity’s predominant or core line of business are eligible to use the value-based safe harbors. This approach ensures that hospitals, physicians, and other entities with core care coordination roles are not precluded from using the safe harbors because they happen to provide some laboratory services, which we understand to be common in the industry. We also believe that this approach would preclude any suggestion that entities which have a predominant or core line of business other than a clinical laboratory (or other ineligible entity), such as a hospital, need to restructure their operations or corporate structure or otherwise need to modify the manner in which these entities operate.

In this final rule, we use the term “laboratory companies” to describe the intended category of ineligible entities, rather than the term “clinical laboratory” that was proposed, because the term “laboratory company” better describes the types of entities we intend to make ineligible to rely on the value-based safe harbors. We have long used the same terminology in the electronic health records safe harbor at paragraph 1001.952(y), and we intend for the term to have the same meaning here. Specifically, it describes independent companies that operate clinical laboratories and bill for the laboratory services they furnish through their own billing numbers. Thus, for example, if a hospital furnishes laboratory services through a laboratory that is a department of the hospital for Medicare purposes (including cost reporting) and the laboratory services are billed through the hospital’s provider number, then the hospital would not be considered a laboratory company for purposes of determining eligibility to rely on a value-based safe harbor. In contrast, a hospital affiliated or hospital-owned laboratory company with its own supplier number that furnishes laboratory services that are billed using a billing number assigned to the company and not the hospital would not be eligible for safe harbor protection. This approach is consistent with the approach we describe in the discussion on entities with multiple business lines, below, in that it focuses on both the corporate structure and the predominant or core business function of an entity.

(d) Medical Device Manufacturers, Distributors, and Wholesalers

Comment: Many commenters encouraged OIG to allow medical device manufacturers, distributors, and wholesalers to be VBE participants, emphasizing, among other things, the role that these entities play in collecting, aggregating, analyzing, and sharing data to assist clinicians with care coordination and management. Others disagreed with our characterization of medical device manufacturers as not being on the front line of care coordination.

Another commenter asserted that our concerns that manufacturers may use value-based arrangements to tether clinicians or patients to a particular product are misplaced and disregard the improved cost and clinical outcomes that derive from standardizing the use of a superior product. Similarly, a commenter objected to the suggestion that manufacturers’ participation in value-based arrangements is driven by marketing objectives. An integrated delivery system described existing value-based partnerships with medical device companies that it believes foster value by optimizing care pathways, improving patient experience, and sharing accountability for the results; according to this commenter, the medical device companies have been responsible, effective, and essential in providing high quality care at a low cost.

Response: We appreciate commenters’ perspectives, and we recognize that manufacturers of devices and medical supplies may play an important role in some value-based arrangements, including by offering digital health technologies that can improve coordination and management of care. However, we continue to believe, as a general matter, that they are not as directly engaged in care coordination as other entities, such as providers and clinicians. We continue to have concerns, as described in the OIG Proposed Rule, based on our historical law enforcement experience, that manufacturers of devices and medical supplies could misuse the flexibilities afforded by the value-based safe harbors to offer kickbacks under the guise of care coordination activities or to tether a clinician to a particular product. Further, we believe there is a risk that these arrangements could result in providers selecting products that may not be clinically appropriate for, or in the best interest of, a patient. Based on our enforcement experience, these concerns are heightened with respect to implantable devices used in a hospital or ambulatory surgical care setting, for which there is an elevated risk for patients undergoing implant surgery if devices are selected because of financial incentives rather than patients’ best interests.

As discussed at section III.B.2.e.iii, we are adopting a pathway to protect the exchange of digital health technologies by manufacturers of devices and medical supplies under the care coordination arrangements safe harbor, which addresses some of the commenters’ concerns. This pathway, which imposes an additional safeguard that applies only to manufacturers of devices and medical supplies and DMEPOS companies, balances our program integrity concerns with our interest in facilitating the deployment of health technologies for care coordination.

Comment: Many commenters encouraged OIG not to include device manufacturers, distributors, and wholesalers as VBE participants. Several of these commenters asserted that medical device manufacturers are not on the front line of care coordination. Another commenter asserted that, while larger companies may be well-positioned to engage in data-driven care coordination activities, most device manufacturers do not offer these types of services. The commenter was concerned that allowing medical device manufacturers to engage as VBE participants would unfairly advantage large manufacturers over smaller manufacturers, with larger companies using their size and scale to leverage their care coordination capabilities in a manner that disincentivizes purchasers from considering competing products. The commenter expressed concern that this dynamic may suppress medical innovation by smaller companies and encouraged OIG to consider a pilot program to assess potential impacts on smaller manufacturers.

Response: We appreciate the concerns raised by commenters, and, as we have explained, we share some of them. However, we also believe that digital health technologies hold great promise for improving coordination and management of care and achieving the goals of the Regulatory Sprint, and we believe that many of these promising technologies are either currently being developed, or will in the future be developed, by manufacturers of devices and medical supplies. We also believe that there will be instances where these digital health technologies are inextricably linked to a medical device. To that end, we are affording safe harbor protection to the exchange of digital health technologies by manufacturers of medical devices under the care coordination arrangements safe harbor.

With respect to the commenter’s concerns about potential anticompetitive effects from allowing manufacturers of devices and medical supplies to participate, we are adopting a safeguard in the care coordination arrangements safe harbor that applies to manufacturers of devices and medical supplies, as limited technology participants, that prohibits exclusivity provisions and minimum purchase requirements. We designed this condition to prevent limited technology participants from locking-in use of their digital health technology, which may have beneficial effects for competition. For example, VBE participants may have increased opportunities to use multiple of types of digital health technology that best fits their needs.

In response to the commenter’s concern about competition between large manufacturers and small manufacturers, nothing in this safe harbor is intended to favor large entities over small entities. We recognize that large manufacturers are likely to have additional resources to assess arrangements and determine whether they meet this safe harbor. We have strived to limit potential administrative burden as much as possible, while also including necessary safeguards against fraud and abuse. We believe that this safe harbor and the limited technology participant pathway will not require significant resources to ensure an arrangement meets all applicable conditions. Furthermore, use of these safe harbors and associated compliance is only one factor that may affect competition and innovation. There are several other factors that impact competition and innovation, but are not subject to the Federal anti-kickback statute and thus are outside the scope of this rulemaking.

Comment: With respect to adopting a definition for purposes of identifying the category of entities not eligible to be VBE participants, several commenters cautioned that it would be virtually impossible to define device manufacturers in a manner that would not preclude the types of digital health technologies that we stated we wished to include. Some commenters recommended that any definition that OIG adopts be limited to devices that are separately reimbursed by Medicare and not include companies that incorporate medical devices as part of their service offerings.

Many commenters encouraged us not to adopt a new definition, but instead to rely on existing definitions adopted by other divisions within the Department of Health and Human Services. However, a commenter asserted that OIG should not use CMS’s definition of “applicable manufacturer” in 42 CFR 403.902, which relates to the Open Payments provisions of the Patient Protection and Affordable Care Act ^[17] (ACA), because that definition would not include manufacturers that do not have operations in the United States and reliance on this definition would be confusing because it includes manufacturers of durable medical equipment, which we proposed not to include in the definition of “VBE participant.”

Response: Notwithstanding the changes to the definition of “VBE participant,” it remains necessary for us to adopt a definition of “manufacturer of a device or medical supply” to identify entities that are limited technology participants for purposes of the care coordination arrangements safe harbor.

The definition we are adopting at paragraph 1001.952(ee)(14)(iv) provides that “manufacturer of a device or medical supply” means an entity that meets the definition of applicable manufacturer in 42 CFR 403.902 because it is engaged in the production, preparation, propagation, compounding, or conversion of a device or medical supply that meets the definition of covered drug, device, biological, or medical supply in 42 CFR 403.902, but not including entities under common ownership with such entity. For purposes of this definition, we incorporate and adopt all of the related terminology in 42 CFR 403.902. We opted to rely on the “applicable manufacturer” terminology described in the Open Payments program and its implementing regulations because it effectively captures the universe of entities we designate as limited technology participants and those that will otherwise be carved out of safe harbor protection. Similarly, we opted to rely on this terminology because relying on an existing regulatory definition promotes consistency across the Department and minimizes additional potential regulatory burden. We are not adopting the alternative proposed definition that would include any entity that manufacturers any item that requires premarket approval by, or premarket notification to, the FDA, or that is classified by the FDA as a medical device because we believe the “applicable manufacturer” terminology used in the Open Payments program provides a more fulsome definition that addresses not only the nature of the product (i.e., whether it is regulated by the FDA as a device) but also the nature of the entity’s functions vis a vis that product (e.g., production, preparation, propagation, compounding, or conversion). We also intend to include medical device distributors or wholesalers on the list of ineligible entities because they are less likely to have a direct role in front line patient care coordination, and the “applicable manufacturer” definition at 42 CFR 403.902 includes distributors and wholesalers that hold title to the device or medical supply. Thus, it is a more comprehensive definition that aligns with our objectives. In order to capture distributors and wholesalers that do not hold title to the device or medical supply on the ineligible entity list, the ineligible entity list in each value-based safe harbor includes a separate category for “a medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supplies.”

With respect to the commenter who cautioned that reliance on the definitions from the Open Payments program would not include manufacturers that do not have operations in the United States, we refer the commenter to CMS regulations and guidance regarding how foreign companies can become subject to reporting obligations under section 1128G of the Act.

Comment: Many commenters shared our concerns regarding physician-owned distributorships and encouraged us to make them ineligible to be VBE participants. A commenter suggested that an entity that generates more than forty percent of its business from its physician owners should be not be eligible to be a VBE participant. Another commenter suggested that we require all VBE participants—regardless of whether or not they meet the definition of “applicable manufacturer”—to meet the reporting obligations under section 1128G of the Act.

Response: We are adopting our proposed policy that physician-owned distributorships would not be eligible for safe harbor protection. Physician-owned distributors will be captured by one of two categories on the ineligible entity lists in each of the value-based safe harbors: Manufacturers of devices or medical supplies or medical device distributors or wholesalers that are not otherwise manufacturers of devices or medical supplies. As described above, the term “manufacturer of devices or medical supplies” is defined in paragraph 1001.952(ee).

As we stated in the OIG Proposed rule, physician-owned distributorships are inherently suspect under the anti-kickback statute because the financial incentives these companies offer their physician owners may induce physician owners to perform more procedures (or more extensive procedures) and to use the devices the physician-owned distributorships sell in lieu of other, potentially more clinically appropriate devices. Therefore, as described in greater detail below, physician-owned distributorships are also ineligible to rely on the care coordination arrangements safe harbor to protect digital health technology arrangements, even if they otherwise fit the definition of a manufacturer of a device or medical supply.

With respect to the commenter that suggested that we require all VBE participants to meet the reporting obligations under section 1128G of the Act, such a requirement is outside the scope of this rulemaking.

(e) DMEPOS Companies

Comment: Many commenters encouraged us to include DMEPOS companies in the definition of “VBE participant.” Commenters asserted that DMEPOS companies are on the front line of care coordination. Many commenters highlighted, for example, the role of DMEPOS companies in supporting care coordination through home infusion, home respiratory, and diabetes management services; others stated that DMEPOS companies engage directly with patients in a variety of ways, including visiting patients in their home. Commenters emphasized that DMEPOS companies are particularly critical in facilitating transitions from one care setting to another. Commenters also noted that the expansion of remote monitoring technologies has enhanced the role that DMEPOS companies play in care coordination and that device manufacturers are increasingly integrating digital technologies into medical devices that are classified as DMEPOS. With respect to these and other technologies, commenters noted that DMEPOS companies may provide useful data to support care coordination. Other commenters encouraged us to make DMEPOS companies ineligible for protection under the value-based safe harbors because they are not involved in front line patient care coordination. Others encouraged us to adopt additional safeguards specific to DMEPOS companies.

Response: We are persuaded by commenters that DMEPOS companies may have an important role in value-based arrangements, particularly in the context of post-acute care, and that they provide an array of health technology services, such as remote patient monitoring, that may facilitate the coordination and management of patient care. We believe that we must balance the role of these DMEPOS companies with our continued concerns, informed by our historical law enforcement experience, that some of these entities might misuse the protections afforded in the value-based safe harbors as a way to offer kickbacks under the guise of care coordination.

Given our stated interest in the deployment of digital health technologies to enhance coordination and management of care and consistent with the OIG Proposed Rule as explained elsewhere, we have defined the term limited technology participant to include manufacturers of medical supplies and entities or individuals that sell or rent DMEPOS. Limited technology participants, such as DMEPOS companies, may rely on the care coordination arrangements safe harbor to protect digital health technologies that they exchange with another VBE participant or the VBE, provided the arrangement satisfies an additional safe harbor condition that does not apply to other VBE participants, discussed in greater detail below. Our approach to DMEPOS in the final rule strikes a balance between encouraging the use of beneficial digital health technology, which may be offered by DMEPOS companies, for care coordination and protecting programs from potential fraud and abuse.

Comment: Some commenters asserted that DMEPOS companies would be willing to enter into risk-based arrangements and encouraged OIG to provide safe harbor protection for these types of arrangements.

Response: We believe the commenter is inquiring as to whether risk-based arrangements involving DMEPOS companies could satisfy the conditions of a value-based safe harbor. For the reasons described above and in the OIG Proposed Rule, DMEPOS companies are not eligible to rely on the value-based safe harbors, except under the limited technology participant pathway we have created in the care coordination arrangements safe harbor.

Comment: A commenter recommended that “distribution vendors” not be considered DMEPOS companies for purpose of any exclusion. The commenter argued that these vendors are needed to deploy digital medicine programs effectively by directly supporting patients through home delivery of digital medical program items.

Response: All entities can be VBE participants under our revised approach, but entities that sell or rent covered DMEPOS are included in the ineligible entity lists in each value-based safe harbor and are thus ineligible to rely on those safe harbors, except under the limited technology participant pathway in the care coordination arrangements safe harbor. In the OIG Proposed Rule we listed manufacturer, distributor, or supplier of DMEPOS as an ineligible entity type. The final rule instead lists an entity or individual that sells or rents DMEPOS as ineligible for safe harbor protection (except that a limited technology participant is eligible under the care coordination arrangements safe harbor). The language in the final rule focuses on the nature of an entity’s business—selling and renting DMEPOS—to better capture the higher risk entities that cannot use the safe harbors, and avoids potentially broad terms, such as “supplier,” that are defined elsewhere in Medicare regulations for different purposes. The language “sells or rents” is derived from a CMS definition of DMEPOS supplier.^[18]

We removed the reference to DMEPOS manufacturers because entities that manufacture DMEPOS would fall under the final rule’s definition of “manufacturer of a device or medical supply,” and it would have been duplicative to include these entities under both definitions. Some DMEPOS distributors will also be captured by the definition of “manufacturer of a device or medical supply” and would similarly be ineligible on that basis. We believe that the universe of entities that we intended to capture under the “manufacturer, distributor, or supplier of DMEPOS” terminology used in the OIG Proposed Rule will now be captured by one or both of the categories “manufacturer of a device or medical supply” and “an entity that sells or rents [DMEPOS].”

Comment: Several commenters noted that many types of providers and entities, including physician practices, dentists, hospitals, and pharmacies, may be enrolled in the Medicare program as DMEPOS suppliers and questioned how an exclusion of DMEPOS companies, or requirements specific to DMEPOS companies, would apply to them. A commenter suggested that OIG should distinguish DMEPOS companies who derive only a small portion of their revenues from furnishing DMEPOS.

Response: In the final rule, the carve-out for DMEPOS companies in each of the value-based safe harbors does not apply to a pharmacy or to a physician, provider, or other entity that primarily furnishes services. In the OIG Proposed Rule, we sought comments on how to ensure that these types of entities would remain eligible for safe harbor protection even if they own or operate an entity that is ineligible, such as a DMEPOS company.^[19] By specifically carving these entities out of the definition of DMEPOS companies, we ensure that these entities will not become ineligible for safe harbor protection. These entities and individuals are likewise not treated as “limited technology participants.” Thus, physicians, dentists, physician practices, and other providers (including, for example, hospitals), who primarily furnish services, as well as pharmacies, would not be considered DMEPOS companies for purposes of either the ineligible entities list or the “limited technology participant” definition. These parties are therefore able to rely on the three value-based safe harbors to the same extent as all other eligible VBE participants (including for arrangements involving digital health technologies), and they are not required to satisfy the additional condition that applies only to limited technology participants.

(f) Compounding Pharmacies

Comment: Several commenters responded to our solicitation of comments regarding the treatment of compounding pharmacies in the rule. Some commenters encouraged OIG not to distinguish between retail pharmacies, specialty pharmacies, and compounding pharmacies. One commenter expressed concern about generally offering protections to all compounding pharmacies, stating that ongoing vigilance for fraud and abuse is warranted for the compounding pharmacy industry. The commenter added that a more nuanced approach that screens for and offers protections in value-based arrangements for demonstrably good actors may further access to customized treatments, particularly for patients with rare diseases as well as pediatric patients. The commenter also described the risks of compounding without rigorous safety and quality practices. The commenter suggested that, to address quality, safety, and program integrity concerns with compounding pharmacies, OIG could limit participation to compounding pharmacies that exemplify good compounding practices through adherence to the U.S. Pharmacopeia (USP) Chapter 795 and attainment of Pharmacy Compounding Accreditation Board (PCAB) accreditation from the Accreditation Commission for Health Care (ACHC).

Other commenters believed that compounding is an essential part of patient care, including for specialty pharmacies such as infusion pharmacies that treat patients with severe conditions. Commenters suggested that pharmacists at compounding pharmacies may play a key role in helping coordinate individualized patient care. Commenters urged OIG to not exclude pharmacies from the proposed safe harbor based on the compounding services they provide. Some commenters raised concerns that excluding compounding pharmacies from the value-based safe harbors would expose the pharmacies to liability under the Federal anti-kickback statute for any remuneration they receive for providing prescription compounded medications or pharmacist-approved care services.

Some commenters explained their understanding that compounding is the preparation of a specific medication to meet the prescriber’s exact specifications and to be dispensed directly to an individual patient, pursuant to a valid prescription for that patient. Such drugs are prescribed when commercially available products do not meet patient needs. Commenters noted that compounding should not be confused with manufacturing or the mass production of drug products, nor should it be confused with making copies of commercially available drug products, which is not allowed by law under section 503A(b)(1)(D) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 353a(b)(1)(D)).

Response: We agree that pharmacists, including pharmacists at compounding pharmacies, can play important roles in coordinating and managing patient care and as members of care teams, including for patients with rare and serious conditions. Under the final rule, all pharmacies and pharmacists can participate in VBEs. As explained further below, most pharmacies and pharmacists will be eligible to rely on the value-based safe harbors to protect remuneration, even if the pharmacy engages in some compounding of drugs.

However, under the final rule, for reasons explained below, pharmacies that primarily compound drugs or primarily dispense compounded drugs are ineligible to protect remuneration under the value-based safe harbors, as well as the safe harbor protections for patient engagement tools and supports (paragraph 1001.952(hh)) and outcomes-based payments (amended paragraph 1001.952(d)). When we refer to compounded drugs in this rule, we refer to the common industry understanding of them as drugs that are specifically combined, mixed, or altered and prepared for individual patients, or that purport to be such drugs. As noted by the commenters, compounded drugs are often prescribed or dispensed for patients for whom commercially available products are not clinically suitable.^[20] We are not defining “compounding” or “compounded drugs” in regulatory text in this rule. For purposes of this rule, compounding pharmacies include entities that primarily compound drugs or primarily dispense compounded drugs, such as topical pain creams, with or without licensure or valid prescriptions. Accordingly, we are not adopting the narrower definitional suggestions made by commenters.

We explained in the OIG Proposed Rule that we were considering whether specific types of pharmacies, such as compounding pharmacies, should be carved out of safe harbor protection even if others, such as retail and community pharmacies, are eligible for safe harbor protection. The OIG Proposed Rule states that pharmacies that specialize in compounding pharmaceuticals may pose a heightened risk of fraud and abuse, as evidenced by our enforcement experience, and may not play a direct role in patient care coordination.^[21] We remain deeply concerned about fraud and abuse in the compounding pharmacy industry.

Our recent criminal, civil, and administrative enforcement history shows an increasing number of fraud allegations, investigations, and cases related to compounded drugs, including topical compounded drugs such as creams, gels, and ointments to relieve pain.^[22] OIG’s oversight experience also has found that Medicare Part D spending for compounded topical drugs was 24 times higher in 2016 than it was in 2010, which raises concerns about fraud and abuse.^[23] According to the FDA, there are also safety and effectiveness concerns related to compounded drugs, which are not FDA approved.^[24] This is also an area of significant growth in Medicare Part D spending; spending for compounded topical drugs was 24 times higher in 2016 than it was in 2010, some of which may be attributed to suspect billing practices. In 2016, OIG found that about 550 pharmacies had engaged in questionable Part D billing practices for compounded topical drugs and warranted further scrutiny. Each pharmacy billed extremely high amounts for at least one of five measures that OIG has developed as indicators of possible fraud, waste, and abuse.^[25] In light of this enforcement and oversight experience, we conclude that the risks of allowing pharmacies that primarily compound drugs or primarily dispense compounded drugs to rely on the value-based arrangements, patient engagement tools and supports, and outcomes-based payments safe harbors outweigh the potential benefits. As explained further below, other pharmacies are eligible to rely on the safe harbors. As with other entities ineligible for protection under the value-based, patient engagement tools and supports, and outcomes-based payments safe harbors, compounding pharmacies can still be VBE participants.

We recognize that many pharmacies may dispense some compounded drugs. For purposes of this rule, a pharmacy is only considered to be a compounding pharmacy (and ineligible for protection under certain safe harbors) if it primarily compounds drugs or primarily dispenses compounded drugs. We anticipate that most retail pharmacies and community pharmacies that offer care coordination and management services will not be covered by this category and will be eligible to rely on the safe harbors.

We are not adopting the commenters’ suggestions to provide safe harbor protection for remuneration exchanged by compounding pharmacies that demonstrate that they are good actors or that exemplify good compounding practices through adherence to USP Chapter 795 and attainment of PCAB accreditation from ACHC. We believe the suggested approaches would introduce additional complexity and uncertainty into the safe harbors by further attempting to distinguish among different types of compounding pharmacies.

We do not prescribe a specific standard or test for assessing whether a pharmacy primarily compounds drugs or primarily dispenses compounded drugs. Entities may use a variety of different methodologies, depending on their circumstances. We expect parties to use a reasonable methodology, which they may wish to document. If an entity has multiple lines of business, with one line of business being a compounding pharmacy, the entity should use the multiple lines of business test as laid out in section III.B.2.e.v of this preamble to determine whether it is eligible to rely on the safe harbors or a compounding pharmacy ineligible to rely on the safe harbors.

Entities seeking safe harbor protection that are uncertain as to whether they are eligible to rely on the value-based safe harbors or any other safe harbor for a particular arrangement may wish to use the OIG advisory opinion process.

Finally, we want to clarify that nothing in this rulemaking should affect patients’ access to medically necessary compounded drugs. The dispensing of compounded drugs pursuant to applicable coverage and billing rules does not implicate the Federal anti-kickback statute. Nor does this rule speak to the pricing of such products. With respect to remuneration paid to compounding pharmacies or pharmacists for services furnished to patients, whether such payments implicate the statute is a case-by-case determination and the safe harbors for employment and personal services and management contracts remain available. As noted elsewhere, with respect to value-based contracting with pharmaceutical manufacturers, we may consider safe harbor protection for such arrangements in future rulemaking.

iii. Digital Health Technologies and Limited Technology Participants

As explained in more detail below, the final rule includes a pathway for protection of “digital health technology” arrangements involving “limited technology participants,” as those terms are defined under the care coordination arrangements safe harbor. This pathway responds to comments supporting protection of digital technology arrangements involving medical device manufacturers and DMEPOS companies. VBE participants that are not on the ineligible entity list may exchange digital health technologies (and any other technologies) under the care coordination arrangements safe harbor, and they are not subject to the additional safe harbor condition that applies to limited technology participants. Further, the pathway for limited technology participants does not apply to the substantial downside risk and full financial risk safe harbors. The care coordination arrangements safe harbor is available for digital health technology arrangements between limited technology participants and VBE participants in risk-based arrangements.

For purposes of the pathway for limited technology participants, we are defining the term “limited technology participant” at paragraph 1001.952(ee)(14)(iii) to mean a VBE participant that exchanges digital health technology with another VBE participant or a VBE and that is: (A) A manufacturer of a device or medical supply, but not including a manufacturer of a device or medical supply that was obligated under 42 CFR 403.906 to report one or more ownership or investment interests held by a physician or an immediate family member during the preceding calendar year, or that reasonably anticipates that it will be obligated to report one or more ownership or investment interests held by a physician or an immediate family member during the present calendar year (for purposes of this paragraph, the terms “ownership or investment interest,” “physician,” and “immediate family member” have the same meaning as set forth in 42 CFR 403.902); or (B) an entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services). In short, many manufacturers of medical devices and supplies (but not physician-owned distributors) and DMEPOS companies are eligible to be limited technology participants if they fit in this definition.

We are defining “digital health technology” at paragraph 1001.952(ee)(14)(ii) broadly to mean hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care; such term includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose. Importantly, this definition specifies the types of technology a limited technology participant can exchange under the safe harbor. It does not constrain the types of technology that can be exchanged by other VBE participants eligible to use the safe harbor.

Comment: Several commenters emphasized the importance of allowing health technology companies to participate as VBE participants and asserted that making medical device manufacturers ineligible to be VBE participants may impact the availability of digital technologies for purposes of coordinating and managing care because no meaningful line can be drawn between medical device companies and health technology companies. For example, a commenter explained that they offer both traditional medical devices and other digital health technologies, the latter of which includes clinical decision support tools and artificial intelligence-assisted diagnostic support tools. Another commenter noted that manufacturers of implantable devices often pair their products with software solutions to support patient diagnosis and treatment. A trade association representing device manufacturers described a program where a manufacturer of automated external defibrillators and cardiac monitoring devices with transmitting capabilities offers a device-agnostic software solution that permits coordination between EMS providers and hospitals. According to the commenter, the software enables receiving hospitals to access cardiac data in real time so they can have advance notice of patients en route and provide consultation back to EMS personnel to direct the patient to the appropriate treatment location (e.g., community hospital, hospital with specialized services). Another commenter explained how digital health technology is integrated with medical devices used by patients to provide data to patients and providers for patient engagement and treatment adherence purposes. Other commenters emphasized the difficulty of clearly distinguishing between device manufacturers and digital health technology companies, and that both may provide a mix of traditional medical devices and digital health technology. Commenters supported an approach that would not unintentionally exclude beneficial digital health technology from protection under the safe harbor.

Response: In the OIG Proposed Rule, we expressed interest in protecting remuneration in the form of a wide range of mobile and digital technologies for the coordination and management of patient care, including, by way of example, remote monitoring, predictive analytics, data analytics, care consultations, patient portals, telehealth and other communications, and software and applications that support services to coordinate and monitor patient care and health outcomes (for individuals and populations). We noted diabetes management services that leverage devices and cloud storage services to monitor blood sugar levels and transmit data as an example.

While recognizing the promise that digital health technologies have for improving care coordination and health outcomes, in the OIG Proposed Rule we also raised fraud and abuse concerns associated with medical device manufacturers based on our historical law enforcement experience. Section III.B.2.e.d. explains those concerns in more detail. Recognizing these factors, we solicited comments generally on how best to protect beneficial digital technologies and mitigate fraud and abuse risks. This included requesting comment on definitions and factors to consider for specific types of entities that would protect digital technology and not be too narrow or broad.

Consistent with this request for comments, the intent in the OIG Proposed Rule, and to address comments received, we define the term “digital health technology” at paragraph 1001.952(ee)(14)(ii) and we define “limited technology participant” at paragraph 1001.952(ee)(14)(iii). These definitions balance the interests we raised in the OIG Proposed Rule by protecting beneficial digital health technology and mitigating the fraud and abuse risks by specifying the types of technology that limited technology participants can furnish under the care coordination arrangements safe harbor. This approach also addresses concerns raised by commenters regarding unintentionally excluding beneficial digital health technology from safe harbor protection. We discuss each definition in more detail below in this section.

Digital health technology is defined as hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care; such term includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose. We intend for this term to encompass a wide range of digital health technologies, including technologies that are not yet developed or available. It also includes associated internet or other connectivity services, including dial-up, that are necessary and used to enable the operation of the item or service for the purpose of coordinating and managing care. The term “digital health technology” includes, for example, the software solution described by the commenter that enables hospitals to access data from cardiac devices used by EMS providers in the field so that they can coordinate and manage the care of patients undergoing a cardiac emergency, including connectivity services, such as mobile hotspots and plans, necessary to enable the EMS providers to transmit data from the field to the hospital.

Only limited technology participants are limited to the types of technology set out in the definition of “digital health technology.” Other VBE participants eligible for the safe harbor may provide additional types of technology so long as the value-based arrangement squarely meets all safe harbor conditions.

We share commenters’ views regarding the desirability of enabling VBE and VBE participants to leverage digital health tools to support the coordination and management of care. All individuals (except for patients) and entities are eligible to be VBE Participants, and this includes health technology companies, including those that are not traditionally involved in health care or may be new entrants to health care. Except as otherwise provided in the safe harbor regulations, health technology companies are eligible to rely on the protection of the safe harbors for value-based arrangements with other VBE participants, provided that their arrangements squarely meet all applicable safe harbor conditions.

The question arose in the OIG Proposed Rule, and remains relevant here, whether manufacturers of devices and medical supplies and DMEPOS companies are health technology companies. For most purposes, as described above, these entities are carved out of the value-based safe harbors and are ineligible to rely on them. However, we are creating a pathway to enable these entities to deploy digital health technologies under the care coordination arrangements safe harbor at paragraph 1001.952(ee). For purposes of this safe harbor, manufacturers of devices or medical supplies (as defined in paragraph 1001.952(ee)) and DMEPOS companies (i.e., entities or individuals that sell or rent covered DMEPOS, not including physicians or providers that primarily furnish services and pharmacies) that exchange digital health technologies with another VBE participant or the VBE are collectively termed “limited technology participants” in paragraph 1001.952(ee).

Limited technology participants may use the care coordination arrangements safe harbor to protect the exchange of digital health technologies with other VBE participants or the VBE if the arrangement meets an additional safe harbor condition, described below. Limited technology participants may not, by definition, rely on the care coordination arrangements safe harbor to exchange other forms of remuneration. All other entities eligible to use the safe harbor can also exchange remuneration in the form of digital health technology, and they do not have to meet the additional safe harbor conditions that apply only to limited technology participants at paragraph 1001.952(ee)(8). For example, physicians and providers that primarily furnish services are not treated as limited technology participants and are therefore not obligated to meet the additional conditions that apply to limited technology participants.

In short, remuneration in the form of digital health technology may be exchanged under the care coordination arrangements safe harbor by all entities that are not carved out of the safe harbor, as well as limited technology participants.

Consistent with our statements in the OIG Proposed Rule reflecting our intent that physician-owned distributorships not be eligible to rely on the value-based safe harbors, we do not intend for physician-owned distributorships to be able to use the limited technology participant pathway in the care coordination arrangements safe harbor. To foreclose this possibility, we clarify in paragraph 1001.952(ee)(14) that the term “limited technology participant” does not include manufacturers of devices or medical supplies that were obligated under 42 CFR 403.906 to report one or more ownership or investment interests held by a physician or an immediate family member during the preceding calendar year, or that reasonably anticipate that they will be obligated to report one or more ownership or investment interests held by a physician or an immediate family member during the present calendar year. For purposes of this definition, the term “manufacturer of a device or medical supply” has the meaning set forth in paragraph 1001.952(ee)(14), and the terms “ownership or investment interest,” “physician,” and “immediate family member” have the meaning set forth in 42 CFR 403.902. We take this opportunity to make clear that this regulatory provision should not be construed as an official definition of unlawful physician-owned distributorships or physician-owned entities more broadly. This regulation does not alter our long-standing guidance regarding physician-owned distributorships, and we specifically reaffirm the guidance in our 2013 Special Fraud Alert on Physician-Owned Entities.^[26]

iv. Pharmacies Other Than Compounding Pharmacies

Comment: The overwhelming majority of commenters on this topic supported allowing pharmacies to be VBE participants. Commenters cited a wide range of reasons, including that pharmacies and pharmacists are already involved in many aspects of care coordination and management and that they are on the front line of care coordination because they often serve as the key point of contact between patients and the health care system due to their geographic proximity to patients. Commenters emphasized that pharmacies provide many services to patients, not just items. A commenter also noted that an ACO may be a VBE and that a number of ACOs currently integrate pharmacists for medication management and other services. Conversely, another commenter suggested that pharmacies should not be eligible because they present many of the same concerns as pharmaceutical manufacturers, wholesalers, and distributors.

Response: With the exception of compounding pharmacies (as explained in section III.2.e.ii.f of this preamble), pharmacies can utilize each of the final value-based safe harbors for value-based arrangements and are not subject to any pharmacy-specific restrictions or limitations. Pharmacies other than compounding pharmacies also are eligible for safe harbor protection under the safe harbors for patient engagement tools and supports (paragraph 1001.952(hh)) and outcomes-based payments (amended paragraph 1001.952(d)). We are persuaded that many pharmacies and pharmacists have the potential to facilitate coordination and management of care for patients and that their participation in value-based arrangements may further the purposes of this final rulemaking. Except in the case of compounding pharmacies, these potential benefits outweigh our program integrity concerns, which are adequately addressed by the requirements of the value-based safe harbors.

v. Entities With Multiple Business Lines

Comment: We received several comments seeking guidance on how entities with multiple business lines or with multiple regulatory classifications would be viewed for purposes of safe harbor eligibility. Some commenters requested clarification on how the eligibility standards would be impacted by corporate affiliations or shared ownership. Another commenter noted that some health systems are involved in device and technology development.

Some questioned how OIG would view an entity that operates both eligible and ineligible business lines through separate business units, with certain commenters suggesting that it would be impossible to distinguish between types of entities because the health care industry is not siloed in this manner. Others asserted that the fact that many companies have multiple business lines is reason enough for OIG not to make any types of business lines ineligible to be VBE participants. Another commenter requested that clinical quality improvement and data registries be eligible to be VBE participants, regardless of their ownership or other status.

Response: Under the final rule, the question of whether a particular entity is eligible to rely on a safe harbor, or whether an entity fits the definition of a limited technology participant, is assessed at the corporate entity level by considering the corporate entity’s predominant or core line of business. We did not propose, and we are not finalizing, standards relating to common ownership or corporate affiliation. Corporate affiliation, whether by majority ownership, common ownership, or another structure, has no bearing on eligibility.

For example, a pharmacy (other than a compounding pharmacy as explained in section III.2.e.ii.f) that is under common ownership with a PBM would be eligible to rely on the value-based safe harbors, notwithstanding the fact that the pharmacy is related to a PBM, which is ineligible to rely on those safe harbors. Likewise, within a health system that is comprised of multiple corporate entities, the fact that one or more of those entities might engage in activities that make it a manufacturer of devices or medical supplies would not impact the availability of the safe harbor to other corporate entities in the health system that do not engage in such activities.

Where a single corporate entity operates multiple business lines, eligibility turns on the entity’s predominant or core business. For example, a pharmacy that is operated within the same corporate entity as a pharmaceutical manufacturer would not be eligible to rely on these safe harbors to the extent the corporate entity’s core function is the manufacturing of pharmaceuticals and the pharmacy operation merely supports the manufacturing line of business. Similarly, where a single corporate entity manufactures both pharmaceuticals and medical devices, the question of eligibility would focus on which line of business is the predominant or core line of business of that corporate entity. For example, if a corporation’s predominant function is the manufacturing of devices (including, for example, preparation, propagation, assembly, and processing of devices) and it also manufactures a pharmaceutical product that is incorporated into and integral to a medical device (for example, a drug-eluting medical device), the entity would be treated as a manufacturer of devices or medical supplies because that remains its core business and function. The question of whether a quality improvement or data registry will be eligible will similarly turn on whether it is housed within a corporate entity whose predominant function places it on the carve-out list.

Large corporations that are organized with multiple business lines within a single corporate entity will need to assess whether they have a predominant or core business. We do not prescribe a specific standard or test for assessing an entity’s predominant or core business function, and we expect that entities may use a variety of different methodologies, depending on their circumstances. We would expect parties to use a reasonable methodology, which they may wish to document. For example, share of revenues may be a relevant metric for some entities, but for others where one or more products are still in development, revenues may not be an appropriate metric. Entities seeking safe harbor protection that are uncertain as to whether they are eligible to rely on the value-based safe harbors for a particular arrangement may wish to use the OIG advisory opinion process.

Parties seeking protection under the safe harbors may first need to assess the regulatory text for ineligible entities in the specific safe harbor of interest. For example, where an entity’s business includes the sale or rental of DMEPOS covered by a Federal health care program, the question of eligibility is addressed by the regulatory text, which specifies that the ineligibility of DMEPOS companies does not apply to a pharmacy or a physician, provider, or other entity that primarily furnishes services. Thus, for example, a disease management company that primarily furnishes a suite of disease management services (e.g., wellness coaching, patient education, health technology tools to promote medication adherence) and also sells or rents DMEPOS in support of these services would be eligible to rely on the value-based safe harbors and would not be subject to the constraints imposed on limited technology participants. Conversely, an entity that sells or rents covered DMEPOS and does not primarily furnish services would be ineligible, except as a potential limited technology participant under the care coordination arrangements safe harbor.

We also note that, wholly apart from any value-based arrangement, transfers of remuneration from one entity to another may implicate the Federal anti-kickback statute if those transfers of remuneration are intended to induce or reward referrals for items and services covered by a Federal health care program. This potential liability arises even where the recipient subsequently uses the remuneration in a manner that is protected by a safe harbor. Thus, for example, if an ineligible entity transferred remuneration to a VBE participant in order for the recipient VBE participant to induce or reward referrals back to the ineligible entity, the initial transfer may result in liability under the Federal anti-kickback statute, even if the recipient VBE participant’s subsequent transfer of the remuneration to other VBE participants or to patients is protected under a safe harbor.

Comment: Several commenters noted that many providers, including hospitals and health systems, often own or operate pharmacies and questioned how an exclusion of pharmacies would apply to them.

Response: Other than pharmacies that primarily compound drugs or primarily dispense compounded drugs, pharmacies are not subject to any limitations or restrictions under this final rule, and thus ownership or operation of many pharmacies by another provider would have no impact on eligibility. Should a compounding pharmacy exist within a health system that is comprised of multiple corporate entities, the fact that one of the entities may be a pharmacy that primarily compounds drugs or primarily dispenses compounded drugs would not impact the availability of the safe harbor to other corporate entities in the health system. Moreover, should a compounding pharmacy exist within a single entity that also furnishes other services, such as health clinic that furnishes physician services, the entity would apply the multiple lines of business test to determine whether or not the entity would be characterized as a compounding pharmacy.

Comment: Some commenters described companies that are regulated as both CLIA laboratories and manufacturers of devices or medical supplies because they perform their own FDA-regulated in-vitro diagnostic tests at their own CLIA-certified laboratories and sought clarification regarding how they would be viewed.

Response: We have replaced the term “clinical laboratory” with the term “laboratory company” in this final rule to clarify the type of entities that we intend to make ineligible to rely on the value-based safe harbors. The term “laboratory company” refers to independent companies that operate clinical laboratories and bill for the laboratory services they furnish through their own billing numbers. Consistent with the approach described above, the entity would need to consider what its predominant or core business function is—manufacturing (e.g., preparation, propagation, assembly, processing) a medical device or furnishing laboratory services. Without further details regarding the commenters’ specific business operations, we are unable to provide a precise response here.

Comment: A commenter noted that a pharmacy is included as a “laboratory” under CLIA. Other commenters noted that pharmacies may be co-located with health clinics or owned and operated by other types of providers. The commenters sought guidance on how these relationships between entity types would impact eligibility for protection under the safe harbors.

Response: As discussed above, and based upon the comments, we have revised the terminology in this final rule to refer to laboratory companies rather than clinical laboratories, and we intend for “laboratory companies” to mean independent companies that operate clinical laboratories and bill for the laboratory services they furnish through their own billing numbers. Consistent with the approach set forth above, because a pharmacy’s predominant or core business function is to provide pharmacy services, not laboratory services, we would not consider the fact that pharmacies are treated as laboratories for other regulatory purposes to impact their eligibility to rely on the value-based safe harbors. As noted previously, pharmacies that primarily compound drugs or primarily dispense compounded drugs would not be eligible for safe harbor protection.

vi. New Safe Harbor Conditions

Comment: With respect to potential additional safeguards for VBE participants generally, commenters suggested a wide range of options, some of which we stated that we were considering in the OIG Proposed Rule (e.g., prohibitions on exclusivity, required data reporting or monitoring). Some commenters also recommended that we implement these additional safeguards for certain types of entities (e.g., medical device manufacturers).

Response: Consistent with the proposal within the OIG Proposed Rule, we are adopting an additional safeguard in the care coordination arrangements safe harbor targeted to manufacturers of devices and medical supplies and DMEPOS companies that exchange digital health technologies to mitigate the increased risk of abuse presented by allowing these entities to use this safe harbor.

As discussed above, we have created a new category of VBE participants, “limited technology participants,” which is comprised of manufacturers of devices and medical supplies and DMEPOS companies that exchange digital health technology with another VBE participant or the VBE. Consistent with our proposal in the OIG Proposed Rule, we are adopting a requirement in the care coordination arrangements safe harbor that the exchange of digital health technologies by limited technology participants may not be conditioned on any recipient’s exclusive use, or minimum purchase, of any item or service manufactured, distributed, or sold by the limited technology participant. This additional safeguard addresses the specific program integrity concerns presented by manufacturers of devices and medical supplies and DMEPOS companies, which are heavily dependent on practitioner referrals and who might use value-based arrangements to tether clinicians to their products or to secure guaranteed referral streams.

Comment: Some commenters suggested that applying safeguards to specific types of entities, and not others, might deter those entities from participating in value-based arrangements.

Response: First, we note that we have not imposed any additional conditions on specific types of entities in the substantial downside financial risk safe harbor or the full financial risk safe harbor. Second, we do not concur with the commenter’s assertion that the limited technology participant pathway will disincentivize participation in value-based arrangements; this framework allows manufacturers of devices and medical supplies and DMEPOS companies to participate in value-based arrangements involving digital health technology and benefit from protection under the care coordination arrangements safe harbor if they satisfy all safe harbor conditions.

Comment: In response to our proposal to include a safeguard that prohibits exclusivity provisions, many commenters expressed support for such a safeguard. Others cautioned that exclusivity provisions in contractual arrangements can be appropriate in certain situations, such as where substantial financial investments are required or where exclusivity is consistent with intellectual property rights and protections. Some commenters encouraged us to investigate the pros and cons of prohibiting exclusivity provisions before adopting this safeguard. At least two commenters opposed any potential prohibition of exclusivity requirements. One commenter asserted that no manufacturer has the capability or resources to ensure that all of its value-based arrangement offerings always operate as a “plug and play,” always interchangeable, product agnostic system. Another commenter stated that parties to value-based arrangements should have flexibility to require use of a medical device where clinical evidence dictates that a particular practice not currently in use would vastly improve outcomes.

Response: We are adopting our proposal to preclude protection for the exchange of remuneration conditioned on a recipient’s exclusive use, or minimum purchase, of any item or service manufactured, distributed, or sold by a limited technology participant in the care coordination arrangements safe harbor. We are only applying this condition to remuneration exchanged by limited technology participants; it does not apply to any other VBE participants. We are only adopting this condition in the care coordination arrangements safe harbor, not the other value-based safe harbors. We recognize that exclusivity provisions may be appropriate business terms in certain contexts. However, precluding safe harbor protection for arrangements that include exclusivity provisions tied to products offered by limited technology participants is an important safeguard. This safeguard mitigates risk that these entities, which are heavily dependent on practitioner referrals to sell their products, will attempt to use the care coordination arrangements safe harbor to protect arrangements intended to generate product sales or arrangements that lock practitioners and patients into using products that may not be in the patients’ best interests in the clinical judgment of the practitioners.

The safe harbor requirement that remuneration exchanged by limited technology participants may not be conditioned on any recipient’s exclusive use or minimum purchase of the limited technology participant’s products does not prevent use of products based on clinical best evidence. Nor does it prevent requirements in value-based arrangements that providers use products based on clinical evidence showing improved outcomes, when those products are in a patient’s best interests in the judgment of their practitioners. Nor does the provision require that all value-based arrangements be product-agnostic or that the digital technology provided under such an arrangement be fully interchangeable with other products. The provision does mean that, where remuneration is exchanged by a limited technology participant, the VBE participants will not be entitled to safe harbor protection under the care coordination arrangements safe harbor if the limited technology participant conditions the remuneration on the exclusive use of its product or a minimum purchase amount. This safe harbor requirement does not apply to remuneration exchanged by VBE participants that are not limited technology participants.

f. Value-Based Purpose

Summary of OIG Proposed Rule: We proposed to define a ”value-based purpose” as: (i) Coordinating and managing the care of a target patient population; (ii) improving the quality of care for a target patient population; (iii) appropriately reducing the costs to, or growth in expenditures of, payors without reducing the quality of care for a target patient population; or (iv) transitioning from health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care for a target patient population.

Summary of Final Rule: We are finalizing, without modification, our definition of “value-based purpose.”

Comment: While several commenters expressed support for our proposed definition of “value-based purpose” as drafted, the majority of commenters sought clarification on the term. For example, commenters sought clarification on how quality would be defined and measured under the value-based purpose and, more specifically, whether certain measures would be seen as reducing quality. Another commenter requested that OIG address how parties to a value-based arrangement would need to document that the arrangement met a value-based purpose. Other commenters sought confirmation that the definition of “value-based purpose” does not require parties to succeed in achieving the applicable purpose.

Response: As a threshold matter, the definition of “value-based purpose” was crafted to provide parties with flexibility to develop innovative care arrangements and strategies specific to the needs of their target patient populations. We are not prescribing how parties define and measure quality to qualify for the definition or how parties document the ways in which they intend to achieve the VBE’s value-based purpose(s). Whether certain measures reduce quality is a fact-specific inquiry. Further, neither the definition of “value-based purpose” nor the value-based safe harbors requires parties to achieve the VBE’s value-based purpose(s); rather, the definition of “value-based purpose” should be read in conjunction with the definition of “value-based activity,” which requires value-based activities to be reasonably designed to achieve the VBE’s value-based purpose(s). Documentation requirements are specified in individual safe harbors.

Comment: Multiple commenters requested further guidance on the fourth value-based purpose of transitioning from health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care for a target patient population.

Response: We are finalizing the fourth value-based purpose in recognition that parties transitioning to value-based care may need to provide infrastructure and perform other activities necessary to transition to the assumption of downside financial risk. For example, as discussed in section III.B.5 below, parties to value-based arrangements that meet the requirements of the full financial risk safe harbor may exchange remuneration during a twelve-month phase-in period, where the VBE is contractually obligated to assume full financial risk in the next 12 months but has not yet assumed such risk. During this phase-in period, the parties may have, as a value-based purpose, the purpose of transitioning from health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care for a target patient population, and the parties may exchange, among other things, remuneration necessary to enable the VBE to transition to the assumption of full financial risk.

Comment: Other commenters advocated for revisions to the definition of “value-based purpose.” These comments generally focused on two issues related to the value-based purpose of appropriately reducing the costs to, or growth in expenditures of, payors without reducing the quality of care for a target patient population: Whether the definition of “value-based purpose” should protect: (i) Cost-reduction efforts more broadly, rather than only to the benefit of payors; and (ii) cost-reduction efforts only when paired with improved quality or maintenance of already-improved quality of care.

With respect to the first issue, commenters generally were in favor of expanding the third purpose to cover all cost-reduction efforts, not just those that benefit payors. At least two commenters asserted that this expansion would be necessary to protect gainsharing arrangements.

Commenters’ opinions varied on the second issue, related to our proposal that reducing costs to, or the growth in expenditures of, payors must be accomplished without reducing the quality of care for the target patient population, with some expressing support and others opposition. Many commenters opined on our alternative proposal to include the reduction of costs to, or growth in expenditures of, payors in the definition of “value-based purpose” only where there is also an improvement in patient quality of care or the parties are maintaining an improved level of care. On the one hand, certain commenters believed this alternative standard would be overly prescriptive and difficult to measure; others expressed support, with one stating that a reduction in costs alone is not true value and that the improvement of care should be the first priority.

Response: We are finalizing this portion of the definition, as proposed. A goal of this rulemaking is to support quality improvements and cost efficiencies achieved through better care coordination that benefit patients and the health care delivery system. In our view, arrangements that do not result in a reduction in costs to, or growth in expenditures of, payors—such as reductions in surgical suite costs for a hospital—do not further this goal sufficiently to warrant protection under the third value-based purpose definition. The definition of “value-based purpose” that we are finalizing is not intended to foreclose internal-cost savings arrangements, such as gainsharing, in their entirety; however, parties must consider whether such arrangements would further other purposes in the “value-based purpose” definition and the conditions of the applicable value-based safe harbor. We also do not believe a higher standard of improving or maintaining already improved quality of care is necessary. We are persuaded that preventing reductions in quality of care, paired with the safeguards in each of the value-based safe harbors, provides both flexibility and sufficient protection against the potential for patient harm.

Comment: A commenter asserted that VBEs should have at least one value-based purpose related to patient care improvement and expressed concern that allowing VBEs to focus solely on cost reduction would compromise patient care and have a disproportionate impact on patients with rare conditions.

Response: While a VBE or value-based arrangement may, but is not required to, have as a value-based purpose improving the quality of care for a target patient population, none of the value-based purposes protect value-based arrangements that compromise patient quality of care. Of the two value-based purposes that incorporate cost control or cost reduction concepts, one requires the appropriate reduction in costs to, or growth in expenditures of, payors without reducing the quality of care for a target patient population; the other requires the transition of health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care to payors for a target patient population. Both of these value-based purposes emphasize the importance of ensuring patient quality of care.

We further highlight that each of the value-based safe harbors includes a safeguard precluding safe harbor protection for value-based arrangements that stint on medically necessary patient care; this safeguard provides that the value-based arrangement may not induce parties to furnish medically unnecessary items or services or reduce or limit medically necessary items or services furnished to any patient.

Comment: A commenter expressed concern that the “value-based purpose” definition may lead to patient harm, fails to protect adequately against abusive cycling of patients for financial gain, and potentially impinges on the professional judgment of health care professionals.

Response: We share the commenter’s concerns about patient harm, abusive cycling of patients for financial gain and compromised professional judgment. We have addressed these concerns through various safeguards and requirements of the value-based safe harbors and the patient engagement and support safe harbor. We note that compliance with the value-based purpose definition does not necessarily qualify parties or arrangements for safe harbor protection.

g. Coordination and Management of Care

Summary of OIG Proposed Rule: We proposed to define “coordination and management of care,” the first of the four value-based purposes, as the deliberate organization of patient care activities and sharing of information between two or more VBE participants or VBE participants and patients, tailored to improving the health outcomes of the target patient population, in order to achieve safer and more effective care for the target patient population. In defining this term, we sought to distinguish between referral arrangements, which would not be protected, and legitimate care coordination arrangements, which naturally involve referrals across provider settings but also include beneficial activities beyond the mere referral of a patient or ordering of an item or service. We expressed particular concern about distinguishing between coordinating and managing patient care transitions for the purpose of improving the quality of patient care or appropriately reducing costs, on one hand, and churning patients through care settings to capitalize on a reimbursement scheme or otherwise generate revenue. We proposed in preamble that we would not consider the provision of billing or administrative services to be the coordination and management of patient care.

Summary of Final Rule: We are finalizing, with modifications, the definition of “care coordination and management.” First, we have revised the definition to clarify that the deliberate organization of patient care activities and sharing of information must occur between two or more VBE participants, one or more VBE participants and the VBE, or one or more VBE participants and patients. Second, in response to comments, we have revised the description of the required goals to state that the parties’ efforts (i.e., the deliberate organization of patient care activities and sharing of information) must be designed to achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population. These two changes clarify the regulatory language with respect to the parties that engage in the care coordination and management to include the VBE itself, which can be party to a value-based arrangement, and make clear that efforts to improve efficiency can be part of coordination and management of care. Third, also in response to comments, we have revised the definition to clarify that the term does not require achievement of the stated goals, but rather that the efforts must be designed to achieve such goals.

Comment: Commenters on this topic varied in their responses to our proposed definition of “coordinating and managing care.” While we received some comments expressing support, others asserted that the definition was superfluous. A commenter highlighted that existing CMS programs already rely on similar terminology and encouraged OIG to align its definition.

Response: For the reasons stated in the OIG Proposed Rule, we are finalizing a definition of “coordination and management of care.” Among other things, this definition helps ensure that protected arrangements serve patients and the goals of coordinated care. Further, given the importance of this value-based purpose in the safe harbors, the definition provides a standard against which safe harbor compliance can be measured. This is intended to help providers seeking to comply with the safe harbors. As noted in the OIG Proposed Rule, we considered other agency definitions in crafting ours.^[27]

Although other laws and regulations, including the physician self-referral law and associated regulations, may utilize the same or similar terminology, the definition and interpretations we are adopting in this rule would not affect CMS’s (or any other governmental agency’s) interpretation or ability to interpret such term.

Comment: At least two commenters opposed our proposed definition because they believe it would require constant achievement. As an alternative, these commenters proposed revising the definition of “coordination and management of care” from the deliberate organization of patient care activities and sharing of information in order to improve health outcomes, to the deliberate organization of patient care activities and sharing of information in an attempt to improve health outcomes.

Response: We thank commenters for highlighting this issue. It was not our intent for the definition of “coordination and management of care” to require constant achievement of improved health outcomes. To address the issue raised by the commenters and reduce the potential for confusion, we have revised the definition to clarify that the organization of patient care activities and the sharing of information must be designed to achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population. Actual achievement of safer, more effective, or more efficient care that improves health outcomes is not required. However, the parties must ensure that their efforts (i.e., deliberate organization of patient care activities and sharing of information) are designed to achieve these goals.

Comment: Several commenters questioned whether: (i) Patient monitoring, patient diagnostic activities, patient treatment, and communication related to such patient activities; or (ii) predictive analytics, would constitute the coordination and management of care.

Response: Depending on the facts and circumstances, each of the actions listed above could qualify as the coordination and management of care. We intend for the coordination and management of care to require beneficial activities beyond the mere referral of a patient or ordering of an item or service. Coordination and management of care requires some additional, deliberate effort and sharing of information, across two or more parties, that is designed to augment care delivery to achieve safer, more effective, or more efficient care to improve health outcomes.^[28] For example, the ordering of a diagnostic test, such as an imaging study, by a provider and the sharing of the test results back to the ordering provider would not, without additional beneficial activities, constitute the coordination and management of care under the finalized definition. If, however, the ordering of the imaging study and the sharing of results was part of a more deliberate, organized effort between or among the parties to achieve safer and more effective care and improve health outcomes, such as by implementing protocols to reduce the number of redundant tests or ensuring that test results are readily shared with and available to the patient and all members of the patient’s caregiver team and used to inform care decisions, then the arrangement may constitute coordination and management of care. We also emphasize that the definition requires not only the deliberate organization of patient care activities, but also the sharing of information between (or among) the parties who are coordinating and managing care. This information sharing must be part of a design to achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population.

Our final rule endeavors to encompass a wide range of beneficial care coordination activities, with limitations. As described in the OIG Proposed Rule, coordination might occur between hospitals and post-acute care providers, specialists and primary care providers, or hospitals and physician practices and patients. It could involve using care managers, providing care or medication management, creating a patient-centered medical home, helping with effective transitions of care, sharing and using health data to improve outcomes, or sharing accountability for the care of a patient across the continuum of care. These arrangements often naturally involve referrals across provider settings but include beneficial activities beyond the mere referral of a patient or ordering of an item or service. We see a clear distinction between coordinating and managing patient care transitions for the purpose of improving the quality of care or improving efficiencies, which would fit in the definition, and churning patients through care settings to capitalize on a reimbursement scheme or otherwise generate revenue, which would not fit in the definition. The OIG Proposed Rule cites a relevant example of cycling patients through skilled nursing facilities (SNFs) to maximize revenue as the kind of arrangement we do not intend to fit in the definition or receive protection under any safe harbor.

Comment: In response to OIG’s solicitation of comments on the intersection of coordination and management of care and cybersecurity, a commenter stated that cybersecurity items or services should meet the definition of “coordination and management of care.” According to the commenter, cybersecurity items or services may be needed to share information between or among VBE participants, and the commenter expressed concern that parties would overlook opportunities to work with small practices that cannot afford proper cybersecurity tools.

Response: We appreciate the commenters’ input; however, we respectfully disagree with their recommendation. As a general matter, the use or sharing of cybersecurity items and services alone would not meet the definition of “coordination and management of care.” Having reviewed the comments and upon further consideration of the issue, we view the use or sharing of such items and services to be focused on ensuring the security of patient care items and related information exchange, rather than the deliberate organization of patient care activities and sharing of information, as required by the definition of “coordination and management of care.” That being said, an arrangement involving the exchange of health information technology that incorporates cybersecurity items and services could meet the definition of “coordination and management of care.” For example, where a VBE participant provides data analytics software to another VBE participant to facilitate the VBE participants’ coordination and management of care, security features to control access to data included within that software would not preclude the data analytics software from meeting the definition of “coordination and management of care.” However, we note that meeting the definition of “coordination and management of care” does not, de facto, afford safe harbor protection; for safe harbor protection, the remuneration exchanged must squarely satisfy all safe harbor conditions.

The use or sharing of cybersecurity items and services alone may meet other value-based purposes, and such remuneration may be eligible for protection under the substantial downside financial risk safe harbor (paragraph 1001.952(ff)) or full financial risk safe harbor (paragraph 1001.952(gg)). The cybersecurity technology and related services safe harbor, paragraph 1001.952(jj), also is available to protect the exchange of cybersecurity items and services, provided all safe harbor requirements are met.

Comment: In lieu of making the coordination and management of patient care a requirement specific to the value-based safe harbors and arrangements for patient engagement and support safe harbor, a commenter requested that OIG revise the definition of “value-based purpose” to reflect that one of the value-based purposes must be the coordination and management of patient care.

Response: We appreciate the commenter’s input; however, we decline to adopt the commenter’s suggestion for two reasons. First, the current structure facilitates alignment between OIG’s and CMS’s value-based terminology to ease burden on providers and others working to comply with both sets of rules. In addition, as finalized, the substantial downside financial risk and full financial risk safe harbors already provide parties with additional flexibility to identify value-based purposes other than the coordination and management of care, in defined circumstances.

Comment: A commenter requested clarification as to the types of activities that constitute the provision of billing or administrative services. This commenter asserted certain administrative services, such as the more effective management of patient records, could improve the coordination and management of patient care and should be not be excluded from the definition of “value-based purpose.”

Response: Administrative services, depending on the facts and circumstances, may meet the definition of “coordination and management of care.” We are clarifying our statement in the OIG Proposed Rule that we would not consider the provision of billing or administrative services to be the management of patient care ^[29] to make clear that we view any billing or financial management services arrangement that is characterized as facilitating the coordination and management of patient care to be outside the scope of this definition for purposes of this rule. By financial management services, we mean services such as bookkeeping operations, contract management, revenue cycle management, or other similar activities. These activities might complement the organization of patient care activities, but they are not the type of care coordination activities contemplated in our proposed rule or covered by the final definition.

We also are mindful that, in certain situations, the remuneration exchanged by the parties might incidentally assist the recipient with performing certain of these administrative functions. However, we believe that any benefit that the remuneration has on the administrative activities of the recipient should be incidental, at most. This approach helps ensure that value-based arrangements eligible for safe harbor protection focus on the delivery of care to patients. Arrangements that focus on billing and financial management services arrangements may be structured to fit in another safe harbor, such as the safe harbor for personal services and management contracts, which includes protections such as a fair market value requirement. The value-based safe harbors are not intended to protect billing and financial management services arrangements, even those that might help support care coordination and management, that are not fair market value under the guise of a value-based arrangement.

We address this issue through a new provision in the care coordination arrangements safe harbor at paragraph 1001.952(ee)(1)(iii)(A), which provides that the remuneration exchanged pursuant to a value-based arrangement may not be exchanged or used more than incidentally by the recipient for the recipient’s billing or financial management services. We are not adopting parallel provisions in the substantial downside financial risk or full financial risk safe harbors because there are circumstances in which billing and financial management services could be included in the remuneration that is protected by those safe harbors. For this same reason, we are not incorporating this limitation into the definition of coordination and management of care, which applies across all of the value-based safe harbors.

Comment: A commenter suggested that we revise this term to require the “coordination or management of care” instead of the “coordination and management of care.”

Response: We appreciate the commenter’s input; however, we are not adopting the commenter’s suggestion. The coordination and management of care reflects an integrated set of activities for patients, as set out in the definition we are finalizing in this rule. We are concerned that management activities, standing alone, would not be appropriately patient-focused to achieve the intent of the value-based safe harbors.

Comment: A commenter appeared to request that OIG revise its definition of “coordination and management of care” to provide that the deliberate organization of patient care activities and sharing of information may be between VBE participants and patients’ family members or caregivers, in addition to those activities being conducted between VBE participants and patients.

Response: We would consider the deliberate organization of patient care activities and sharing of information between VBE participants and patients’ family members or others acting on the patients’ behalf to meet the definition of “coordination and management of care.” This may include, for example, intervening caregivers, and family members, such as for patients who are children. We note that an arrangement that is solely between a VBE participant and a patient might constitute the coordination and management of care, but it would not fit in the value-based safe harbors because those safe harbors do not protect the exchange of remuneration with patients. Other safe harbors may protect the exchange of remuneration with patients, including the patient engagement and support safe harbor at paragraph 1001.952(hh). Arrangements between VBEs and one or more of their VBE participants or between or among VBE participants that engage patients in efforts to coordinate and manage care could qualify under the value-based safe harbors with respect to remuneration flowing between a VBE and VBE participant or between VBE participants if all safe harbor conditions are met. For purposes of the care coordination arrangements safe harbor, parties exchanging remuneration pursuant to the value-based arrangement would need to be part of the coordination and management of care of the target patient population in some fashion, although levels of involvement in care coordination may differ among VBE participants, depending on the scope and nature of the arrangement.

3. Care Coordination Arrangements To Improve Quality, Health Outcomes, and Efficiency Safe Harbor (42 CFR 1001.952(ee))

a. General Comments

Summary of OIG Proposed Rule: We proposed a new safe harbor at proposed paragraph 1001.952(ee) to protect in-kind remuneration exchanged between qualifying VBE participants with value-based arrangements that squarely satisfy all of the proposed safe harbor’s requirements. We developed this safe harbor to facilitate value-based care and improved care coordination for patients by providers and others that may be assuming no or less than substantial downside financial risk.

Proposed conditions included commercial reasonableness (proposed paragraph 1001.952(ee)(2)), written documentation (proposed paragraph 1001.952(ee)(3)), record retention (proposed paragraph 1001.952(ee)(11)), and establishment and monitoring of outcomes measures (proposed paragraph 1001.952(ee)(1)). We proposed that protected remuneration would be used primarily to engage in value-based activities that are directly connected to the coordination and management of patient care for the target patient population (proposed paragraph 1001.952(ee)(4)(ii)). We further proposed that arrangements could not induce VBE participants to furnish medically unnecessary care or reduce or limit medically necessary care (proposed paragraph 1001.952(ee)(4)(iii)); could not be funded by outside sources (proposed paragraph 1001.952(ee)(4)(iv)); could not limit medical decision-making or patient freedom of choice (proposed paragraphs 1001.952(ee)(7)(ii)-(iii)); could not take into account the volume or value of business outside the value-based arrangement (proposed paragraph 1001.952(ee)(5)); and could not include marketing of items or services to patients or patient recruitment activities (proposed paragraph 1001.952(ee)(7)(iv)). We proposed a requirement that the recipient of the remuneration would pay at least 15 percent of the offeror’s cost of the remuneration (proposed paragraph 1001.952(ee)(6)). We also proposed a requirement that arrangements be terminated within 60 days if the VBE’s accountable body or person determined that the arrangements were unlikely to further coordination and management of care, were not achieving the value-based purpose or were resulted in material deficiencies in quality of care (proposed paragraph 1001.952(ee)(9)). In addition, we proposed that an exchange of remuneration would not be protected under the care coordination arrangements safe harbor if the offeror knows or should know that the remuneration is likely to be diverted, resold, or used by the recipient for an unlawful purpose (proposed paragraph 1001.952(ee)(10)). These conditions were proposed to minimize risks of traditional fee-for-service fraud and abuse and pay-for-referral schemes, particularly in arrangements where the parties are not assuming downside risk.

Summary of Final Rule: We are finalizing, with modifications, this safe harbor. The safe harbor continues to protect in-kind remuneration exchanged between a VBE and VBE participant or between VBE participants pursuant to a value-based arrangement that squarely satisfies all of the proposed safe harbor’s requirements. We have modified and clarified many of the safe harbor requirements in response to public comments, as described below. The safe harbor includes conditions related to commercial reasonableness, outcomes measures, written documentation, record retention, monitoring, termination, marketing and patient recruitment, and diversion and reselling of remuneration. The safe harbor requires that protected remuneration be used predominately to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. Protected arrangements cannot induce VBE participants to furnish medically unnecessary care or reduce or limit medically necessary care; cannot limit medical decision-making or patient freedom of choice; and cannot take into account the volume or value of business outside the value-based arrangement. Under the final rule, all recipients must pay 15 percent of the offeror’s cost or 15 percent of the fair market value of the remuneration. We are not finalizing the proposed condition related to outside funding of the remuneration.

As detailed in section III.B.2.e and III.B.2.g of this preamble relating to the VBE participant definition, we are carving out patients and certain entities from the safe harbor; those entities are listed at paragraph 1001.952(ee)(13). We are finalizing a limited pathway for safe harbor protection in the care coordination arrangements safe harbor for manufacturers of devices and medical supplies and DMEPOS companies participating in digital health technology arrangements at paragraph 1001.952(ee)(13). As discussed in section III.B.2.e.vi of this preamble, we are finalizing a condition in the care coordination arrangements safe harbor that restricts those entities from conditioning the exchange of remuneration on any recipient’s exclusive use, or minimum purchase, of any item or service manufactured, distributed, or sold by those entities.

This safe harbor protects in-kind remuneration only. Some monetary compensation associated with care coordination or value-based activities may be protected under other safe harbors, such as the other value-based safe harbors or the safe harbor for personal services and management contracts and outcomes-based payments at paragraph 1001.952(d).

Comment: Many commenters expressed support for the care coordination arrangements safe harbor and the existence of a value-based safe harbor that did not mandate the assumption of downside financial risk. These commenters stated the safe harbor would facilitate innovative arrangements to improve care coordination and facilitate community partnerships. Other commenters, while generally supportive of the safe harbor, asserted that it included too many burdensome, complex, and subjective conditions; these commenters urged OIG to reduce the number of requirements in the safe harbor. Conversely, some commenters opposed the safe harbor, with their concerns largely falling into two categories: (i) The potential for fraud and abuse because the safe harbor does not require the parties to assume downside risk or that there are not strong enough program integrity guardrails; and (ii) negative effects on competition, i.e., unduly benefiting larger providers.

Response: We thank commenters for their feedback. The safe harbor is intended to protect arrangements by parties who are transitioning to higher levels of risk or who are engaging in care coordination that improves quality and efficiency, without assuming risk. We agree with commenters that there could be increased risk of fraudulent or abusive behavior (e.g., overutilization) where providers who order items or services are not at substantial downside financial risk. We structured the care coordination arrangements safe harbor to reflect and mitigate that increased risk. The safe harbor includes requirements tailored to ensure that arrangements protected by the safe harbor—which could apply to remuneration exchanged between parties who refer Federal health care program business to each other and where both parties are paid by Federal health care programs on a fee-for-service basis—do not result in the traditional FFS fraud and abuse risks. As described in the OIG Proposed Rule, traditional FFS fraud and abuse risks include inappropriately increased costs to the Federal health care programs or patients, corruption of practitioners’ medical judgment, overutilization, inappropriate patient steering, unfair competition, or poor-quality care.^[30]

We aimed to finalize a safe harbor that is not administratively burdensome, overly complex, or subjective, but we acknowledge that parties must satisfy a number of criteria to receive safe harbor protection and that some parties may find the safe harbor administratively burdensome, overly complex, and subjective with respect to their particular arrangements. However, we believe that these conditions, taken together, ensure the safe harbor protects legitimate value-based arrangements, fosters improved care coordination, allows for innovation, adequately addresses the traditional FFS risks described above, and limits potentially problematic referral schemes. We acknowledge that larger entities may be better positioned to afford some types of investments required by value-based activities, but we have intentionally crafted this safe harbor for a wide range of care coordination arrangements, including arrangements between small entities, providers serving rural and underserved communities, or both, that might not require substantial investment. As we describe elsewhere, many of the conditions are flexible (i.e., not one-size-fits-all) and can be satisfied in ways that take into account the size of, and resources available to, VBE participants.

Comment: A commenter proposed that, in lieu of the care coordination arrangements safe harbor, OIG enumerate acceptable value-based arrangements that are of minimal monetary value to the referral source.

Response: We did not propose to adopt a list of acceptable value-based arrangements of minimal monetary value in lieu of the care coordination arrangements safe harbor, and we are not adopting any such list as part of this final rule.

Comment: A primary care provider requested that we address whether or not it would be permissible to waive cost-sharing amounts for select services under the care coordination arrangements safe harbor.

Response: As a threshold matter, whether cost-sharing is owed for a particular service covered by Medicare or Medicaid is programmatic policy under the auspices of CMS and state Medicaid programs. If cost-sharing is owed by the beneficiary under the applicable programmatic rules and a provider or supplier waives any such obligations, then a question arises about whether any benefit stemming from the waiver of the beneficiary’s cost-sharing obligations implicates the Federal anti-kickback statute or the Beneficiary Inducements CMP.

Cost-sharing waivers furnished to patients would not qualify for protection under the care coordination arrangements safe harbor. First, cost-sharing waivers are not in-kind remuneration, and the care coordination arrangements safe harbor is limited to exchanges of in-kind remuneration. Second, as explained further in section III.2.e.i of this preamble, the context and framework of the value-based provisions in the OIG Proposed Rule made clear that we did not intend patients to be VBE participants who could engage in value-based arrangements under the value-based safe harbors. We are finalizing, as proposed, that the care coordination arrangements safe harbor is available to protect only the exchange of in-kind remuneration between parties to a value-based arrangement, not remuneration exchanged with patients. In response to comments and for clarity, we have: (i) Revised the definition of “VBE participant” to expressly exclude patients; and (ii) revised the introductory language of the paragraph to expressly limit protection to exchanges of remuneration between a VBE and VBE participant or between VBE participants.

In some cases, other existing protections may be available for some cost-sharing waivers, including cost-sharing waivers by certain entities that are not offered as part of any advertisement or solicitation; are not routine; and are made following an individual determination of financial need.^[31]

Comment: A hospital association requested that the care coordination arrangements safe harbor include a 12-month preparation period that would be analogous to the ”phase-in” periods in the substantial downside financial risk and full financial risk safe harbors. Similarly, at least two commenters requested that OIG protect initial investments in value-based arrangements or activities by parties exploring the creation of a VBE, with a commenter requesting that OIG protect such remuneration prior to any terms being set forth in a written agreement.

Response: We are not adopting the suggestion for a preparation or “phase-in” period for the care coordination arrangements safe harbor. There may be practical or operational reasons for parties to engage in financial arrangements or make “phase-in” investments as they explore creating a VBE or before committing to a particular value-based arrangement with partners. On balance, however, these considerations do not outweigh the heightened risk of fraud or abuse during a “phase-in” period in advance of the commencement of a value-based arrangement, particularly in situations where parties have not yet created a VBE with its attendant accountability and transparency protections. Moreover, it is OIG’s belief that the need for a “phase-in” period is lower in the context of this safe harbor compared to the risk-based safe harbors because this safe harbor is limited to in-kind remuneration and does not require the assumption of risk. We allow for a preparation or “phase-in” period in the two risk-based safe harbors because we recognize that parties to a value-based arrangement may need to exchange remuneration during a period of time before the VBE formally takes on downside financial risk in order to prepare the VBE and the VBE participants for that assumption of risk. The same context does not exist for the care coordination arrangements safe harbor because it does not require the assumption of risk. We note, however, that parties may be able to structure some preparatory arrangements to fit in this safe harbor, provided that a proper VBE and value-based arrangement have been established and all other safe harbor requirements are met, including the requirement that any exchange of remuneration be used predominantly to engage in value-based activities. Parties may also look to other potentially available safe harbors for preparatory arrangements.

Comment: Multiple commenters requested clarification on, and examples regarding, the types of entities and activities that could qualify for protection under the care coordination arrangements safe harbor. For example, a commenter requested that OIG expressly protect income guarantees for physicians transitioning from traditional compensation schemes to value-based models.

Response: With respect to the question regarding income guarantees, income guarantees are not in-kind remuneration and would therefore not qualify for protection under the care coordination arrangements safe harbor. While neither exhaustive nor sufficiently detailed to allow for a comprehensive analysis of the arrangement under the Federal anti-kickback statute and the care coordination arrangements safe harbor, we provide the following high-level examples to illustrate arrangements that could be structured to satisfy the conditions of the care coordination arrangements safe harbor.

First, to coordinate care and better manage the care of their shared patients, a specialty physician practice may wish to provide data analytics items (e.g., software designed to present certain data) and services (e.g., conducting data analysis) to the primary care physician practice with which it works closely and from which it receives referrals for consultations and federally reimbursable items and services. The data analytics items and services could, for example, identify practice patterns that deviate from evidence-based protocols or confirm whether followup care recommended by the specialty physician practice is being sought by patients or furnished by the primary care physician group. This provision of data analytics items and services could be structured to satisfy the care coordination arrangements safe harbor.

Second, hospitals and physicians could work together in new ways to coordinate and manage care for patients being discharged from the hospital. The hospital might provide a physician group with care managers (who identify the physician group’s high-risk patients and help manage patients’ care transitions, medications, and home-based care) to ensure patients receive appropriate followup care post-discharge; data analytics systems to help the group’s physicians ensure that their patients are achieving better health outcomes; and remote monitoring technology to alert the group’s physicians when a patient needs a health care intervention to prevent unnecessary emergency room visits and readmissions.

Third, a medical technology company could partner with physician practices, to better coordinate and manage care for patients discharged from a hospital with digitally-equipped devices that collect and transmit data to the physicians to help monitor the patients’ recovery and flag the need to intervene in real time (e.g., a device that monitors range of motion that could inform what an appropriate physical therapy intervention may be). The technology company could provide the physician group with necessary digital health technology that improves the physician group’s ability to observe recovery and intervene, as necessary.

We remind parties seeking to structure an arrangement to satisfy the care coordination arrangements safe harbor that compliance with the safe harbor requires a fact-specific assessment. In addition, we remind stakeholders that the advisory opinion process remains available for parties seeking to determine whether a particular arrangement satisfies the care coordination arrangements safe harbor or for parties that would like to request prospective protection for an arrangement that does not squarely satisfy the terms of the safe harbor.

Comment: A commenter appeared to believe that the statement in the OIG Proposed Rule that “each offer of remuneration must be analyzed separately for compliance with the safe harbor” ^[32] requires each value-based arrangement to be reviewed by the Department, with the potential for the Department to deny safe harbor protection for any proposal.

Response: If there are multiple streams of remuneration flowing under a single value-based arrangement, the parties would need to evaluate each such stream separately to assess compliance with the safe harbor (or, as appropriate, other available safe harbors). In the context of an enforcement action, the government would likewise analyze each such stream separately, and consider the totality of the arrangement, to assess potential liability under the Federal anti-kickback statute. The care coordination arrangements safe harbor does not require, nor do any of our other value-based safe harbors require, the submission of the value-based arrangement to the Department for review.

Comment: Many commenters urged OIG to align the care coordination arrangements safe harbor with CMS’s value-based exception to the physician self-referral law, with some asserting that the different requirements in each would increase regulatory complexity and pose a barrier to the advancement of value-based care. To facilitate alignment, commenters suggested that OIG permit monetary remuneration, remove any contribution requirement, or adopt CMS’s definition of “commercial reasonableness.” A commenter appeared to request that OIG and CMS both include a provision requiring a signed agreement.

Response: We aligned our safe harbors with the exceptions being adopted by CMS as part of the Regulatory Sprint wherever possible. For the reasons discussed in greater detail in section III.A.1, complete alignment is not appropriate, including with respect to most of the provisions of the care coordination arrangements safe harbor referenced by commenters. In particular, the contribution and exclusion of monetary remuneration serve to reduce risk of intentional kickback schemes for reasons explained more fully in the preamble discussions of each requirement, sections III.B.3.g (contribution requirement) and III.B.3.e.i (in-kind remuneration). Specific to the recommended expansion of the safe harbor to protect monetary remuneration, we continue to believe that providing safe harbor protection for monetary remuneration presents heightened fraud and abuse risks that outweigh the potential benefits to Federal health care programs and patients. This is particularly true where remuneration is exchanged between parties that are not required to assume substantial financial risk, and the protected remuneration is not required to be fair market value and may take into account the volume or value of referrals for the target patient population. Consistent with this concern, the new safe harbor for outcomes-based payments at paragraph 1001.952(d)(2), which is available for monetary remuneration, includes a fair market value requirement and a limitation on directly taking into account the volume or value of referrals. With respect to the commenter’s request that OIG and CMS align their respective signed writing requirements, we are finalizing a requirement that the terms of the value-based arrangement must be set forth in writing and signed by the parties, and we make clear that the writing requirement can be satisfied by a collection of documents, which aligns with the writing requirement in CMS’s value-based exception.

b. Outcome Measures

Summary of OIG Proposed Rule: We proposed to provide flexibility in selecting outcome measures given the range of arrangements that may be covered by the proposed safe harbor. We proposed in proposed paragraph 1001.952(ee)(1) to require parties to establish one or more specific evidence-based, valid outcome measures to serve as benchmarks for assessing the recipient’s performance under the value-based arrangement and advancement toward achieving the coordination and management of care for the target population. The measures would not include patient satisfaction or convenience measures. We expressed our view that outcome measures should reflect more than maintenance of the status quo and considered requiring that outcomes measures drive meaningful improvements in quality, health outcomes, or efficiencies, whether by driving improvements that are measurable or that are more than nominal in nature. We indicated that we were considering for the final rule and solicited comment on whether we should require rebasing of the outcome measure (e.g., resetting the benchmark).^[33]

Summary of Final Rule: We are finalizing, with modifications, the outcome measures requirement at paragraph 1001.952(ee)(4). The modifications are based on public comments. The final rule requires that the parties to a value-based arrangement establish one or more legitimate outcome or process measures that the parties reasonably anticipate will advance the coordination and management of care for the target patient population based on clinical evidence or credible medical or health science support. The measure(s) must: (i) Include one or more benchmarks related to improving, or maintaining improvement, in the coordination and management of care for the target patient population; (ii) relate to the remuneration exchanged under the value-based arrangement; and (iii) not be based solely on patient satisfaction or patient convenience. The outcome or process measure and its benchmark must be monitored, periodically assessed, and prospectively revised, as necessary, so that working towards the measure continues to advance the coordination and management of care of the target patient population.

Comment: Commenters generally supported the outcome measures requirement, as proposed. However, some commenters opposed requiring the parties to establish outcome measures against which a party would be measured under a value-based arrangement. For example, the commenters asserted that requiring the establishment of outcome measures would be administratively burdensome, would be confusing, and would not reflect the lack of valid outcome measures for many specialty practices. Some commenters asked OIG for an exception to the requirement for small and rural-based VBE participants and Indian health care providers. A commenter representing Indian health care providers requested that they be carved out from the outcome measures requirement because of a concern that the outcome measures would not be aligned with already reported Tribal outcome measures and would become an unnecessary administrative burden on understaffed Indian health care providers. Other commenters suggested that OIG should not finalize the outcome measures requirement because the writing requirement in the care coordination arrangements safe harbor is sufficient to protect against fraud and abuse.

Response: As noted in the OIG Proposed Rule, inclusion of a meaningful outcome measure in a protected value-based arrangement will help ensure that the arrangement is designed to advance care coordination and serves the needs of the target patient population. As explained below, we have revised the requirement in the final rule to increase flexibility, broaden options for meeting the requirement, and reduce administrative burden, including on rural and small providers and on Indian health care providers. Our revised approach also addresses the comment regarding lack of standards for specialty practices because we are not requiring use of industry standard measures. Specialty practices may create measures using a range of data, information, and sources, including internally generated data and information, provided that, among other requirements, the measures are based on clinical evidence, credible medical support, or credible health science support, include an appropriate benchmark, and relate to the remuneration being provided under the arrangement. This last requirement helps ensure, as we explained in the OIG Proposed Rule, that the measure bears a close nexus to the value-based activities in the value-based arrangement and the needs of the target patient population.

We are not aware of any impediment to Indian health care providers using existing outcomes measures that they are already required to report; nothing in the safe harbor requires development of new measures if existing measures meet the final rule requirements.

We do not agree that a writing requirement is a sufficient safeguard against fraud or abuse based on our enforcement experience. While documentation is important for transparency and compliance verification, it does not prevent fraud or abuse or ensure that arrangements are carried out in accordance with their terms or serve their intended purposes.

Comment: Commenters varied in their responses to the terminology we proposed in the outcome measures requirement (“specific evidenced-based, valid outcome measures”). For example, commenters asked OIG to define “outcome measure” and “evidence-based.” A commenter supported the concept of “evidence-based” outcome measures, stating that OIG’s proposal would provide needed flexibility to allow both clinical and non-clinical outcome measures and to allow participants to select up-to-date outcome measures, such as measures related to social determinants of health. Other commenters pointed out the significant time and resources needed, particularly for smaller VBEs and VBE participants, to undertake studies or gather and document evidence for novel interventions and to develop, implement, and monitor evidence-based measures. Some commenters explained that using “evidence-based” as the standard would chill innovation by precluding innovative models for which evidence does not already exist or value-based arrangements that are currently pilots or demonstrations intended to develop evidence. A commenter expressed concern that conditioning safe harbor protection on “valid” outcome measures was too subjective and recommended the outcome measures be “clinically meaningful,” which could be based on measurable data or real-world evidence.

Response: We have reconsidered our use of the term “evidence-based” in this rule. Our use of the term may have indicated a level of scientific rigor and resource investment beyond what we intended for purposes of this safe harbor, which is intended to be available for experienced and new entrants into value-based care, including those not yet ready to assume financial risk, and to promote innovation in care delivery. We intended to include a standard that captured clinical and non-clinical measures (including measures related to quality of care, process improvements, efficiency in care delivery, and social determinants of health), while also allowing for innovation. We did not intend to require that protected arrangements be grounded in experimental research, randomized clinical trials, best available evidence, or other similar characteristics often associated with the term “evidence-based” in common definitions. We did not intend to be overly restrictive or to require strict scientific evidence of the utility of an outcome measure. Having considered the comments, common definitions, and input from Department experts, we are persuaded that the term “evidence-based” was overly restrictive and not the best term to describe the outcome measures we envisioned for purposes of this rule.

We have likewise reconsidered our use of the terms “valid” and “specific” in the OIG Proposed Rule. These terms dovetailed with our use of “evidence-based” and were intended to convey that the selected outcome measures needed to be grounded in legitimate, verifiable data, or other information. That is, we intended that selected measures be legitimate and not sham measures used to justify an illegitimate exchange of remuneration. Our intent is that selected measures be credible and appropriate for the care coordination and management purpose of the arrangement. Upon further consideration, the term “legitimate”—and its common sense meaning—better effectuates our intent, and we use that term in the final rule.

Accordingly, in this final rule, we are revising the requirement that parties establish one or more specific evidence-based, valid outcome measures. Under the final rule, the parties to a value-based arrangement must establish one or more legitimate outcome or process measures that the parties reasonably anticipate will advance the coordination and management of care for the target patient population based on clinical evidence or credible medical or health science support. The terms “clinical evidence or credible medical or health science support,” better reflect our intent to have a reasonable, flexible standard applicable to a wide range of arrangements and to allow selection of measures based on scientific, clinical, medical, social science, or industry quality standards, or other legitimate, verifiable data or information, whether internal to the VBE or externally generated. By use of the term “health science” we intend to include public health, health informatics, research and development, and sciences that look at the treatment and prevention of diseases. Unlike the new protection provided within the personal services and management contracts safe harbor for outcomes-based payments, in this safe harbor parties may rely on credible health science as well as credible medical support, reflecting that this safe harbor covers a wider variety of care coordination arrangements (including remuneration in the form of health technology) and protects only in-kind remuneration, rather than monetary payments, presenting relatively lower overall risk.

The revised requirement continues to encompass both clinical and non-clinical measures, and internal or externally generated measures, and will allow participants to select up-to-date outcome or process measures over time. Under the final rule, parties will be required to document the measures they select and the clinical evidence, credible medical support, or credible health science support upon which they relied in making the selection by providing a description of the measures in a signed writing.

Comment: Some commenters requested clarification from OIG regarding how parties should select outcome measures, and others asked for additional flexibility in the selection of outcome measures. For example, parties asked OIG to permit both internally developed measures, i.e., measures that do not require validation in a medical journal or by another third-party source, and process-based measures, such as providing or not providing a specific treatment to improve patient outcomes or safety. A commenter asserted that outcome measures should be anticipated to advance the coordination or management of care of the target patient population rather than the coordination and management of care of individual patients. Another commenter opposed the requirement for outcome measures to advance the coordination and management of care altogether, stating that care coordination is process-based, not outcomes-based.

Other commenters expressed concern that too much flexibility for parties to select outcome measures could lead parties to use subjective measures that do not improve patient outcomes or are otherwise abusive. A commenter suggested OIG require that: (i) Value-based arrangements advance the coordination and management of care for the target patient population; and (ii) in any dispute concerning the applicability of this safe harbor, the VBE will bear the burden of proving, based upon objective evidence, that the value-based arrangement advanced the coordination and management of care of the target patient population. Some commenters asked OIG to include an express requirement in the final rule that outcome measures be designed to drive meaningful improvements in quality, health outcomes, or efficiencies in care delivery. Others supported a requirement for parties to establish more than one outcome measure or only measures reflecting the outcomes most important to patients.

A commenter recommended that parties be able to assess performance toward achieving outcome measures with respect to the entire patient population of an integrated delivery system instead of a subset of that population. A commenter asked OIG to address issues regarding individual physician participant measurement compared to group measurement. The commenter expressed concern that individual physicians may not have sufficient influence on the development of outcome measures for their target patient population and that physician-level measures can be challenging to develop (including because of small sample size and appropriate accountability of individual physicians).

Response: We are modifying the requirement to clarify that parties must select one or more legitimate outcome or process measures based on clinical evidence, credible medical support, or credible health science support. Parties must reasonably anticipate that the measures they select will advance the coordination and management of the care of the target patient population, which is the focus of this safe harbor. The revised measure selection standard offers greater flexibility and opportunities for innovation over time. The final rule permits clinical and non-clinical measures, internally or externally developed.

Under the final rule, the outcome or process measures do not need to be independently validated by a medical or other journal or another third-party source. They can be process-based, such as, for example, a measurement of the number of patients with diabetes that had their blood pressure tested, and we are modifying the regulatory text to clarify this. Unlike the new protection under the personal services and management contracts safe harbor for outcomes-based payments, which requires parties to achieve an outcome measure to receive payment (the outcome measure may have a process component), the care coordination arrangements safe harbor measure requirement offers greater flexibility. It is broader in recognition that the safe harbor: (i) Protects only in-kind remuneration, such as health technology, for which process measures may be the most legitimate and useful type of measure; and (ii) is available to VBE participants that are not taking on risk for achieving outcomes.

In response to the assertion that outcome measures should be anticipated to advance the coordination or management of care of the target patient population rather than the coordination and management of care, we addressed, and rejected, a similar suggestion in section III.2.B.g regarding changing “and” to “or” in the definition of coordination and management of care. Because the condition requiring parties to establish outcome measures incorporates the definition of “coordination and management of care”, it is appropriate to use that defined term, which, for the reasons offered above, includes an “and” rather than an “or.”

Where available, use of measures validated by a credible third party would be a prudent practice, but this is not required. We confirm that parties can select a measure applicable to the entire target patient population or select a different outcome or process measures for different segments of the target patient population (e.g., the measure for organ transplant patients within a target patient population may differ from the appropriate measure for a non-transplant patient). In such circumstances, the parties must (among other criteria) reasonably anticipate that all such measures collectively will advance the coordination and management of care for the entire target patient population. With respect to selecting the target patient population, we refer readers to that section of this preamble, section III.B.2.c.

We are further modifying our proposed rule to respond to the comments and our own concerns regarding parties selecting measures in a way that does not improve patient care or that could be abusive. In the OIG Proposed Rule, we considered requiring that outcome measures drive meaningful improvements in quality, health outcomes, or efficiencies, whether by driving improvements that are measurable or that are more than nominal in nature. We expressed concern about measures that merely reflected the status quo. Arrangements that merely drive nominal change or reflect only the status quo could be less likely to serve the care coordination aims of this rulemaking and more likely to be vehicles to reward referrals than arrangements in which parties receive remuneration designed to drive meaningful, more than nominal, change in patient care.

Accordingly, under the final rule, the outcome or process measures must include one or more benchmarks related to improvements in, or the maintenance of improvements in, the coordination and management of care for the target patient population. The measures must relate to the remuneration exchanged under the value-based arrangement so that there is a close nexus between the value-based activities under the arrangement and what the parties are measuring. Further, the measures cannot be based solely on patient satisfaction or patient convenience, both of which can be subjective, uninformative with respect to quality or efficiency of care, and gamed with relative ease, including through use of rewards or incentives to patients. On this last point, we are aware that some legitimate patient satisfaction or patient convenience measurement tools provide valuable information to providers and others managing patient care. This safe harbor does not preclude use of such tools (or any other form of measurement) as parties to value-based arrangements see fit and find useful. But patient satisfaction or patient convenience cannot be the only measure for purposes of satisfying the safe harbor. Lastly, we are finalizing a requirement for monitoring, periodically assessing, and prospectively revising an outcome or process measure and its benchmark, as necessary, as described below. This suite of requirements, taken together, is intended to reduce the likelihood of abuses and ensure that the selected measures relate to the protected remuneration and aim to foster meaningful advancements in the coordination and management of care.

Our revisions to the outcomes measure provision should address the concerns raised regarding measurement at the individual or group levels. This rule provides flexibility for parties to design legitimate measures appropriate to the arrangement, using internal or external data, and to account for characteristics such as available sample size and ability of individual physicians to effect change. It is up to the parties to determine which individual or entity that is a party to the arrangement, e.g., a VBE participant, is accountable for assessing progress on measures.

We are not prescribing how many measures parties must use; while we anticipate value-based arrangements often would have more than one outcome or process measure (or measures that include process measures as a component of an outcome measure), some arrangements may lend themselves to only one measure. Additionally, we are not requiring that parties use only measures related to those outcomes or processes most important to patients or that value-based arrangements must, in fact, successfully advance the coordination and management of care for the target patient population. The standard we are finalizing is designed to encourage the selection of outcome and process measures that will result in improved care for patients. To the comment about the VBE’s burden of proof in matters of dispute about the safe harbor, as with all safe harbors in the criminal Federal anti-kickback statute, any party seeking to avail themselves of the protection of a safe harbor generally bears the burden of proof that they meet the requirements of the safe harbor.

Comment: Some commenters expressed concern regarding whether parties must meet the outcome measures in order to have safe harbor protection, with a few commenters stating such a requirement would disadvantage providers treating higher-risk patient populations who may be less likely to meet outcome measures.

Response: We clarify that under the final rule, for purposes of this safe harbor, parties need not successfully achieve the outcome or process measure they select to qualify for safe harbor protection (and if they select more than one, they need not meet any of them). However, parties will need to monitor and periodically assess their arrangements and potentially revise measures and benchmarks, as described below. This will ensure that the selected measures remain a meaningful tool to advance care coordination goals. Without the requirement to establish and track progress toward achieving measures, the risk increases that parties could abuse the care coordination arrangements safe harbor to inappropriately drive referrals rather than patient care improvement.

We recognize that, despite best efforts, parties to a value-based arrangement may not always achieve their selected measures due to a variety of factors, such as uncertainty of patient behavior, lack of control of results by a VBE participant, or misjudgments.

We note a key distinction between this safe harbor and the protection of outcomes-based payments under the personal services and management contracts safe harbor. The personal services and management contracts safe harbor requires that agents achieve the outcome measure established for their payments in order to receive those payments. This is in keeping with a core purpose of the outcomes measure, which is to be the basis for a party to receive a protected outcomes-based payment.

Comment: A commenter supported adding a requirement for parties to make information regarding any outcome measures they establish transparent to the public.

Response: We are not requiring that the outcomes or process measures for value-based arrangements be made public under this safe harbor, although parties are free to do so. We did not propose a public transparency requirement and do not finalize one here. We recognize transparency serves important accountability and integrity goals. Consequently, we have included other conditions in the final safe harbor intended to foster transparency while balancing the potential burden on the parties seeking safe harbor protection. With respect to outcome or process measures, we are finalizing the requirement that parties include a description of the measures in a signed writing and make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of the care coordination arrangements safe harbor.

Comment: Several commenters stated that OIG should not require the use of measures from CMS’s Quality Payment Program (QPP) in the outcome measure requirement, arguing that existing QPP measures are inadequate for many specialties. Some commenters suggested OIG could encourage, but not require, participants to utilize the criteria for the QPP measures as a framework for establishing outcome measures. Alternatively, some commenters requested that OIG require the use of certain measures, such as measures promulgated by the National Quality Forum, or require all quality and cost measures to be independently assessed and approved by a third-party, multi-stakeholder organization.

Response: To provide flexibility and avoid triggering concerns that any specified measures may be inadequate or inappropriate for certain types of individuals or entities (e.g., specialists), we are not requiring parties to utilize QPP measures or measures developed by any particular organizations or to receive third-party approval for the measures. Parties may use these measures at their discretion for purposes of this safe harbor.

Comment: Several commenters encouraged OIG to allow patient satisfaction and experience of care measures, such as timeliness of care, to qualify as outcome measures under the care coordination arrangements safe harbor. Along these same lines, a commenter suggested that OIG include patient satisfaction and efficiency of care measures, such as creating systems that prevent visits to the emergency room (for example, rapid outpatient testing and evaluation services) that would improve outcomes and reduce costs. This commenter observed that satisfied patients are more likely to keep follow up appointments and be compliant with care. Some commenters asserted that patient satisfaction and experience measures reflect quality of care and noted that CMS recognizes patient satisfaction as a quality measure that affects reimbursement. Other commenters supported using convenience measures, such as the availability of treatment times or timeliness of patient’s access to care, as outcome measures because they asserted that patient adherence to treatment improves when care is convenient. Another commenter stated that, while convenience, alone, may not be a valid measure, OIG should permit parties to use convenience measures when they are tied to other measures, such as utilization. On the other hand, some commenters did not consider patient satisfaction or convenience to be a valid outcome measure, noting a lack of evidence tying patient satisfaction to better clinical outcomes.

Response: The commenters variously describe efficiency of care, patient satisfaction, patient convenience, and patient experience of care measures. As explained elsewhere, we have modified the outcomes measures requirement to include process measures, which addresses the commenters’ suggestions regarding experience of care and efficiency of care measures, such as rapid access to outpatient testing and evaluation services. To assist commenters in appropriately categorizing their outcome or process measures, we provide additional clarification on patient satisfaction, patient convenience, and patient experience measures. For purposes of this rulemaking, patient satisfaction is about whether a patient’s expectations for a health care encounter were met, e.g., a patient’s assessment of the responsiveness of hospital staff. Different patients with different expectations can experience the exact same care but report different degrees of satisfaction.³⁴ Patient convenience could include measures that assess patient access to care and accessibility of care, or the factors involved in arranging for the provision of care, e.g., the distance or proximity to a site of care or the hours during which care can be obtained.

In applying our regulation, patient experience can involve finding out whether something that should happen in a health care setting happened, for example, whether all hospital discharge planning protocols were followed for certain patients. Patient experience measures can overlap with patient satisfaction or convenience measures; in particular, patient satisfaction or patient convenience could be a sub-part of a patient experience measure. Accordingly, whereas patient satisfaction or patient convenience cannot be the sole measure for purposes of the care coordination arrangements safe harbor, the same may not be true for patient experience measures, depending on the facts and circumstances.

As stated in the OIG Proposed Rule, we are concerned that patient satisfaction and patient convenience measures may not reflect actual improvement in the quality of patient care, health outcomes, or efficiency in the delivery of care. In some cases, such measures can be subjective, uninformative with respect to quality or efficiency of care, and potentially gamed with relative ease, including through use of rewards or incentives to patients. That said, some patient satisfaction or patient convenience measurement tools provide valuable information to government programs, providers, and others managing patient care. This safe harbor does not preclude use of such tools (or any other form of measurement) as parties to value-based arrangements see fit and find useful. As noted previously, while patient satisfaction or patient convenience cannot be the sole measure for purposes of the care coordination arrangements safe harbor, patient satisfaction or patient convenience can be tied to other legitimate measures or can exist alongside such other measures.

Comment: Several commenters encouraged OIG not to require regular rebasing of outcome measures, and in particular, they opposed specific timing for when parties must rebase these measures. These commenters asserted that any timing requirement would be arbitrary, might discourage participation in value-based arrangements, or may not be clinically appropriate in all circumstances. A commenter expressed concern that requiring rebased outcome measures could lead to the unintended consequence of providers abandoning proven care coordination programs once they have achieved a maximized performance level. On the other hand, some commenters supported this requirement; for example, a commenter supported rebasing pursuant to a specified timeframe, such as every year, as long as the VBE participants determined that rebasing is feasible.

Response: In the OIG Proposed Rule, we considered whether to require parties to rebase outcomes measures (i.e., reset benchmarks used to determine whether the outcome measure was achieved) where rebasing is feasible. We indicated our intent to consider specifying a timeline for rebasing or requiring that it be done periodically. We solicited comments on whether rebasing should depend on the type of outcome measure or the nature of the arrangement. We also explained in the preamble to the OIG Proposed Rule that revisions to outcomes measures (i.e., modification of outcomes measures) would need to continue to incentivize the recipient of the remuneration to make meaningful improvements. We expressed concern that retrospective revisions could obscure a lack of meaningful improvement.

Upon further consideration of the terminology in the OIG Proposed Rule, we conclude that we can best express our intended policy by using the term “revise” rather than “rebase” in the final rule. The term “revise” has a broader common meaning and better reflects the goal that measures be changed or updated to advance improvements in care coordination. In addition, we view “rebase” as a subcategory of “revise”; in other words, we recognize that the rebasing of benchmarks may be the best way to “revise” the measure. Because we intended for parties to have the flexibility to either “revise” measures, i.e., modify or update measures to advance improvements in care coordination, or “rebase” benchmarks, and because “revise” could serve as an umbrella term which would include “rebase,” we believe “revise” encapsulates our intent.

In practice, parties can meet the requirement by revising the measure itself or by rebasing the benchmarks for the measure. We recognize that rebasing may not be necessary for all legitimate outcome or process measures that advance the coordination and management of care for a target patient population. For the final rule, measures must be monitored, periodically assessed, and prospectively revised as necessary to ensure that the measure and its benchmark continues to advance the coordination and management of care of the target patient population. We emphasize that any revisions must be prospective, not retrospective.

We are requiring a periodic assessment and, as necessary based on such assessment, revision of outcome or process measures and benchmarks. Recognizing that different measures should be assessed on different timelines, we are not implementing a specific timeframe for assessing or revising measures, as in some cases, outcome measures could be reviewed annually, whereas for others significant benefits to patients could reasonably take 2 to 3 years to achieve.

As evidenced by the above discussion, we are also finalizing a requirement for parties to a care coordination arrangement to have one or more benchmarks for each outcome or process measure that are related to improving or maintaining improvements in the coordination and management of care of the target patient population. Benchmarks help ensure that the remuneration exchanged pursuant to the value-based arrangement continues to drive meaningful improvements, or the maintenance of improvements, in the coordination and management of care for the target patient population.

Comment: Some commenters opposed a requirement for payors to identify outcome measures, positing that such a top-down approach would limit providers that are best situated to identify value-driving activities and may be impractical when payors are not parties to a value-based arrangement. Another commenter suggested that the adoption of payor-identified outcome measures by a VBE should be a favorable factor when evaluating a value-based arrangement for compliance with the proposed safe harbor. According to the commenter, payors have unique capabilities to: (i) Give providers the information they need to identify patient populations that may benefit most from management and care coordination interventions; and (ii) recommend benchmarks based on experience and access to data that are used to assess outcome measures.

Response: The final rule allows, but does not require, the use of payor-driven or developed outcome measures. Parties are free to use payor measures if they find them useful or if doing so is required by a payor.

Comment: We solicited comments on using a different outcomes measures standard for information technology than for other care coordination arrangements. Commenters were generally supportive of an alternative standard, such as an adoption and use standard, stating that it would allow more flexibility, which is important for arrangements that are centered on an ever-changing and developing industry. At least one commenter suggested language for this alternative standard, namely, “the parties determine in good faith that the technology is expected to meaningfully advance achievement of the targeted health outcomes, patient care quality improvements, or the appropriate reduction in costs . . . [etc.],” while another commenter suggested that VBE participants should have the option, but not be required, to designate utilization and adoption measures in IT arrangements as alternatives to outcome measures. A commenter who supported the use of alternative measures for IT advocated against OIG’s proposal to implement a time frame after which the recipient of IT would be required to pay fair market value for continued use of the IT, stating that suddenly requiring fair market value payments may unnecessarily cause drastic and costly changes to an entire system and could disrupt continuity of care.

Response: The final rule for establishing the required outcomes or process measures is flexible enough to address information technology arrangements. Legitimate process measures (including use and adoption) or performance measures can be used so long as the parties reasonably anticipate that the measures will advance the coordination and management of care of the target patient population and the benchmark and other requirements are met. No separate outcome measures requirement is needed for information technology arrangements. We are not finalizing our proposal that outcomes measures be evidence-based, which we acknowledged could have been a difficult standard for some information technology arrangements. Measures must be selected based on clinical evidence or credible medical or health science support. This support may be based on external sources or generated internally. The specific addition of health science as a basis for selection reflects our intent, among other things, to allow remuneration in the form of information technology under the care coordination safe harbor. Since we are not including an IT-specific standard, we are not placing a time limit on the use of IT-related remuneration in care coordination arrangements. In light of our modifications to the measurement standard and other safeguards against fraud and abuse in the safe harbor, adopting the additional requirements we considered in the OIG Proposed Rule related to outcomes measures for the exchange of health information technology is not necessary.

c. Commercial Reasonableness

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ee)(2) to require that the value-based arrangement pursuant to which the remuneration is exchanged be commercially reasonable, considering both the arrangement itself and all value-based arrangements within the VBE. We indicated that we were considering for the final rule whether to define a “commercially reasonable arrangement” as an arrangement that would make commercial sense if entered into by reasonable entities of a similar type and size, even without the potential for referrals. We solicited comments on the need for a definition of a “commercially reasonable arrangement.”

Summary of Final Rule: We are finalizing, without modification, our proposed requirement at paragraph 1001.952(ee)(2). We are not defining a “commercially reasonable arrangement” in the final rule.

Comment: Some commenters supported a commercial reasonableness requirement while others opposed it. Several commenters noted that this requirement is inconsistent with the value-based arrangements exception to the physician self-referral law, which does not require that the value-based arrangement be commercially reasonable. Others emphasized that the standard introduces complexity and uncertainty that may require parties to consult with legal counsel, with some of these commenters asserting that this burden could have a disproportionate impact on small and rural providers.

Response: In the context of care coordination arrangements where parties are not required to take on financial risk, the remuneration does not need to be consistent with fair market value, and the remuneration may take into account the volume of patients in the target patient population or the value of referrals or other business generated between the parties resulting from referrals of the target patient population, we believe requiring the value-based arrangement to be commercially reasonable is an important safeguard to ensure that safe harbor protection is limited to remuneration exchanged pursuant to value-based arrangements that are designed and implemented to achieve legitimate objectives rather than merely to induce or reward referrals.

The commercial reasonableness requirement focuses on ensuring that parties structure the terms of their value-based arrangement, including but not limited to the amount of the remuneration, in a manner that is calibrated to achieve the parties’ legitimate business purposes. For example, as described in the OIG Proposed Rule, if VBE participants were to enter into a value-based arrangement to facilitate the sharing of patient-outcome data, it may be commercially reasonable for a hospital VBE participant to donate technology to a group practice VBE participant to facilitate this process. However, it may not be commercially reasonable for that same hospital VBE participant to donate technology substantially more sophisticated, or with enhanced functionality, beyond that necessary for communicating data on shared patients between the two parties.^[35] We are concerned that, absent the commercial reasonableness requirement, the other conditions in this safe harbor will not sufficiently mitigate the risk of one party offering more remuneration than is necessary, such as in the example above, to reward the other party for referrals of target patient population patients, which is why we are finalizing the requirement in this final rule that the value-based arrangement itself be commercially reasonable. Further, the commercial reasonableness requirement is the only safeguard in the care coordination arrangements safe harbor that directly addresses the risk that parties might use a series of value-based arrangements to effectuate a payment-for-referral scheme. For this reason, we are finalizing the second prong of the commercial reasonableness requirement that the value-based arrangement must be commercially reasonable when considering all value-based arrangements in the VBE.

In sum, the commercial reasonableness requirement in this safe harbor: (i) Helps to ensure that the value-based arrangement, and all value-based arrangements within in the VBE, serve legitimate objectives; (ii) mandates that parties structure the terms of their value-based arrangement, including but not limited to the amount of the remuneration, in a manner that is calibrated to achieve the parties’ legitimate business purposes; and (iii) reduces the likelihood that the value-based arrangement might be a payment-for-referral scheme.

With respect to the complexities associated with assessing commercial reasonableness and the potential need to consult with legal counsel, we appreciate those concerns and note that the inclusion of a commercial reasonableness condition in safe harbors is not new. Several existing safe harbors require protected remuneration to be commercially reasonable. We believe parties, including small and rural providers, can apply this concept and that including it as a condition of this safe harbor will not impose significant additional burden.

In response to those commenters who noted that the proposed safe harbor is inconsistent with CMS’s proposed exception for value-based arrangements, we note that CMS’s exception for value-based arrangements (42 CFR 411.357(aa)(3)), as finalized, includes a commercial reasonableness requirement.

Comment: A commenter asserted that the move to value-based care helps to eliminate many of the program integrity concerns that OIG might seek to address through a commercial reasonableness requirement.

Response: We agree that a shift to value-based payment models may curb some of the traditional program integrity concerns associated with a fee-for-service payment system. However, this safe harbor offers protection for care coordination arrangements without requiring that the parties assume financial risk or otherwise participate in a value-based payment model. As a result, the traditional program integrity risks resulting from fee-for-service payment are likely to persist. For example, we are concerned that, in some circumstances and in the absence of safe harbor guardrails, remuneration furnished pursuant to a value-based arrangement may lead to overutilization, corruption of practitioners’ medical judgment, inappropriate patient steering, or unfair competition. By requiring the value-based arrangement to be commercially reasonable with respect to both the arrangement itself and all value-based arrangements within the VBE, this condition helps to safeguard against these program integrity concerns by requiring that the terms of the value-based arrangement be calibrated to achieve the parties’ legitimate business purposes.

For example, we explained in the OIG Proposed Rule that a single value-based arrangement in which a hospital VBE participant provides a necessary number of care coordinators for the target patient population to a SNF VBE participant may be commercially reasonable. However, if a VBE includes multiple similar value-based arrangements, each of which involves the same hospital VBE participant furnishing care coordinators to the same SNF VBE participant for the same or a similar target patient population, the commercial reasonableness of the remuneration exchanged within the value-based arrangements in the aggregate may be suspect if it lacks a legitimate business purpose.^[36] This arrangement could lead to the program integrity concerns identified above (e.g., inappropriate patient steering) and, absent a commercial reasonableness requirement, the conditions of the safe harbor might otherwise be met.

Comment: Some commenters asserted that a commercial reasonableness requirement will create an obstacle to value-based care. Others asserted that few arrangements would ever satisfy this criterion because value-based arrangements do not make any commercial sense without the potential for referrals. These commenters noted that changes in referral patterns alone are not the goal of a value-based arrangement but that they may well be the consequence.

Response: We are not persuaded that a commercial reasonableness requirement will impede the transition to value-based care. We believe that it is eminently feasible to structure value-based arrangements to meet the commercial reasonableness requirement by ensuring that the terms of the value-based arrangement, and all value-based arrangements within the VBE, are reasonably calculated to achieve the VBE participants’ legitimate business purposes.

The framing of the commercial reasonableness condition in the final rule, which allows for the possibility of referrals, addresses the commenters’ concerns. Specifically, we recognize that a value-based arrangement may, and often will, result in referrals. The commercial reasonableness requirement is intended to ensure that the terms of the value-based arrangement, considering both the arrangement itself and all value-based arrangements within the VBE, are calibrated to achieve the value-based purpose(s) of the arrangement, not the generation of referrals. We agree with the commenters’ related assertion that changes in referral patterns alone are not the goal of a value-based arrangement but may be the consequence.

For example, a value-based arrangement that provides remuneration in excess of what is reasonably necessary to coordinate and manage the care of the target patient population, as contemplated by the terms of that arrangement, would not be commercially reasonable. Likewise, terms that are calibrated to secure referrals, rather than to achieve the value-based purposes of the value-based arrangement, would result in an arrangement that is not commercially reasonable for purposes of this safe harbor. The mere fact that referral patterns may change as a result of a value-based arrangement does not necessarily preclude the arrangement from meeting the commercial reasonableness requirement.

Comment: With respect to whether we should adopt a definition for a commercially reasonable arrangement, several commenters expressed support, but these commenters did not agree on a definition. Some commenters supported the definition presented in the preamble to the OIG Proposed Rule, which defined a “commercially reasonable arrangement” as an arrangement that would make commercial sense if entered into by reasonable entities of a similar type and size, even without the potential for referrals. Others encouraged us to adopt CMS’s proposed definition, which states that commercially reasonable means the particular arrangement furthers a legitimate business purpose of the parties and is on similar terms and conditions as like arrangements. Other commenters suggested that OIG should focus on whether the arrangement makes “value-based” sense in the context of a value-based arrangement instead of whether it makes “commercial” sense. Other commenters provided alternative definitions that varied in scope. A commenter asserted that the definition should not preclude consideration of referrals not covered by Medicare.

Commenters also requested various clarifications and affirmative statements from OIG, including that: (i) Commercial reasonableness refers primarily to the non-financial elements of a transaction or arrangement while the concept of fair market value addresses the financial aspects, and (ii) an arrangement may be commercially reasonable even if it operates at a loss.

Response: While we are not adopting a definition of “commercially reasonable arrangement,” we appreciate commenters’ requests for guidance. There are multiple dimensions to commercial reasonableness, including both the financial and non-financial terms of an arrangement. The fact that an arrangement generates a loss for a party is one factor, among many, that could be considered in analyzing whether an arrangement is commercially reasonable. An arrangement may be commercially reasonable even if it does not result in profit for one or more of the parties. Any determination whether a particular value-based arrangement is commercially reasonable would be based on the totality of the facts and circumstances of such arrangement, and the financial aspects of the value-based arrangement would be relevant to that inquiry.

With respect to the assertion that the commercial reasonableness definition should not preclude consideration of referrals of non-Medicare business, as we stated above, we are not adopting this definition. We reiterate that the commercial reasonableness requirement in this safe harbor requires that the VBE participants structure the terms of the value-based arrangement in a manner that is calibrated to achieve the parties’ legitimate business purposes. We also reiterate our longstanding guidance that arrangements that do not involve referrals of Federal health care program beneficiaries or business generated by Federal health care programs may implicate the Federal anti-kickback statute by disguising remuneration for Federal health care program business through the payment of amounts purportedly related to non-Federal health care program business. Arrangements with this type of disguised remuneration would not be calibrated to achieve a legitimate business purpose and would thus not be commercially reasonable. Whether any particular arrangement reflects this type of disguised remuneration would depend on the specific facts of the arrangement.

Comment: Some commenters asserted that the definition of “commercially reasonable arrangement” in the preamble to the OIG Proposed Rule, which considered defining such an arrangement as one that would make commercial sense if entered into by reasonable entities of a similar type and size, even without the potential for referrals, is inconsistent with OIG’s prior commentary relating to the requirement in certain other safe harbors that the remuneration must be reasonably necessary to accomplish the commercially reasonable business purpose of the arrangement.

Response: We are not further defining a “commercially reasonable arrangement” in this final rule, beyond the test for commercial reasonableness articulated in the regulatory text (i.e., that commercial reasonableness must be evaluated by considering both the value-based arrangement itself and all value-based arrangements within the VBE). As explained above, the test for commercial reasonableness is tailored to this particular safe harbor for care coordination arrangements and is meant to be both flexible to allow for innovative arrangements that serve legitimate objectives and sufficiently constrained to limit the risk of schemes to pay for referrals. That said, our prior guidance remains instructive on the application of the term “commercially reasonable” in the safe harbor context, particularly with respect to having a legitimate business purpose.^[37]

d. Writing

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(ee)(3) to require that each value-based arrangement, pursuant to which the remuneration is exchanged, be set forth in a signed writing, established in advance of, or contemporaneous with, the commencement of the value-based arrangement or any material change to the value-based arrangement. We proposed in the same paragraph that the writing state, at a minimum: (i) The value-based activities to be undertaken by the parties to the value-based arrangement; (ii) the term of the value-based arrangement; (iii) the target patient population; (iv) a description of the remuneration; (v) the offeror’s cost for the remuneration; (vi) the percentage of the offeror’s cost contributed by the recipient; (vii) if applicable, the frequency of the recipient’s contribution payments for the offeror’s ongoing costs; and (viii) the specific evidence-based, valid outcome measure(s) against which the recipient would be measured.

Summary of Final Rule: We are finalizing, with modifications, the writing requirement in paragraph 1001.952(ee)(3). The following modifications respond to public comments: (i) The writing requirement can be satisfied by a collection of documents; (ii) parties must document the fair market value of the remuneration or, alternatively, the offeror’s cost of the remuneration and the accounting methodology utilized to determine such cost; and (iii) parties must document the value-based purpose(s) of the value-based activities provided for in the value-based arrangement. We are also clarifying that the terms of the value-based arrangement must be established in advance of, or contemporaneous with, the commencement of the value-based arrangement “and any material change,” instead of “or any material change.” In the preamble to OIG Proposed Rule, we described a writing requirement that would promote transparency of the value-based arrangement, both at its commencement and when there is a material change. These are the logical junctures where the writing requirement particularly serves its transparency purposes. Our proposed regulatory text did not make clear that the writing was needed at both junctures; our modifications more clearly express that policy. Lastly, we are modifying the writing requirement for consistency with changes to the language of the outcome and process measures condition, discussed in section III.3.b. The remaining requirements of the writing requirement are finalized as proposed.

Comment: While several commenters expressed support for the writing requirement, numerous commenters were concerned that this requirement does not afford parties the flexibility to document their value-based arrangement in a “collection of documents” and instead requires a single signed writing.

Response: We have revised the writing requirement to permit a “collection of documents” approach in response to commenters’ concerns. To receive safe harbor protection, the terms of the value-based arrangement must be set forth in writing and signed by the parties in advance of, or contemporaneous with, the commencement of the value-based arrangement and any material change to the value-based arrangement. Under this approach, parties are not required to have a single, signed writing setting forth the terms of the agreement, but there must be either a single, signed writing or a collection of documents in place—in advance of, or contemporaneous with, the commencement of the value-based arrangement—in order to meet this condition. In addition, if any material term (e.g., an outcome or process measure) changes during the course of the value-based arrangement, the parties would need to set forth such changes in a signed writing or collection of documents in advance of, or contemporaneous with, the commencement of the modified value-based arrangement. We note that, while the terms do not need to be set forth in a single, signed writing, we believe this approach is a best practice from a compliance perspective.

Comment: A commenter requested that OIG permit a VBE to sign the writing required by this safe harbor on behalf of all parties to the applicable value-based arrangement because, according to the commenter, it would be challenging to arrange for all parties to sign a single document in advance of the commencement of the value-based arrangement.

Response: We decline to adopt the commenter’s suggestion. To promote transparency and accountability, each value-based arrangement must be set forth in writing and signed by all parties to the value-based arrangement. While the VBE may be a signatory to the value-based arrangement, its signature alone would not meet the writing requirement for this or any of the other value-based safe harbors. We believe there is sufficient flexibility in this requirement insofar as we do not require the writing to be a single document (i.e., the parties can sign separate documents), and we allow it to be signed in advance of, or contemporaneous with, the commencement of the value-based arrangement.

Comment: Some commenters disagreed with the proposed writing requirement, stating that it was burdensome, was too prescriptive, or would increase the risk of inadvertent non-compliance. Commenters took particular issue with the requirement that parties document the offeror’s cost for the remuneration. A commenter asserted that this provision is unnecessary in light of the condition to maintain and make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this safe harbor, while at least two commenters expressed concern that it could result in the inappropriate disclosure of competitively sensitive information. One such commenter provided the example of an offeror that might furnish certain in-kind remuneration to a VBE participant to benefit the VBE and further its value-based purpose, but who might want to offer the same in-kind remuneration to the recipient at market rates for use in other lines of business. According to the commenter, it would be commercially unreasonable to require the offeror to disclose its cost structure and requested that we allow parties to satisfy this condition through a written representation that the contribution amount equals at least 15 percent of the offeror’s cost.

Response: We are not persuaded that our writing requirement is overly prescriptive or burdensome, rather it is an essential safeguard. The required contents are of the kind commonly part of business agreements: The parties, purposes, services, financial and business terms, duration, and metrics. In addition, for safe harbor purposes, we view the requirement that the writing set forth the offeror’s cost for the remuneration or the fair market value of the remuneration—detailed in section III.B.3.g—as a material term to the parties’ arrangement because of the safe harbor’s 15 percent contribution requirement. The inclusion of this term in the writing ensures a transparent understanding of the arrangement agreed to by the parties.

Accordingly, we are finalizing the writing requirement, including a requirement that parties document: (i) Either the fair market value of the remuneration or the offeror’s cost of the remuneration, dependent upon the methodology used by the parties to determine the contribution amount; and (ii) the percentage and amount contributed by the recipient. Consistent with revisions to the contribution requirement methodology discussed in detail in section III.B.3.g, we require that parties who choose to document the offeror’s cost of the remuneration, instead of the fair market value, also must document the reasonable accounting methodology used to calculate such costs.

We believe requiring parties to calculate and document the contribution amount based on the fair market value of the remuneration or the offeror’s cost of the remuneration addresses commenters’ confidentiality concerns and, for this reason, we are not adopting the commenter’s suggestion to use written representations of the offeror’s cost for the purposes of satisfying the writing requirement. We understand that information relating to an offeror’s cost may include proprietary or competitively sensitive information that parties might not wish to put in their written agreements. We do not believe the same holds true for fair market value.

In response to commenters’ concerns that the writing requirement increases the risk of inadvertent non-compliance, we note that our modification to permit a collection of documents to satisfy the requirement should help address compliance concerns by incorporating more flexibility in this requirement. Further, should an arrangement inadvertently fail to comply with a safe harbor condition that would not mean that the arrangement violates the Federal anti-kickback statute. Rather, the arrangement would not have safe harbor protection and would need to be analyzed based on its facts, including the intent of the parties, for compliance with the statute.

Comment: A commenter requested that we address how parties to a value-based arrangement would need to document a value-based arrangement’s value-based purpose.

Response: We did not expressly propose—as part of the writing requirement—that the parties document the value-based purpose(s) of the value-based activities provided for in the value-based arrangement. However, such requirement, which we are including in the final rule, effectuates our intent and logically flows from the intersection of the following proposals, each which is finalized here: (i) That the writing state, among other things, the value-based activities to be undertaken by the parties to the value-based arrangement; (ii) the “value-based activity” definition, which would require, in part, that the activity is reasonably designed to achieve at least one value-based purpose of the value-based enterprise; and (iii) the requirement that protected remuneration be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. In particular, it seems sensible that in describing the value-based activity—which, by definition, are reasonably designed to achieve at least one value-based purpose of the value-based enterprise—and to confirm that one purpose is the coordination and management of care, the writing would specify the value-based purpose that the activities are designed to achieve.

Consequently, we finalize a condition requiring that parties document the value-based purpose(s) of the value-based activities provided for in the value-based arrangement as part of the required writing. In particular, we view the documentation of the value-based purpose(s)—and specifically, documentation of the care coordination and management of care purpose—to be an important component of a writing designed to ensure transparency and accountability.

e. Limitations on Remuneration

i. In-Kind Remuneration

Summary of OIG Proposed Rule: We proposed that the remuneration exchanged must be in-kind under the proposed condition at paragraph 1001.952(ee)(4)(i).

Summary of Final Rule: We are finalizing, without modification, the requirement that the remuneration be in-kind, and moving it to paragraph 1001.952(ee)(1)(i).

Comment: While some commenters supported limiting protection under the care coordination arrangements safe harbor to in-kind remuneration, a number of commenters requested that OIG expand the safe harbor to protect monetary remuneration of any amount or, alternatively, monetary remuneration up to a certain amount annually. Many commenters asserted that the proposed safe harbor would not protect financial arrangements that incentivize behavior change, such as shared savings payments or payments to adhere to care protocols, and further asserted that the other safeguards in the safe harbor are sufficient to protect against fraud and abuse. A commenter suggested that OIG only protect shared savings distributed after the VBE has satisfied its expenses. Some commenters requested that the safe harbor protect monetary remuneration distributed under upside-only risk arrangements, particularly where the remuneration is tied directly or indirectly to achievement under a value-based arrangement with a payor. Other commenters asserted that the care coordination arrangements safe harbor should protect ownership, investment interests, loan arrangements (including interest payments), and similar transactions to fund infrastructure for the VBE that will facilitate the development and operation of a value-based arrangement.

Other commenters asserted that the safe harbor should permit the exchange of monetary remuneration, so physician practices can receive remuneration and purchase their own clinical tools or services and select staff members who best meet the needs of the practice. For example, a primary care practice explained that it would like to engage a psychologist or behavioral health professional to assist with patients presenting with depressive symptoms or needing additional assistance managing mental health conditions and that expanding this safe harbor to protect monetary remuneration would allow the practice to select a behavioral health professional who, among other things, best meets the needs of the practice’s patient population. They explained that, otherwise, the offeror of in-kind remuneration would make those purchasing decisions and selections for the recipient. Another commenter asserted that OIG’s and CMS’s final rules should align to protect both in-kind and monetary remuneration or only in-kind remuneration, arguing that any inconsistency would result in a barrier to the advancement of value-based care. A commenter suggested that the safe harbor protect monetary remuneration for specific services; for example, a hospital might offer to cover the costs of a nurse navigator at a SNF, instead of providing the nurse navigator directly, because it wants the SNF to have the contractual relationship with the nurse navigator. Lastly, several commenters requested that OIG expand the safe harbor to protect monetary remuneration exchanged under arrangements involving Indian health programs.

Response: We are finalizing the requirement that the remuneration exchanged pursuant to this safe harbor must be in-kind. We continue to believe that providing safe harbor protection to monetary remuneration exchanged under arrangements where: (i) The parties are not required to assume financial risk, and (ii) the protected remuneration is not required to be fair market value and may take into account the volume or value of referrals for the target patient population, presents heightened fraud and abuse risks that outweigh the potential benefits to Federal health care programs and patients. OIG’s longstanding guidance makes clear that remuneration in the form of cash and cash equivalents pose a higher risk of interfering with clinical decision-making, incentivizing overutilization or inappropriate utilization, and increasing costs to Federal health care programs. We do not view protection for ownership or investment interests as fundamental to parties entering into value-based arrangements for the coordination and management of care for a target patient population. Parties seeking to protect a particular investment interest may look to existing safe harbors (e.g., the safe harbor for investment interests at paragraph 1001.952(a)); in addition, the advisory opinion process remains available. Further, while we understand recipients’ desire to select their own care coordination items and services rather than receiving items and services an offeror selects, we note that parties do not have to enter into value-based arrangements and might agree to enter into such arrangements only where the item(s) or service(s) being offered are satisfactory to the recipient. We also note that, where a party offering remuneration desires for the recipient to contract directly for items and services, the recipient may do so as long as the offeror pays the vendor of the items and services directly. Further, while we understand recipients’ desire to select their own care coordination items and services rather than receiving items and services an offeror selects, we note that parties do not have to enter into value-based arrangements and might agree to enter into such arrangements only where the item(s) or service(s) being offered are satisfactory to the recipient. We also note that, where a party offering remuneration desires for the recipient to contract directly for items and services, the recipient may do so as long as the offeror pays the vendor of the items and services directly. Lastly, we note that individuals and entities may look to other safe harbors, such as the safe harbor for personal services and management contracts and outcomes-based payment arrangements at paragraph 1001.952(d), for protection for certain monetary remuneration.

Finally, in response to the comment requesting that CMS’s and OIG’s final protections align to protect both in-kind and monetary remuneration or only in-kind remuneration, we refer readers to section III.A.1, where we discuss fundamental differences in statutory structures and sanctions across the physician self-referral law and Federal anti-kickback statute and elaborate on the reasoning behind conditions that differ in any similar exception and safe harbor finalized by CMS and OIG, respectively, in each agency’s final rule in connection with the Regulatory Sprint. With respect to OIG’s specific policy to limit the care coordination arrangements safe harbor to in-kind remuneration, this policy addresses the heightened risk that fungible monetary remuneration could be misused to make intentional kickback payments and would be more difficult to track. OIG and CMS permit monetary and non-monetary remuneration in the value-based safe harbors and exceptions that require parties to assume risk.

ii. Remuneration Used To Engage in Value-Based Activities

Summary of OIG Proposed Rule: We proposed to require, at proposed paragraph 1001.952(ee)(4)(ii), that the remuneration provided by, or shared among, VBE participants be used primarily to engage in value-based activities that are directly connected to the coordination and management of care of the target patient population. We recognized that in-kind remuneration exchanged for value-based activities may indirectly benefit patients outside of the scope of the value-based arrangement and that parties may find it difficult to anticipate or project the scope or extent of these “spillover” benefits.

Summary of Final Rule: We are finalizing, with modifications, the proposed requirement at paragraph 1001.952(ee)(1)(ii). The two modifications are explained in greater detail in the responses to comments. First, the remuneration exchanged must be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. We replaced the word “primarily” with the word “predominantly.” Second, we added a condition that the remuneration exchanged result in no more than incidental benefits to persons outside of the target patient population. Further, for the reasons previously explained in the value-based terminology section discussing the definition of the “coordination and management of care” at section III.B.2.g, we added a condition to this final safe harbor clarifying that remuneration exchanged pursuant to a value-based arrangement may not be exchanged or used more than incidentally by the recipient for the recipient’s billing or financial management services.

Comment: Commenters generally supported our proposal to require that protected remuneration be primarily used to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population and expressed concerns about our alternative proposal to require that the remuneration exchanged be limited to value-based activities that only benefit the target patient population. Commenters asserted a variety of reasons why prohibiting spillover benefits outside the target patient population would be unworkable or undesirable in practice. For example, some commenters asserted that prohibiting spillover benefits would create a disincentive for innovation, and others emphasized the complexities in trying to manage benefits to prevent spillover. Some commenters requested that we expressly state that the benefits of the value-based arrangement do not need to be limited to the members of a target patient population. Another commenter stated that the term “primarily” is vague, which could make this requirement difficult to implement and monitor.

Response: We agree with the commenters’ concerns that prohibiting spillover benefits outside of the target patient population would be unworkable. In the OIG Proposed Rule, and for purposes of this final rule, we recognize that in-kind remuneration exchanged for value-based activities may indirectly benefit patients out of the scope of the associated value-based arrangement and that parties may find it difficult to anticipate or project the extent of such “spillover” benefits. We likewise acknowledge the need to provide parties with sufficient flexibility while also minimizing the risk of disguised, improper remuneration unrelated to the coordination and management of care for the target patient population. To address the commenters’ concerns about spillover effects, in the final rule we have clarified that the value-based activities for which the remuneration is used can result in no more than incidental benefits to persons outside of the target patient population. This language acknowledges the difficulty VBE participants could face in preventing “spillover” benefits and reflects our intent to permit safe harbor protection for care coordination arrangements that predominantly benefit the target patient population.

We are replacing the proposed term “primarily” with “predominantly” in the final rule. These words are analogous (e.g., meaning chiefly, mainly, principally). We make the change for consistency with comparable language in other safe harbors. The term “predominantly” appears for a similar purpose in the EHR and cybersecurity safe harbors, at paragraphs 1001.952(y) and (jj), respectively, and our parallel use of the same term in paragraph 1001.952(ee) enhances consistency for stakeholders across safe harbors. To the commenter’s concern about vagueness, we are not quantifying with specificity the degree to which remuneration is used to engage in value-based activities to offer flexibility for the range of value-based arrangements for which safe harbor protection may be sought.

Comment: Several commenters requested that we clarify that a device with multiple functions does not violate the Federal anti-kickback statute or the Beneficiary Inducements CMP when it is primarily used for managing a patient’s health care. Commenters noted that increasingly medical devices are being produced with multiple functions, or they rely on non-medical platforms such as consumer electronic products (e.g., smartphones, tablets).

Response: It appears that the commenters are asking whether the furnishing of a multi-function device, or a device that relies on a multi-use technology platform, can meet the safe harbor requirement that the remuneration is predominantly used to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. We also presume for purposes of this response that the device would be furnished to the recipient for less than fair market value.

As a threshold matter, compliance with the care coordination arrangements safe harbor depends on whether the device is furnished from one VBE participant to another VBE participant or if the device is furnished directly from a VBE participant to a patient. If the device is furnished by a VBE participant to another VBE participant, then the care coordination arrangements safe harbor may protect the remuneration if the device will be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population, and all other safe harbor requirements are met.

For example, a health information technology tool that enables both remote patient monitoring and two-way telehealth capabilities may satisfy the predominant use requirement if the remote patient monitoring and two-way telehealth technologies will be used by the recipient to coordinate and manage care for the target patient population. However, a health information technology tool that includes some functionalities that the recipient may use to coordinate and manage care for the target patient population and other functionalities that the recipient may use for purposes other than to coordinate and manage care for the target patient population may not meet this standard. For example, a health information technology tool that the recipient VBE participant uses to collect, track, and analyze data relevant to the outcome measures established by the VBE participants and is also used to collect, track, and analyze the VBE participant’s internal financial metrics for purpose of operating its own business would likely not meet the predominant use standard, unless the use for financial metrics is minimal.

In the above example, if the VBE participants wish to protect the health information technology tool under this safe harbor, the financial monitoring functionalities could be disabled to ensure that the predominant use test is met. Alternatively, if the recipient VBE participant pays fair market value for the financial monitoring functionalities, then the parties might conclude that they do not need to protect that aspect of the arrangement under this safe harbor, or they may look to another safe harbor, such as the personal services and management contracts safe harbor at paragraph 1001.952(d), to protect that aspect of the arrangement. To be protected under paragraph 1001.952(ee), the remaining remuneration for which fair market value has not been paid would need to meet the predominant use condition and all other safe harbor conditions.

We note that if the collecting, tracking, and analyzing data for the outcomes measures for the target patient population results in the VBE participant observing something that prompts a change to how it delivers care for all patients, not just the target patient population, this additional use would constitute an incidental benefit to persons outside the target patient population; such incidental benefit would not be a disqualifying feature of the remuneration under this provision in paragraph 1001.952(ee).

If a multi-function device is being furnished by a VBE participant directly to a patient, then the VBE participant would look to the patient engagement and support safe harbor, at paragraph 1001.952(hh), for protection, not the care coordination arrangements safe harbor. As explained above, the care coordination arrangements safe harbor does not protect remuneration—including a free or discounted device—flowing from VBE participants to patients. Note that, among other requirements, the patient engagement and support safe harbor requires that the remuneration has a direct connection to the coordination and management of care of the target patient population.

With respect to the Beneficiary Inducements CMP, we note that remuneration that is protected under a safe harbor to the Federal anti-kickback statute is not considered remuneration for purposes of the Beneficiary Inducements CMP.

Comment: Some commenters argued that this proposed limitation on the exchange of remuneration—in particular, the requirement that the remuneration be used to engage in value-based activities directly connected to the coordination and management of care of the target patient population—is unduly restrictive. Commenters stated that this condition should not be limited to the first of the four value-based purposes (the coordination and management of care for the target patient population) and should be expanded to permit a direct connection to any of the value-based purposes. Commenters further asserted that expanding this condition to require a direct connection to any value-based purpose would reduce regulatory burden, foster innovation, and facilitate alignment with CMS’s value-based exceptions to the physician self-referral law.

Response: The care coordination arrangements safe harbor does not preclude a value-based arrangement from furthering other value-based purposes; however, the safe harbor does require that the remuneration exchanged be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. By requiring that each party to a value-based arrangement under the care coordination arrangements safe harbor include the coordination and management of care for the target patient population as at least one of the value-based purposes, we seek to distinguish between referral arrangements, which would not be protected, and legitimate care coordination arrangements, which naturally involve referrals across provider settings but include beneficial activities beyond the mere referral of a patient or ordering of an item or service.

Comment: Some commenters supported using alternative language to the direct connection standard, such as “reasonably related and directly tied” or “directly connected or reasonably related.” Many of these commenters asserted that alternative language would better convey the close nexus between this safe harbor and the coordination and management of care of a target patient population. Other commenters advocated for other changes to the standard, e.g., replacing “directly connected” with only “connected.”

Response: We are finalizing the standard, proposed at paragraph 1001.952(ee)(1), now codified at paragraph 1001.952(ee)(1)(ii) requiring that remuneration be used predominately to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. We are not finalizing the similar standard proposed at paragraph 1001.952(ee)(7) requiring that the value-based arrangement is directly connected to the coordination and management care of the target patient population, because doing so would introduce unnecessary duplication to the safe harbor. We believe the direct connection standard we are finalizing appropriately captures the relationship we are requiring (i.e., a close nexus) between the value-based activities (for which protected remuneration must be used predominantly to engage in) and the coordination and management of care for the target patient population.

Comment: A commenter sought clarification as to whether remuneration tied to either receiving referrals or being included in a preferred provider network would be a value-based activity directly connected to the coordination and management of care.

Response: As stated elsewhere in this final rule, the making of a referral, standing alone, is not a value-based activity. Accordingly, neither the exchange nor use of remuneration tied solely to receiving patient referrals or being included in a preferred provider network would be a value-based activity, let alone one that is directly connected to the coordination and management of care. Were such conduct combined with other value-based activities, the “direct connection” standard could be met, depending on the facts and circumstances.

iii. No Furnishing of Medically Unnecessary Items or Services or Reduction in Medically Necessary Items or Services

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ee)(4)(iii) to require that the remuneration exchanged not induce VBE participants to furnish medically unnecessary items or services or reduce or limit medically necessary items or services furnished to any patient.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(ee)(7)(iii). The modification provides that the value-based arrangement (rather than merely the remuneration) cannot induce the parties to furnish medically unnecessary items or services or reduce or limit medically necessary items or services.

Comment: Commenters universally supported this safeguard. A commenter separately encouraged OIG to develop clear guidelines to enforce this provision that do not unduly hinder the provision of health care or second-guess physicians’ medical decision-making.

Response: We are finalizing this proposed protection for patient care and Federal program expenditures, with additional modifications to fully effectuate our intent. As stated in the OIG Proposed Rule, remuneration that induces a provider to order or furnish medically unnecessary care is inherently suspect. We likewise stated that a reduction in medically necessary services would be contrary to the goals of this rulemaking and could, in certain instances, be a violation of the CMP law provision relating to gainsharing arrangements.^[38] We do not intend to protect arrangements that do either. Upon further consideration, we have determined that our choice of language for the regulatory text too narrowly focused on the remuneration in the care coordination arrangement and did not capture the full range of ways through which ill-intentioned parties might seek to use a value-based arrangement to induce medically unnecessary care or limit medically necessary care. Accordingly, to better reflect our intent, the final regulation text prohibits the value-based arrangement from inducing parties to order or furnish medically unnecessary items or services or reduce or limit medically necessary items or services furnished to any patient.

In response to the commenter’s concern that this safeguard not unduly hinder physicians’ medical judgment, this condition is not intended to interfere with medical decision-making; rather, it is intended to support decision-making in the best interests of patients without inappropriate financial influence. This requirement is a hallmark safeguard against fraudulent and abusive practices that could lead to inappropriate utilization, inappropriate steering of patients, or stinting on care. We note that a separate condition of the safe harbor prohibits potential limitations on VBE participant’s ability to make decisions in the best interests of the target patient population.

iv. Remuneration From Individuals or Entities Outside the Applicable VBE

Summary of OIG Proposed Rule: We proposed at 1001.952(ee)(4)(iv) that the remuneration exchanged could not be funded by, or otherwise result from the contributions of, any individual or entity outside of the applicable VBE. We stated that we were considering a requirement that remuneration be provided directly from the offeror to the recipient.

Summary of Final Rule: We are not finalizing the proposed funding limitation or a requirement that remuneration be provided directly from the offeror to the recipient.

Comment: A few commenters supported the requirement prohibiting remuneration from individuals or entities outside the applicable VBE. Other commenters asked for exceptions to the requirement, such as exceptions for remuneration that would benefit the VBE’s patients and where the donating third-party would have no direction or control over how the remuneration could be used. Other commenters opposed the requirement, stating that it would prevent VBE participants from deriving remuneration from a wide variety of appropriate outside funding sources, such as payors. Another commenter raised concerns that a VBE participant could lose safe harbor protection unfairly if it receives remuneration from another VBE participant that was funded by another party without recipient of the renumeration knowing that source of funding. We also received comments on OIG’s consideration of whether to require that remuneration be provided directly from the offeror to the recipient, with such commenters stating that such a requirement would create unnecessary practical impediments.

Response: We are not finalizing the proposed requirement prohibiting parties to a value-based arrangement from exchanging any remuneration funded by, or otherwise resulting from the contributions of, an individual or entity outside of the applicable VBE. The purpose of these proposals was to ensure that protected arrangements would be closely related to the VBE, that VBE participants would be committed to the VBE and striving to achieve the coordination and management of care for the target patient population, and that non-VBE participants could not indirectly use the safe harbor to protect arrangements that are designed to influence the referrals or decision-making of VBE participants. On balance, we do not believe the proposed conditions would add appreciably to the program integrity protection offered by the combination of safeguards we are including in the final safe harbor, which address these same concerns. We seek to minimize practical impediments to use of the safe harbor by avoiding conditions we do not believe are needed. However, we emphasize that remuneration exchanged outside of a value-based arrangement would not be protected by any of the value-based safe harbors.

We also are not finalizing the requirement considered in preamble to the OIG Proposed Rule that remuneration be provided directly from the offeror to the recipient. As explained in the OIG Proposed Rule, this requirement would have prohibited the involvement of individuals and entities other than the VBE or a VBE participant in the exchange of remuneration under a value-based arrangement, including, potentially third-party vendors and contractors. We agree with commenters asserting that this requirement could create unnecessary practical impediments that would be outweighed by any potential benefit of such a condition.

f. Taking Into Account the Volume or Value of, or Conditioning Remuneration on, Business or Patients Not Covered Under the Value-Based Arrangement

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(ee)(5) to prohibit the offeror of the remuneration from taking into account the volume or value of, or conditioning an offer of remuneration on: (i) Referrals of patients that are not part of the value-based arrangement’s target patient population; or (ii) business not covered under the value-based arrangement.

Summary of Final Rule: We are finalizing, without modification, the requirement in paragraph 1001.952(ee)(5).

Comment: While some commenters supported our proposal, asserting that the requirement appropriately differentiates between actual care coordination arrangements and improper pay-for-referral schemes, a few commenters did not support the requirement for various reasons. A commenter expressed concern that this requirement will be difficult to administer if recipients of remuneration have any business arrangements outside the VBE and posited that adequate remedies exist under current law to address the type of sham or abusive arrangements this provision intends to preclude from safe harbor protection, although the commenter did not identify any specific remedies. Another commenter asserted that this requirement should be removed to align physician incentives with the delivery of value-based care.

Conversely, a commenter opposed the proposed standard on the basis that it is too narrow and encouraged us to prohibit parties from taking into account the volume or value of referrals within the target patient population and to also prohibit exclusivity or minimum-purchase requirements in value-based arrangements. The commenter advocated for a modified condition that would restrict any remuneration that depends on or is calculated based on the volume or value of any Federal health care referrals, whether inside or outside the target patient population.

Response: We are finalizing this condition, as proposed. For purposes of the safe harbor, value-based care, including coordinated care, may take into account the volume of patients in the target patient population or value of referrals or other business generated between the parties resulting from referrals of the target patient population (e.g., an offeror may base the number of hours it provides care coordination services to the recipient on the volume of patients in the target patient population). A complete prohibition on remuneration that takes into account the volume or value of referrals could operate as an actual or perceived barrier to safe harbor protection for the kinds of innovative care coordination arrangements that are the goal of this rulemaking. We are finalizing the limitation with respect to referrals of patients and business generated outside the target patient population under the value-based arrangement as an important safeguard to protect against remuneration offered under the guise of a value-based arrangement that is intended to induce the recipient’s referrals of patients or business not covered under the value-based arrangement.

g. Contribution Requirement

Summary of OIG Proposed Rule: We proposed in paragraph 1001.952(ee)(6) to condition safe harbor protection on the recipient’s payment of at least 15 percent of the offeror’s cost for the in-kind remuneration (i.e., a 15 percent contribution requirement). We also proposed at paragraph 1001.952(ee)(6) that the recipient make such a contribution in advance of receiving the in-kind remuneration, if a one-time cost, or at reasonable, regular intervals if an ongoing cost.

Summary of Final Rule: We are finalizing, with modification, the contribution requirement in paragraph 1001.952(ee)(6). Based on comments, we are revising the contribution requirement methodology to require recipients to pay at least 15 percent of either the offeror’s cost of the remuneration, as determined using any reasonable accounting methodology, or the fair market value of the remuneration. We are finalizing, with only a minor technical modification to address syntax, our proposal that, if the remuneration is a one-time cost, the recipient must make the contribution in advance of receiving the in-kind remuneration; if the remuneration is an ongoing cost, the recipient must make any contributions at reasonable, regular intervals.

Comment: Many commenters expressed support for the proposed 15 percent contribution requirement or otherwise acknowledged that some level of contribution likely would be an appropriate safeguard to hold VBE participants accountable, promote engagement, and lower the risk that unnecessary or improper remuneration would be furnished pursuant to a value-based arrangement. The majority of commenters opposed any contribution requirement, with several asserting that such a requirement would be administratively burdensome; would necessitate onerous documentation and analysis, e.g., documenting and tracking the exchange of remuneration, in addition to undertaking an analysis as to whether the items or services exchanged constitute remuneration in the first place; and would discourage parties from entering into beneficial value-based arrangements.

Response: We are retaining a 15 percent contribution requirement for purposes of the care coordination arrangements safe harbor. We proposed the contribution requirement to: (i) Increase the likelihood that the recipient would use the care coordination item(s) and service(s); (ii) ensure that the remuneration would be well-tailored to the recipient; and (iii) promote the recipient’s vested interest in achieving the intended purpose of the value-based arrangement, namely, furthering the coordination and management of care of the target patient population.

We are not persuaded that the contribution requirement would be overly burdensome or chill participation in value-based arrangements. While there may be some administrative burden associated with a contribution requirement, on balance we believe this requirement is important to mitigate what OIG identified in the OIG Proposed Rule as traditional fraud and abuse risks, e.g., inappropriately increased costs to the Federal health care programs or patients, corruption of practitioners’ medical judgment, overutilization, and inappropriate patient steering.

Comment: Many commenters supported a lower contribution amount (or no contribution amount) for arrangements involving certain providers with financial constraints. These commenters generally asserted that, absent an exemption from, or significant reduction in the amount of, the contribution requirement, many providers would not be able to afford to participate in value-based arrangements. Commenters had varying suggestions for who should qualify as a provider with financial constraints, including, for example, essential hospitals, critical access hospitals, Indian health care providers, not-for-profit social services organizations, free and charitable clinics, small and rural practices, and practices serving medically underserved areas. Some commenters offered potential definitions while others favored existing definitions, such as those promulgated by the U.S. Small Business Administration, CMS, and the Health Resources and Services Administration.

Response: Having considered the comments and the goals of this rulemaking, we are not reducing or eliminating the contribution amount for arrangements involving certain providers with financial constraints. While we remain sensitive to the limited resources of many types of potential VBE participants, including those cited by commenters, we believe that the contribution requirement serves as an important guardrail to prevent fraud and abuse under the guise of a value-based arrangement and an incentive for parties to develop arrangements that are both effective in coordinating and managing care and economically prudent. We believe the contribution requirement will help ensure that parties are serious about collaborating to achieve the purpose of coordinating and managing patient care and will deliberately design care coordination arrangements most likely to be effective at achieving quality and efficiency aims in an economically prudent manner. In addition, we decline to make exceptions to the 15 percent contribution requirement for categories of VBE participants (e.g., small and rural practices) for several reasons. First, some designations can change over time (for example, a physician practice may qualify as a small practice at some points in time but not at others, depending on staffing changes), which could create confusion about the implementation of the contribution requirement when such a change occurs. Second, the same types of fraud and abuse risks associated with potentially valuable in-kind remuneration from a referral source apply equally to both larger or urban recipients, for example, and the types of recipients that requested an exemption from the 15 percent contribution requirement or a lower contribution percentage, such as small or rural providers. OIG’s enforcement experience demonstrates that fraud is perpetrated by both small and large entities and happens across all geographic areas. Third, the 15 percent contribution requirement is based on the electronic health records items and services safe harbor at paragraph 1001.952(y)(11), which does not differentiate among recipients. Finally, in the context of the flexibilities of the overall safe harbor, the advantages from a compliance perspective of a single bright line standard outweigh the potential benefits of variable standards based on geographic location or other characteristics. Moreover, we have no basis for determining different amounts for different parties. Should the 15 percent contribution requirement pose a barrier to use of the safe harbor, parties are reminded that failure to fit in a safe harbor does not mean that an arrangement is necessarily unlawful and that OIG’s advisory opinion process is also available.

Comment: At least one commenter suggested that the safe harbor except certain forms of in-kind remuneration (e.g., remuneration that consists of cybersecurity technology and related services and IT-related updates, upgrades, and patches) from the contribution requirement.

Response: We decline to include any exceptions to the contribution requirement under the care coordination arrangements safe harbor because we believe that, in the context of this safe harbor, this requirement is important to mitigate traditional fraud and abuse risks and ensure that parties enter into arrangements that serve value-based purposes. However, we remind parties seeking safe harbor protection for the exchange of cybersecurity technology and related services that the cybersecurity technology and related services safe harbor, paragraph 1001.952(jj), is available to protect the exchange of cybersecurity items and services, provided all safe harbor requirements are met, and note that such safe harbor does not include a contribution requirement.

Comment: Commenters generally opposed the proposal that the contribution requirement be calculated based upon the offeror’s cost. For example, a commenter asserted that an offeror’s cost may be difficult to determine where the offeror has substantial development costs but small marginal costs for each individual recipient or user. Another commenter posited that this standard would provide insufficient flexibility because the benefit of the remuneration exchanged may be realized by one party more than the other, for example, where the remuneration exchanged between two or more parties primarily benefits the offeror versus the recipient. Commenters suggested various methodologies to calculate the contribution requirement, including: (i) The offeror’s cost or fair market value; (ii) the offeror’s cost or a price charged by the offeror to purchasers outside of the VBE; (iii) any reasonable accounting methodology; and (iv) an amount based on the price for that product or service (or a reasonably comparable product or service if it is new to the market) typically charged by the offeror to reasonably comparable customers outside VBEs. Another commenter recommended we define “offeror’s cost,” whereas another commenter expressed concern that the standard would be difficult to implement because items or services that benefit patients could have little or no quantifiable independent value to the VBE recipient.

A commenter asserted that calculating cost may be difficult when tools and software are developed internally by the developer or manufacturer and made available by a VBE participant or acquired as part of a bundled sale under the discount safe harbor. A commenter also stated that there may be substantial development costs but only marginal costs for each individual recipient and that costs could be subject to proprietary and confidentiality obligations.

Response: In the OIG Proposed Rule, in addition to our proposal that the contribution requirement be calculated based upon the offeror’s cost, we stated we were considering two other methodologies for determining the 15 percent requirement: Fair market value of the remuneration to the recipient or the reasonable value of the remuneration to the recipient. To afford parties additional flexibility, we are revising the contribution requirement methodology in this final rule to require recipients to pay at least 15 percent of either: (i) The offeror’s cost of the remuneration, as determined using any reasonable accounting methodology; or (ii) the fair market value of the remuneration. As indicated in the OIG Proposed Rule, we are not requiring that parties obtain an independent fair market valuation. We selected fair market value rather than reasonable value because fair market value is a more specific standard, a widely used term in valuation, and common to many existing safe harbors such that many stakeholders and the government have experience with it. We are finalizing the requirement as “fair market value” instead of “fair market value of the remuneration to the recipient” because we believe the inclusion of “to the recipient” could confuse generally accepted valuation methodologies due to its focus on only one party. We expect that parties to a value-based arrangement seeking protection under this safe harbor would use generally accepted valuation methodologies and principles in any determination of “fair market value” in relation to the contribution requirement, which could incorporate factors related to the recipient.

To provide parties flexibility we are not specifically defining “offeror’s cost” or requiring a specific methodology for determining fair market value. To the extent costs are proprietary or confidential, depending on the circumstances, parties could meet this condition through the use of contractual provisions in their value-based arrangements to protect information from further disclosure or rely on the fair market value option to determine the 15 percent contribution requirement.

We are finalizing our proposal that, if the remuneration is deemed by the parties to be a one-time cost, e.g., a one-time purchase of telehealth-related technology, the recipient must make the contribution in advance of receiving the in-kind remuneration; to the extent the remuneration is deemed by the parties to be an ongoing cost, e.g., a subscription service to a data analytics tool, the recipient must make any contributions at reasonable, regular intervals, with the frequency of such payments documented in writing. We note that parties have the flexibility to structure the recipient’s contribution payment as either a one-time or ongoing payment, depending upon the facts and circumstances of the arrangement and the parties’ preference.

Comment: We received several comments advocating for or against the adoption of alternative proposals noted in the OIG Proposed Rule. For example, many commenters favored an across-the-board reduction in the contribution requirement from 15 percent to 5 percent. Other commenters backed an exemption to, or a significant reduction in, the contribution requirement for certain categories of remuneration, such as technology and technology-related items, although at least one commenter opposed this approach due to administrative burden concerns. Another commenter urged OIG to calibrate the contribution based on the financial need of the target patient population.

Response: We are retaining the 15 percent contribution requirement, as proposed, with the aforementioned methodology modifications. We believe that a contribution requirement lower than 15 percent would not achieve a sufficient level of accountability and engagement of the recipient. Moreover, we decline to vary the contribution requirement based upon the type of remuneration at issue or the arrangement’s target patient population; such variation would introduce unnecessary operational complexity.

Comment: A commenter recommended that OIG take into account nonmonetary contributions from the recipient to the offeror for purposes of calculating the contribution requirement.

Response: To meet this safe harbor’s contribution requirement, a recipient must pay at least 15 percent of the offeror’s cost of the remuneration (as determined using any reasonable accounting methodology) or at least 15 percent of the fair market value of the remuneration. Parties to a care coordination arrangement where any nonmonetary contributions flow in both directions—from the offeror to the recipient and the recipient to the offeror—would need to assess any potential Federal anti-kickback statute implications for both streams of contributions. To the extent that both streams of contributions constitute remuneration, implicate the Federal anti-kickback statute, and the parties seek protection under the care coordination arrangements safe harbor, the parties must satisfy the contribution requirement for each stream of remuneration. There may be circumstances under which the parties could appropriately offset payments made to satisfy the contribution requirement for each stream, but any such assessment would be fact specific. For example, it would be appropriate for parties to offset payment amounts to satisfy the contribution requirement for separate streams of remuneration to reduce administrative burden, provided each stream of remuneration complied with the Federal anti-kickback statute. In contrast, it would be inappropriate for parties to offset payment amounts in an attempt to reduce a party’s contribution requirement below 15 percent and any associated arrangement would not be protected by this safe harbor.

Comment: A commenter recommended that, for purposes of applying the 15 percent contribution requirement in the care coordination arrangements safe harbor, OIG recognize a VBE’s good faith allocation of the in-kind remuneration across various arrangements. The commenter identified a number of manners in which it believed a reasonable allocation could be made (e.g., patient needs associated with a particular arrangement, such as a chronic care program), and noted that in some cases, a reasonable allocation might be a per capita allocation of in-kind remuneration across all VBE participants.

Response: First, for the purposes of our response, we assume that the commenter means that the in-kind remuneration provided by the VBE or VBE participant to other VBE participants would be shared by various VBE participants to a value-based arrangement, or various value-based arrangements, under the same VBE (e.g., a shared care coordinator or shared information technology system). To the extent that VBE participants to a value-based arrangement or various value-based arrangements are sharing in-kind remuneration provided by the VBE or another VBE participant, it would be reasonable—under both methodologies that parties can use to determine the contribution requirement—to reasonably and in good faith allocate the “offeror’s cost for the in-kind remuneration” or the “fair market value” of the shared resources between the various VBE participants sharing in the resources.

As stated above, we would expect that parties to a value-based arrangement seeking protection under this safe harbor would use reasonable accounting methodologies and generally accepted valuation methodologies and principles in determining any appropriate allocation of the shared resources for the purposes of determining the “offeror’s cost for the in-kind remuneration” or the “fair market value” in relation to the contribution requirement. We acknowledge that reasonable accounting methodologies and commonly accepted valuation principles would allow for consideration of the shared nature of the in-kind remuneration. We further highlight that we would not expect that any aggregate contribution amounts—from VBE participants sharing in any in-kind remuneration—result in a windfall to the offeror.

Comment: Some commenters expressed concern that a contribution requirement would upend the existing regulatory framework that parties rely on to assess whether an item or service constitutes remuneration. For example, a dialysis provider stated that a contribution requirement may unintentionally create a presumption that many care coordination activities that do not constitute remuneration for purposes of the Federal anti-kickback statute are, in fact, remuneration with a specific value. The same commenter illustrated its concern by explaining that multiple Medicare conditions for coverage require dialysis facilities to coordinate dialysis patients’ care with other providers, including physicians and nursing homes. The dialysis provider requested that OIG confirm that the following does not constitute remuneration: (i) The provider performs care coordination services because they are required to do so by Medicare or other payors’ rules, other law, or to meet the clinical standard of care, and (ii) the care coordination services provided do not relieve another party of an obligation assigned to it by Medicare or other payors’ rules or other law.

Response: The contribution requirement does not change the current regulatory framework for assessing whether an item or service exchanged between two or more parties constitutes remuneration under either the Federal anti-kickback statute or the Beneficiary Inducements CMP. As we have stated in prior OIG guidance on this issue, we view “remuneration” under the Federal anti-kickback statute to consist of anything of value in any form or manner whatsoever.^[39] With respect to the request for guidance as to whether (i) care coordination services performed by a provider because they are required to do so by Medicare or other payors’ rules, other law, or to meet the clinical standard of care, and (ii) care coordination services that do not relieve another party of an obligation assigned to it by Medicare or other payors’ rules or other law, such services could constitute remuneration under the Federal anti-kickback statute. However, we remind readers that even if care coordination services constitute remuneration, the Federal anti-kickback statute is not necessarily implicated. For example, the Federal anti-kickback statute generally is not implicated for financial arrangements limited solely to patients who are not Federal health care program beneficiaries. Further, depending on the facts and circumstances (including the intent of the parties), the provision of care coordination services may implicate the Federal anti-kickback statute but not violate it.

Comment: Some commenters asserted that the proposed 15 percent contribution requirement is arbitrary or that there is no evidence a contribution requirement would mitigate fraud and abuse concerns. Other commenters suggested that the contribution requirement is duplicative of existing safeguards included in the care coordination arrangements safe harbor, e.g., the requirement that remuneration must be used primarily to engage in value-based activities that are directly connected to the coordination and management of care of the target patient population.

Response: We disagree with the commenters. We believe the contribution requirement will promote accountability, fiscal responsibility, and greater engagement by the recipient. We note that contribution requirements have been implemented in other contexts, such as those included in the electronic health records items and services (EHR) safe harbor at paragraph 1001.952(y) and the Federal Communications Commission’s Rural Health Care Pilot Program.^[40] Moreover, we do not believe the contribution requirement is duplicative of other safeguards. While several conditions in the safe harbor promote accountability, the contribution requirement provides an objective, bright-line standard for parties that requires recipients in value-based arrangements to have a financial stake in the arrangement and encourages a tangible commitment to achieving the value-based arrangement’s goals.

Comment: At least two commenters drew attention to the parallel contribution requirements in the care coordination arrangements and EHR safe harbors. For example, a commenter highlighted the perceived inconsistency of relying on the EHR safe harbor to justify our contribution requirement on the one hand and indicating that we were considering revisiting or eliminating the contribution requirement in the EHR safe harbor on the other. Another commenter sought to distinguish the care coordination arrangements safe harbor from the EHR safe harbor by stating that a contribution requirement may be appropriate in the EHR safe harbor because the EHR safe harbor has less stringent standards, but a contribution requirement is not warranted in the care coordination arrangements safe harbor. The commenter further asserted that the EHR safe harbor protects items and services that have clear independent value to the recipient, while items and services exchanged pursuant to value-based arrangements may not always have such independent value.

Response: In the OIG Proposed Rule, we considered removing the contribution requirement in the EHR safe harbor, but as discussed subsequently in this final rule, we are retaining the EHR safe harbor’s contribution requirement. Accordingly, both the care coordination arrangements safe harbor and the EHR safe harbor, as finalized, include a 15 percent contribution requirement. We disagree that the EHR safe harbor has less stringent standards. The care coordination arrangements and EHR safe harbors have distinct requirements tailored to the type of remuneration that may be protected by the respective safe harbor. With respect to the commenter’s suggestion that items and services exchanged pursuant to the care coordination arrangements safe harbor may not always have independent value to the recipient (in contrast to the EHR safe harbor), we note that any such determination would be fact specific. Moreover, the contribution requirement does not change any assessment of whether an item or service exchanged between two or more parties constitutes remuneration under the Federal anti-kickback statute. We remind stakeholders that to implicate the Federal anti-kickback statute, there must be “remuneration” offered, paid, solicited, or received in the transaction or arrangement at issue. If the Federal anti-kickback statute is not implicated by a transaction or arrangement, then safe harbor protection is not necessary. Consequently, we would expect arrangements that qualify under the care coordination arrangements safe harbor to involve remuneration exchanged between the parties.

h. Direct Connection to the Coordination and Management of Care

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ee)(7)(i) that a value-based arrangement must have a direct connection to the coordination and management of care for the target patient population.

Summary of Final Rule: We are not finalizing the condition at proposed paragraph 1001.952(ee)(7)(i) because it would substantially duplicate the condition at paragraph 1001.952(ee)(1)(ii), which requires the remuneration to be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care.

Comment: Commenters generally did not support the condition proposed at paragraph 1001.952(ee)(7)(i), albeit for varying reasons. Some took issue with the fact that the condition did not afford parties the flexibility to select any one of the value-based purposes available to VBEs, and rather tied parties to the value-based purpose relating to the coordination and management of care. Some commenters argued that this condition was not necessary in light of other safeguards included in the care coordination arrangements safe harbor.

Response: We are not finalizing the condition proposed at paragraph 1001.952(ee)(7)(i) because it would substantially duplicate the condition we are finalizing at paragraph 1001.952(ee)(1)(ii). With respect to the commenters that argued that the proposed condition did not afford parties the flexibility to select any one of the value-based purposes available to VBEs, and rather tied parties to the value-based purpose relating to the coordination and management of care, we refer commenters to the discussion of the condition we finalize at paragraph 1001.952(ee)(1)(ii), in section III.B.3.e.ii. of the preamble. There we explain, in part, that the care coordination arrangements safe harbor’s conditions do not preclude a value-based arrangement from furthering other value-based purposes; however, the safe harbor does require that the remuneration exchanged be used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population.

i. Preserving Clinical Decision-Making

Summary of OIG Proposed Rule: In proposed paragraph 1001.952(ee)(7)(ii), we proposed that the value-based arrangement must not limit parties’ ability to make decisions in the best interests of their patients.

We also proposed in proposed paragraph 1001.952(ee)(7)(iii) that value-based arrangements cannot direct or restrict referrals if: (i) A patient expresses a preference for a different practitioner, provider, or supplier; (ii) the patient’s payor determines the provider, practitioner, or supplier; or (iii) such direction or restriction is contrary to applicable law or regulations under titles XVIII and XIX of the Act.

Summary of Final Rule: We are finalizing, with modification, the proposed condition that the value-based arrangement must not limit the VBE participant’s ability to make decisions in the best interests of its patients and relocating it to paragraph 1001.952(ee)(7)(i). We are making a technical correction to change “their patients” to “its patients.” In paragraph 1001.952(ee)(7)(ii), we are finalizing the condition related to directing or restricting referrals with one clarification. We are deleting “or regulations” because “regulations” is already captured by the term “applicable law” in the final regulation. Thus, a value-based arrangement cannot direct or restrict referrals if such direction or restriction is contrary to applicable law under titles XVIII and XIX of the Act.

Comment: Commenters were very supportive of prohibiting any limitation on VBE participants’ ability to make decisions in the best interests of their patients and limiting how the value-based arrangement can direct or restrict referrals to a particular provider, practitioner, or supplier. Many commenters asserted that these standards will protect patient choice and ensure the independence of medical or professional judgment.

Response: We agree with the commenters, and we are finalizing these two requirements—a prohibition on any limitation of VBE participants’ ability to make decisions in the best interests of their patients, and limiting the circumstances in which parties to a value-based arrangement may direct or restrict referrals—to support patient choice and independent medical and professional judgment. Based on these conditions, remuneration exchanged as part of arrangements that unduly restrict patient choice or the independence of medical or professional judgment through inappropriate direction or restriction of referrals will not be protected. This requirement aims to ensure that VBEs and VBE participants that are parties to a value-based arrangement maintain their independent, medical, or other professional judgment without undue restriction. This condition is not intended to bar VBEs or VBE participants from communicating the benefits of receiving care from other VBE participants in the VBE.

Comment: Several commenters urged the OIG to adopt more robust safeguards to protect patient choice and ensure the independence of medical or professional judgment. A commenter recommended that health care professionals be given the ability to override any (i) practice guideline or standard; (ii) electronic health record technology; (iii) clinical-decision support software; (iv) computerized order entry program; or (v) policies that may be imposed or implemented by a VBE or payor if such an override is, in the professional judgment of the health care professional, consistent with their determination of medical necessity and appropriateness or nursing assessment, in the best interests of the individual patient, and consistent with the patient’s wishes.

Another commenter asserted that the OIG Proposed Rule appears to give a provider the authority to direct a referral unless the patient otherwise expresses an alternative choice. The commenter recommended that we include a requirement that the VBE provide notice to patients informing them that: (i) The entity is participating in a financial risk-based program where the entity receives financial benefits under applicable conditions; (ii) referrals for care may be made to a restricted list of providers and practitioners; and (iii) the patient has the freedom to choose any qualified provider or practitioner and the right to reject any referral to a particular provider or practitioner if they have an alternative preferred provider or practitioner. Another commenter urged OIG to provide consumer-tested templates for VBEs to communicate with patients that they retain their rights to choose providers.

Response: With respect to the commenter’s assertion that the OIG Proposed Rule appears to give the provider the authority to direct a referral unless the patient otherwise expresses an alternative choice, we note that the provision we are finalizing also prohibits the value-based arrangement from directing or restricting referrals where the patient’s payor determines the provider, practitioner, or supplier, or where the direction or restriction is contrary to applicable law under titles XVIII and XIX of the Act. Moreover, nothing in this safe harbor gives providers authority to direct referrals. This provision describes one among several conditions of safe harbor protection, in this case a limitation on what a protected value-based arrangement can do.

With respect to the suggestion that providers be permitted to override various care protocols, guidelines, policies, or technology-driven systems, this safe harbor does not affect the authority of providers to do so. A provider’s obligation to comply with care protocols, guidelines, policies, or technology-driven systems is outside the scope of this final rule. This safe harbor speaks only to the conditions under which a value-based arrangement would receive prospective safe harbor protection under the Federal anti-kickback statute. The value-based arrangement may not limit the VBE participant’s ability to make decisions in the best interests of its patients. Facts and circumstances demonstrating that the value-based arrangement has limited a VBE participant’s ability to make decisions in the best interest of its patients would disqualify the remuneration exchanged pursuant to the value-based arrangement from protection under this safe harbor. In drafting the final rule on this point, we have been guided in part by experience with long-established rules in the physician self-referral law ^[41] and the Medicare Shared Savings Program ^[42] that address preservation of patient preferences and clinician judgment choice in the context of directed referrals.

While we appreciate the commenters’ suggestions regarding patient notice, we did not propose a patient notice requirement in the OIG Proposed Rule for any of the three value-based safe harbors, and we are not including a patient notice requirement in this final rule. Such a requirement would add administrative burden without appreciably adding benefits, including protections against fraud and abuse, given the combination of conditions we are finalizing. Further, such notices, if executed poorly, could confuse patients. Parties may wish to provide notifications, and nothing in this rule prevents them from doing so. We are not providing templates for communications with patient regarding patient choice, and defer to providers, payors, and others to develop best practices for notices and other relevant communications.

Comment: A commenter urged the OIG to preclude safe harbor protection for any arrangement that involves paying for referrals and to protect against any given market player requiring referrals only to certain facilities. Another commenter recommended that VBEs be prohibited from taking any adverse action against a patient that chooses an alternative provider or practitioner.

Response: We share the commenter’s concerns regarding abusive, pay-for-referral arrangements. We also recognize that legitimate care coordination arrangements may involve an exchange of remuneration between parties that are in a position to give or receive referrals and that referrals may be made between VBE participants coordinating and managing a patient’s care through a value-based arrangement. One of the objectives of the care coordination arrangements safe harbor is to identify and define attributes of legitimate care coordination arrangements and afford protection only to remuneration exchanged under such arrangements. The requirements of this safe harbor and the value-based terminology (e.g., value-based purpose, value-based activity, value-based arrangement) work together to achieve this objective. Abusive, pay-for-referral arrangements, such as an arrangement where an individual or entity is required to offer remuneration to a provider in order to receive that provider’s referrals or an arrangement that encourages providers to steer patients in ways that are not in the patients’ best interests, will not be able to meet the requirements of the safe harbor.

With respect to the commenter’s concern regarding a particular person or entity requiring referrals only to certain entities, we believe these types of directed referral provisions may be problematic in certain instances but also are common features of many legitimate care coordination arrangements. As explained in the preceding response, the limitations we are adopting in this final rule reflect important safeguards to protect patient choice and independence of medical and professional judgment and effectuate an appropriate balance between the competing concerns of protecting legitimate care coordination arrangements and preventing inappropriate pay-for-referral schemes.

With respect to the recommendation that, as a condition of safe harbor protection, VBEs should be prohibited from taking any adverse action against a patient that chooses an alternative provider or practitioner, we note that nothing in the safe harbor limits or directs a patient’s choice of provider or services, including a patient’s choice to seek care outside the VBE. As indicated in the OIG Proposed Rule and implemented in this final rule, it is our intent that a patient can express a preference for a different practitioner, provider, or supplier and the value-based arrangement cannot restrict or limit that choice. Further, safe harbor protection does not extend to any arrangement where the value-based arrangement directs or restricts referrals to a particular provider, practitioner, or supplier if the patient’s payor determines the provider, practitioner, or supplier or the direction or restriction is contrary to applicable law under titles XVIII and XIX of the Act.

j. Marketing of Items or Services or Patient Recruitment Activities

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(ee)(7)(iv) that the value-based arrangement could not include marketing to patients of items or services or engaging in patient recruitment activities. We stated that we did not intend for this limitation to prohibit a VBE participant that is a party to a value-based arrangement from educating patients in the target patient population regarding permissible value-based activities.

Summary of Final Rule: We are finalizing, with modifications, this requirement at paragraph 1001.952(ee)(1)(iii). We have revised the language of the text at paragraph 1001.952(ee)(1)(iii) to clarify that the protected remuneration under the value-based arrangement may not be exchanged or used for the purpose of marketing items or services furnished by the VBE or a VBE participant to patients or for patient recruitment activities.

Comment: Several commenters strongly supported our proposal, or, alternatively, advocated for the imposition of additional conditions to protect against abusive marketing practices. However, the majority of commenters on this topic either sought clarification on the parameters of the condition or opposed it altogether. A commenter asked OIG to define allowable educational activities and prohibited marketing activities, and another commenter questioned whether a distinction between marketing and educational activities is possible when, according to the commenter, the line between marketing and education is subjective and requires an intent-based inquiry. Another commenter suggested that OIG prohibit marketing and patient recruitment activities but permit efforts to make patients aware of the availability of items or services at times when the patient could reasonably benefit from such information. Other commenters requested that OIG provide guidance on, and specific examples of, the distinction between marketing and patient recruitment activities on the one hand, and patient education activities on the other. For example, a commenter asked whether a program to screen patients for fall risk and educate them on their risks and appropriate next steps would be considered patient education or a marketing activity. Another commenter asked whether a hospice’s provision of free home-based palliative care services or room and board to patients unable to pay would constitute marketing or patient recruitment activities.

Numerous commenters opposed the prohibition on patient marketing and patient recruitment activities altogether, asserting that the condition is too broad. A commenter declared that marketing activities are necessary in order to meaningfully educate patients on their health care options, and another commenter claimed that a marketing and patient recruitment prohibition would limit a value-based enterprise’s ability to leverage technology that might empower patients to make informed decisions and gain timely access to appropriate care. This commenter encouraged OIG to provide an exception for marketing-based technology that is used to achieve a defined health outcome under a value-based arrangement.

Response: We are finalizing a narrower condition than the condition proposed in the OIG Proposed Rule because we agree with the commenters that our proposed condition was broader than necessary to prevent the fraud and abuse concerns addressed by the condition. Rather than prohibiting all marketing and patient recruitment activities under a value-based arrangement, as proposed, the requirement we are finalizing prohibits the exchange of or use of remuneration for the purpose of marketing items or services provided by the VBE or VBE participants or for patient recruitment activities.

We use the terms “marketing” (e.g., promoting or selling something), “education” (e.g., informing, instructing, or teaching), and “recruitment” (e.g., enlisting someone to do something) in accordance with their commonsense meanings. We are not defining in regulatory text “marketing,” “patient recruitment activities,” or “education,” or a similar term (note that the regulatory text does not use “education” or “educational activities” but we use such terms in our preamble explanation). We decline to define these terms: (i) In recognition that these terms are commonly understood; and (ii) to avoid overly prescriptive definitions that may chill appropriate educational activities. In lieu of regulatory definitions, we offer illustrative examples below to aid stakeholders in applying the safe harbor provision.

As noted in the OIG Proposed Rule, the proposed marketing and recruitment restriction would prevent misuse of the safe harbor by those seeking to use purported value-based arrangements to perpetuate fraud schemes through the purchase of beneficiaries’ medical identity or other inducements to lure beneficiaries to obtain unnecessary care. As stated in the OIG Proposed Rule, our enforcement experience demonstrates that fraud schemes often involve a mixture of both inducements to lure beneficiaries to obtain unnecessary care and the use of marketing-like activities to steal patients’ medical identities. In particular, OIG has long-standing concerns about marketing activities that involve personal contact with beneficiaries. For example, OIG has previously explained that door-to-door marketing, telephone solicitations, direct mailings, and in-person sales pitches or “informational” sessions can be extremely coercive, particularly when such activities target senior citizens, Medicaid beneficiaries, and other particularly vulnerable patients.^[43]

Consequently, we believe that remuneration used for marketing and patient recruitment activities, regardless of whether the activities are driven by technology or tied to achieving a defined health outcome, remains suspect and requires fact-specific scrutiny under the Federal anti-kickback statute; therefore, we decline to provide safe harbor protection for such remuneration in this safe harbor.

Nevertheless, we acknowledge the benefits of objective educational materials to provide patients with general health care information and information about their health care options. We do not consider remuneration exchanged between parties to a value-based arrangement to (i) provide objective patient educational materials or (ii) engage in objective patient informational activities to constitute marketing or patient recruitment activities for purposes of this safe harbor condition. As we explained in the OIG Proposed Rule, this condition would not prohibit a VBE participant that is a party to the value-based arrangement from educating patients in the target patient population about permissible value-based activities.

A determination regarding whether remuneration is being exchanged or used for the purposes of marketing items or services or patient recruitment activities or for an educational activity requires a fact-specific analysis; however, the following examples illustrate how we distinguish between marketing and patient recruitment, on the one hand, and education on the other. Using examples from the OIG Proposed Rule,^[44] if a SNF or home health agency placed a staff member at a hospital to assist patients in the discharge planning process, and in doing so, the staff member educated patients regarding care management processes used by the SNF or home health agency, this would not constitute marketing of items and services (provided the staff member only worked with patients that had already selected the SNF or home health agency and SNF or home-health agency care was medically appropriate for such patient). However, if the SNF or home health agency placed a staff member at a hospital to perform care coordination services and to market the SNF’s or home health agency’s services to hospital patients, the arrangement would not comply with this requirement because the remuneration being exchanged pursuant to the arrangement—the services offered by the staff member—would be exchanged for the purpose of engaging in marketing.

As an additional example, we would not consider actions, such as notifying a patient of the criteria used by a VBE participant to determine patient eligibility for care coordination services or informing the target patient population of potential health benefits that may be derived from care coordination for a patient’s chronic condition, to be marketing or patient recruitment activities. This sort of targeted education to the patient is distinguishable from broader marketing and recruiting campaigns designed to sell products or services or recruit patients.

Notably, in some circumstances, it may not be necessary to make a distinction between marketing and education to determine whether an arrangement fits in a value-based safe harbor. If remuneration is exchanged pursuant to an arrangement that does not qualify as a “value-based arrangement,” as defined here, it is not eligible for safe harbor protection. For example, an arrangement solely for a direct-mail marketing campaign or other advertising would need to qualify as a value-based arrangement under the definition at paragraph 1001.952(ee) to be eligible to use a value-based safe harbor. We cannot envision a circumstance where such an arrangement would be a “value-based arrangement” as defined in this final rule or be eligible under this safe harbor. Should one VBE participant wish to engage in a direct-mail campaign that markets, in part, another VBE participant’s services and the parties seek safe harbor protection for such arrangement, they should look to the personal services and management contracts safe harbor at paragraph 1001.952(d).

In response to the commenter’s inquiry regarding a screening program for fall risk, it is not clear from the commenter’s description whether the program would be part of a coordinated plan of care for a target patient population to improve outcomes or a marketing or patient recruitment activity to attract patients to the VBE or its participants. If the former, the arrangement could qualify for safe harbor protection, if all safe harbor conditions are met. If the latter, it would not be protected. Based on our oversight experience, we are concerned that a fall risk screening program could be misused as a marketing or patient recruitment activity if the screening program was not part of the coordination and management of care or an objective educational program. There is a risk that such a program could be used to lure beneficiaries to obtain unnecessary care. Whether a particular fall risk screening program is a marketing program, an educational program, or a value-based arrangement will depend on its specific facts and circumstances.

Additionally, we note that remuneration exchanged between parties to a value-based arrangement that is used to offer something of value to patients to incentivize them to obtain a fall screening examination from one of the parties would not be protected by this safe harbor. We have modified the regulatory text to make clear that prohibited marketing includes not only exchanging remuneration for the purpose of engaging in patient recruitment activities or marketing but also using remuneration for such purposes. This change effectuates our intent articulated in the preamble to the OIG Proposed Rule to limit the risk of the value-based arrangement being used as a marketing or recruiting tool to generate federally payable business for the VBE participant.^[45] To illustrate how this condition would operate, the parties cannot exchange remuneration for the purpose of engaging in patient recruitment activities or marketing (e.g., a SNF or home health agency placed a care coordinator at a hospital to market the SNF’s or home health agency’s services to hospital patients). In addition, the parties cannot use the remuneration for marketing or engaging in patient recruitment activities (e.g., the hospital asks the care coordinator placed by the SNF or home health agency to send out mailings to the local community regarding the hospital’s services).

Regarding the question about a hospice’s provision of free home-based palliative care services or room and board to patients unable to pay, such an arrangement would not be protected by the care coordination arrangements safe harbor. This safe harbor is limited to remuneration exchanged between parties to a value-based arrangement, i.e., between a VBE and VBE participant or between VBE participants. It does not encompass arrangements involving the exchange of remuneration to patients. Other safe harbors or exceptions to the Beneficiary Inducements CMP may be available to protect the provision of such items and services to patients, depending upon the facts and circumstances.

We reiterate that nothing in this safe harbor prevents VBEs or VBE participants from marketing their services. Indeed, arrangements need not have safe harbor protection to be lawful, and we observe that many legitimate health care entities lawfully market services without benefit of a safe harbor. However, value-based arrangements that include the exchange or use of remuneration for the purpose of marketing or patient recruitment would not be eligible for protection under the care coordination arrangements safe harbor.

Comment: A commenter requested that OIG address whether a VBE participant that is a payor and owns a company that provides remote monitoring devices or has a vendor relationship with a company that provides such devices could suggest certain device utilization for purposes of improved care.

Response: The commenter describes the recommendation or referral of a device by a VBE participant that is a payor and is affiliated with a company that provides remote monitoring devices but does not identify remuneration provided under the value-based arrangement. Without additional facts, we can only respond generally to the comment. First, we would highlight that this safe harbor does not protect free or reduced-priced items or services that sellers provide either as part of a product sale arrangement or ancillary to a value-based arrangement. Free or reduced-priced items and services provided either as part of a product sale arrangement or ancillary to a value-based arrangement may not need safe harbor protection or may be protected by other safe harbors.

Second, nothing in the safe harbor would prohibit a VBE participant from using remuneration it received pursuant to a value-based arrangement to inform the target patient population of the availability of care coordination activities it provides to patients (e.g., patient monitoring) in a targeted, objective, and educational manner so long as the remuneration is not exchanged or used for marketing or patient recruitment activities. In this final rule, we have clarified that the content of the marketing the safe harbor prohibits is the marketing of items and services furnished by the VBE or a VBE participant to patients.

To the extent that payors or other VBE participants provide remuneration to patients in the form of a free device, such remuneration would not be protected by this safe harbor. We note that other safe harbors or exceptions to the Beneficiary Inducements CMP may be available to protect the provision of such items and services, depending upon the facts and circumstances.

Comment: A health system recommended that provider affiliation announcements be carved out of the definition of marketing or recruitment activities so that providers can inform patients that they participate in value-based arrangements. Another commenter similarly urged OIG to permit individuals or entities participating in a VBE to market themselves as VBE participants to patients.

Response: Remuneration exchanged between parties to a value-based arrangement may be used to inform patients in the target patient population that the VBE participant participates in the value-based arrangement without such information being considered a marketing or recruitment activity. However, whether broader advertising (that includes VBE participant-related information) would be considered a prohibited marketing or recruitment activity for safe harbor purposes would be a fact-specific determination. For example, as part of a larger value-based arrangement between a physician group and a hospital, a hospital provides tablets to the physician group, which the physician group uses for in-office patient asthma management education. If the education application used on the tablet identifies all VBE participants capable of helping the patients manage their asthma and provide other services, the tablet would not run afoul of the marketing prohibition because it is not being used to market or recruit patients. It informs patients of VBE participants capable of providing disease management and other services. However, if the hospital also used the tablets to send text messages, notifications, and other pop-ups that solicit the patient to receive services from VBE participants, the tablet would be marketing under this safe harbor because it is being used for broader advertising or patient recruitment activity. A tablet, as part of a care coordination arrangement, could be protected remuneration; however, if it is part of a larger marketing scheme, the tablet would not be protected because that scheme would not be eligible for protection under this safe harbor and would be subject to a separate analysis under the Federal anti-kickback statute. Similarly, if the tablet was used as part of larger data harvesting scheme for marketing purposes, that scheme would not be eligible for protection under this safe harbor and be subject to a separate analysis under the Federal anti-kickback statute.

Comment: A commenter sought clarification on how to interpret the marketing and patient recruitment prohibition in the context of Medicare Advantage beneficiaries, and, specifically, whether compliance with existing CMS and OIG requirements associated with marketing to, and recruitment of, Medicare Advantage patients would be sufficient to maintain protection under the value-based safe harbors. In a similar vein, a health insurer requested that OIG clarify its definition of marketing and patient recruitment activities, as it relates to pre-enrollment activities.

Response: While acknowledging that payors may be subject to a wide range of other regulations, including CMS regulations and guidance specific to Medicare Advantage plans, we do not believe that compliance with CMS marketing requirements is sufficient for purposes of the safe harbor. Medicare Advantage regulations relating to patient enrollment and marketing are specific to payor-patient interactions in that program. In contrast, the conditions of this safe harbor are focused on facilitating beneficial care coordination and addressing potential fraud and abuse risks related to the exchange of remuneration between and among providers and suppliers. We remind the commenter that compliance with the care coordination arrangements safe harbor, as with all Federal anti-kickback statute safe harbors, is voluntary, and Medicare Advantage plans, or their contractors, may continue to seek protection under other existing safe harbors.

Comment: Several commenters expressed concern that the prohibition on marketing and patient recruitment activities may conflict with existing CMS rules regarding discharge planning, or, at the very least: (i) Be inconsistent with the concept of a preferred provider network operating within the context of a VBE; or (ii) potentially limit VBE participants’ ability to inform patients of the availability of items and services during the discharge planning process.

Response: The prohibition on the marketing of items and services and patient recruitment activities, as finalized, relates specifically to the remuneration exchanged. Thus, for example, if a skilled nursing facility provides remuneration to a hospital under a value-based arrangement in the form of a discharge planner, the discharge planner could not market or recruit patients to the skilled nursing facility; doing so would prevent the value-based arrangement from qualifying for safe harbor protection. Nothing in the safe harbor prevents the hospital from informing patients about available skilled nursing facilities during the discharge planning process.

This prohibition is not inconsistent with current CMS hospital conditions of participation regarding discharge planning, which require (among other conditions) that hospitals provide a comprehensive list of certain post-acute care providers, as applicable, to patients prior to discharge.^[46] Providing a comprehensive list of post-acute care providers would not constitute exchanging or using remuneration for marketing or patient recruitment for safe harbor purposes. This would be true even if the discharge planner provided to the hospital in the prior example were the person furnishing the list to patients, provided the discharge planner did not market or recommend the skilled nursing facility or another VBE participant on the list.

This prohibition is not inconsistent with the potential for a preferred provider network to operate within the context of a VBE. Using the above discharge planner example, the remuneration could comply with the marketing and patient recruitment activity prohibition if, for example, the discharge planner only provides written educational materials regarding the preferred provider network to target patient population members and does not actively recruit patients to the skilled nursing facilities in the preferred provider network and does not market or recommend any particular provider on the list. It is incumbent on parties seeking to establish and operate preferred provider networks to do so in a manner that complies with all pertinent regulations, and our safe harbor requirements are not intended to interfere with or supplant other compliance obligations.

Comment: A commenter expressed concern that the proposed prohibition on marketing and patient recruitment would bar a VBE from publishing quality improvement or cost reduction data. The commenter declared that VBEs should be permitted to share performance data regarding VBE participants to help inform patient choice.

Response: We would not consider the publication of quality and cost data to constitute marketing or patient recruitment activity. Therefore, parties to a value-based arrangement could exchange remuneration for the purpose of publishing such data, and we believe such data may be beneficial to inform patient choice.

Comment: To mitigate OIG’s concerns regarding marketing, a manufacturer suggested that OIG include as an additional safe harbor requirement that VBE participants disclose their participation in the VBE to patients, similar to the Medicare Shared Savings Program beneficiary notice requirements.

Response: We thank the commenter for its suggestion. As noted elsewhere in this rule, we did not propose a patient notice requirement in the OIG Proposed Rule and are not including a patient notice requirement for reasons explained elsewhere. However, VBE participants are not prohibited, as noted above, from utilizing notices to transparently disclose their participation in a VBE to patients.

k. Monitoring and Assessment

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ee)(8) that the VBE, a VBE participant in the value-based arrangement acting on the VBE’s behalf, or the VBE’s accountable body or responsible person monitor and assess, no less frequently than annually, or once during the term of the value-based arrangement for arrangements with terms of less than 1 year: (i) The coordination and management of care for the target population in the value-based arrangement; (ii) any deficiencies in the delivery of quality care under the value-based arrangement; and (iii) progress toward achieving the evidence-based, valid outcome measure(s) in the value-based arrangement. We further proposed to require that the party conducting such monitoring and assessment report the results of the monitoring and assessment to the VBE’s accountable body or responsible person (if the VBE’s accountable body or responsible person is not itself conducting the monitoring and assessment).

Summary of Final Rule: We are finalizing the monitoring and assessment requirement, with modifications, at paragraph 1001.952(ee)(9). We are requiring that the VBE, a VBE participant in the value-based arrangement acting on the VBE’s behalf, or the VBE’s accountable body or responsible person reasonably monitor and assess the following, no less frequently than annually, or once during the term of the value-based arrangement for arrangements with terms less than 1 year: (i) The coordination and management of care for the target patient population in the value-based arrangement; (ii) any deficiencies in the delivery of quality care under the value-based arrangement; and (iii) progress toward achieving the legitimate outcome or process measure(s) in the value-based arrangement. We are revising the proposed language—from specific evidence-based, valid outcome measure(s) to legitimate outcome or process measure(s)—to align with the standard for outcomes measures finalized in paragraph 1001.952(ee)(4), discussed at section III.B.3.b.

We also require that the party conducting such monitoring and assessment report their findings to the VBE’s accountable body or responsible person (if the VBE’s accountable body or responsible person is not itself conducting the monitoring and assessment). Finally, we are making a technical correction by adding “the following” and “of the following” to the introductory language of the paragraph for greater clarity about what must be monitored and assessed.

Comment: Many commenters supported an annual monitoring and assessment requirement, where monitoring is tailored to the complexity and sophistication of the VBE and VBE participants. A physician trade organization recommended that OIG require monitoring and assessment of a value-based arrangement’s value-based activities instead of the coordination and management of care for the target patient population, and another commenter asserted that OIG should require monitoring and assessment of whether value-based activities meet any of the value-based purposes. A commenter urged that the monitoring and assessment provision require monitoring of utilization, referral patterns, and expenditure data to ensure that abuse is curtailed, and gaming is reduced. Another commenter supported heightened standards and conditions for monitoring and assessment but did not specify any such standards and conditions. Some commenters opposed a monitoring and assessment requirement, with a commenter stating that writing-related safeguards are sufficient to protect against fraud and abuse.

Response: We are finalizing a monitoring and assessment requirement because we believe it is a critical safeguard to ensure oversight of the value-based arrangement. We are not adopting the suggestion to expand the condition to require monitoring of all value-based activities instead of the coordination and management of the care for the target patient population. Paragraph 1001.952(ee)(1)(ii) of this safe harbor requires the remuneration exchanged to be used predominantly to engage in value-based activities related to the coordination and management of care for the target patient population; consequently, we believe that it is appropriate to require the monitoring and assessment to focus on this value-based purpose. Under this requirement, the responsible party must monitor and assess whether and how the coordination and management of care is being implemented. “Coordination and management of care” is defined at paragraph 1001.952(ee)(14) for purposes of this safe harbor as the deliberate organization of patient care activities and sharing of information between two or more VBE participants or VBE participants and patients, tailored to improving the health outcomes of the target patient population, in order to achieve safer and more effective care for the target patient population. Thus, we expect any monitoring and assessment to evaluate how the value-based arrangement is or is not achieving this value-based purpose, as defined in this final rule. The monitoring and assessment may identify opportunities to reevaluate the value-based activities the parties are undertaking and the manner in which they are undertaking them to improve their chances of achieving this value-based purpose.

While we are not requiring monitoring and assessment of utilization, referral patterns, and expenditure data, monitoring and assessment of such data may be a best compliance practice for many arrangements, depending on the complexity and sophistication of the VBE participants, the VBE, and the value-based arrangement and available resources. We have added “reasonably,” to the monitoring and assessment provision to codify that, for all value-based arrangements, monitoring and assessment should be reasonable in relation to the complexity and sophistication of the VBE participants, the VBE, and the value-based arrangement and available resources.^[47] We would expect parties to do as much as is appropriate based on the complexity and sophistication of the VBE participants, the VBE, and the value-based arrangement and available resources, but nothing in this provision should be construed to stop parties from having more robust monitoring and assessment processes than those described herein. This requirement both: (i) Provides flexibility for VBE participants associated with smaller, less-sophisticated VBEs and value-based arrangements to effectuate relatively more modest monitoring and assessment processes; and (ii) requires VBE participants associated with more complex and sophisticated VBEs and value-based arrangements to develop and operate appropriately complex and robust monitoring and assessment processes.

Comment: A commenter expressed concern that the annual monitoring and assessment requirement may have limited impact unless: Patients have a clearly articulated pathway for communicating and resolving concerns; outcome measures are valid and reflect outcomes important to patients; and results are reported to the Department or another oversight entity. Another commenter asked OIG to provide more information on the monitoring and assessment requirement and, specifically, to outline the reporting, auditing, and general oversight requirement of each VBE participant in the VBE.

Response: We appreciate the commenter’s concern regarding the potential limited impact of the monitoring and assessment requirement. We are not requiring parties to value-based arrangements to establish specific protocols for receiving and addressing patient concerns or to report data to the Department, except as otherwise set forth in paragraph 1001.952(ee)(12), which requires that the VBE or VBE participant make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this safe harbor. However, we are finalizing the requirement for parties to establish one or more legitimate outcome or process measures, and to monitor and assess certain information.

Specifically, to comply with the monitoring and assessment requirement, either the VBE, a VBE participant in the value-based arrangement acting on the VBE’s behalf, or the VBE’s accountable body or responsible person must reasonably monitor and assess: (i) The coordination and management of care for the target patient population in the value-based arrangement; (ii) any deficiencies in the delivery of quality care under the value-based arrangement; and (iii) progress toward achieving the legitimate outcome or process measure(s) in the value-based arrangement. While, as stated above, the final safe harbor does not require the establishment of specific monitoring and assessment protocols or prescribe how VBEs must receive and address any patient concerns, we note that, as part of any VBE’s regular monitoring activities, it would be a good compliance practice to establish a mechanism through which patients and others could submit reports related to, for example, deficiencies in the delivery of quality care under the value-based arrangement. Further, it would be a good compliance practice, as part of any VBE’s regular monitoring and assessment activities, to assess any credible reports of, for example, deficiencies in the delivery of quality care under the value-based arrangement to determine their validity and any potential triggering of the termination and corrective action provision.

Again, the final rule does not prescribe a one-size-fits-all approach for monitoring and assessment, nor does it specify the reporting, auditing, and general oversight requirement of each VBE participant in the VBE. This lack of specificity is designed to allow VBEs (and their VBE participants) flexibility to establish a monitoring and assessment program that is reasonable for that particular VBE and value-based arrangement. As stated above, the monitoring and assessment processes for each value-based arrangement should be reasonable in relation to the complexity and sophistication of the VBE, VBE participants, and value-based arrangement. Given the flexibility parties have to form VBEs and value-based arrangements of varying levels of complexity, we anticipate that the monitoring and assessment processes for the diverse value-based arrangements that could be protected by this safe harbor may vary.

Comment: A commenter expressed concern that, if the party responsible for monitoring and assessment does not comply with the requirements of the safe harbor, that party’s noncompliance places other parties at risk through no fault of their own.

Response: A safe harbor applies only where each condition of the safe harbor is squarely met. Therefore, if the party responsible for monitoring and assessment does not perform its responsibility in accordance with the safe harbor requirements, the remuneration exchanged pursuant to the value-based arrangement would not receive protection. However, where another party has done everything that it reasonably could to comply with the safe harbor requirements applicable to that party but the remuneration exchanged loses safe harbor protection as a result of another party’s noncompliance, the party’s efforts to take all possible reasonable steps would be relevant in a determination of whether such party had the requisite intent to violate the Federal anti-kickback statute.

Comment: Commenters expressed concern regarding, and urged flexibility for, the requirement for monitoring and assessment of progress toward evidence-based outcome measures. For example, a commenter asserted that participants to a new value-based arrangement need time to achieve success, as evidenced by the performance results of Medicare Shared Saving Program, and may not be able to progress quickly towards the outcome measures. Commenters noted that factors beyond a provider’s control can impact outcomes and that interventions such as primary care, preventive services, and chronic care management may yield benefits that take numerous years to materialize.

Response: For a number of reasons, we believe the responsible party or parties should monitor and assess progress toward the outcome or process measure(s) the parties establish. Such monitoring and assessment may reveal whether efforts to achieve the outcome measure(s) have led to improvements or deficiencies in patient care; whether the outcome measure(s) the parties initially established continue to be the best goalposts for achieving one or more value-based purposes; and whether the items or services the offeror provided under the value-based arrangement, such as care coordination services, are effective tools for driving beneficial changes in care delivery. We agree with commenters that factors beyond a VBE participant’s control could impact outcomes and that benefits of outcome measures could manifest over a longer timeframe; for this reason, the requirement for monitoring and assessment does not mandate that the parties achieve the outcome or process measure(s) on any particular timeframe.

l. Termination of the Arrangement

Summary of OIG Proposed Rule: We proposed at proposed paragraph 1001.952(ee)(9) that the parties terminate the value-based arrangement within 60 days if the VBE’s accountable body or responsible person determines that the value-based arrangement: (i) Is unlikely to further the coordination and management of care for the target patient population; (ii) has resulted in material deficiencies in quality of care; or (iii) is unlikely to achieve the evidence-based, valid outcome measure(s). We said we were considering for the final rule, and sought comments on, an alternative to the proposed termination requirement that would instead allow for remediation—within a reasonable timeframe—before any required termination.

Summary of Final Rule: We are finalizing, with modifications, a termination provision for this safe harbor at paragraph 1001.952(ee)(10). Under the final rule, if the VBE’s accountable body or responsible person determines, based on the monitoring and assessment conducted pursuant to paragraph 1001.952(ee)(9), that the value-based arrangement has resulted in material deficiencies in quality of care or is unlikely to further the coordination and management of care of the target patient population, the parties must, within 60 days, either terminate the arrangement or develop and implement a corrective action plan designed to remedy the deficiencies within 120 days and, if the corrective action plan fails to remedy the deficiencies within 120 days, terminate the value-based arrangement.

Comment: Some commenters expressed support for our proposed termination requirement, but many expressed concerns about what it would mean in practice. Many commenters supported the alternative we described in the preamble to the proposed rule that would allow for remediation, within a reasonable timeframe, before any required termination. These commenters noted a variety of operational and policy concerns with mandating termination within 60 days. For example, some commenters noted that complex arrangements may require more than 60 days to unwind responsibly. Some commenters suggested that a cure period be permitted where the VBE determines that a plan of correction may be devised to cure the deficiencies, and others suggested that remediation should be an option, but not a requirement. With respect to the length of a remediation period during which parties could develop and implement a corrective action plan, commenters suggested a variety of time periods, ranging from 90 days to 1 year. Multiple commenters suggested a 120-day period. Another commenter suggested that any termination requirement should be suspended indefinitely as long as the parties are working in good faith to implement a corrective action plan. A commenter also noted that there is a difference between arrangements that are not making progress and those that are causing harm and suggested that the latter require immediate termination. Finally, a commenter requested that OIG clarify that parties do not have an obligation to assess for any events that trigger the termination provision on an ongoing basis, but instead are required to do so annually or prior to renewal of an agreement.

Response: We appreciate commenters’ concerns regarding the potential challenges associated with requiring termination within 60 days if the VBE’s accountable body or responsible person determines one or more of the triggering events has occurred. Several changes in the final rule address many of the concerns expressed by the commenters. The final rule provides more flexibility by requiring the parties, within 60 days, either to terminate the arrangement or to develop and implement a corrective action plan in the event the VBE’s accountable body or responsible person determines that the value-based arrangement has resulted in material deficiencies in quality of care or is unlikely to further the coordination and management of care for the target patient population. The option for corrective action plans is consistent with our statements in the OIG Proposed Rule that we were considering allowing for remediation within a reasonable timeframe and that our goal is a reasonable but also prompt termination of arrangements that are no longer serving the goals for which safe harbor protection is offered.

The final rule does not require the parties to terminate the arrangement or implement a corrective action plan if the VBE’s accountable body or responsible person determines that the value-based arrangement is unlikely to achieve its legitimate outcome or process measures. This safe harbor does not require the recipient to achieve an outcome or process measure. Also, the safe harbor permits the parties to the value-based arrangement to modify outcome or process measures prospectively, as long as other elements of the safe harbor continue to be met (for example, a change to an outcome measure would be a material change to the value-based arrangement that would need to be documented in writing and signed by the parties, in accordance with paragraph 1001.952(ee)(3)).

With respect to the option to develop and implement a corrective action plan, the final rule requires that such plan be designed to remedy the identified deficiencies within 120 days. If the corrective action plan fails to remedy the deficiencies within 120 days, the parties are required to terminate the value-based arrangement, and safe harbor protection for remuneration exchanged pursuant to the value-based arrangement would no longer be available. We selected a 120-day period based on recommendations from commenters and because we believe this time period is both long enough to allow a meaningful opportunity to remediate the deficiencies and short enough to necessitate diligent attention by the parties.

With respect to the commenter who asserted that a determination that the value-based arrangement has resulted in patient harm should require immediate termination, we appreciate the commenter’s concern, and we agree that such a determination is a serious finding that should prompt immediate attention by the parties. We did not include a “patient harm” provision in the OIG Proposed Rule because incidents of patient harm will always be “material deficiencies in quality of care,” that would trigger this condition. However, not all material deficiencies in quality of care necessarily mean that there has been patient harm.

Finally, with respect to the commenter that requested clarification regarding the frequency with which parties must assess for any events that would trigger the termination or corrective action provision, we note that, consistent with the OIG Proposed Rule, this final rule ties the termination of the value-based arrangement or implementation of a corrective action to certain triggering events identified through “monitoring and assessment.” Monitoring and assessment must occur no less frequently than annually or at least once during the term of the value-based arrangement for arrangements with terms of less than 1 year. Thus, at a minimum, the party or parties responsible for monitoring and assessment must monitor the matters listed in the regulation at paragraph 1001.952(ee)(9) and report the results so that the accountable body or person can make a determination as to whether any of the events that trigger the termination or corrective action provision have occurred. We note that it would be a best compliance practice to ensure monitoring and assessment also involves receiving and assessing reports and other information related to the circumstances that must be monitored and assessed (e.g., deficiencies in the delivery of quality care under the value-based arrangement). These reports would inform the accountable body or responsible person’s determination regarding termination or corrective action under paragraph 1001.952(ee)(10).

Comment: A commenter expressed concern that the safe harbor contains too much deference to the subjective beliefs and determinations of the VBE participants, who the commenter asserts are self-interested. The commenter recommended that the termination provision in the safe harbor be revised to require termination if the information available to the VBE’s accountable body or responsible person indicates that a triggering event has occurred. The commenter also recommended that the safe harbor specify that the VBE bears the burden of proof with respect to the question of whether the information available to the VBE’s accountable body or responsible person required termination of the value-based arrangement.

Response: We believe that the revisions we are adopting in this final rule, which require termination or a corrective action plan if the VBE’s accountable body or responsible person reaches one of two determinations help to mitigate the commenter’s concerns regarding excessive deference to the subjective beliefs of the VBE participants. We do not believe it is necessary to specify that the VBE bears the burden of proof with respect to whether termination was required because any party seeking to avail themselves of the protection of a safe harbor generally bears the burden of proof that they meet the requirements of the safe harbor.

Comment: Several commenters raised concerns regarding our proposal to require termination if the VBE’s accountable body or responsible person determines that the value-based arrangement is unlikely to achieve the evidence-based, valid outcome measure(s). For example, several commenters noted that it may take time to see results and that results may plateau at certain times. Commenters suggested that this provision may result in parties’ prematurely judging an arrangement’s success or failure and that 60 days was an arbitrary timeframe. Another commenter expressed concern that the termination provision implies that an arrangement could move in and out of compliance with the safe harbor as performance changes from month to month. Another commenter requested that participants be permitted to modify measures prospectively, rather than have to terminate the value-based arrangement.

Response: We appreciate the concerns raised by commenters, and we are not finalizing the proposed requirement that the parties terminate the arrangement if the VBE’s accountable body or responsible person determines that the value-based arrangement is unlikely to achieve the outcome measure(s). We believe that requiring termination, or a corrective action plan, upon such a determination is at odds with other elements of this safe harbor. As we have stated elsewhere, this safe harbor does not require that the value-based arrangement result in a particular level of performance on the outcome or process measure. It requires that the parties identify an outcome or process measure and that the outcome or process measure relates to the remuneration exchanged under the arrangement. We also wish to clarify that the safe harbor permits the parties to modify the outcome or process measure prospectively during the term of the agreement, as long as the other elements of the safe harbor continue to be met and the modification is memorialized in a writing signed by the parties.

We caution, however, that this safe harbor separately requires the VBE, a VBE participant in the value-based arrangement acting on the VBE’s behalf, or the VBE’s accountable body or responsible person to reasonably monitor, assess, and report progress toward achieving the outcome or process measure. There may be circumstances where such monitoring and assessment of outcome or process measure progress may generate a finding that indicates that the value-based arrangement no longer meets all of the requirements of the safe harbor. For example, the finding may indicate that the remuneration exchanged is not being used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population. Thus, while we are not creating an affirmative obligation to terminate or enter into a corrective action plan based on a determination that the value-based arrangement is unlikely to achieve the selected outcome or process measure, we caution that parties to a value-based arrangement who wish to be protected under the safe harbor should periodically evaluate compliance with safe harbor standards.

m. Diversion, Resell, or Use for Unlawful Purposes

Summary of OIG Proposed Rule: In proposed paragraph 1001.952(ee)(10), we proposed that an exchange of remuneration would not be protected under the care coordination arrangements safe harbor if the offeror knows or should know that the remuneration is likely to be diverted, resold, or used by the recipient for an unlawful purpose.

Summary of Final Rule: We are finalizing, without modification, this requirement at paragraph 1001.952(ee)(11).

Comment: We received very few comments on this proposal. Some commenters expressed support for the provision, while another commenter raised concerns that this standard would be difficult for individual providers and small group practices to understand and comply with because the standard is not specifically defined.

Response: We believe that the standard is straightforward. Where an offeror knows, or should know, that the recipient is likely to divert or resell the remuneration, or otherwise use it for an unlawful purpose, the remuneration is not protected by the safe harbor. This could arise in cases where the recipient’s intended diversion is overt. For example, where a recipient expressly states its intent to sell the items received from the offeror to third parties, it would make clear its intended diversion. It can also arise, for example, where the nature or scope of the remuneration offered to the recipient is such that the offeror should know that diversion or resale is likely, such as where a VBE participant provides remuneration far in excess of what could reasonably be needed for the recipient to undertake the value-based activity for which the remuneration is intended and the remuneration is transferable in nature. For example, if a VBE participant provides handheld tablets to another VBE participant to facilitate coordination and management of care, but the offeror provides substantially more tablets than could reasonably be used by the recipient for the intended purpose (e.g., 100 tablets when ten are objectively sufficient for the intended use), then the offeror might reasonably know that the recipient is likely to divert or resell the excess tablets. In sum, this standard is an explicit statement of what is otherwise implicit in the conditions of the care coordination arrangements safe harbor: The exchange of remuneration that the offeror knows or should know is likely to be diverted, resold, or used by the recipient for purposes other than the coordination and management of care of a target patient population would not be protected under this safe harbor.

n. Materials and Records

Summary of OIG Proposed Rule: To enhance transparency, we proposed a requirement at proposed paragraph 1001.952(ee)(11) that VBE participants or the VBE make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this safe harbor. We solicited comments regarding whether we should require parties to maintain materials and records for a set period of time (e.g., at least 6 years or 10 years).

Summary of Final Rule: We are finalizing, with modifications, the materials and records requirement at paragraph 1001.952(ee)(12). The final rule specifies that, for a period of at least 6 years, the VBE or its VBE participants must maintain records and materials sufficient to establish compliance with the conditions of the safe harbor.

Comment: While we received relatively few comments on this condition, commenters were generally supportive of our proposal. In response to our solicitation regarding whether we should require parties to maintain materials and records for a set period of time, e.g., 6 years or 10 years, multiple commenters were in favor of a 6-year retention period, with one stating that this approach would facilitate alignment with CMS’s proposed rule and existing HIPAA requirements.

Response: We are persuaded that a 6-year retention period will promote transparency while aligning with the corresponding requirement in CMS’s final rule. We have modified the relevant provisions in the care coordination arrangements, substantial downside financial risk, and full financial safe harbors.

Comment: A commenter questioned the need for a materials and records requirement because maintenance of these materials is already part of any compliance program. The same commenter further questioned whether OIG would bring an investigation or pursue a Federal anti-kickback statute case based solely on the failure to satisfy a documentation requirement rather than the underlying substantive safeguards.

Response: We continue to believe this requirement promotes transparency and gives parties notice that the Secretary may request materials and records sufficient to demonstrate compliance with the care coordination arrangements safe harbor. We further note that not all parties seeking protection under this safe harbor may have a compliance program or may have developed one that requires maintenance of materials and records for less than 6 years.

Safe harbors offer voluntary protection from liability under the Federal anti-kickback statute for specified arrangements, and no entity or individual is required to fit within a safe harbor. Failure to fit within a safe harbor does not mean a party has violated—or even implicated—the Federal anti-kickback statute, it simply means the party may not look to the safe harbor for protection for that arrangement. For a party to assert safe harbor protection, all of the safe harbor’s conditions must be satisfied, including any condition related to materials and records. Further, it would be prudent for any party relying on a safe harbor to protect certain remuneration to document in some form compliance with that safe harbor. Decisions regarding enforcement actions are made based on application of the Federal anti-kickback statute to the specific facts and circumstances presented by an arrangement.

Comment: A commenter stated that OIG should adopt additional requirements related to materials and records, including contemporaneous documentation of, among other things, the VBE’s belief that the value-based arrangement is reasonably designed to achieve a value-based purpose, the specific basis for such belief, and the VBE’s reasonable anticipation that particular evidence-based, valid outcome measures will advance the coordination and management of care of the target patient population.

Response: We decline to require the specific requested certifications. We intentionally drafted the materials and record requirement broadly to avoid creating a list of all documentation that parties must develop and maintain to comply with this condition of the safe harbor. Moreover, we do not seek to increase administrative burden by prescribing the manner in which parties must document their compliance.

Comment: A health system stated that the proposed care coordination arrangements safe harbor included burdensome reporting requirements and expressed concern about the large volume of paperwork that would go back and forth between ACOs and HHS or CMS.

Response: We disagree with the commenters’ assertion that the materials and records requirement is burdensome. To the extent parties wish to avail themselves of the protection of this safe harbor, we believe it is reasonable to require them to maintain documentation that demonstrates their compliance with its terms. With respect to the commenter’s concern about the exchange of large volumes of paperwork, we note that parties must only furnish such documentation to the Secretary upon request. We do not anticipate this requirement will necessitate frequent exchange of paperwork between, for example, an ACO and OIG.

Comment: A medical device manufacturer expressed concern that materials and records submitted to the Secretary pursuant to this condition would be subject to the Freedom of Information Act or other disclosure requirements. The manufacturer stated such materials could include proprietary and confidential trade secret information.

Response: OIG is subject to the Freedom of Information Act (FOIA) and the Department’s FOIA regulations set forth at 45 CFR part 5. These regulations provide that submitters of records may designate in writing that all or part of the information contained in such records is exempt from disclosure under FOIA exemption 4—covering trade secrets and confidential commercial or financial information—at the time they submit such records or within a reasonable time thereafter. The Department, including OIG, will make reasonable efforts to notify submitters of records if the Department determines that material that submitters have designated as exempt from disclosure under FOIA exemption 4 may have to be disclosed in response to a FOIA request. Under the Department’s FOIA regulations, submitters have an opportunity to respond and, if desired, file a court action to prevent disclosure of exempt records.

o. Additional Proposed Safeguards

i. Bona Fide Determination

Summary of OIG Proposed Rule: We considered a condition that would require that, in advance of, or contemporaneous with, the commencement of the applicable value-based arrangement, the VBE’s accountable body or responsible person make two bona fide determinations with respect to the value-based arrangement: (i) The value-based arrangement is directly connected to the coordination and management of care for the target patient population; and (ii) the value-based arrangement is commercially reasonable, considering both the arrangement and all value-based arrangements within the VBE.^[48]

Summary of Final Rule: We are not finalizing the proposed condition.

Comment: We received relatively few comments on this proposal. Commenters either expressed general statements of support or opposition, with a commenter who opposed the condition asserting that such bona fide determinations would add unnecessary complexity to demonstrating compliance with the safe harbor.

Response: We are not finalizing this requirement. We believe the goal of this proposed safeguard—ensuring appropriate oversight by the VBE’s accountable body or responsible person—is achieved through the combination of other conditions included in this safe harbor. We do not believe this condition is needed to prevent fraud or abuse in light of the totality of other conditions we are finalizing in this rule.

ii. Prohibition on Cost-Shifting

Summary of OIG Proposed Rule: We considered, and sought comment on, a condition prohibiting VBEs or VBE participants from billing Federal health care programs, other payors, or individuals for the remuneration exchanged under the value-based arrangement; claiming the value of the remuneration exchanged under the value-based arrangement as a bad debt for payment purposes under a Federal health care program; or otherwise shifting costs to a Federal health care program, other payors, or individuals.

Summary of Final Rule: We are not finalizing the proposed condition.

Comment: We received comments expressing either general support for or opposition to this proposed safeguard. For example, in support of finalizing a cost-shifting prohibition, a commenter stated that a value-based enterprise’s decision to offer remuneration in the context of a value-based arrangement should not make other parties financially responsible for such payments. A commenter argued that this proposed safeguard, among others, would be duplicative of other requirements in the safe harbor or be incompatible with or irrelevant in a value-based system. The commenter asserted that the additional safeguards proposed by OIG, including a prohibition on cost-sharing, would create an additional barrier to value-based arrangements rather than breaking down barriers that already exist. Other commenters, including Tribal organizations, advocated against the inclusion of a cost-shifting prohibition, stating such a safeguard is unnecessary because improvements in care coordination result in overall savings to the Federal Government even if they result in additional referrals or payments by Medicare and Medicaid.

Response: Having considered the comments, we are not finalizing a cost-shifting prohibition. On balance, we conclude that the combination of conditions in the final safe harbor will adequately protect against fraud and abuse risks, and an additional safeguard related to cost-shifting is not necessary in the context of the value-based safe harbors. We did not intend to limit appropriate billing of Federal health care programs or other payors for medically necessary items and services furnished in connection with value-based care. As we explained in the OIG Proposed Rule, we do not want to exclude arrangements from safe harbor protection that involve legitimate shifting of costs that result from achieving care coordination goals or other value-based purposes. As we explained, depending on the arrangement, one might expect to see increases in primary care costs or costs for care furnished in home and community settings paired with reductions in unnecessary hospitalizations, duplicative testing, and emergency room visits; one also might see increases in remote monitoring or care management services. Parties remain responsible for billing Federal health care programs and other payors in accordance with their program rules.

iii. Fair Market Value Requirement and Restriction on Remuneration Tied to the Volume or Value of Referrals

Summary of OIG Proposed Rule: We stated that we were considering including one or both of the following conditions in the care coordination arrangements safe harbor: (i) A fair market value requirement on any remuneration exchanged pursuant to a value-based arrangement; and (ii) a prohibition on VBE participants determining the amount or nature of the remuneration they offer, or the VBE participants to whom they offer such remuneration, in a manner that takes into account the volume or value of referrals or other business generated, including both business or patients that are part of the value-based arrangement and those that are not.

Summary of Final Rule: We are not finalizing either proposed condition in the care coordination arrangements safe harbor.

Comment: While we received some comments expressing support for these conditions, the overwhelming majority of commenters opposed the inclusion of a fair market value requirement or of a prohibition on determining the amount or nature of the remuneration in a manner that takes into account the volume or value of referrals or other business generated. While varying in their rationales, commenters generally asserted that including either safeguard would constrain care coordination efforts. Several commenters supported the condition that would prohibit taking into account the volume or value of referrals but recommended limiting this condition to patients who are not part of the value-based arrangement.

Response: In this final rule, we are not adopting a blanket prohibition on determining the amount or nature of remuneration in a manner that takes into account the volume or value of referrals or other business generated; rather, we are finalizing a narrower prohibition that the offeror of the remuneration cannot take into account the volume or value of, or condition an offer of remuneration on: (i) Referrals of patients that are not part of the value-based arrangement’s target patient population; or (ii) business not covered under the value-based arrangement. We stated in the OIG Proposed Rule, and we continue to believe, that fair market value requirements and restrictions that prohibit paying remuneration based on the volume or value of referrals help ensure that protected payments are for legitimate purposes and are not kickbacks. For this reason, we included a safeguard in paragraph 1001.952(ee)(5) that requires, as a condition of safe harbor protection, that the offeror not take into account the volume or value of, or condition remuneration on, business or patients not covered under the value-based arrangement. This approach is consistent with our proposal in paragraph 1001.952(ee)(5), as well as the comments summarized above recommending that we limit any volume or value condition to patients who are not part of the value-based arrangement.

However, we also acknowledge commenters’ concerns that legitimate care coordination arrangements may naturally involve referrals across provider settings. In this final rule, therefore, we have not finalized a fair market value requirement or a prohibition on determining the amount or nature of remuneration in a manner that takes into account the volume or value of referrals or other business generated. Instead, we have relied on other program integrity safeguards so that the safe harbor will protect beneficial care coordination arrangements while precluding protection for pay-for-referral schemes that do not serve, and may be contrary to, the goals of coordinated care and the shift to value. These safeguards operate to preclude safe harbor protection for abusive arrangements such as a provider churning patients through care settings to capitalize on a reimbursement scheme or otherwise generate revenue and arrangements where VBE participants offer, or are required to provide, remuneration to receive referrals or to be included in a “preferred provider network” (i.e., “pay-to-play” arrangements).

In response to commenters’ concerns that a fair market value requirement would constrain the kinds of care coordination arrangements that we intend to protect, we also are not finalizing a fair market value requirement. However, we have included a commercial reasonableness standard in this safe harbor, which requires that the value-based arrangement be commercially reasonable, considering both the arrangement itself and all value-based arrangements within the VBE. We believe this commercial reasonableness standard, in combination with the other safe harbor conditions, appropriately balances program integrity concerns and the need to facilitate innovative value-based arrangements.

iv. Additional Requirements for Dialysis Providers

Summary of OIG Proposed Rule: In recognition of the unique attributes of the dialysis industry (e.g., market dominance by a limited number of dialysis providers), we expressed concern in the OIG Proposed Rule that participation by dialysis providers in value-based arrangements could present increased fraud and abuse risks. Accordingly, we solicited comments on potential additional safe harbor conditions specific to dialysis providers to ensure that their care coordination arrangements operate to improve the management and care of patients and are not pay-for-referral schemes. We stated that we were considering including conditions such as enhanced monitoring, reporting, or data submission.

Summary of Final Rule: We are not finalizing additional conditions on dialysis providers in the care coordination arrangements safe harbor.

Comment: Commenters generally opposed additional conditions on dialysis providers on the basis of one or both of the following arguments: (i) ESRD patients would stand to benefit the most from the care coordination arrangements safe harbor (highlighting, for example, the fact that such patients require care across multiple providers); and (ii) OIG’s concerns regarding market consolidation were misplaced. Other commenters stated additional safeguards were not necessary for dialysis providers based on data indicating improved quality of care for ESRD patients and reduction of costs. In contrast, an association representing dialysis providers shared OIG’s concerns that the unique characteristics of the highly concentrated dialysis market posed unique and significant fraud and abuse risks and encouraged OIG to develop detailed methodologies and metrics to facilitate OIG’s monitoring and assessment of market consolidation and possible pay-for-referral schemes, before permitting dialysis providers to use the value-based safe harbors.

Response: While we are mindful of concerns created by a potential decrease in competition among dialysis providers, we are persuaded that the potential benefits of care coordination within the dialysis community outweigh the concerns for a potential decrease in competition. Accordingly, we are not imposing additional requirements specific to dialysis providers in the care coordination arrangements safe harbor.

v. Submission of Information to Department

Summary of OIG Proposed Rule: To promote transparency, we solicited comments in the OIG Proposed Rule on a requirement, specific to the care coordination arrangements safe harbor, for VBEs to submit certain data to the Department that would identify the VBE, VBE participants, and value-based arrangements.

Summary of Final Rule: We are not finalizing this proposed requirement in the care coordination safe harbor.

Comment: Some commenters strongly supported a requirement for VBEs to submit data to the Department or to a publicly available database that would identify the VBE, VBE participants, and value-based arrangements. A commenter supported an optional reporting requirement and appeared to believe that any such data submission would result in the applicable parties’ automatically satisfying the safe harbor’s writing requirement.

Other commenters urged OIG not to adopt such a requirement and provided various reasons for their position. For example, some commenters stated that the requirement would be unduly burdensome or that the administrative burden would outweigh any program integrity benefit to the Department, while at least one commenter believed the requirement could discourage implementation of value-based arrangements or full compliance with the safe harbor. Another commenter asserted that a requirement for VBEs to submit certain data to the Department would be unnecessary in light of the proposed requirement for parties to make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of the care coordination arrangements safe harbor. A commenter also expressed concern that the materials and records submitted to the Department could be subject to the Freedom of Information Act and misused by some to gain access to potentially competitive, proprietary information regarding trade secrets, commercial relationships, or value-based arrangement business model information.

Response: To minimize burden, the final care coordination arrangements safe harbor does not require VBEs to submit data to the Department (e.g., data or information relating to the identity the VBE, VBE participants, and value-based arrangements), unless records are requested by the Secretary under the materials and records requirement. OIG will continue to evaluate whether to modify this safe harbor in the future. A better understanding of the structure of VBEs, likely VBE participants, and the form of value-based arrangements could allow for more effective oversight and identification of potential problems. OIG maintains its oversight authorities to conduct audits and evaluations, as well as criminal, civil, and administrative investigations of fraud and misconduct related to Federal health care programs, operations, and beneficiaries. Finally, we remind parties that they must make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of a safe harbor, a required at paragraph 1001.952(ee)(12).

p. Alternative Regulatory Structure

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated that we were considering an alternative regulatory structure and approach to protect care coordination and other value-based arrangements that are not at full financial risk and are not part of a CMS-sponsored model.^[49] Under the alternative approach, we stated that we would rely on the personal services and management contracts safe harbor at paragraph 1001.952(d) to allow greater flexibility for innovation as arrangements become more closely aligned with value-based purposes and the parties take on more downside financial risk.

Summary of Final Rule: We are not finalizing the alternative regulatory structure.

Comment: Several commenters opposed this alternative regulatory approach. Some argued that it would not provide as clear a mechanism for obtaining safe harbor protection for value-based arrangements as the proposed value-based safe harbors and that a fair market value requirement would create operational challenges. Another commenter asserted that the alternative approach would not provide sufficient protection against fraud and abuse and encouraged OIG to proceed with the proposed value-based safe harbors. Another commenter expressed support for the alternative regulatory structure to the extent OIG did not adopt the value-based exceptions proposed by CMS.

Response: We thank commenters for their insights. While we believe that the alternative approach of creating tiered protection using the personal services and management contracts safe harbor at paragraph 1001.952(d) also would accomplish the objective of allowing greater flexibility for innovation as the arrangements become more closely aligned with value-based purposes and the parties take on more downside financial risk, we concluded that the value-based framework described in section III.B.1 of this preamble is better calibrated to achieve the objectives of the Regulatory Sprint to Coordinated Care. We elected to finalize the value-based framework because we agree with those commenters who stated that the value-based framework would better protect against fraud and abuse, and we were mindful of those commenters who stated that the alternative approach would create operational challenges.

Comment: A commenter suggested that OIG adopt a safe harbor specific to value-based activities undertaken by an integrated delivery system that includes a non-profit payor and a dedicated physician group that includes physician owners and employees. According to the commenter, the remuneration paid among the system’s components presents a low risk of fraud and abuse. Another commenter recommended that OIG adopt a safe harbor for a limited set of arrangements that are pre-approved by OIG to promote care coordination and management, reduce costs, or facilitate a transition to value-based care. According to the commenter, the safe harbor should be limited to specific value-based purposes delineated by OIG, with certification required for any arrangements that have value-based purposes outside those identified by OIG.

Response: We did not propose these suggested safe harbors, and thus, we are not adopting them in this final rule. Depending on the facts and circumstances, remuneration exchanged pursuant to an arrangement between or among parties in an integrated delivery system could be protected under one of the value-based safe harbors we are finalizing in this final rule. With respect to the comment requesting a safe harbor for arrangements that would be pre-approved by OIG and, in certain instances, subject to certification requirements, we believe that such an approach would be administratively unworkable and overly burdensome. Parties who would like to recommend new safe harbors not finalized in this rulemaking may do so by responding to OIG’s annual solicitation regarding the development of new or modified safe harbor regulations.^[50]

4. Value-Based Arrangements With Substantial Downside Financial Risk (42 CFR 1001.952(ff))

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff) a safe harbor for certain value-based arrangements involving the exchange of remuneration between a VBE that assumes substantial downside financial risk from a payor and a VBE participant that meaningfully shares in the VBE’s downside financial risk. We proposed methodologies for determining substantial downside financial risk and what it means to meaningfully share in risk (discussed further at III.B.4.b). We proposed that the safe harbor would protect both monetary and in-kind remuneration and explained that the safe harbor would offer greater flexibility, compared to the care coordination arrangements safe harbor at paragraph 1001.952(ee), in recognition of the VBE’s assumption of substantial downside financial risk. We explained in the OIG Proposed Rule that the safe harbor could apply, for example, to a value-based arrangement between an accountable care organization that is a VBE and a network provider to share savings and losses earned or owed by the accountable care organization, or between a VBE that has contracted with a payor for an episodic payment and a hospital and post-acute care provider that would be coordinating care for the patients under the episodic payment. We proposed additional conditions that would apply under the safe harbor, detailed in sections III.B.4.c-q.

Summary of Final Rule: We are finalizing, with modifications, the requirements of this safe harbor at paragraph 1001.952(ff). For a value-based arrangement to be protected under this safe harbor, a VBE must assume substantial downside financial risk from a payor under one of three methodologies, and a VBE participant must assume a meaningful share of the VBE’s total risk, which share has been reduced, under the first methodology, from 8 percent in the proposed rule to at least 5 percent in the final rule. The final provisions governing these levels of risk are discussed at section III.B.4.b of this preamble. The safe harbor, as finalized, protects both monetary and in-kind remuneration exchanged pursuant to value-based arrangements between VBEs and VBE participants. Other conditions finalized in the rule are explained in detail at sections III.B.4.c-q. These conditions include: Ineligible entities; inclusion of a 6-month “phase-in” period; requirements that certain remuneration be used to engage in value-based activities and directly connect to certain value-based purposes; writing and record retention requirements; protections for patient choice and clinical decision-making; protections against medically unnecessary services; limits on marketing or patient recruitment; and limits on remuneration that takes into account business or patients outside the value-based arrangement. We are not finalizing the proposed limit on outside funding of protected remuneration. The final safe harbor does not offer protection for arrangements downstream of a VBE participant, such as arrangements between two VBE participants. The final safe harbor permits protection for payments made under the upstream risk-assumption contracts between the VBE and the payor from whom the VBE assumes risk.

The final safe harbor at paragraph 1001.952(ff) may be used by participants in CMS-sponsored models, if safe harbor conditions are met, but it is primarily for other kinds of value-based arrangements, including arrangements in the commercial market. We are separately finalizing a safe harbor at paragraph 1001.952(ii) for CMS-sponsored models (as defined) (see discussion at section III.B.7).

a. General Comments

Comment: While some commenters supported the substantial downside financial risk safe harbor, others expressed concern that the safe harbor is too complicated to be useful.

Response: We appreciate commenters highlighting their concerns. We have revised the substantial downside financial risk safe harbor by streamlining and clarifying its defined terms and conditions, which we believe addresses these concerns. For example, in paragraph 1001.952(ff)(9), we provided additional clarity about the manner in which parties must calculate savings and losses pursuant to methodologies in the definition of “substantial downside financial risk.”

Comment: Multiple commenters urged OIG to align this safe harbor with CMS’s exception to the physician self-referral law for value-based arrangements with meaningful downside financial risk in order to facilitate their compliance efforts. Commenters generally favored the risk thresholds proposed in the meaningful downside financial risk exception to the physician self-referral law over the substantial downside financial risk thresholds proposed in OIG’s safe harbor.

Response: As with the OIG Proposed Rule, we coordinated with CMS in the development of this final rule and aimed to promote alignment between the two rules where possible. For a general discussion of the rationale for our decision to finalize safe harbors that diverge in certain aspects from the parallel exceptions to the physician self-referral law, we refer readers to section III.A.1 of the preamble to this final rule. With respect to the risk thresholds in CMS’s rule, and as discussed further below, we have determined that CMS’s methodology is not appropriate for this safe harbor because it focuses on physician risk arrangements and remuneration rather than risk assumed at the VBE level.

b. Definitions

i. Substantial Downside Financial Risk

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(8)(i) that a VBE would be at substantial downside financial risk if it were subject to risk pursuant to one of four methodologies: (i) Shared savings with a repayment obligation to the payor of at least 40 percent of any shared losses, where loss is determined based upon a comparison of costs to historical expenditures, or to the extent such data is unavailable, evidence-based, comparable expenditures; (ii) a repayment obligation to the payor under an episodic or bundled payment arrangement of at least 20 percent of any total loss, where loss is determined based upon a comparison of costs to historical expenditures, or to the extent such data is unavailable, evidence-based, comparable expenditures; (iii) a prospectively paid population-based payment for a defined subset of the total cost of care of a target patient population, where such payment is determined based upon a review of historical expenditures, or to the extent such data is unavailable, evidence-based, comparable expenditures; or (iv) a partial capitated payment from the payor for a set of items and services for the target patient population where such capitated payment reflects a discount equal to at least 60 percent of the total expected fee-for-service payments based on historical expenditures or, to the extent such data is unavailable, evidence-based, comparable expenditures of the VBE participants to the value-based arrangements.

Summary of Final Rule: We are finalizing, with modifications, the definition of “substantial downside financial risk” at paragraph 1001.952(ff)(9)(i). Based on comments, we are reducing the risk threshold that parties must assume in order to meet the definition of “substantial downside financial risk” for the first payment methodology (the “Shared Savings and Losses Methodology”) to 30 percent, and we are clarifying that, under this methodology, savings and losses must be calculated by comparing current expenditures for all items and services that are covered by the applicable payor and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care. We are clarifying that, for the second methodology, savings and losses must be calculated by comparing current expenditures for all items and services furnished to the target patient population pursuant to a defined clinical episode of care that is covered by the applicable payor to a bona fide benchmark designed to approximate the expected total cost of care for the defined clinical episode of care (the “Episodic Payment Methodology”). We also clarify that, for the Episodic Payment Methodology, the parties must design the clinical episode of care to cover items and services furnished collectively in more than one care setting. We are finalizing a revised partial capitation methodology (the “VBE Partial Capitation Methodology”) pursuant to which the VBE is at substantial downside financial risk if the VBE receives from the payor a prospective, per-patient payment that is: (i) Designed to produce material savings; and (ii) paid on a monthly, quarterly, or annual basis, for a predefined set of items and services furnished to the target patient population designed to approximate the expected total cost of expenditures for the predefined set of items and services. Finally, we are not finalizing the proposed population-based payment methodology because population-based payments may not, in all circumstances, involve downside financial risk. For example, we understand that at least some population-based payments do not put providers at risk of receiving a lower reimbursement amount and instead are used as a cash-flow mechanism to support provider investments in care management tools.

Comment: Although we received some statements of support, the overwhelming majority of commenters on this topic opposed our proposed definition of “substantial downside financial risk.” These commenters generally asserted that our proposed risk thresholds were too high, particularly for the Shared Savings and Losses Methodology and suggested other thresholds, such as 10 percent for the Shared Savings and Losses Methodology. For example, a commenter asserted that our proposed definition of “substantial downside financial risk” was not aligned with the levels of risk assumed under other public and private sector value-based payment initiatives and would serve as a barrier to providers entering into risk-based arrangements. The same commenter suggested that, in setting qualifying risk levels too high, OIG would promulgate safe harbors that would be available only to sophisticated entities that are able to take on high levels of financial risk (e.g., ACOs associated with large health systems). Another commenter stated that our identified risk thresholds were arbitrary and biased against smaller and rural health care providers because such providers likely lack the capital reserves necessary to assume substantial downside financial risk. Other commenters asserted that our view of risk was too narrow by failing to consider the importance of upside financial risk, contractual risk, clinical risk related to treating complex patients, operational risk, and investment risk. At least one commenter urged OIG to include financial risk that is assumed only in the event certain quality benchmarks are not met.

Response: We solicited comments on whether the proposed risk thresholds should be higher or lower, or whether some or all of the methodologies should be modified to better capture the assumption of substantial downside financial risk for items and services furnished to patients or omitted from the final rule entirely. In response to comments and based on further consideration of risk assumption requirements used by Innovation Center models, we are reducing the risk threshold required for the Shared Savings and Losses Methodology from 40 to 30 percent, and we are not including a risk threshold in the VBE Partial Capitation Methodology. We are retaining the 20 percent risk threshold for the Episodic Payment Methodology because we believe the risk threshold proposed and finalized is consistent with the design of episodic payment models in which health care stakeholders currently participate, including Innovation Center models that adopt a similar payment methodology. The risk thresholds in the final rule reasonably reflect substantial downside financial risk under the three methodologies for purposes of this safe harbor. Moreover, we believe risk thresholds are necessary to mitigate traditional fraud and abuse risks associated with payment systems that incorporate, in whole or in part, fee-for-service reimbursement methodologies. Arrangements with lower risk levels would be analyzed for compliance with the anti-kickback statute on a fact-specific basis.

The requirement for the VBE to assume substantial downside financial risk, as opposed to upside financial risk, contractual risk, clinical risk related to treating complex patients, operational risk, or investment risk, or financial risk that is assumed only in the event certain quality benchmarks are not met, is appropriate because we are not persuaded that other types of risk would provide as strong an incentive to change ordering or referring behaviors of providers and suppliers that might still be paid on a fee-for-service basis or otherwise help ensure that safe-harbored arrangements would serve appropriate value-based purposes. We believe the risk levels set in the final rule will be substantial enough to reduce any traditional volume-driven incentives to overutilize or increase program costs by ordering and referring providers and to increase incentives to promote efficient delivery of health care.

This safe harbor does not prevent the VBE from assuming other types of risk from the payor suggested by commenters, e.g., investment risk, contractual risk, and clinical risk related to treating complex patients, as long as the VBE also assumes substantial downside risk from a payor. However, we note that these other types of risk may result in an exchange of remuneration that implicates the Federal anti-kickback statute and must be separately considered for compliance with the statute.

As discussed in section III.B.4.d below, a VBE and a payor that is a VBE participant can enter into value-based arrangements to protect remuneration under this safe harbor. The types of risk suggested by commenters may be protected by this safe harbor if remuneration exchanged and the associated value-based arrangements meet all applicable conditions.

We appreciate the challenges associated with assuming risk that certain smaller and rural providers may face. The definition of “VBE” affords parties significant flexibility and places no limit on the number of providers that can participate in the VBE and work together to assume substantial downside financial risk. We also highlight that other safe harbors, including the care coordination arrangements safe harbor, at paragraph 1001.952(ee), and the outcomes-based payments safe harbor at paragraph 1001.952(d)(2), may be available for parties that are not ready to assume the level of risk required by this safe harbor.

Comment: Commenters requested clarification on the practical application of the methodology OIG proposed in the “substantial downside financial risk” definition—shared savings with a repayment obligation to the payor of at least 40 percent of any shared losses. For example, a commenter asked whether the shared savings and losses repayment calculation must be applicable to the entire value-based enterprise or if it could be limited to a particular shared savings and losses arrangement between specified VBE participants. Other commenters asked whether the shared savings and losses repayment obligation could be in the form of a forfeited withhold or risk-pool payment, as opposed to an actual repayment of cash. Similarly, another commenter asserted that this methodology should permit the assumption of risk through front-end withholds or dues assessments. Another commenter asked how the shared savings and losses percentage threshold should be calculated if the sharing rate varies based on quality performance and other adjustments.

Response: In response to commenters’ request for additional detail, we are clarifying that the Shared Savings and Losses Methodology expressly requires that any losses and savings calculations take into account all items and services that are covered by the applicable payor and furnished to the target patient population, not simply those items and services furnished by specified VBE participants. In other words, the Shared Savings and Losses Methodology is dependent on the items and services covered by the payor and provided to the target patient population, not the specific composition of the VBE and its VBE participants. For example, a VBE could not limit its risk for shared savings and losses under this methodology for certain outpatient items and services by only entering into value-based arrangements with a narrow set of providers that only furnish care in outpatient settings.

In response to comments, we also are clarifying that this methodology permits the assumption of risk prospectively or retrospectively. As long as the VBE meets the requirements of the Shared Savings and Shared Losses Methodology, as finalized, including the requirement that losses and savings be calculated by comparing certain expenditures to a bona fide benchmark designed to approximate the expected total cost of the applicable care, this safe harbor does not prescribe how the payor and VBE structure payments to effectuate the VBE’s risk.

Finally, under the Shared Savings and Losses Methodology, financial risk must equal at least 30 percent of loss, where loss is determined by comparing current expenditures for all items and services that are covered by the applicable payor and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care. To satisfy the Shared Savings and Losses Methodology, any adjustments based on quality performance or other factors may not bring the financial risk below 30 percent of such loss.

Comment: With respect to the second proposed methodology (the Episodic Payment Methodology), some commenters asked whether such arrangements could be prospective or retrospective. A commenter asserted that we should add another episodic or bundled payment arrangement methodology, similar to this methodology, but that requires any repayment obligation for losses to equal, at a minimum, 20 percent of historical expenditures. The commenter also requested that we clarify that this methodology applies only to an “episode of care” that involves multiple care settings. Finally, a commenter, asserting that it was unaware of any value-based arrangement that can provide quality care at 80 percent of episode costs, recommended we reframe this substantial downside financial risk methodology as “discount-based.”

Response: As an initial matter, we clarify that the Episodic Payment Methodology is with respect to a set of defined items and services related to a clinical condition and, as a result, have replaced the OIG Proposed Rule term “episodic or bundled payment methodology” with “clinical episode of care” in order to better convey this requirement. We also confirm that financial risk assumed pursuant to the Episodic Payment Methodology may be prospective or retrospective.

In response to the commenter that requested we clarify that this methodology applies only to an “episode of care” that involves multiple care settings, we are requiring in paragraph 1001.952(ff)(9)(i)(B)(2) that the parties design the clinical episode of care to cover items and services collectively furnished in more than one care setting. The VBE and the payor can meet this requirement as long as they design the clinical episode of care to cover a collection of items and services that they anticipate will be provided in more than one care setting even if a particular patient in the target patient population undergoing a clinical episode of care ultimately does not receive items and services in more than one care setting. We believe this requirement is consistent with episodic or bundled payment methodologies that involve services delivered by more than one provider and promotes collaboration across providers and suppliers that may otherwise operate independently and deliver care in silos.

To illustrate these clarifications, the Episodic Payment Methodology could include a clinical episode of care for an inpatient procedure for which the payor and the VBE design the clinical episode of care to cover items and services furnished across care settings in a hospital and post-acute care setting, such as a physician clinic or a skilled nursing facility. In contrast, we do not consider a bundled payment to a provider for an episode of care that occurs in a single setting, such as a DRG payment to a hospital for inpatient services, to be an episodic payment for purposes of this rule.

Lastly, we are not finalizing an episodic payment methodology that requires a repayment obligation for losses equal to, at a minimum, 20 percent of historical expenditures or reframing the Episodic Payment Methodology as “discount based,” as suggested by a commenter. We clarify that the Episodic Payment Methodology, as finalized, does not require the payor to discount the cost of items and services included in the defined clinical episode of care by 20 percent. Rather, the VBE must assume risk for at least 20 percent of any loss realized pursuant to a defined clinical episode of care, with losses (and savings) calculated by comparing current expenditures for all items and services included in the defined clinical episode of care and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care.

Comment: Commenters generally expressed confusion regarding the application of the fourth prong included in the proposed “substantial downside financial risk” definition—a partial capitation payment that reflects a discount equal to at least 60 percent of the total expected fee-for-service payments. For example, a commenter asked why this methodology includes a discount because capitation itself places a physician at risk through a per-member, per-month payment. Another commenter suggested that we revise this prong to encompass capitated payments for a limited set of services, e.g., primary care. Some commenters asserted that the 60 percent discount level was not economically feasible and suggested that OIG lower the discount level.

Response: In response to comments, we are finalizing the VBE Partial Capitation Methodology, with modifications. We are removing the discount percentage requirement in recognition that the partial capitation payment, as set forth in paragraph 1001.952(ff)(9)(i)(C), itself, constitutes the assumption of substantial downside financial risk. In keeping with the intent of the prior discount percentage requirement, we also are requiring that this methodology be designed to result in material savings. In other words, the VBE Partial Capitation Methodology is designed to achieve cost efficiencies by incentivizing better care coordination that benefits patients and the health care delivery system by placing the VBE at substantial downside financial risk.

We are not defining material savings in regulatory text to provide parties flexibilities in designing partial capitation payments. There are a number of ways that parties might design a partial capitation payment consistent with this methodology to generate material savings. For example, the parties may design a capitation payment with utilization targets that are intended to lower costs versus historical utilization, or the parties may use other methodologies that incentivize the VBE to operate more efficiently and lower costs. We recognize that, as the VBE and its VBE participants become more efficient, the opportunity to achieve materials savings, as that term is commonly understood, may become more difficult. As a VBE successfully reduces costs in one year, it becomes harder to further reduce costs in subsequent years. Under this methodology, and because we are not defining “material savings,” parties have flexibility to design partial capitation payment rates to account for such issues. For example, the parties could use national or regional utilization data in designing the partial capitation payment to appropriately adjust the payment rates to account for the efficiency of the VBE.

Additionally, given the complexity of establishing a partial capitation payment, payors, from whom the VBE assumes risk under this methodology, will have a significant role in their design. Payors have experience and expertise in designing actuarial models to assess and project costs for their plans and establish rates. Capitation payments designed consistent with generally accepted actuarial principles can, for example, ensure that a partial capitation payment: (i) Captures all reasonable, appropriate, and attainable costs; (ii) is sufficient, based on past and anticipated service utilization by the target patient population; (iii) reflects cost trends; (iv) is risk adjusted as appropriate; and (iv) provides documentation and transparency on how the rate was developed. While not an exhaustive list, these factors would be relevant in assessing whether a capitation payment is designed to generate material savings.

We also are clarifying the form in which the VBE must receive a partial capitation payment. Specifically, we are requiring that the VBE receive from a payor a prospective, per-patient payment, paid on a monthly, quarterly, or annual basis. This methodology would not include fee-for-service payments under the Medicare inpatient prospective payment system or other fee-for-service payments under Medicare Parts A or B. The per-patient payment must be for a predefined set of items and services furnished to the target patient population, designed to approximate the expected total cost of expenditures for the predefined set of items and services. As noted above, this payment must be intended to result in material savings.

We emphasize that, under the VBE Partial Capitation Payment Methodology, the VBE is assuming risk for a predefined set of items or services that are less than all of the items and services covered by the payor, in contrast to the full financial risk safe harbor, which requires the VBE to assume full financial risk for all items and services from a payor. For example, a partial capitation payment under this methodology may cover primary care services only for a target patient population but not inpatient services, prescription drugs, or other items and services covered by the payor.

While we are not specifying a percentage or scope of items and services that must be reimbursed on a capitated basis, the requirement that partial capitation payments be intended to result in material savings achieves a similar purpose. A VBE assuming substantial downside risk is afforded flexibility under this safe harbor because, as explained previously, this level of risk mitigates the traditional risks of fraud and abuse associated with fee-for-service payments. The effectiveness of that mitigation is directly connected to the incentive associated with substantial downside risk methodologies; increased risk means the VBE has a greater incentive to reduce costs and improve outcomes for patients. In the context of the VBE Partial Capitation Methodology, the substantial downside risk is partly dependent on the scope of items and services covered by the partial capitation payment. For example, a VBE that receives a partial capitation payment for inpatient services associated with one DRG has less incentive than a VBE that receives a partial capitation payment for all inpatient services.

We recognize that payors are unlikely to contract with a VBE under a partial capitation payment for a narrow set of items or services. However, ensuring that VBEs have the appropriate level of incentives by assuming risk is a key safeguard in this safe harbor and is the reason why we are finalizing the requirement that partial capitation payments be designed to generate material savings. We note that the scope of services is just one factor for determining whether the capitation payment was designed to generate material savings. For example, a VBE and a payor could design a partial capitation payment that meets this methodology if the VBE receives capitation payments for a narrow set of services that are typically high cost as long as the capitation payments for that limited set of high-cost items or services were designed to generate material savings.

We also note that this safe harbor conditions protection on the VBE assuming substantial downside financial risk from the payor for the predefined items and services. It does not require the VBE to assume other functions from the payor, such as enrollment, grievance and appeals, solvency standards, and other administrative functions performed by payors.

Comment: In response to our solicitation of comments regarding alternative means to calculate savings and losses (and in particular, how best to establish a baseline that appropriately assesses the VBE’s financial performance), we received a number of comments recommending modifications to the proposed requirement that, for each methodology under the “substantial downside financial risk” definition, parties would need to determine any savings or losses realized based upon a review of historical expenditures, or to the extent such data was unavailable, evidence-based, comparable expenditures. For example, several commenters questioned our reliance on historical expenditures as a reliable datapoint, with several expressing concern that such a standard may not be adequately risk-adjusted or an accurate benchmark to the extent parties are providing new treatments, items, and services (representing the latest advances in technology, for example) that exceed the cost of treatment in benchmark years. At least two commenters recommended that we add “projected spending” as a method to compare costs, with one asserting that historical expenditures may not be appropriately risk adjusted. A commenter also suggested that we allow parties to adjust payments as needed to cover the costs of new treatment options.

Response: We are no longer requiring that parties rely on historical expenditures or evidence-based, comparable expenditures to determine a benchmark used in calculating any losses or savings realized. We recognize, as highlighted by commenters, that historical expenditures could be volatile or otherwise result in an inaccurate benchmark, particularly for smaller entities, and that other data, such as national or regional data, may be appropriate factors that can be used for setting an accurate benchmark. Consequently, we are revising this requirement to provide that, for two of the methodologies finalized in the “substantial downside financial risk” definition—the Shared Savings and Losses Methodology and the Episodic Payment Methodology—parties must calculate any losses or savings based upon a bona fide benchmark, i.e., a legitimate benchmark, designed to approximate the cost of care.^[51] Specifically, for the Shared Savings and Shared Losses Methodology, we require that the parties calculate losses by comparing current expenditures for all items and services that are covered by the applicable payor and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care. Similarly, for the Episodic Payment Methodology, we require that parties calculate losses by comparing current expenditures for all items and services that are covered by the applicable payor, furnished to the target patient population, and relate to a defined clinical episode of care to a bona fide benchmark designed to approximate the expected total cost of care for the defined clinical episode of care.

This revision has two aims. First, we seek to protect against the selection of benchmarks that artificially create savings or inappropriately insulate any VBE participant from losses. This is based on our intent to ensure that parties are truly assuming downside financial risk. Second, we seek to provide parties with the flexibility necessary to establish a baseline tailored to the contract or value-based arrangement between the VBE and the payor. Thus, under these revised methodologies, a bona fide benchmark does not need to be based on historical expenditures or, to the extent such data is unavailable, evidence-based, comparable expenditures, as proposed in the OIG Proposed Rule. With this revised standard, a bona fide benchmark may be appropriately adjusted, e.g., through a prospective or retrospective risk-adjustment to account for outlier health care expenditures, provided the methodology for such adjustment is established in advance. We emphasize that any such adjustment must be consistent with the requirement that the bona fide benchmark be designed to approximate the expected total cost of care.

We note that there are several ways that parties may demonstrate that a benchmark is bona fide. Parties seeking examples of bona fide benchmarks may look to Innovation Center models, the Medicare Shared Savings Program, Medicaid programs, or private payors that have adopted and validated benchmarks for their participants in similar risk-based models. Bona fide benchmarks may incorporate concepts such as risk adjustments, cost projections (including those related to new treatments), and peer comparisons, as applicable. Given the complexity of establishing a benchmark, we anticipate that payors from whom the VBE assumes risk will be involved in their design. Similar to the design of a partial capitation payment, payors have relevant experience and expertise in designing actuarial models to assess and project costs for their plans that will support the development of bona fide benchmarks. Benchmarks that are validated or designed consistent with generally accepted actuarial principles will likely be bona fide. Parties will need to assess and ensure the validity and appropriateness of the benchmark based on the specific facts and circumstances of their VBE, the value-based arrangement, the scope of the items and services covered, and the target patient population.

Comment: Several commenters requested that OIG include a cap or stop-loss threshold in the substantial downside financial risk safe harbor that would limit the amount of loss incurred by the VBE. For example, specific to the clinical episode of care methodology, a commenter recommended that we limit potential losses to 20 percent of historical expenditures; specific to the shared savings methodology, a commenter encouraged protection for arrangements that include stop-loss thresholds for shared losses set at a certain percentage of historical benchmark costs, akin to the Medicare Shared Savings Program.

Alternatively, other commenters urged OIG to simply clarify that reinsurance arrangements, or other like arrangements to protect against catastrophic losses, would not fall outside of our proposed definition of “substantial downside financial risk.” According to these commenters, reinsurance arrangements are critical to encouraging the assumption of downside financial risk.

Response: Given the inherent differences in target patient populations, the sophistication of parties participating in value-based arrangements, and varying risk methodologies that parties may adopt, we decline to include a specific cap, stop-loss threshold, or reinsurance threshold. This provides parties flexibility to adopt various risk methodologies that still satisfy the safe harbor’s definition of “substantial downside financial risk.” Parties entering into a contract or a value-based arrangement to assume substantial downside financial risk should have the flexibility to determine the appropriate cap, stop-loss, or reinsurance threshold, if any, and we clarify that neither the safe harbor’s conditions nor the definition of “substantial downside financial risk” precludes parties from entering into reinsurance arrangements or other like arrangements to protect against catastrophic losses. Nevertheless, we caution that such arrangements should not be used as a vehicle to materially shift the substantial downside financial risk a VBE is otherwise required to assume pursuant to this safe harbor.

Comment: Several commenters supported OIG’s alternate proposal to adopt risk levels more closely aligned with advanced APMs and other payor advanced APMs, as both terms are defined at 42 CFR 414.1305, or requested that the definition of “substantial downside financial risk” include advanced APMs. In addition, a commenter noted that the risk levels proposed by OIG exceeded those required in advanced APMs.

Response: We are not revising the risk levels set forth in the “substantial downside financial risk” definition to align with those of advanced APMs and other payor advanced APMs, as both terms are defined at 42 CFR 414.1305. Different risk thresholds between this safe harbor and advanced APMs and other payor advanced APMs are appropriate in light of the differing objectives between this rulemaking and the Quality Payment Program, the Medicare payment program that relies on the defined terms advanced APMs and other payor advanced APMs. For example, the advanced APM track of the Quality Payment Program is specific to eligible clinicians and offers a potential five percent Medicare bonus payment, among other benefits. By contrast, this safe harbor protects arrangements of a wide variety of industry stakeholders beyond eligible clinicians from liability under a criminal statute and sets out the conditions under which that protection is available.

It is possible that participants in an advanced APM might assume risk at levels that meet the requirements of this safe harbor. Further, some advanced APM participants may be eligible for safe harbor protection under the new CMS-sponsored model arrangements safe harbor found at paragraph 1001.952(ii).

Comment: Multiple commenters requested that we opine on whether certain arrangements would meet our proposed definition of “substantial downside financial risk.” For example, at least two commenters requested that we address whether a bonus pool or gainsharing arrangement, tied to the achievement of certain outcome measures, could potentially meet our definition of “substantial downside financial risk.” The commenters argued in favor of such an interpretation, asserting that the potential to earn a bonus payment constitutes downside risk to the extent the bonus is (i) otherwise considered part of the recipient’s aggregate compensation, and (ii) withheld if outcome measures are not met.

Response: The definition of “substantial downside financial risk” requires, among other criteria, that the VBE assume the potential for realizing losses. This definition would permit parties to design a two-sided risk methodology that would place the VBE at downside financial risk and upside financial risk. In other words, the definition requires, at a minimum, the VBE to assume substantial downside financial risk, but does not preclude the parties from including other risk methodologies, so long as all other conditions of the safe harbor are met. For example, arrangements that include a bonus pool or gainsharing, along with the VBE assuming the required substantial downside financial risk, may be protected by this safe harbor. However, a risk methodology that only includes upside risk would not meet this requirement.

ii. Meaningful Share

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(2) that this safe harbor would protect remuneration exchanged between a VBE and a VBE participant if the VBE participant meaningfully shares in the VBE’s substantial downside financial risk for providing or arranging for items and services for the target patient population. We proposed that a VBE participant would meaningfully share in the VBE’s risk if the VBE participant met one of the following three methodologies: (i) A risk-sharing payment pursuant to which the VBE participant is at risk for 8 percent of the amount for which the VBE is at risk under its agreement with the applicable payor (e.g., an 8-percent withhold, recoupment payment, or shared losses payment); (ii) a partial or full capitated payment or similar payment methodology (excluding certain enumerated reimbursement methodologies); or (iii) in the case of a VBE participant that is a physician, a payment that meets the requirements of the physician self-referral law’s regulatory exception for value-based arrangements with meaningful downside financial risk at 42 CFR 411.357(aa)(2).

Summary of Final Rule: We are finalizing, with modifications, at paragraph 1001.952(ff)(3) a requirement for the VBE participant to be at risk for a meaningful share of the VBE’s substantial downside financial risk for providing or arranging for the provision of items and services for the target patient population. We are finalizing, with modifications, the proposed definition of “meaningful share” at paragraph 1001.952(ff)(9)(ii). Specifically, based on comments we are: (i) Revising the first methodology of the “meaningful share” definition (the “Risk-Sharing Payment Methodology”) to clarify that any risk assumed by a VBE participant pursuant to this methodology must be two-sided risk; (ii) lowering the risk threshold for the Risk-Sharing Payment Methodology from 8 percent to at least 5 percent of the losses and savings, as applicable, realized by the VBE pursuant to its assumption of substantial downside financial risk; (iii) revising the second methodology of the “meaningful share” definition to apply to prospective, per-patient payments for a predefined set of items and services furnished to the target patient population (the “Meaningful Share Partial Capitation Methodology”); and (iv) not finalizing the proposed methodology applicable to physician payments that meet the requirements of the physician self-referral law’s regulatory exception for value-based arrangements with meaningful downside financial risk at 42 CFR 411.357(aa)(2) (the “CMS Exception Methodology”).

Comment: While we received comments in favor of our proposed requirement for the VBE participant to assume a meaningful share of the VBE’s substantial downside financial risk, many advocated against it, suggesting no or optional risk requirements for VBE participants downstream from the VBE assuming substantial downside financial risk. These commenters highlighted varying Innovation Center models that do not require the downstream assumption of risk.

Response: We are finalizing a requirement for VBE participants, other than the payor from which the VBE is assuming risk, to be at risk for a meaningful share of the VBE’s substantial downside financial risk pursuant to a value-based arrangement with the VBE. This safe harbor is not chiefly designed for Innovation Center models, which may not have downside financial risk, and which may fit more readily in the new safe harbor at paragraph 1001.952(ii) for CMS-sponsored models. The requirement to assume a meaningful share of the VBE’s risk is foundational to the structure of the safe harbor, which does not include certain established safeguards, such as a fair market value requirement, designed to mitigate risks inherent to a traditional fee-for-service payment methodology, nor additional safeguards present in the care coordination arrangements safe harbor, such as a bar on monetary compensation or a contribution requirement, that protect against payment for referral schemes. The requirement to assume a meaningful share of the VBE’s risk helps ensure that VBE participants ordering or arranging for items and services for the target patient population share in the VBE’s value-based purposes and cost-reduction goals.

The payor from which the VBE is assuming substantial downside financial risk is exempt from the requirement to meaningfully share in the VBE’s substantial downside financial risk in paragraph 1001.952(ff)(3). As discussed in greater detail in section III.B.4.d, this carve-out applies to those payors from which VBEs are assuming risk that elect to also be a VBE participant and enter into a value-based arrangement with a VBE. In such circumstances, the payor, as a VBE participant, need not share again in the risk that the VBE assumed from it in the value-based arrangement.

Comment: While at least one commenter supported the risk threshold in the first proposed methodology for meaningfully sharing in the VBE’s risk (a risk-sharing payment pursuant to which the VBE participant is at risk for 8 percent of the amount for which the VBE is at risk under its agreement with the applicable payor), the majority of commenters advocated that we lower the risk threshold, such as to 5 percent. Commenters highlighted varying Innovation Center models that impose lower risk requirements or rely on a broader risk framework. Other commenters suggested that this methodology should be expanded to encompass other types of risk, for example, operational or contractual risk. Commenters suggested that a more expansive methodology would encourage a greater number of providers to take on downside risk arrangements while still effectively deterring potential fraudulent behavior. A commenter recommended that OIG revise the first proposed methodology for meaningfully sharing in the VBE’s risk to state that the VBE participant is at risk for “at least 8 percent” of the VBE’s risk to allow for other arrangements that involve greater downside risk.

Response: We are revising the Risk-Sharing Payment Methodology to reduce the required minimum risk threshold from 8 percent to at least 5 percent and requiring two-sided risk (e.g., savings and losses). We believe this level of risk is appropriate to ensure VBE participants share the VBE’s goal of cost reduction and to reduce fraud and abuse risks while making this safe harbor more accessible to individuals and entities that want to exchange remuneration with the VBE pursuant to this safe harbor. As finalized, this methodology aligns with the Shared Savings and Losses Methodology in the definition of “substantial downside financial risk.” This modification will provide VBE and VBE participants additional flexibilities to align risk-sharing methodologies and protect similar exchanges of remuneration (e.g., savings and losses) in value-based arrangements.

We are not permitting VBE participants to meet the Risk-Sharing Payment Methodology by assuming other types of risk, such as operational or contractual risk. We are concerned these types of risk would not adequately align a VBE participant’s financial incentives with that of the VBE’s cost-reduction goals resulting from the VBE’s assumption of substantial downside financial risk.

Comment: Some commenters opposed pegging the first risk-sharing payment methodology of the “meaningful share” definition to the total risk assumed by the VBE. For example, a commenter noted that VBE participants, and in particular smaller providers, are unlikely to accept risk for 8 percent of the total amount for which the VBE is at risk from the payor. The commenter urged OIG to revise its meaningfully share standard to require that the VBE participant assume risk only for its own costs and suggested 20 percent as a potential risk assumption threshold.

Response: As finalized, the Risk-Sharing Payment Methodology continues to require that the VBE participant share in a certain percentage of the VBE’s total risk. However, in response to comments, we are finalizing a lower risk threshold of 5 percent for this methodology and clarifying that this methodology requires two-sided risk.

We also clarify that, to the extent a VBE realizes catastrophic losses, triggering any reinsurance or other like arrangement into which the VBE has entered, the VBE participant would calculate any amount owed to the VBE pursuant to this methodology based on the VBE’s losses, as adjusted by the reinsurance or other like arrangement.

Comment: A commenter requested that OIG define “partial capitation arrangements” in the context of the second proposed methodology for meaningfully sharing in the VBE’s risk—a partial or full capitation payment or similar payment methodology, excluding the Medicare inpatient prospective payment system or other like payment methodology. The commenter also asked whether there is a minimum amount that would qualify as partial capitation.

Response: In response to comments, we are finalizing the Meaningful Share Partial Capitation Methodology with revisions that, for clarity, more fully describe the permissible capitation methodology. Pursuant to this revised methodology, a VBE participant must: (i) Receive from the VBE a prospective, per-patient payment on a monthly, quarterly, or annual basis for a predefined set of items and services furnished to the target patient population by the VBE participant designed to approximate the expected total cost of those expenditures for the predefined items or services; and (ii) not separately claim payment from the payor for the predefined set of items and services covered by the partial capitated payment. Consistent with our stated goal in the OIG Proposed Rule, we believe this methodology ensures that those VBE participants assuming a meaningful share of the VBE’s risk pursuant to the Meaningful Share Partial Capitation Methodology do so in a manner that is aligned with the payor’s cost-reduction goals.

For the same reasons we are not specifying the percentage or scope of items and services that must be included in the VBE Partial Capitation Methodology, we are not specifying a minimum amount of items and services that must be covered to meet the Meaningful Share Partial Capitation Methodology. Likewise, we note that this methodology would not include fee-for-service payments under the Medicare inpatient prospective payment system or other fee-for-service payments under Medicare Parts A or B. Payments must be made on a monthly, quarterly, or annual basis to satisfy this methodology.

A VBE participant may be at risk through this methodology not only where the VBE is at substantial downside financial risk through the VBE Partial Capitation Methodology but also any other substantial downside financial risk methodology. For example, VBE participants could be at risk through the Meaningful Share Partial Capitation Methodology, and the VBE could assume substantial downside financial risk from a payor through the Episodic Payment Methodology.

Comment: We received varying comments on the third proposed methodology for meaningfully sharing in the VBE’s risk: Physician VBE participants would be deemed to meaningfully share in the VBE’s risk if they meet the definition of “meaningful downside financial risk” under the physician self-referral law at 42 CFR 411.357(aa)(2). Some commenters either opposed this provision altogether or advocated for a lower threshold than the 25 percent threshold for sharing in the costs of the remuneration exchanged under a value-based arrangement, with a few commenters suggesting between 5 and 15 percent. On the other hand, some commenters supported this provision stating, for example, that it facilitated alignment across OIG’s and CMS’s rules. Another commenter requested that OIG amend this provision to apply more broadly to other VBE participants and not just physicians.

Response: We are not finalizing the third proposed methodology (the CMS Exception Methodology). Pursuant to the final meaningful downside financial risk exception at 42 CFR 411.357(aa)(2), a physician must be at “meaningful downside financial risk” for failure to achieve the value-based purpose(s) of the value-based enterprise during the entire duration of the value-based arrangement. A physician assumes “meaningful downside financial risk” if the physician is responsible to repay or forgo no less than 10 percent of the total value of the remuneration the physician receives (or is entitled to receive) under the value-based arrangement in the event of the failure to achieve the value-based purpose(s) of the value-based enterprise.

Upon further consideration of the varied comments we received regarding the CMS Exception Methodology, we believe the CMS Exception Methodology does not fit within the framework of the substantial downside financial risk safe harbor, which is different from the meaningful downside financial risk exception CMS is finalizing. Unlike CMS’s meaningful downside financial risk exception, OIG’s safe harbor requires the VBE participant to assume risk for a meaningful share of the VBE’s substantial downside financial risk. Risk under the CMS Exception Methodology is tied to a percentage of the total value of the remuneration the physician receives under the value-based arrangement rather than a percentage of the risk the VBE assumes from the payor. The CMS Exception Methodology does not require the physician to meaningfully share in financial risk assumed by the VBE, a requirement of the safe harbor.

Comment: A commenter expressed concern that the differing standards for the assumption of downside risk in the safe harbor (i.e., “substantial downside financial risk” and “meaningfully sharing in the VBE’s substantial downside financial risk”) would confuse parties to value-based arrangements and discourage participation. The commenter appeared to suggest that OIG adopt a single, low risk threshold in the substantial downside financial risk safe harbor.

Response: While we appreciate the commenter’s input, we respectfully disagree. It is appropriate to have differing risk assumption requirements for the VBE and the VBE participant. The VBE is contracting or entering into a value-based arrangement with a payor to assume substantial downside financial risk, most likely for items and services provided across care settings and by multiple VBE participants. Conversely, the VBE participant contracting with the VBE is not only one step removed from the payor contract, but its performance of value-based activities is likely to have a narrower focus, specific to the items and services it furnishes to the target patient population. As such, we believe a lower risk assumption threshold is appropriate for the VBE participant.

Comment: A commenter recommended that “advanced APMs” and “other payer APMs,” as both terms are defined at 42 CFR 414.1305, should be expressly included in the safe harbor and automatically qualify as assuming a meaningful share of the VBE’s substantial downside financial risk. Another commenter suggested that we adopt the “more than nominal risk” standard for advanced APMs instead of the proposed “meaningfully share” standard.

Response: Because this safe harbor has broader applicability to the health care industry than the regulations in which the defined terms referenced by the commenter are used (which apply to a Medicare payment program for physicians), we decline to revise the definition of “meaningful share” to encompass the potentially lower risk thresholds set forth in the “advanced APM” and “other payer APM” definitions as set forth in 42 CFR 414.1305 or adopt, in lieu of “meaningful share,” the “more than nominal risk” standard. Thus, participants in advanced APMs and other payer APMs will not automatically qualify as having a “meaningful share” of the VBE’s substantial downside financial risk and must meet the risk thresholds we are finalizing.

Comment: A commenter asked whether a VBE participant could join an existing value-based arrangement between a VBE and one or more VBE participants and satisfy the safe harbor requirement to assume a meaningful share of the VBE’s risk by sharing in such risk only for the duration of its participation in the value-based arrangement, as opposed to the duration of the value-based arrangement.

Response: If the VBE has already entered into a value-based arrangement with one or more VBE participants for purposes of this safe harbor, a party may join the existing value-based arrangement as a VBE participant provided all safe harbor requirements are met, including amending the signed writing to include a description of the manner in which the new VBE participant will have a meaningful share of the VBE’s substantial downside financial risk.

We note that, other than during the 6-month phase-in period that is available under this safe harbor, the VBE participant must be at risk for a meaningful share of the VBE’s risk throughout its participation in the value-based arrangement. This requirement does not apply if the VBE participant is the payor from which the VBE is assuming risk.

Comment: A commenter asserted that OIG should add language to the safe harbor stating that VBE participants’ meaningful share of risk can be through front-end withholds or dues assessments and need not be through back-end repayment.

Response: For the risk methodologies under the definition of “meaningful share,” we did not propose, and the final rule does not prescribe, how the parties to a value-based arrangement may effectuate the VBE participant’s risk, and as such, the parties could effectuate risk prospectively or retrospectively.

iii. Other Defined Terms

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(8)(ii) that the terms “coordination and management of care,” “target patient population,” “value-based activity,” “value-based arrangement,” “value-based enterprise,” “value-based purpose,” and “VBE participant” would have the meaning set forth in proposed paragraph 1001.952(ee).

Summary of Final Rule: We are finalizing, with modifications, our proposed use of the value-based terminology at paragraph 1001.952(ff)(9)(iii). We no longer use the term “coordination and management of care” in this safe harbor. Additionally, because we are finalizing at paragraph 1001.952(ff)(1) a requirement making certain entities ineligible to use the safe harbor, we adopt for this safe harbor the definition of “manufacturer of a device or medical supply” at paragraph 1001.952(ee)(12).

Comment: A few commenters requested that OIG define the term “payor,” with a commenter specifically suggesting that we define such term to include a managed care organization that has a contract with Medicare, Medicaid, or another Federal health care program that is subject to 1128B of the Act. A commenter also asked OIG to define the term “used” in relation to the requirement that remuneration be used primarily to engage in value-based activities that are directly connected to the items and services for which the VBE is at substantial downside financial risk and that are set forth in writing. The commenter also asked OIG to define the term “offeror’s cost” in relation to the requirement that the writing state all material terms of the value-based arrangement, including the offeror’s cost of the remuneration.

Response: We are not defining the term “payor.” The term has its commonsense meaning of a payor of health care items and services on behalf of patients. We confirm that, for purposes of this safe harbor, such term would include managed care organizations that have contracted with Medicare, Medicaid, and other Federal health care programs. We also are not defining the term “used” in regulatory text but use the term consistent with its commonsense, well-understood meaning (e.g., to put into action or service, utilize). Further, we decline to define the term “offeror’s costs” because, as explained at section III.B.4.k, we are not finalizing the requirement that the writing include the offeror’s costs.

c. Entities Ineligible for Safe Harbor Protection

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(ee) to limit the entities that could qualify as VBE participants, which would have the effect of limiting availability of the value-based safe harbors, including the substantial downside financial risk safe harbor at proposed paragraph 1001.952(ff), for those ineligible entities. The proposed definition of “VBE participant” is summarized more fully in section III.B.2.e of this preamble.

Summary of OIG Final Rule: As explained at section III.B.2.e, we are not finalizing our proposal in proposed paragraph 1001.952(ee) to limit the entities that could qualify as VBE participants. Rather, in the final rule we are identifying parties ineligible to rely on safe harbors in the safe harbors themselves. For the substantial downside financial risk safe harbor, we are finalizing a requirement that remuneration is not exchanged by any of the following entities: (i) Pharmaceutical manufacturers, wholesalers, and distributors; (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of devices or medical supplies; (vi) entities or individuals that manufacture, sell, or rent DMEPOS (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services, all of whom remain eligible); and (vii) medical device distributors or wholesalers that are not otherwise manufacturers of devices or medical supplies.

Summaries of comments, our responses, and policy decisions regarding this issue can be found in the discussion of VBE participants in section III.B.2.e of this preamble.

d. VBE’s Assumption of Risk From a Payor

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(1) that the VBE must assume substantial downside financial risk from a payor and that the VBE could assume such risk directly from a payor or through a VBE participant acting on behalf of the VBE (i.e., as an agent of, and accountable to, the VBE).

Summary of Final Rule: We are finalizing, with modifications, this requirement at paragraph 1001.952(ff)(2). First, we are modifying the safe harbor to provide two options to VBEs assuming substantial downside financial risk from a payor. A VBE can assume risk from the payor through an arrangement that meets the definition of “value-based arrangement,” or a VBE can assume risk from a payor through a contract that places the VBE at substantial downside financial risk. The first option provides protection for the remuneration exchanged between the payor and the VBE, if all safe harbor requirements are met. To effectuate this, the payor must be a VBE participant and the VBE must assume risk from the payor through a value-based arrangement. Under the second option, if a payor does not wish to be part of the VBE, the VBE can assume substantial downside financial risk from the payor through a written contract. Under this option, the contract that places the VBE at risk is not a value-based arrangement and the safe harbor would not protect remuneration exchanged pursuant to it.

Second, we are modifying the risk assumption requirement to clarify that the payor cannot act on behalf of the VBE; the VBE must be a distinct legal entity or represented by a VBE participant, other than a payor, that acts on the VBE’s behalf.

Comment: Some commenters opposed the proposed requirement that a VBE assume risk from a payor, asserting payor involvement should not be a prerequisite to safe harbor protection. For example, a post-acute-care provider asserted that, where the financial risk shared between providers is significant, the safe harbor should be available regardless of whether a payor is directly involved.

Response: We are finalizing the requirement that the VBE assume substantial downside financial risk from a payor because we view it as a critical safeguard against the potential for fraud and abuse. Payors are ultimately responsible for the cost of the items and services furnished to a target patient population, which informs our decision to require that they be party to the risk arrangement that serves as the foundation for this safe harbor. Moreover, the payor serves as an entity with both a holistic view of, and a financial interest in reducing, total expenditures for the target patient population, which we believe mitigates the risks traditionally associated with fee-for-service systems, such as overutilization or inappropriate utilization.

Consistent with our emphasis in the OIG Proposed Rule that parties assuming substantial downside financial risk have more flexibility, we have modified the safe harbor so that payors and VBEs have two options for entering into the risk arrangement—entering into either a value-based arrangement or a written contract for the VBE to assume risk from the payor.

Under the first option for risk arrangements, payors must be a VBE participant, which is permitted under our final definition of “VBE participant.” The payor (as a VBE participant) and the VBE can enter into a value-based arrangement for the VBE to assume substantial downside financial risk. As we proposed and are finalizing in this rule, the introductory paragraph to 1001.952(ff) protects remuneration exchanged between a VBE and a VBE participant pursuant to a value-based arrangement. Therefore, remuneration exchanged pursuant to a payor’s and a VBE’s value-based arrangement could be protected by this safe harbor, including remuneration exchanged to implement a substantial downside financial risk methodology (e.g., shared savings and losses), if the value-based arrangement meets all applicable conditions of the safe harbor. We do not believe this option would pose an unreasonable burden on the payor because a value-based arrangement requires only the provision of at least one value-based activity for a target patient population, and the payor and VBE already must enter into an agreement to effectuate the VBE’s assumption of risk for the target patient population. We believe any burden would be outweighed by the benefits of safe harbor protection.

Under the second option, payors that do not wish to be part of the VBE may choose to enter into a written contract for purposes of the VBE assuming substantial downside financial risk. Under this option, payors would not be VBE participants, the written contract between the payor and the VBE would not be a value-based arrangement, and the payor would not be subject to the other conditions of the safe harbor. In such circumstances, these contracts must only meet the condition at paragraph 1001.952(ff)(2), i.e., they must evidence the VBE’s assumption of substantial downside financial risk from the payor. Remuneration exchanged pursuant to a risk assumption contract that is not a value-based arrangement is not protected by this safe harbor. The VBE and the payor would need to assess any potential remuneration exchanged pursuant to the risk arrangement contract and its compliance with the Federal anti-kickback statute.

In response to the commenter suggesting that providers should be permitted to assume risk without a payor, we recognize that there may be risk-based arrangements between and among providers that facilitate the goals set forth in the definition of “value-based purpose” and that seek to reduce overall costs. However, this safe harbor does not protect such arrangements. Other safe harbors may be available to protect such arrangements, such as the care coordination arrangements safe harbor or the personal services and management contracts and outcomes-based payment arrangements safe harbor.

Comment: Commenters requested that we clarify how the safe harbor would apply to arrangements involving certain categories of Federal health care program beneficiaries, such as Medicare fee-for-service patients or Indian Health Service (IHS) beneficiaries. In particular, multiple commenters expressed concern that, because Indian health care is compensated through IHS appropriations and the Medicare, Medicaid, and CHIP programs, Indian health care providers could not be risk-bearing entities, as required in the proposed substantial downside financial risk safe harbor.

Response: Given the requirement that the VBE assume substantial downside financial risk from a payor, this safe harbor will be available only for contracts or value-based arrangements where the target patient population is comprised of patients insured by a payor with which a VBE can enter into a risk arrangement. For example, whereas the safe harbor may be available for certain Medicaid direct contracting or managed care models,^[52] it likely would not currently be available for an arrangement with a target patient population comprised of patients enrolled only in Medicare Parts A and B (i.e., Medicare fee-for-service) because, outside of Innovation Center models and the Medicare Shared Savings Program, we are not aware of a mechanism that would allow a VBE to contract with the Medicare program to assume substantial downside financial risk for items and services for those patients.

It is also possible that Indian health care providers might not be risk-bearing entities for purposes of this safe harbor. This would not foreclose Indian health care providers from engaging in care coordination arrangements and seeking safe harbor protection under the care coordination arrangements safe harbor, which does not require the assumption of any risk (but is available for non-monetary remuneration in risk-bearing arrangements), or other available safe harbors, such as the personal services and management contracts and outcomes-based payments safe harbor that protects monetary payments for achieving quality outcomes. Moreover, the fact that an arrangement does not fit in a safe harbor does not make the arrangement unlawful, and the OIG advisory opinion process is also available for parties seeking a determination about a specific existing or proposed arrangement.

Comment: At least two commenters expressed support for the ability of a VBE participant to contract and assume risk on behalf of the VBE.

Response: We confirm that, for purposes of this final rule, parties have this flexibility. A VBE may assume risk from the payor directly or through a single VBE participant acting on its behalf because we recognize that not all VBEs may be a separate legal entity.

Comment: While acknowledging patients’ right to choose a provider, a commenter requested that OIG not require parties to assume downside financial risk for those patients who choose to receive health care items or services from parties outside of the VBE. According to the commenter, physicians participating in VBEs that are clinically integrated need to refer patients within high-functioning networks that follow care management programs, and providers should not be required to assume downside financial risk for those patients who seek care outside the network.

Response: We are not adopting the commenter’s suggestion to exclude those patients who choose to receive care outside a VBE from the calculation of downside financial risk. While we recognize that patients in the target patient population ultimately could select providers and suppliers both inside and outside the VBE, we believe the VBE and its VBE participants can still coordinate and manage the care of these patients and should be required to assume risk for these patients in order to benefit from the increased flexibility afforded by this safe harbor. In addition, allowing providers to remove patients from the calculation of downside risk if they choose any provider outside the VBE could lead to manipulation of the target patient population in ways that could compromise the quality of patient care, e.g., providers might encourage more costly patients to obtain care elsewhere. This approach is consistent with the Medicare Shared Savings Program.

Comment: A medical device manufacturer asserted that this safe harbor should be expanded to recognize that, in many cases, the items or services for which the VBE is at risk will not necessarily be provided directly to patients in the target patient population but instead may be an ancillary part of their care under the value-based arrangement, such as products and services deployed by medical device manufacturers.

Response: We require that the VBE be at substantial downside financial risk for providing or arranging for the provision of items and services for a target patient population and that the VBE participant assume a meaningful share of that risk. There is no requirement that such items and services be provided directly to the target patient population, and there is nothing in the safe harbor that prevents the VBE’s risk from encompassing items and services for, but not provided directly to, the target patient population, such as ancillary products and services. However, pursuant to paragraph 1001.952(ff)(1)(v), manufacturers of devices or medical supplies are not eligible to use this safe harbor to exchange remuneration.

e. Phase-In Period

Summary of OIG Proposed Rule: To address start-up arrangements for parties preparing to take on risk, we proposed at paragraph 1001.952(ff)(1) that this safe harbor would protect remuneration exchanged between the VBE and a VBE participant during the 6 months prior to the date by which the VBE must assume substantial downside financial risk. We proposed that, during this phase-in period, the VBE must be contractually obligated to assume such risk from a payor.

Summary of Final Rule: We are finalizing the 6-month phase-in period, with modification, and relocating it to paragraph 1001.952(ff)(2).

Comment: Commenters overwhelmingly supported a phase-in period, noting that many providers and organizations will need time to assume downside financial risk. However, many commenters asserted that the proposed 6-month time period was insufficient and recommended a longer phase-in period, such as 1 or 2 years. These commenters expressed concern that, absent a longer phase-in period, the safe harbor would be available to only highly sophisticated and large organizations that already have the capacity to take on high levels of financial risk. Another commenter argued that a longer phase-in period is essential in order to allow newly formed or small VBEs the flexibility to establish baselines against which to measure losses or savings. Some commenters highlighted other justifications for a longer phase-in period, including the significant training and integration needed for the adoption of new software systems and the need for providers with less experience with value-based arrangements, including small or rural providers, to have more time to assume financial risk. Other commenters requested that OIG extend the phase-in period only in defined circumstances, e.g., for VBEs created by independent medical practices or in circumstances where the 6-month phase-in period would place an undue burden on the parties to the arrangement. Finally, another commenter suggested a capacity-building period of 2 years where an entity would take on lower levels of downside financial risk and gradually build up to the thresholds set forth in the definition of “substantial downside financial risk.”

Response: We solicited comments on whether 6 months was a sufficient timeframe for a phase-in period or whether a longer or shorter timeframe would be appropriate. Having reviewed the comments and considered the issue, we have determined that, while some parties interested in assuming substantial downside financial risk might benefit from a phase-in period of more than 6 months, a 6-month phase-in period, paired with the availability of the care coordination arrangements safe harbor, should provide a sufficient on-ramp for parties seeking safe harbor protection for start-up or capacity-building arrangements to prepare to assume substantial downside financial risk.

In addition, the changes we have made to the definition of “substantial downside financial risk” to replace the previous requirements for comparisons to historical benchmarks should allay concerns raised by newly formed or small entities about the time needed to establish baselines against which to measure losses or savings. In particular, the new standard for setting a benchmark provides flexibility to individuals and entities that may not have historical benchmarks to establish benchmarks using other appropriate data, such as regional or national data.

Comment: A commenter requested that OIG confirm that all remuneration exchanged during the phase-in period related to VBE participants’ good faith efforts to set up the VBE or value-based arrangement would be protected, even if the value-based arrangement ultimately did not move forward.

Response: To qualify for protection during the phase-in period, the VBE must have a contract or a value-based arrangement with the payor to assume risk within the next 6 months. To illustrate, if a VBE enters into a contract with a payor on January 1, the VBE must assume substantial downside financial risk no later than July 1st. The phase-in period runs from January 1 to July 1 (or an earlier date if the VBE assumes risk sooner). We recognize that a VBE might discover during the phase-in period that it is unable to assume the planned risk because, for example, of a failure to achieve an adequate network or necessary infrastructure. Remuneration exchanged between a VBE and a VBE participant during the phase-in period would be protected even if the VBE ultimately does not assume substantial downside financial risk at the conclusion of the phase-in period, provided the VBE had entered into a contract or a value-based arrangement with the payor to assume substantial downside financial risk and all other safe harbor requirements were met.

With respect to the question about setting up a VBE, under the final rule, parties may not use the 6-month phase-in period to protect remuneration exchanged in order to set up a VBE because, as a condition of meeting the safe harbor, the VBE must already be in existence. In addition, there must be a value-based arrangement between the VBE and VBE participant that includes the exchange of payments or something of value for which safe harbor protection is sought. The remuneration under this value-based arrangement could relate to efforts to set up necessary infrastructure to assume risk for the target patient population.

Comment: A commenter asked OIG to protect all legitimate pre-arrangement activities associated with assuming risk, even where the VBE is not under a contractual obligation to assume risk. Another commenter asked whether payments by an academic medical center to physicians to maintain income levels during the phase-in period are protected.

Response: We decline to protect pre-arrangement activities when the VBE has not entered into a contract or a value-based arrangement to assume risk from a payor, although the actual assumption of risk need not occur for 6 months. The requirement that the VBE enter into a contract or value-based arrangement to assume risk is a critical safeguard to protect against parties’ attempts to exploit the phase-in period of this safe harbor to protect problematic payments when they have no intention of entering into the risk arrangements required by the safe harbor.

Income guarantee payments would not satisfy any of the risk-based methodologies set forth in the definitions of “substantial downside financial risk” or “meaningful share.” Whether income guarantee payments to physicians could otherwise be protected by this safe harbor would depend on whether such remuneration satisfies all requirements of the safe harbor. For example, such payments likely would not satisfy the requirement that remuneration be directly connected to at least one of the three value-based purposes defined in paragraph 1001.952(ee)(14)(x)(A)-(C). It seems unlikely that income guarantee payments would be directly connected to the deliberate organization of patient care activities and sharing of information to improve care for the target patient population, as the definition of coordination and management of care requires. Additionally, while we acknowledge that income guarantees could result in ancillary benefits to patients or could contribute to appropriate cost reductions, we consider it unlikely that income guarantee payments could be directly connected to improvements in the quality of care or appropriate reductions in costs.

f. Remuneration Used To Engage in Value-Based Activities

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(3)(i) that the remuneration exchanged pursuant to this safe harbor must be used primarily to engage in value-based activities that are directly connected to the items and services for which the VBE is at substantial downside financial risk.

Summary of Final Rule: We are finalizing, with modifications, this requirement at paragraph 1001.952(ff)(4)(ii). First, for the reasons set forth in section III.B.3.e.ii of this preamble, we are replacing the word “primarily” with “predominantly” so that the safe harbor now requires the remuneration exchanged to be used predominantly to engage in value-based activities that are directly connected to the items and services for which the VBE has assumed (or has entered into a written contract or value-based arrangement to assume within the next 6 months) substantial downside financial risk. Second, we are modifying this requirement to provide that the remuneration exchanged pursuant to a methodology for the assumption of risk does not need to meet this condition if the remuneration is part of a value-based arrangement that meets all other safe harbor conditions. That is, remuneration exchanged between either a VBE and a payor (as a VBE participant) pursuant to a methodology that meets the definition of “substantial downside financial risk,” or between a VBE and a VBE participant (other than a payor) pursuant to a methodology that meets the definition of “meaningful share,” need not be used predominantly to engage in value-based activities that are directly connected to the items and services for which the VBE is at substantial downside financial risk. Lastly, we are clarifying that the items and services to which the value-based activities must be directly connected are those for which the VBE has assumed (or has entered into a written contract or value-based arrangement to assume within the next 6 months) substantial downside financial risk. This clarification is in recognition that parties to a value-based arrangement may exchange remuneration during the phase-in period when the VBE has not yet assumed substantial downside financial risk but has entered into a written contract or value-based arrangement to assume such risk within the next 6 months.

Comment: Some commenters expressed general concern that this proposed requirement would be administratively burdensome, and at least one commenter more specifically stated that it would be burdensome to track how monetary remuneration is spent in order to ensure compliance with this requirement. Another commenter suggested that this requirement would preclude protection of remuneration in the form of shared savings. These commenters appeared to request that OIG remove this condition either in its entirety (thereby permitting parties to use any remuneration protected under this safe harbor for any purpose permissible under applicable law) or only with respect to monetary remuneration or a subset of monetary remuneration, such as shared savings and other performance-based payments. Alternatively, a commenter asserted that OIG should treat certain payments, such as bonus distributions and performance-based payments, as payments for the past performance of activities directly connected to the items and services for which the VBE is at risk.

Response: The commenters’ concerns and recommendations appear to stem from a perceived difficulty with tracking and monitoring the VBE participant’s use of the remuneration. In response to the commenter’s concerns, we are revising this requirement to include the following modifier at the start of paragraph 1001.952(ff)(4)(i): Unless exchanged pursuant to risk methodologies defined in paragraph (9)(i) or (ii). With this modifier, monetary remuneration exchanged pursuant to a risk methodology that meets the definition of “substantial downside financial risk” or “meaningful share,” i.e., the risk methodologies defined in paragraph 1001.952(ff)(9)(i) and (ii), does not need to be used predominantly to engage in value-based activities. Because such remuneration effectuates the assumption of risk required by the safe harbor, it is appropriate to exempt this remuneration from the requirement for remuneration to be used predominantly to engage in value-based activities.

All other remuneration exchanged must be used predominantly to engage in value-based activities that are directly connected to the items and services for which the VBE has assumed substantial downside financial risk. With respect to the commenters’ concerns regarding tracking another party’s use of such remuneration, we emphasize that the safe harbor does not require the offeror of remuneration to track the recipient’s use to determine whether such use is consistent with the safe harbor requirement to predominantly use remuneration to engage in value-based activities for the target patient population. We recognize that all parties to the value-based arrangement would lose safe harbor protection if the recipient fails to satisfy the predominant use requirement, but we believe there are ways for an offeror to protect itself against this risk, such as by including terms in the signed writing requiring the recipient to use funds in a particular manner. With respect to a commenter’s concern that this condition would preclude the protection of shared savings, this condition, as finalized, would not preclude the protection of shared savings, as long as the shared savings arrangement satisfies all of the safe harbor’s conditions.

We are not persuaded by the suggestion that we allow remuneration to be used for any purpose permissible under applicable law. In order to use this safe harbor, the parties must have formed a value-based enterprise that has one or more value-based purposes. We believe that requiring remuneration to be used predominately for value-based activities associated with the target patient population is an important mechanism to help ensure that the parties are working toward these purposes.

Comment: Commenters stated that the requirement for parties to exchange remuneration that is used to engage in value-based activities that are “directly connected” to the items and services for which the VBE has assumed (or has entered into a contract to assume within the next 6 months) substantial downside financial risk could subject parties seeking protection under this safe harbor to undue scrutiny regarding what constitutes a direct connection.

Response: We believe parties are well-positioned to demonstrate that the value-based activities they undertake have a direct connection to the items and services provided to patients in the target patient population. Pursuant to paragraph 1001.952(ff)(5) of the safe harbor, the value-based activities must be set forth in writing, which provides an opportunity for parties to document how such activities are directly connected to the items and services for which the VBE is at substantial downside financial risk.

By way of example, in a value-based arrangement where a VBE is at risk for an episode of care involving hospital and post-acute care, if the VBE furnishes or finances the provision of additional clinical staff or social workers for use by both a VBE participant hospital and a VBE participant skilled nursing facility, the clinical staff or social workers must predominantly engage in value-based activities that are directly connected to the items and services furnished during the episode of care for which the VBE is at substantial downside financial risk. In the OIG Proposed Rule, we provided an example involving a target patient population undergoing hip replacement surgery to show what it means to have a direct connection between the value-based activities and items and services for the target patient population. Using this same example under the final rule, if a VBE is at substantial downside financial risk for the items and services provided to patients in a target patient population undergoing hip replacement surgery, the VBE could give a VBE participant money to hire a staff member who predominately coordinates patients’ transitions between care settings after hip replacement surgery. The VBE could not give the VBE participant money to hire a staff member who coordinates transitions between care settings for patients undergoing an array of surgical procedures other than hip replacement surgery.^[53]

g. Direct Connection to Value-Based Purposes

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(3)(ii) that the protected remuneration must be directly connected to one or more of the VBE’s value-based purposes, at least one of which must be the coordination and management of care for the target patient population.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(ff)(4)(i). The final rule provides that protected remuneration must be directly connected to at least one of the three value-based purposes defined in paragraph 1001.952(ee)(13)(x)(A)-(C). Remuneration may advance more than one value-based purpose.

We summarize and respond to comments specific to the substantial downside financial risk safe harbor regarding this condition below. For a more detailed discussion and a summary of the general comments received regarding the requirement for a direct connection to the coordination and management of care, as proposed in both the care coordination arrangements safe harbor and this safe harbor, and our responses, we refer readers to the care coordination arrangements safe harbor section discussion at section III.B.3.h.

Comment: A commenter asserted that all payment arrangements protected by this safe harbor should have as a value-based purpose a focus on cost reduction and quality improvement.

Response: In the context of remuneration exchanged pursuant to value-based arrangements where parties have met the requirements of the definitions of “substantial downside financial risk” and “meaningful share,” we recognize that it may be appropriate for parties to have value-based purposes related to achieving appropriate cost reductions or quality improvements. Accordingly, we are revising this condition to provide parties additional options for remuneration to be directly connected to at least one of three value-based purposes defined in paragraph 1001.952(ee)(13)(x)(A)-(C). Remuneration must be directly connected to one or more of the following value-based purposes: The coordination and management of care for the target patient population; improving the quality of care for the target patient population; and appropriately reducing the costs to, or growth in expenditures of, payors without reducing the quality of care for the target patient population. Parties may choose to meet one or more of these three value-based purposes to satisfy this condition. For a more detailed discussion regarding these value-based purposes see section III.B.2.f.

h. Reductions in Medically Necessary Items or Services

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(3)(iii), we proposed to require that the remuneration exchanged not induce the VBE participants to reduce or limit medically necessary items or services furnished to any patient.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(ff)(7)(iii). We are modifying the condition to clarify that the value-based arrangement (not merely the remuneration exchanged) may not induce the VBE or VBE participants to reduce or limit medically necessary items or services furnished to any patient. We summarize and respond to comments specific to the substantial downside financial risk safe harbor regarding this provision below. For a more detailed discussion and a summary of additional comments received regarding this requirement, as proposed in both the care coordination arrangements and substantial downside financial risk safe harbors, and our responses, we refer readers to the care coordination arrangements safe harbor discussion at section III.B.3.e.iii.

Comment: Multiple commenters supported additional conditions to safeguard against the risks of cherry-picking, lemon-dropping, and stinting on care. For example, a commenter stated that the assumption of downside financial risk presented a heightened risk for cherry-picking patients, discharging highly complex, rare, or costly patients, and stinting on care for patients with high medical needs. The commenter appeared to recommend Federal Government oversight of value-based arrangements to address these risks. Another commenter recommended OIG formally monitor for cherry-picking or lemon-dropping activities and eliminate eligibility for safe harbor protection for parties inappropriately engaged in these activities.

Response: We acknowledge that assuming downside financial risk may heighten the risks identified by the commenter. We believe that the parameters created by the value-based definitions as well as the safeguards in this safe harbor protect against such conduct. For example, the definition of “target patient population” requires that the VBE or its VBE participants identify the target patient population using legitimate criteria, and criteria that seek to exclude costly or noncompliant patients would not be legitimate. However, in response to the comment that the nature of value-based arrangements, themselves, can create incentives for stinting or cherry-picking, we are expanding this prohibition to apply to not only the remuneration exchanged between the parties but also all terms and conditions of a value-based arrangement.

With respect to OIG’s oversight, we anticipate that individuals and entities that are part of a value-based enterprise will be subject to OIG’s program integrity and oversight activities to the same extent as other individuals and entities that engage in Federal health care program business.

i. Ownership or Investment Interests

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(3)(iv), we proposed that this safe harbor would not protect an ownership or investment interest in the VBE or any distributions related to an ownership or investment interest.

Summary of Final Rule: We are finalizing, without modification, this condition and relocating it to paragraph 1001.952(ff)(4)(iii).

Comment: A few commenters opposed this condition. For example, a commenter asserted that some potential participants may not be comfortable investing in a VBE where such investment is unprotected by safe harbors and therefore may avoid involvement in otherwise beneficial substantial downside financial risk arrangements. Another commenter urged OIG to clarify that it was not our intent to prohibit VBE participants from establishing a corporate structure for a VBE in which the participants may receive an equity interest, stating that, without such a clarification, the safe harbor would unnecessarily restrict the ability of individuals and entities to dictate the corporate structure of VBEs they create.

Response: We do not view protection for ownership or investment interests as fundamental to removing barriers to parties entering into value-based arrangements and are not protecting them under this safe harbor. Parties seeking to protect a particular ownership or investment interest may look to other safe harbors (e.g., the safe harbor for investment interests, paragraph 1001.952(a), which protects certain investment interests if all requirements of the safe harbor are met), and the advisory opinion process remains available.

j. Remuneration From Individuals or Entities Outside the Applicable VBE

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(3)(v), we proposed that the safe harbor would not protect remuneration funded, or otherwise resulting from contributions, by an individual or entity outside of the applicable VBE.

Summary of Final Rule: We are not finalizing this condition.

Comment: A commenter asserted that imposing this requirement would inhibit contributions or funding by an affiliate of a VBE or a VBE participant (e.g., a parent organization). Another commenter suggested OIG permit “outside” donations under the substantial downside financial risk safe harbor when the donation would benefit a VBE’s patients and the third-party donor would have no direction or control over how the funds would be spent.

Response: We are not finalizing this condition because of concerns that it may be unduly prescriptive and for the reasons described at section III.3.e.iv related to the similar proposal for the care coordination arrangements safe harbor. However, the exchange of remuneration between parties other than the VBE and a VBE participant (e.g., remuneration exchanged between a third-party donor and a VBE participant or a VBE) would not be protected by this or any value-based safe harbor. Similarly, in the circumstances presented by the commenter, we would not view contributions or funding from an affiliate of a VBE (that is not a VBE participant) to that VBE as qualifying for protection under this or any value-based safe harbor. However, under this final rule, the mere fact that an affiliate of a VBE exchanges remuneration with that VBE would not preclude safe harbor protection for value-based arrangements between that VBE and its VBE participants.

Comment: A commenter requested that we address how the exclusion of safe harbor protection for remuneration funded, or otherwise resulting from contributions, by an individual or entity outside of the applicable VBE would operate where a VBE sought to enter into a value-based arrangement with a payor that was not, itself, a VBE participant.

Response: As noted above, we are not finalizing the proposed condition. For purposes of the value-based safe harbors, we are finalizing a definition of “value-based arrangement” in paragraph 1001.952(ee)(14)(vii) that requires the arrangement to be only between or among the VBE and one or more of its VBE participants or between or among VBE participants in the same VBE.

However, the modification explained in section III.B.4.d above, addresses the commenter’s concern regarding assuming risk from a payor that is not a VBE participant. In that section, we explained that, while a payor could opt to be a VBE participant, it need not do so in order for a VBE to contract to assume substantial downside financial risk from a payor. However, unless the payor is a VBE participant, this safe harbor would not protect the remuneration exchanged between the payor and the VBE.

k. Writing

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(4), we proposed that the terms of the value-based arrangement must be set forth in a signed writing that contains, among other information, a description of the nature and extent of the VBE’s substantial downside financial risk for the target patient population and a description of the manner in which the recipient meaningfully shares in the VBE’s substantial downside financial risk.

Summary of Final Rule: We are finalizing, with modifications, this condition at paragraph 1001.952(ff)(5). The modifications are based on public comments. First, parties must document the manner in which the VBE assumes risk from a payor and the VBE participant assumes a meaningful share of such risk. Second, the writing requirement can be satisfied by a collection of documents. Third, we are not requiring documentation of the offeror’s costs. Fourth, the writing must be established in advance of, or contemporaneous with, the commencement of the value-based arrangement “and any material change,” instead of “or any material change.” Thus, the initial terms of the value-based arrangement must be set forth in the signed writing, in advance of, or contemporaneous with the commencement of the arrangement, and any material change to the value-based arrangement also must be set forth in the signed writing in advance of, or contemporaneous with the commencement of the material change. As with the similar modification we are making to the writing requirement in the care coordination arrangements safe harbor, these are the logical junctures where the writing requirement particularly serves its transparency purposes. Our proposed regulatory text did not make clear that the writing was needed at both junctures; our modifications more clearly express that policy.

This writing requirement does not apply to the contracts between a payor and a VBE in circumstances where the payor is not a VBE participant. Such contracts would not constitute value-based arrangements, subject to this condition. However, as set forth in paragraph 1001.952(ff)(2), such contracts must be in writing.

For further discussion of the general comments we received regarding a writing requirement in the value-based safe harbors, we refer readers to section III.B.3.d discussing the writing requirement for purposes of the care coordination arrangements safe harbor; in this section, we respond only to the comments specific to the proposed substantial downside financial risk safe harbor’s writing requirement.

Comment: A commenter recommended that OIG revise this condition of the substantial downside financial risk safe harbor to remove the requirement that parties specify the type and the offeror’s cost of the remuneration. The commenter stated that the offeror’s cost is not material to the arrangement because the safe harbor does not include a contribution requirement and, furthermore, may be difficult to determine.

Response: We agree and are removing the requirement that the parties include the offeror’s costs in the writing.

l. Does Not Take Into Account the Volume or Value of, or Condition Remuneration on, Business or Patients Not Covered Under the Value-Based Arrangement

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(5), we proposed that the VBE or VBE participant offering the remuneration could not take into account the volume or value of, or condition the remuneration on, referrals of patients outside of the target patient population or business not covered under the value-based arrangement. This safeguard is identical to that proposed for the care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing this condition, without modification and relocating it to paragraph 1001.952(ff)(6). For a more detailed discussion and a summary of our responses to the comments received on this condition and our rationale for finalizing it, we refer readers to the care coordination arrangements safe harbor discussion at III.B.3.f. Comments received on this topic addressed the condition as it applied to the value-based safe harbors generally; we did not receive separate comments on this condition specific to this safe harbor.

m. Preserving Clinical Decision-Making

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(6)(i), we proposed that value-based arrangements must not limit VBE participants’ ability to make decisions in the best interests of their patients. In addition, at proposed paragraph 1001.952(ff)(6)(ii) we proposed that value-based arrangements cannot direct or restrict referrals to a particular provider, practitioner, or supplier if: (i) A patient expresses a preference for a different practitioner, provider, or supplier; (ii) the patient’s payor determines the provider, practitioner, or supplier; or (iii) such direction or restriction is contrary to applicable law or regulations under titles XVIII and XIX of the Act. We proposed to interpret this condition consistent with the parallel condition proposed for the care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing, with modification, the proposed condition that the value-based arrangement must not limit the VBE participant’s ability to make decisions in the best interests of its patients at paragraph 1001.952(ff)(7)(i). We are making a technical correction to change “their patients” to “its patients.” We also are finalizing, with modification, the condition related to directing or restricting referrals, at paragraph 1001.952(ff)(7)(ii). We are deleting “or regulations” from the proposed provision because regulations are captured by the term “applicable law.”

For a more detailed discussion, summaries of comments we received regarding this requirement, as proposed in each of the value-based safe harbors, and our responses, we refer readers to the discussion of this condition in the care coordination arrangements safe harbor at section III.B.3. Below we discuss the comments we received on this condition specific to the proposed substantial downside financial risk safe harbor.

Comment: A commenter requested that OIG clarify how this requirement would apply to an arrangement involving patients who are covered by managed care payors, where patient preferences are likely to be limited.

Response: If a managed care payor determines the providers, practitioners, or suppliers from whom patients may seek health care items and services under a managed care plan, then the value-based arrangement could not direct or restrict referrals to a particular provider, practitioner, or supplier in a contrary manner.

n. Materials and Records

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(ff)(7), we proposed to require that the VBE or its VBE participants make available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of the safe harbor. We solicited comments regarding whether we should require parties to maintain materials and records for a set period of time (e.g., at least 6 years or 10 years).

Summary of Final Rule: We are finalizing, with modification, the materials and records requirement. We are specifying that, for a period of at least 6 years, the VBE or its VBE participants must maintain records and materials sufficient to establish compliance with the conditions of the safe harbor.

This requirement will promote transparency and facilitate alignment with CMS’s parallel value-based exception. For a more detailed discussion and a summary of and responses to the comments received about the records requirement, as proposed in each of the value-based safe harbors, we refer readers to the discussion of this condition in the care coordination arrangements safe harbor at section III.B.3.n. Comments received on this topic addressed the requirement as it applied to the value-based safe harbors generally; we did not receive separate comments on this requirement specific to this safe harbor.

o. Marketing of Items or Services or Patient Recruitment Activities

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(ff)(6)(iii) a condition to bar protection for remuneration exchanged pursuant to value-based arrangements that include marketing to patients of items or services or engaging in patient recruitment activities. We proposed to interpret this condition consistent with our interpretation of the same proposed requirement in the care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing this requirement, with modifications and relocating it to paragraph 1001.952(ff)(4)(v). As with the care coordination arrangements safe harbor, rather than prohibiting all marketing and patient recruitment activities, we are modifying this provision to prohibit the exchange of remuneration for the purpose of marketing items or services furnished by the VBE or VBE participants to patients or for the purpose of patient recruitment activities. Comments received on this topic addressed the requirement as it applied to the value-based safe harbors generally; we did not receive separate comments on this requirement specific to this safe harbor. Consequently, we refer readers to the discussion in section III.B.3.j of this condition in the care coordination arrangements safe harbor for a summary of applicable comments, our responses, and a more detailed discussion of this standard, including our rationale for the modification being made.

p. Downstream Arrangements

Summary of OIG Proposed Rule: We proposed to protect only remuneration exchanged between a VBE and a VBE participant at paragraph 1001.952(ff).

Summary of Final Rule: We are finalizing, without modification, the requirement that the exchange of remuneration be between the VBE and a VBE participant in the introductory paragraph of 1001.952(ff).

Comment: A commenter agreed with our proposal to limit this safe harbor to remuneration exchanged solely between the VBE and a VBE participant and acknowledged the potential fraud and abuse risks inherent in downstream arrangements where a contracting party has assumed little or no financial risk. However, the majority of commenters advocated for extending safe harbor protection to remuneration that passes between and among VBE participants, or between VBE participants and downstream contractors. A commenter stated that downstream arrangements are essential to facilitating care coordination efforts, while another commenter asserted that requiring a VBE participant to meaningfully share in the VBE’s substantial downside financial risk appropriately curtails any fee-for-service incentives. A commenter posited that this requirement would result in value-based activities being inefficiently routed through the VBE, and another commenter questioned why this safe harbor only protects remuneration between a VBE and VBE participant when the care coordination arrangements safe harbor more broadly protects remuneration between a VBE and a VBE participant or between VBE participants.

Response: We did not propose to protect arrangements where remuneration is passed from one VBE participant to another VBE participant or from a VBE participant to a downstream contractor. In this final rule, we are limiting safe harbor protection to the exchange of remuneration between the VBE and a VBE participant for which the combination of safe harbor conditions was designed. This safe harbor provides greater regulatory flexibility than the care coordination arrangements safe harbor, and as a result, we decline to extend safe harbor protection to downstream financial arrangements to which the VBE is not a party and that may not include all of the safeguards required by this safe harbor, including requirements related to the assumption of downside financial risk. A VBE participant seeking to exchange remuneration with another VBE participant may look to the care coordination arrangements safe harbor or other safe harbors, such as the personal services and management contracts and outcomes-based payments safe harbor.

Comment: A commenter expressed concern that limiting safe harbor protection to remuneration exchanged between the VBE and a VBE participant would be unworkable if the applicable VBE were comprised of an informal network of individuals and entities (versus a separate legal entity). In particular, the commenter seemed to believe that, in such circumstances, the VBE participants would not be able to protect any remuneration using this safe harbor.

Response: This safe harbor requires that a VBE assume substantial downside financial risk for certain items and services provided to the target patient population. In circumstances where the VBE is not a formal legal entity, but rather is comprised of a network of VBE participants, a single VBE participant may act on behalf of the VBE to contract or enter into a value-based arrangement with a payor to assume substantial downside financial risk. In such circumstances, this safe harbor could protect the exchange of remuneration between the VBE participant acting on behalf of the VBE and other VBE participants. We note that, while different VBE participants may act on behalf of the VBE at different times during the term of the value-based arrangement, only remuneration between a VBE participant acting on behalf of the VBE and another VBE participant may be protected. The safe harbor would not protect remuneration exchanged between two VBE participants, neither of whom are currently acting on behalf of the VBE.

q. Possible Additional Safeguards

Summary of OIG Proposed Rule: We stated in the preamble to the OIG Proposed Rule that we were considering adopting specified additional safeguards in the final rule, including a commercial reasonableness requirement, a monitoring standard, a cost-shifting prohibition, and a requirement to submit information to the Department regarding the VBE, the VBE participants, and the value-based arrangement.

Summary of Final Rule: We are not finalizing these proposed conditions. Upon further consideration, we do not consider them necessary to mitigate fraud and abuse risk given the overall structure and totality of conditions in the final safe harbor.

Comment: We received a variety of comments regarding potential additional safeguards in the substantial downside financial risk safe harbor. A commenter opposed the addition of a commercial reasonableness requirement, asserting that it would be inconsistent with CMS’s similar exception and potentially would chill innovation where parties have assumed downside risk. Several commenters suggested including additional transparency requirements for patients. A commenter recommended that we include a prohibition on inappropriate cost shifting to Federal health care programs. A few commenters suggested that OIG require objective and quantifiable outcome measures to show the remuneration exchanged enhances patient outcomes. Another commenter urged us to include a termination provision similar to that in the care coordination arrangements safe harbor.

Response: We are not imposing a commercial reasonableness requirement in this safe harbor in recognition of the VBE and its VBE participants assuming substantial downside financial risk. We believe the assumption of downside financial risk helps to ensure that the remuneration is exchanged in order to achieve value-based purposes rather than to pay for referrals, which is at the core of the commercial reasonableness standard in other safe harbors. We did not propose patient transparency or notice requirements and are not including such conditions in this final rule. While parties may choose to provide patient notifications, such a condition in the safe harbor would not add appreciable additional protection against payments for referrals. We also are not including a cost-shifting prohibition, in recognition that the assumption of substantial downside financial risk is intended to drive a reduction in costs, which may include Federal health care program costs.

While parties may include termination provisions or outcome measure requirements as part of their value-based arrangements, we are not requiring these terms as a condition of the safe harbor.

5. Value-Based Arrangements With Full Financial Risk (42 CFR 1001.952(gg))

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg) a full financial risk safe harbor that would protect remuneration exchanged between a VBE and a VBE participant pursuant to a value-based arrangement where the VBE has assumed, or is contractually obligated to assume within the next 6 months, full financial risk, as set out at proposed paragraph 1001.952(gg)(1). We proposed to define “full financial risk” at proposed paragraph 1001.952(9)(i) to mean that “the VBE is financially responsible for the cost of all items and services covered by the applicable payor for each patient in the target patient population and is prospectively paid by the applicable payor.”

We proposed that the full financial risk safe harbor would include certain safeguards, such as requirements that: (i) The VBE have a signed writing with the payor that specifies the target patient population and terms evidencing full financial risk (proposed paragraph 1001.952(gg)(1)); (ii) the parties have a signed writing that specifies the material terms of the value-based arrangement (proposed paragraph 1001.952(gg)(2)); and (iii) the VBE participant not claim payment from a payor (proposed paragraph 1001.952(gg)(3)). Further, we proposed at paragraph 1001.952(gg)(4) that the remuneration exchanged be used primarily to engage in value-based activities; be directly connected to one or more of the VBE’s value-based purposes, at least one of which must be the coordination and management of care for the target patient population; not induce reductions or limitations of medically necessary care; and not be funded by outside contributions. At proposed paragraph 1001.952(gg)(5), we proposed a restriction on taking into account the volume or value of business outside the value-based arrangement, and at proposed paragraph 1001.952(gg)(6), we proposed that the VBE provide or arrange for an operational utilization review program and quality assurance program. At proposed paragraph 1001.952(gg)(7), we proposed a restriction on marketing and patient recruitment, and at proposed paragraph 1001.952(gg)(8), we proposed a requirement to make available materials and records to the Secretary.

Summary of Final Rule: We are finalizing, with modifications, the safe harbor at paragraph 1001.952(gg). We are modifying the definition of “full financial risk” at paragraph 1001.952(gg)(10)(ii) to require the VBE to be at risk on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year. We are defining “prospective basis” at paragraph 1001.952(gg)(10)(ii) to mean the VBE has assumed financial responsibility for the cost of all items and services covered by the applicable payor prior to the provision of items and services to patients in the target patient population.

We are finalizing the proposed safeguards, with some modifications at paragraphs 1001.952(gg)(2)-(8), as explained in more detail in the topical discussions below. In addition, we have added a list of entities ineligible to use the safe harbor at paragraph 1001.952(gg)(1) for the reasons set forth in the discussion of the definition of “VBE participant” at section III.B.2.e.

a. General Comments

Comment: While some commenters expressed support for this proposed safe harbor, multiple commenters conveyed their concerns that this safe harbor may have limited application. For example, some commenters noted that the proposed safe harbor requirements, including the definition of “full financial risk,” would limit the safe harbor to only large integrated delivery systems capable of providing nearly all Medicare and Medicaid covered services to a target patient population and would disadvantage small and rural practices and practices serving underserved areas. Other commenters highlighted a potential intersection between certain state insurance and licensure laws and the proposed safe harbor requirements that could, according to the commenters, limit the availability of safe harbor protection only to those entities that could comply with such state laws, some of which may require a VBE to be licensed as a health care services plan. To address this issue, a commenter requested revisions to the proposed safe harbor to make safe harbor protection available to advanced, risk-bearing provider networks in states with such licensure requirements.

Response: We designed this safe harbor to provide significant flexibility under the Federal anti-kickback statute in light of the level of financial risk assumed by the parties. We crafted the “full financial risk” definition, as well as the conditions of this safe harbor, to balance the additional flexibilities under the anti-kickback statute with appropriate safeguards against both risks associated with fee-for-service payment systems, such as overutilization and skewed decision-making, and risks present in risk-based arrangements, including stinting on care (underutilization), cherry-picking lucrative or adherent patients, and lemon-dropping costly or noncompliant patients. We believe that the definition of “full financial risk,” combined with the conditions of this safe harbor, appropriately balance the flexibilities afforded by this safe harbor with any identified program integrity risks.

We understand that there currently are a limited number of providers assuming the level of risk required by this safe harbor. The purpose of implementing a full financial risk safe harbor is to remove one potential barrier to providers taking on more risk and having additional financial incentives to coordinate care. Providers assessing whether they can move to full financial risk in the future can consider this safe harbor and the flexibilities it offers under the Federal anti-kickback statute as one factor in that determination. There are other factors that parties would consider in the decision to assume a higher level of risk, including some considerations raised by the commenters. While safe harbors cannot address all factors that may prohibit a provider from taking on full financial risk, this safe harbor is designed to encourage more providers to do so. We also note that this safe harbor conditions protection on the VBE assuming full financial risk from the payor for the items and services. It does not require the VBE to assume other functions from the payor, such as enrollment, grievance and appeals, solvency standards, and other administrative functions performed by payors.

We recognize that some states may have laws that limit providers and other health care entities from taking on full financial risk unless they form licensed health care plans or meet other licensure requirements. We have attempted to create significant flexibility under the Federal anti-kickback statute while recognizing that parties still must comply with applicable state laws. For example, this safe harbor provides flexibility around how the VBE assumes full financial risk from a payor. Such flexibilities provide payors, VBEs, and VBE participants with options to structure arrangements that are consistent with the safe harbor and state laws. Nothing in these safe harbors preempts any applicable state law (unless such state law incorporates the Federal law by reference). Other safe harbors may be available to parties unable—by virtue of any state law requirements—to structure an arrangement that satisfies the conditions of this safe harbor.

Comment: A commenter suggested that we consider a new safe harbor or a fraud and abuse waiver for Medicare Advantage plans testing value-based arrangements. The commenter asserted that such a safe harbor or waiver would allow entities not otherwise eligible for protection under the value-based safe harbors to participate in value-based arrangements.

Response: We did not propose a safe harbor or a fraud and abuse waiver specific to Medicare Advantage plans, and thus we are not finalizing such safe harbor or waiver in this final rule. This safe harbor may be available to protect remuneration exchanged under certain Medicare Advantage plan arrangements, provided the plan enters into a contract or a value-based arrangement with a VBE pursuant to which the VBE assumes full financial risk from the plan. We also note that there may be other existing safe harbors not modified by this final rule that are available to protect financial arrangements involving a Medicare Advantage plan, such as paragraphs 1001.952(t) and (u), and the advisory opinion process remains available.

Comment: While a commenter expressed support for OIG’s and CMS’s consistent definitions of full financial risk, others requested that OIG finalize a full financial risk safe harbor that further aligns with CMS’s parallel full risk exception. These commenters generally urged OIG and CMS to impose the same risk thresholds and requirements for purposes of the full financial risk safe harbor and the CMS full risk exception.

Response: As with the OIG Proposed Rule, in this final rule, we have endeavored to align our full financial risk safe harbor to the greatest extent possible with CMS’s full risk exception. The definition of “full financial risk” we are finalizing is more closely aligned with the definition of “full financial risk” that CMS is finalizing in its full risk exception. However, reflecting statutory differences that exist between the Federal anti-kickback statute and the physician self-referral law, explained further in section III.A.1, the full financial risk safe harbor differs from CMS’s full risk exception. For example, in recognition of the statutory differences between the two laws, the safe harbor includes conditions that differ from those in CMS’s parallel exception, such as the requirement that the value-based arrangement be set forth in writing and that the VBE provide or arrange for a quality assurance program for services furnished to the target patient population.

b. Definitions

i. Full Financial Risk

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(9)(i) that a VBE would be at “full financial risk” for the cost of care of a target patient population if the VBE is financially responsible for the cost of all items and services covered by the applicable payor for each patient in the target patient population and is prospectively paid by the applicable payor.

Summary of Final Rule: We are finalizing, with modifications, a definition of “full financial risk” at paragraph 1001.952(gg)(9)(i). The modifications, based on public comments, provide parties with additional flexibility in the manner in which the VBE assumes risk from the applicable payor. The definition of “full financial risk” now requires the VBE to be at risk on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year. “Prospective basis,” as defined at paragraph 1001.952(gg)(9)(ii), means the VBE has assumed financial responsibility for the cost of all items and services covered by the applicable payor prior to the provision of items and services to patients in the target patient population.

Comment: While at least one commenter supported the definition of “full financial risk,” as proposed, the vast majority of commenters recommended that we revise the definition to encompass arrangements where the VBE assumes risk for less than all of the items and services covered by the applicable payor. For example, many commenters recommended that the VBE be required to have risk only for “substantially all” items and services furnished to the target patient population, which commenters suggested could be defined as 75 percent of such items and services. Other commenters requested that full financial risk include assuming risk for a much more specifically defined set of services (e.g., hospital inpatient and outpatient care or ongoing services related to breast care). Other commenters asked OIG to carve out certain high-cost or specialty items and services (e.g., organ transplants or pharmacy benefits) or new technologies that were not incorporated into rate calculations from the scope of items and services for which a VBE must be at risk.

Some commenters requested that the definition of “full financial risk” include risk only for all of the items and services required to treat a particular disease or condition or an episode of care (e.g., risk for all of the items and services required to treat diabetes for patients with diabetes in the target patient population or an episode of care for a knee replacement). Another commenter asked OIG to permit partial capitation arrangements and, lastly some commenters contended that full financial risk should include risk for only the items and services to which the remuneration relates. Many of these commenters asserted that VBE participants would still be incentivized to maximize quality and efficiency of care even where the VBE assumes risk for less than all items and services provided to the target patient population by the applicable payor.

Response: We are finalizing a definition of “full financial risk” that requires the VBE to be at risk on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year. We decline to extend safe harbor protection under this safe harbor where a VBE has assumed risk for only a subset of items and services, such as for 75 percent of items and services, for all items and services except certain high-cost or specialty items and services, or for only the items and services to which the remuneration relates, although we note that the substantial downside financial risk safe harbor may be available for such arrangements. Additionally, a VBE could assume full financial risk for patients with a particular disease condition (e.g., patients with diabetes) by selecting a target patient population comprised only of patients with diabetes, but the VBE must cover all items and services for those patients. Therefore, while a VBE must be at risk for all items and services furnished to the target patient population, the VBE can limit the number of patients for whom it assumes full financial risk through its selection of the target patient population, as long as the VBE selects the target patient population using legitimate and verifiable criteria, among other requirements.

In light of the significant flexibility we are offering under this safe harbor, we believe the risk level we are requiring for VBEs is necessary to reduce traditional fraud and abuse concerns associated with payment systems that incorporate, in whole or in part, fee-for-service reimbursement methodologies. While we appreciate the challenges associated with assuming risk for certain high-cost or specialty items and services or new technologies, VBEs may address such challenges through arrangements to protect against catastrophic losses, such as risk-adjustment or reinsurance agreements, without losing safe harbor protection.

Comment: Some commenters asked OIG to clarify whether the VBE and its VBE participants can collectively be at risk for items and services to the target patient population, such as by each VBE participant being at risk only for the services it provides.

Response: A value-based enterprise is a collection of two or more VBE participants. As such, some or all of the VBE participants that comprise the VBE can combine their respective risk to satisfy the definition of “full financial risk” as long as the VBE participants’ collective risk amounts to risk for all items and services covered by the applicable payor for the target patient population.

Comment: A physicians’ trade organization expressed concern that smaller practices that attempt to assume too much risk could result in the closures of community practices and consolidation. Another commenter highlighted that there may be substantial up-front investments that can strain any physician practice’s limited resources but can be particularly challenging for small, rural, or underserved practices with smaller patient pools to spread risk.

Response: We recognize that the full financial risk safe harbor requires a level of risk that many in the health care industry may not currently be able to assume. For parties seeking protection for remuneration exchanged pursuant to risk arrangements requiring a lower level of risk, the substantial downside financial risk safe harbor or the care coordination arrangements safe harbor may be available. This safe harbor does not require small, rural, or community practices or practices serving underserved populations to assume full financial risk or make substantial up-front investments on their own. Parties have flexibility in establishing a VBE, which must have at least two VBE participants but can have any number of additional VBE participants. We believe the “VBE participant” definition and the safe harbors in this final rule provide small, rural, and community practices and practices serving underserved populations options to enter into arrangements to assume higher levels of risk without having to integrate practices or become part of a larger health care system.

Further, we believe that establishing a VBE with other providers, either similarly situated entities or larger entities, could help practices (including small, rural, and community practices) take on more risk and mitigate potential financial shocks. As value-based arrangements continue to proliferate, we believe there may be opportunities for these types of practices to form VBEs, take on risk, and potentially have success in reducing costs and coordinating care.

Comment: Commenters requested that the definition of “full financial risk” expressly include payments based on global budgets, as well as capitation and other alternative payment methodologies.

Response: While the definition of “full financial risk” does not expressly list global budget or capitation payment methodologies as permissible payment methodologies, we confirm that such prospective payment methodologies would satisfy the definition of “full financial risk” as long as the global budget or capitation payments covered the cost of all items and services covered by the applicable payor for the target patient population for a term of at least 1 year. Without additional detail related to the alternative payment methodologies referenced by the commenter, we are unable to opine on whether such payment methodologies would meet the definition of “full financial risk.” Parties also may request an advisory opinion from OIG to determine whether an arrangement meets the definition of “full financial risk” and the conditions of the full financial risk safe harbor or is otherwise sufficiently low risk under the Federal anti-kickback statute to receive prospective immunity from administrative sanctions by OIG.

Comment: A commenter requested that OIG explain why the proposed definition of “full financial risk” required that the payor prospectively pay the VBE.

Response: We proposed a definition of “full financial risk” that required prospective payment, and we stated in the OIG Proposed Rule that we interpreted “prospective” to mean the anticipated cost of all items and services covered by the applicable payor for the target patient population had been both determined and paid in advance (as opposed to billing under the otherwise applicable payment systems and undergoing a retrospective reconciliation after items and services have been furnished). In this final rule, we are revising the definition of full financial risk to require risk on a prospective basis and defining “prospective basis” to mean the VBE has assumed financial responsibility for the cost of all items and services covered by the applicable payor prior to the provision of items and services to patients in the target patient population. As such, the VBE no longer needs to be prospectively paid by the applicable payor prior to the provision of items and services to each patient in the target patient population. Instead, the VBE must simply assume financial responsibility prior to the provision of items and services.

We are requiring the assumption of risk on a prospective basis not only in recognition of the additional flexibilities under the Federal anti-kickback statute that this safe harbor affords but also because risk assumption can serve to limit the potential harms that may result from financial incentives inherent to fee-for-service payments systems, such as overutilization and skewed medical decision-making. For example, if providers know the amount of reimbursement they will receive for providing items and services to the target patient population before providing such items and services, then the providers may be less likely to order excessive tests or otherwise provide unnecessary items and services to the patients.^[54]

Comment: We received various comments regarding how a payor could transfer risk to the VBE. For example, a commenter requested confirmation that the payor and VBE could engage in retrospective reconciliations. Another commenter asserted that OIG should add language to the safe harbor stating that risk, both at the enterprise level and at the VBE participant level, can be through front-end withholds or dues assessments and need not be through a back-end repayment. A commenter further asked whether, as long as the payment covers a particular period, the payor could pay the VBE at the end or in the middle of the coverage period.

Response: Under the revised definition of “full financial risk,” a payor could pay the VBE at any point in the coverage period and engage in retrospective reconciliations, as long as the VBE has assumed full financial risk for a term of at least 1 year prior to the provision of items and services to patients in the target patient population. We also are not dictating the manner in which the VBE exchanges remuneration with VBE participants, so a VBE could impose front-end withholds or dues assessments on VBE participants.

Comment: A commenter asserted that the OIG Proposed Rule’s proposed definition of “full financial risk” allowed a payor to make payments to physician practices to offset losses that the practices incurred.

Response: This safe harbor would not protect payments from a payor to a physician practice that is a VBE participant to offset losses the practice incurred because the safe harbor prohibits a VBE participant from claiming payment in any form from a payor for the items and services covered under the value-based arrangement. In other words, under the terms of this safe harbor, the VBE must assume full financial risk for the cost of all items and services covered by the applicable payor; this means that any claims submitted to a payor by a VBE participant related to such items and services—including a claim for payment to offset losses incurred—would fail this requirement. The VBE, however, may enter into reinsurance or other risk-adjustment arrangements and could address losses incurred by VBE participants by using reinsurance payments, for example, to reimburse VBE participants for such losses.

Comment: Many commenters appreciated OIG’s position that the definition of “full financial risk” would not prohibit a VBE from entering into arrangements to protect against catastrophic losses. Multiple commenters requested guidance on the risk mitigation terms that full-risk arrangements can include while satisfying the requirements of the safe harbor, including whether there is a particular threshold on the amount of loss coverage. A commenter specifically asked whether incentive arrangements requiring stop-loss protection to meet existing physician incentive regulations in Federal health care programs would qualify as protecting against catastrophic losses under the full financial risk safe harbor.

Response: We are not imposing a specific limit on the amount of loss coverage a VBE may have, but as we stated in the OIG Proposed Rule, we would expect any stop-loss or other risk adjustment arrangements to act as protection for the VBE against catastrophic losses and not as a means to shift material financial risk back to the payor. Whether stop-loss protection required by the existing physician incentive regulations would be appropriate stop-loss protection for a VBE assuming risk pursuant to this safe harbor may depend on a number of factors, including the structure of the VBE, scope of the target patient population, and items and services covered by the applicable payor.

Comment: A commenter expressed concern that, because the proposed definition of “full financial risk” requires the assumption of risk for the cost of all items and services covered by the applicable payor, it would by default necessitate the involvement of hospitals as VBE participants. The commenter appeared to believe that this would lead to further consolidation of the health care industry.

Response: It is not the intent of this rule to foster industry consolidation. Rather, this rule aims to increase options for parties to create a range of innovative arrangements eligible for safe harbor protection. The safe harbor does not require all parties providing items and services to the target patient population to be VBE participants and thus does not require the VBE to enter into value-based arrangements with all such parties. For example, a VBE may enter into a services contract with a hospital that is not a VBE participant for the provision of items and services to the target patient population, although we note that the VBE must be at risk from the payor for the items and services provided by such hospital to the target patient population.

Accordingly, we do not view a hospital’s participation in a value-based arrangement as a driver of industry consolidation; rather, we view the voluntary nature of a hospital’s participation, as well as the voluntary participation of all other individuals or entities in a value-based arrangement, as facilitating collaboration and the transition to value-based care. Individuals and entities are not required to integrate their practices or corporations to meet the definition of “VBE,” to be a VBE participant, or to rely on this safe harbor. These definitions provide individuals and entities flexibility to determine how best to structure a VBE and the associated value-based arrangements to meet value-based purposes. VBEs and VBE participants that assume full financial risk from a payor and enter into value-based arrangements that meet the conditions of this safe harbor likely require different, more closely coordinated arrangements than VBEs and VBE participants that rely on the care coordination arrangements safe harbor. However, both sets of entities have flexibility to determine with what types of VBE participants to work and what types of arrangements work best.

ii. Items and Services

Summary of OIG Proposed Rule: We proposed to define “items and services” at paragraph 1001.952(gg)(9)(ii) as having the same meaning as that set forth in paragraph 1001.952(t)(2)(iv).

Summary of Final Rule: We are finalizing, with modification, the proposed definition of “items and services” at paragraph 1001.952(gg)(9)(iii) to mean health care items, devices, supplies, and services.

Comment: A commenter expressed concern that the proposed definition of “items and services” would inadvertently exclude arrangements that the health care industry views as full risk because “items and services” was defined to include services reasonably related to the provision of health care items, devices, supplies, or services, including, but not limited to, non-emergency transportation, patient education, attendant services, social services (e.g., case management), utilization review and quality assurance. According to the commenter, the scope of “items and services” could add significant potential costs to parties seeking protection under the safe harbor. The commenter recommended that OIG revise the definition of “items and services” to include covered medical items and services but not items and services more in the nature of optional supplemental benefits.

Response: In response to the commenter’s concerns, we are modifying the proposed definition of “items and services” to mean only health care items, devices, supplies, and services. We are no longer cross-referencing and incorporating the definition of “items and services” found in paragraph 1001.952(t)(2)(iv). Thus, a VBE may assume risk for items and services reasonably related to the provision of health care items, devices, supplies, or services such as non-emergency transportation, patient education, and social services (as provided for in the definition of “items and services” found in paragraph 1001.952(t)(2)(iv)), but doing so is no longer a safe harbor requirement.

The scope of items and services for which a VBE must be at risk depends on the items and services covered by the payor. We recognize that, across the health industry, what constitutes full risk for health care items, devices, supplies, and services varies greatly from program to program and plan to plan, and we have tailored this safe harbor requirement accordingly. For example, Medicare Advantage generally does not cover items and services for long-term care at nursing facilities, but Medicaid does. This safe harbor does not change the scope of items and services a payor must cover in order for a VBE to meet the definition of “full financial risk.”

As we explained in the OIG Proposed Rule, a VBE would be at “full financial risk” if it contracts or enters into a value-based arrangement with a Medicaid managed care organization and receives a fixed per-patient per-month amount to be at full financial risk if the fixed amount covered the cost of all items and services covered by the Medicaid managed care plan and furnished to the target patient population. Similarly, we would consider a VBE to be at “full financial risk” if it contracts or enters into a value-based arrangement with a Medicare Advantage plan to receive a prospective, capitated payment for all items and services covered by the Medicare Advantage plan for a target patient population. Under this safe harbor, we are not protecting partial capitated arrangements that require the VBE to assume risk for only a limited set of items and services.

Parties may utilize OIG’s advisory opinion process to determine whether an arrangement meets the conditions of this safe harbor or is otherwise sufficiently low risk under the Federal anti-kickback statute to receive prospective immunity from administrative sanctions by OIG.

Comment: While recognizing that the proposed definition of “full financial risk” ties risk to payor coverage, a commenter requested that OIG explicitly state the extent to which medication costs may be included in the items and services for which a VBE must be at risk under the safe harbor. Another commenter stated that, if prescription drugs are included in the definition of all items and services for purposes of the full financial risk safe harbor, it is important that pharmaceutical manufacturers be eligible to participate in the VBE.

Response: To the extent the payor with which the VBE contracts to assume full financial risk covers prescription drugs, the VBE’s risk must encompass prescription drugs. The definition of “full financial risk” requires that the VBE assume financial responsibility on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population. Conversely, if the contracting payor does not cover prescription drugs, the VBE does not need to assume risk for such costs.

While we recognize that prescription drugs may be included in the definition of “full financial risk,” manufacturers of a drug or biological remain ineligible to give or receive protected remuneration under this safe harbor as finalized here. Such parties may be VBE participants, but they cannot exchange remuneration protected by this safe harbor. We refer readers to the section of this final rule addressing the definition of “VBE participant” for a discussion of our rationale.

iii. Other Defined Terms

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(gg)(9) that the terms “coordination and management of care,” “target patient population,” “value-based activity,” “value-based arrangement,” “value-based enterprise,” “value-based purpose,” and “VBE participant” would have the meaning set forth in proposed paragraph 1001.952(ee).

Summary of Final Rule: We are finalizing, with modifications, our proposed use of the value-based terminology at paragraph 1001.952(gg)(9)(iv). We no longer use the term “coordination and management of care” in this safe harbor. Additionally, because paragraph 1001.952(gg)(1) makes certain entities ineligible to use the value-based safe harbors, we are finalizing the term “manufacturer of a device or medical supply,” with the same meaning set forth in paragraph 1001.952(ee)(14).

c. Entities Ineligible for Safe Harbor Protection

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(ee) to limit the entities that could qualify as VBE participants, which would have the effect of limiting availability of the value-based safe harbors, including the full financial risk safe harbor at proposed paragraph 1001.952(gg), for those ineligible entities. The proposed definition of “VBE participant” is summarized more fully in section III.B.2.e of this preamble.

Summary of Final Rule: We are not finalizing our proposal in proposed paragraph 1001.952(ee) to limit the entities that could qualify as VBE participants. As explained at section III.B.2.e, in the final rule we are identifying parties ineligible to rely on safe harbors in the safe harbors themselves. For the full financial risk safe harbor, we are finalizing a requirement that remuneration is not exchanged by any of the following entities: (i) Pharmaceutical manufacturers, wholesalers, and distributors; (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of devices or medical supplies; (vi) entities or individuals that manufacture, sell, or rent DMEPOS (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services, all of whom remain eligible); and (vii) medical device distributors or wholesalers that are not otherwise manufacturers of devices or medical supplies. This list, set forth at paragraph 1001.952(gg)(1), effectuates proposals in the OIG Proposed Rule to make these entities ineligible to use this safe harbor for the exchange of remuneration pursuant to a value-based arrangement.

Comments, our responses, and policy decisions regarding this issue can be found in the discussion of VBE participants in section III.B.2.e of this preamble.

d. VBE’s Assumption of Risk From a Payor

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(1)that the VBE must assume full financial risk from a payor. We proposed that VBEs could assume full financial risk directly from a payor or through a VBE participant acting on behalf of the VBE.

Summary of Final Rule: We are finalizing this requirement at paragraph 1001.952(gg)(2), with the following modifications. First, VBEs have two options to assume full financial risk from a payor. A VBE can assume risk from the payor through an arrangement that meets the definition of “value-based arrangement,” or a VBE can assume risk from a payor through a contract that places the VBE at full financial risk.

The first option for risk arrangements requires the payor to be a VBE participant, which is permitted under our final definition of “VBE participant.” The payor (as a VBE participant) and the VBE can enter into a value-based arrangement for the VBE to assume full financial risk. As we proposed and are finalizing in this rule, the introductory paragraph to 1001.952(gg) protects remuneration exchanged pursuant to a value-based arrangement. Therefore, remuneration exchanged pursuant to a payor’s and a VBE’s value-based arrangement could be protected by this safe harbor, including remuneration exchanged to implement the full financial risk methodology, if the value-based arrangement meets all applicable conditions of the safe harbor.

Under the second option, payors that do not wish to be part of the VBE may choose to enter into a written contract with the VBE that is not a value-based arrangement for the purposes of the VBE’s assumption of full financial risk. Under this option, payors would not be VBE participants, the written contract between the payor and the VBE would not be a value-based arrangement, and the payor would not be subject to the other conditions of the safe harbor. In such circumstances, these contracts must only meet the condition at paragraph 1001.952(gg)(2), i.e., they must evidence the VBE’s assumption of full financial risk from the payor. Remuneration exchanged pursuant to a risk assumption contract that is not a value-based arrangement is not protected by this safe harbor. The VBE and the payor would need to assess any potential remuneration exchanged pursuant to the risk arrangement contract and its compliance with the Federal anti-kickback statute.

To enable the payor and VBE to use this safe harbor to protect remuneration exchanged pursuant to their value-based arrangement, we are providing at paragraph 1001.952(gg)(4) of the safe harbor that, even though the payor is a VBE participant, the payor is exempt from the prohibition against a VBE participant claiming payment in any form from the payor for items or services covered under the value-based arrangement.

We are also modifying this requirement to clarify that the payor cannot act on behalf of the VBE; the VBE must be a distinct legal entity or represented by a VBE participant, other than a payor, that acts on the VBE’s behalf.

We summarize and respond to comments regarding this proposed condition as applied only to the full financial risk safe harbor below. For a summary of the comments received regarding the requirement that a VBE assume financial risk from a payor pursuant to a value-based arrangement, in both the substantial downside financial risk and full financial risk safe harbors and our responses, we refer readers to the discussion of this condition in the substantial downside financial risk safe harbor at section III.B.4.d.

Comment: Commenters requested that OIG clarify that payors can act on behalf of the VBE to assume full financial risk.

Response: We are revising the regulatory text in response to these comments to clarify that a single VBE participant may act on behalf of the VBE to assume full financial risk from a payor, provided it is not itself a payor. That is, the agent of the VBE and the payor from which the VBE is assuming full financial risk from may not be the same entity.

Comment: Multiple commenters expressed concern that, because Indian health care is compensated through Indian Health Service appropriations and the Medicare, Medicaid, and CHIP programs, Indian health care providers could not be risk-bearing entities, as required in the proposed full financial risk safe harbor.

Response: It is possible that Indian health care providers might not be risk-bearing entities for purposes of this safe harbor; that would be a programmatic matter outside the scope of this rulemaking. There may be other providers of varying types that are not able to, or choose not to, meet the requirements of this safe harbor. This would not foreclose Indian health care providers or other providers from engaging in care coordination arrangements and seeking safe harbor protection under the care coordination arrangements safe harbor at paragraph 1001.952(ee), which does not require the assumption of any risk (but is available for risk-bearing arrangements), or other available safe harbors, such as the safe harbor for personal services and management contracts and outcomes-based payments at paragraph 1001.952(d). Moreover, the fact that an arrangement does not fit in a safe harbor does not make the arrangement unlawful. The OIG advisory opinion process is also available for providers seeking a legal opinion regarding their arrangements.

Comment: A commenter requested that the safe harbor not be limited to items and services covered by a particular payor, but rather extended to all items and services provided to a VBE participant’s patients, regardless of payor. For example, the commenter requested that the safe harbor protect risk-based arrangements between a health system and providers where the VBE assumes risk for all of the providers’ patients, regardless of the patients’ payors.

Response: A VBE could assume full financial risk for all of the items and services provided to all of a VBE participant’s patients, provided the VBE and VBE participant have defined the target patient population to include all of the VBE participant’s patients, and if the VBE participant’s patients are insured by multiple payors, the VBE has assumed full financial risk from each payor that insures a patient who is part of the target patient population. The risk that a VBE assumes is not limited to the items and services covered by the applicable payor that a VBE participant provides (e.g., only the items and services provided by the health system); rather, the VBE’s risk encompasses all items and services covered by the applicable payor, regardless of whether a VBE participant or another provider provides such items and services.

e. Phase-In Period

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(1) that the full financial risk safe harbor would protect remuneration exchanged pursuant to value-based arrangements between a VBE and a VBE participant where the VBE is contractually obligated to assume full financial risk in the next 6 months. We solicited comments on whether such lead time should be shorter or longer.

Summary of Final Rule: We are finalizing, with modification, a protected “phase-in” period at paragraph 1001.952(gg)(2). In response to comments requesting a longer phase-in period, we are extending the protected phase-in period for parties that have entered into a contract or a value-based arrangement to assume full financial risk from the proposed 6 months to 1 year.

In contrast to the substantial downside financial risk safe harbor, we believe an extended 1-year phase-in period is warranted where a VBE is preparing to assume full financial risk for the total cost of items and services covered by the applicable payor for the target patient population.

We refer readers to the substantial downside financial risk safe harbor section at III.B.4.e regarding the phase-in requirement for a summary of comments we received on this phase-in period, and our responses, as applicable to both the substantial downside financial risk safe harbor and full financial risk safe harbor and for a more detailed discussion of this standard. We did not receive comments regarding the phase-in period specific to the full financial risk safe harbor. Among other comments, commenters recommended a 1-year phase-in period for both safe harbors.

f. Writing

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(2) that the parties to the value-based arrangement must set forth the material terms of the value-based arrangement in a signed writing that includes the value-based activities to be undertaken by the parties. At proposed paragraph 1001.952(gg)(1), we proposed that the VBE have a signed writing with the payor that specifies the target patient population and contains terms evidencing the VBE’s full financial risk.

Summary of Final Rule: We are finalizing, with modification, a writing requirement for value-based arrangements at paragraph 1001.952(gg)(3). The modification, based on public comments, clarifies that the writing requirement can be satisfied by a collection of documents. The writing requirement now states that the value-based arrangement must be set forth in writing, signed by the parties, and specify all material terms, including the value-based activities and the term. This writing requirement does not apply to contracts between a VBE and a payor that are not value-based arrangements.

For further discussion of and responses to the general comments we received regarding a writing requirement, we refer readers to section III.B.3.d that discusses the writing requirement for purposes of the care coordination arrangements safe harbor. The general comments addressed aspects of the writing requirement that were common to all three value-based safe harbors. In this section, we discuss only the comments specific to the proposed full financial risk safe harbor’s writing requirement.

Comment: A commenter asked OIG to clarify whether, to the extent parties have multiple value-based arrangements for which they are seeking protection under this safe harbor, each value-based arrangement must be set forth in separate writings or whether one agreement could suffice.

Response: This safe harbor, like the substantial downside financial risk safe harbor, does not dictate the manner in which parties document their value-based arrangements. For example, a VBE could choose to document the value-based arrangement it entered into with a payor and the value-based arrangement it entered into with a downstream VBE participant in a single writing; alternatively, it could maintain two separate writings for the two distinct value-based arrangements.

g. 1-Year Minimum Term of Value-Based Arrangement

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we proposed in paragraph 1001.952(gg)(2) to require that the term of the value-based arrangement be for a period of at least 1 year.

Summary of Final Rule: We are not finalizing this proposed requirement.

Comment: A few commenters opposed the proposed requirement that the term of the value-based arrangement be for at least 1 year, with one commenter asserting that a value-based arrangement term requirement could impose unnecessary obstacles to beneficial innovation. Commenters also asked whether an arrangement would meet this requirement of the safe harbor if the parties terminate the arrangement during the first year but do not enter into a substantially similar arrangement until the expiration of the first year.

Response: We are not finalizing the proposed requirement that the term of the value-based arrangement be for a period of at least 1 year. We believe the requirement for a VBE to assume full financial risk from the payor for a period of at least 1 year is a sufficient safeguard against gaming without also requiring the value-based arrangement to have a 1-year minimum term. Parties must still document the term of their value-based arrangement as a condition of meeting this safe harbor’s writing requirement.

h. Remuneration Used To Engage in Value-Based Activities

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(4)(i) to require that the remuneration exchanged be used primarily to engage in the value-based activities set forth in the parties’ signed writing.

Summary of Final Rule: We are not finalizing this proposed requirement.

Comment: A commenter asked whether, given the requirement that remuneration must be used primarily to engage in value-based activities, all activities of an integrated delivery system subject to global budget arrangements, either upstream or downstream, will relate to the value-based activities for the target patient population. Another commenter requested that we interpret this requirement to mean that, if substantially all of an integrated delivery system’s activities include the assumption of financial risk for all services, the remaining incidental activities and associated remuneration among VBE participants also would be protected.

Response: We are not finalizing the proposed requirement that all remuneration exchanged pursuant to the full financial risk safe harbor be used primarily to engage in value-based activities for the target patient population. We intended this proposed condition to safeguard against the exchange of remuneration to inappropriately induce referrals. However, based on comments received to this safe harbor and the substantial downside financial risk safe harbor (as detailed in section III.B.4.f), we do not think this safeguard is necessary in the full financial risk safe harbor, given this safe harbor’s unique combination of safeguards, and in particular, the requirement that the VBE assume full financial risk from a payor for a target patient population and the safe harbor’s limitation on exchanges of remuneration to those between the VBE and a VBE participant. For purposes of the substantial downside financial risk safe harbor, we addressed this issue more narrowly, excluding monetary remuneration exchanged pursuant to a risk methodology that meets the definition of “substantial downside financial risk” or “meaningful share” from the requirement that remuneration exchanged be used predominantly to engage in value-based activities. However, for the reasons set forth above, we believe a more flexible approach is warranted in this safe harbor, and we are not finalizing the proposed condition.

With respect to the comment regarding safe harbor protection for incidental activities and associated remuneration where substantially all of an entity’s activities include the assumption of financial risk for all services, we note that the value-based safe harbors do not protect business models or necessarily all activities and remuneration flowing under, for example, an integrated delivery system. Rather, the full financial risk safe harbor, like the other value-based safe harbors, protects discrete streams of remuneration exchanged pursuant to a value-based arrangement, and parties would need to evaluate each stream separately to assess compliance with the Federal anti-kickback statute, and as applicable, any available safe harbor.

i. Direct Connection to Value-Based Purposes

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(4)(ii) to require that the remuneration be directly connected to one or more of the VBE’s value-based purpose(s), at least one of which must be the coordination and management of care for the target patient population. We proposed that this condition would be interpreted consistent with the similar condition in the care coordination arrangements safe harbor.

Summary of the Final Rule: We are finalizing, with modification, the requirement that remuneration exchanged between the VBE and a VBE participant under this safe harbor be connected to one or more value-based purposes at paragraph 1001.952(gg)(5)(i). Based on public comment, we are modifying the provision to remove the requirement that all remuneration be connected to the purpose of coordinating and managing care for the target patient population.

Comment: Commenters asked for examples of the types of arrangements the safe harbor could protect, and a commenter specifically asked whether the safe harbor would protect fee-for-service payments, bonus payments based on quality outcomes, or both from a VBE to a VBE participant. A commenter also asked whether a VBE could give remuneration to an owner of the VBE, where the owner is a VBE participant.

Response: This safe harbor could protect arrangements for bonus payments based on quality outcomes or shared savings and losses arrangements, among other types of payment arrangements, as long as all requirements of the safe harbor are satisfied, including the requirement that the remuneration exchanged must be directly connected to one or more value-based purposes. With respect to the commenter’s question about fee-for-service payment, this safe harbor does not dictate the manner of payment between the VBE and the VBE participant for items and services rendered to the target patient population. Provided the VBE has assumed full financial risk from a payor and the VBE participant does not claim payment from the payor for the items and services furnished to the target patient population, the VBE could pay the VBE participant on a fee-for-service basis.

Whether a VBE could give remuneration to an owner of the VBE, where the owner is a VBE participant, is a fact-specific determination. While the safe harbor, by its terms, does not preclude remuneration exchanged between a VBE and an owner of the VBE where the owner is a VBE participant, we highlight that this safe harbor does not protect an ownership or investment interest in the VBE or any distributions related to an ownership or investment interest.

Unlike the similar requirement in the other value-based safe harbors, we are not requiring a direct connection to any specific value-based purpose under this safe harbor. This safe harbor is designed to protect the broadest scope of remuneration, and some remuneration may be more closely connected to one of the other value-based purposes. Therefore, we are providing more flexibility for a VBE assuming full financial risk to determine the value-based purpose(s) to which the exchange of remuneration is directly connected. This includes remuneration exchanged pursuant to a value-based arrangement between the VBE and the payor (as a VBE participant) that effectuates the VBE’s assumption of full financial risk from the payor. For a summary of comments received regarding the requirement for a direct connection to the coordination and management of care and further discussion of this requirement as proposed in the care coordination arrangements safe harbor, the substantial downside financial risk safe harbor, and the full financial risk safe harbor, we refer readers to the applicable section of this final rule for each safe harbor.

j. No Reduction in Medically Necessary Items or Services

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(4)(iii) to require that remuneration must not induce the VBE or VBE participants to reduce or limit medically necessary items or services furnished to any patient. We proposed to interpret this condition consistent with the similar condition proposed in the care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(gg)(6). The modification provides that the value-based arrangement (not merely the remuneration exchanged) may not induce the VBE or VBE participants to reduce or limit medically necessary items or services furnished to any patient.

For a summary of comments received and our responses regarding this condition, as proposed in each of the value-based safe harbors, we refer readers to the care coordination arrangements and substantial downside financial risk safe harbor sections discussing this requirement at III.B.3.e and III.B.4.h, respectively.

k. Taking Into Account the Volume or Value of, or Conditioning Remuneration on, Business or Patients Not Covered Under the Value-Based Arrangement

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(5) that the VBE or VBE participant offering the remuneration could not take into account the volume or value of, or condition the remuneration on, referrals of patients outside of the target patient population or business not covered under the value-based arrangement. This proposed safeguard is identical to that included in the proposed care coordination arrangements and substantial downside financial risk safe harbors.

Summary of Final Rule: We are finalizing, without modification, this condition, and relocating it to paragraph 1001.952(gg)(7). Comments received on this topic addressed the requirement as it applied to the value-based safe harbors generally; we did not receive separate comments on this requirement specific to this safe harbor. Consequently, we refer readers to the care coordination arrangements safe harbor section regarding this requirement at III.B.3.f for a summary of applicable comments, our responses, and a more detailed discussion of this standard.

l. Offer or Receipt of Ownership or Investment Interests

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(4)(iv) that the full financial risk safe harbor would not protect an ownership or investment interest in the VBE or any distributions related to an ownership or investment interest, and we solicited comments on this approach and, in particular, any operational challenges this approach might present.

Summary of Final Rule: We are finalizing, without modification, this condition and relocating it to paragraph 1001.952(gg)(5)(ii).

Comment: Similar to the substantial downside financial risk safe harbor, several commenters opposed this condition or, alternatively, requested that OIG clarify that it does not intend to prohibit VBE participants from establishing a corporate structure for a VBE in which participants may each receive some equity. A commenter asserted that, without modifying or clarifying OIG’s approach to protecting an ownership or investment interest in the VBE or any distributions related to an ownership or investment interest, the safe harbor would unnecessarily restrict individuals and entities from dictating the corporate structure of the VBEs they elect to create. Another commenter stated that the safe harbor should protect ownership or investment interests where payors require that only a single entity, as opposed to a collection of entities, enter into the full financial risk arrangement.

Response: We do not view protection for ownership or investment interests in a VBE as fundamental to parties entering into value-based arrangements under this safe harbor and decline to protect them under this safe harbor. We are concerned that, were we to protect such remuneration streams, such protection would serve only to align financial interests of the parties without benefitting the payor or target patient population. Remuneration in the form of ownership or investment interests presents a higher risk that offers of investment interests or returns on investment will be for the purpose of inducing referrals, without attendant care coordination, quality, or cost-reduction benefits related to the target patient population or the payor. Parties seeking to protect a particular ownership or investment interest may look to existing safe harbors (e.g., the safe harbor for investment interests found at paragraph 1001.952(a)), and the advisory opinion process remains available.

Regardless of whether a payor requires that a single entity, as opposed to a collection of entities, enter into a contract or a value-based arrangement to assume full financial risk, the safe harbor itself requires a single individual or entity to contract or enter into a value-based arrangement with the payor to assume full financial risk (e.g., the VBE may directly contract with the payor or a single VBE participant (other than a payor) may act on behalf of the VBE to contract with the payor). If a VBE participant that has assumed full financial risk as an agent of the VBE seeks to share its risk with other parties to the VBE, the safe harbor is available to protect such risk-sharing arrangements, provided they meet all requirements of the safe harbor.

m. No Remuneration From Individuals or Entities Outside the Applicable VBE

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(4)(v) that the full financial risk safe harbor would not protect any remuneration funded by, or otherwise resulting from contributions by, any individual or entity outside of the applicable VBE.

Summary of Final Rule: We are not finalizing this proposed requirement, based on concerns—raised by commenters in the context of the same provision in the care coordination arrangements safe harbor—that this condition could inadvertently restrict the exchange of beneficial remuneration that we intend to protect. While we are not finalizing this condition, we emphasize that remuneration exchanged outside of a value-based arrangement would not be protected by any of the value-based safe harbors. We did not receive separate comments on this requirement specific to this safe harbor. Consequently, we refer readers to the care coordination arrangements safe harbor and substantial downside financial risk safe harbor sections at III.B.3.e and III.B.4.j discussing this requirement for a summary of applicable comments, our responses, and a more detailed explanation of our rationale for not finalizing this standard.

n. Utilization Review and Quality Assurance Programs

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(6) that the VBE must provide or arrange for an operational utilization review program and a quality assurance program that protects against underutilization and specifies patient goals, including measurable outcomes, where appropriate. We noted that such proposed conditions would mirror those found in the managed care safe harbor at paragraph 1001.952(u) but explained that we were considering other ways to frame these proposed conditions to reflect the utilization review and quality assurance mechanisms in place today.

Summary of Final Rule: We are finalizing, with modifications, this proposed condition at paragraph 1001.952(gg)(8). Based on public comment, the modifications afford parties additional flexibility in conducting quality and utilization reviews. Specifically, VBEs seeking protection under this safe harbor must provide or arrange for a quality assurance program for services furnished to the target patient population that: (i) Protects against underutilization of items and services furnished to the target patient population; and (ii) assesses the quality of care furnished to the target patient population. We are not finalizing the proposed requirement to have an operational utilization review program.

Comment: Some commenters supported our proposal to require the VBE to provide or arrange for an operational utilization review program and a quality assurance program, while another commenter requested that OIG reconsider this requirement, stating that VBEs are not the equivalent of a managed care organization and that operational utilization review programs and quality assurance programs are robust, expensive programs that require significant lead time to implement. A couple of commenters asked OIG to explain the term “operational,” and a commenter specifically asked whether a utilization review program that is used only on an annual basis would be considered “operational.” Another commenter asked whether an existing utilization review program of a contracting payor or provider would meet this requirement.

Response: We are revising the terminology used in order to afford parties additional flexibility consistent with our intent that a VBE provide or arrange for a program to protect against underutilization and specify patient goals. Specifically, VBEs must provide or arrange for a quality assurance program for services furnished to the target patient population that: (i) Protects against underutilization of items and services furnished to the target patient population; and (ii) assesses the quality of care furnished to the target patient population. Such a quality assurance program may include an operational utilization review program and specify patient goals; however, an operational utilization review program is no longer a requirement. Pursuant to this revised standard, parties may determine what activities and mechanisms are most suitable to assess the quality and appropriateness of care furnished to the target patient population, provided such mechanisms meaningfully protect against underutilization and assess the quality of care furnished to the target patient population.

The flexibility we are providing to parties is in recognition that VBEs may be subject to varying requirements related to quality assurance programs based on State law or the terms of its value-based arrangement with the payor. Notwithstanding this additional flexibility, as with the condition proposed in the OIG Proposed Rule, this revised requirement effectuates our intent that a VBE provide or arrange for a program to protect against underutilization and specify patient goals.

In response to commenters’ specific inquiries, we acknowledge that, even with the additional flexibility afforded by our revisions to this condition, quality assurance programs are robust and potentially expensive undertakings. Thus, we are highlighting that this condition does not mandate that VBEs establish such review programs themselves; the VBE may also arrange for such programs. For example, VBEs may look to payors with which they are contracting or entering into value-based arrangements to assume full financial risk to share, or fully assume, this responsibility. In such circumstances, the VBE may reasonably rely on the payor’s existing quality assurance program infrastructure provided it meets all safe harbor requirements.

o. No Marketing of Items or Services or Patient Recruitment Activities

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(7) to exclude safe harbor protection for remuneration exchanged pursuant to a value-based arrangement that included marketing items or services to patients or engaging in patient recruitment activities. We proposed to interpret this condition consistent with our interpretation of this same proposed requirement in the care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing, with modifications, the limitation on marketing and patient recruitment at paragraph 1001.952(gg)(5)(iii). Rather than prohibiting all marketing and patient recruitment activities, we modified the provision to prohibit the exchange or use of remuneration for the purpose of marketing items or services furnished by the VBE or VBE participants to patients or for the purpose of patient recruitment activities. We received only one comment on this requirement specific to this safe harbor, detailed below. We refer readers to the care coordination arrangements safe harbor’s discussion regarding this requirement at section III.B.3.j for a summary of applicable comments, our responses, additional explanation regarding this standard, and a rationale for the modification we are making.

Comment: Without further explaining its position, a commenter stated that there is no need for any marketing or patient recruitment limitations in the full financial risk safe harbor.

Response: Consistent with the other value-based safe harbors, we have modified the marketing requirement to be more limited in scope but to preclude protection for remuneration exchanged or used for the purpose of marketing items or services furnished by the VBE or a VBE participant to patients or patient recruitment activities. Although we agree that the VBE’s assumption of full financial risk generally warrants greater flexibility in this safe harbor, we continue to believe that a prohibition on certain marketing and patient recruitment practices is an important fraud and abuse safeguard across all three value-based safe harbors for the reasons set forth in the discussion of the marketing condition in the care coordination arrangements safe harbor. In particular, with respect to the full financial risk safe harbor, we are concerned that remuneration under the value-based arrangement may be exchanged or used to engage in inappropriate patient recruitment activities to incentivize, for example, beneficiary enrollment in, or alignment to, a particular health plan.

p. Materials and Records

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(gg)(8) that the VBE or its VBE participants maintain documentation sufficient to demonstrate compliance with the safe harbor’s conditions and to make such records available to the Secretary upon request. We solicited comments regarding whether we should require parties to maintain materials and records for a set period of time (e.g., at least 6 years or 10 years). We proposed to interpret this requirement as described in the OIG Proposed Rule’s preamble discussing the proposed care coordination arrangements safe harbor.

Summary of Final Rule: We are finalizing, with modification, the materials and records requirement at paragraph 10001.952(gg)(9). The final rule includes new language to specify that, for a period of at least 6 years, the VBE or its VBE participants must maintain materials and records sufficient to establish compliance with the conditions of the safe harbor. We did not receive separate comments on this requirement specific to this safe harbor; the comments received related to the value-based safe harbors generally. Consequently, for a more detailed discussion and a summary of and responses to the comments received regarding this requirement, we refer readers to section III.B.3.n discussing the materials and records condition in the care coordination arrangements safe harbor.

q. Downstream Arrangements

Summary of OIG Proposed Rule: In the preamble, we noted that the proposed full financial risk safe harbor would apply only to remuneration exchanged between a VBE and a VBE participant pursuant to a value-based arrangement. We stated that the proposed safe harbor would not protect remuneration exchanged between or among VBE participants that are part of the same VBE, between a VBE participant and a downstream contractor, or between two downstream contractors. We explained that we were concerned about extending safe harbor protection to remuneration exchanged pursuant to these arrangements because the downstream parties may have assumed little or no financial risk, which could result in fee-for-service incentives, and therefore, a risk of overutilization or other traditional harms associated with fee-for-service payments. We solicited comments on a variety of alternate approaches to protecting remuneration exchanged pursuant to certain downstream arrangements (e.g., additional safeguards in either the full financial risk safe harbor or another safe harbor).

Summary of Final Rule: We are finalizing, without modification, the requirement that the exchange of remuneration must be between the VBE and a VBE participant in the introductory paragraph to 1001.952(gg). We are not extending safe harbor protection to remuneration that passes from one VBE participant to another VBE participant or a downstream contractor. As articulated in the substantial downside financial risk safe harbor section discussing downstream arrangements, we are limiting safe harbor protection to the exchange of remuneration between the VBE and a VBE participant because we believe it is important to provide the protection and regulatory flexibility the risk-based safe harbors afford only where the VBE is a party to the value-based arrangement. We are concerned that, without the VBE as a party, where neither party has assumed full financial risk and may continue to bill the applicable payor on a fee-for-service-basis, there is a heightened concern about traditional FFS fraud and abuse risks. We note that a VBE participant seeking to exchange remuneration with another VBE participant may look to the care coordination arrangements safe harbor or other safe harbors, such as the personal services and management contracts and outcomes-based payments safe harbor.

For a summary of the comments received regarding this limitation, our responses, and a detailed explanation regarding our decision not to extend this safe harbor to downstream arrangements, we refer readers to our discussion of the parallel provision in the substantial downside financial risk safe harbor in section III.B.4.p. We did not receive comments on this requirement specific to this safe harbor that diverged from the comments summarized in the section describing the parallel provision in the substantial downside financial risk safe harbor.

r. Potential Additional Safeguards

Summary of OIG Proposed Rule: We stated in the preamble that we were considering adopting two additional safeguards for purposes of the final rule: A cost-shifting prohibition and a requirement that parties submit information to the Department regarding their value-based arrangement.

Summary of Final Rule: We are not finalizing the two additional proposed safeguards. Similar to the substantial downside financial risk safe harbor, we are not including a cost-shifting prohibition, in recognition that the assumption of full financial risk is intended to drive a reduction in costs, which may include Federal health care program costs. We did not receive comments on this alternative condition specific to this safe harbor that diverged from the comments summarized in section III.B.4.q of the substantial downside financial risk safe harbor preamble, and we refer readers to that section for a summary of comments received and our responses.

We are likewise not finalizing a requirement for parties to submit information to the Department for the reasons previously articulated in the care coordination arrangements safe harbor’s discussion of this alternative safeguard, including minimizing administrative burden. We did not receive comments on this condition specific to this safe harbor that diverged from the comments previously summarized in section III.B.4.p of the care coordination arrangements safe harbor preamble, and we refer readers to that section for a summary of comments and our responses.

We received comments requesting additional safeguards to the full financial risk safe harbor that we did not propose, and we summarize such comments below.

Comment: Several commenters supported the addition of other safeguards that we did not propose in the preamble to the full financial risk safe harbor. For example, some commenters supported a requirement for value-based arrangements to include objective and quantifiable outcome measures, and a commenter asserted that the outcome measures, the methodology for measuring them, and how the measures affect cost should be transparent to the public. Other commenters suggested that we include the requirement that neither the value-based arrangement nor VBE participants limit parties’ ability to make decisions in the best interest of their patients.

Response: We are not requiring, in the context of the full financial risk safe harbor, that value-based arrangements include outcome measures (or any public transparency requirements related to such outcome measures) because we did not propose this as a requirement, and we do not believe that such a requirement would appreciably mitigate risk, given other conditions of the safe harbor. However, we note that we are separately requiring that the VBE provide or arrange for a quality assurance program for services furnished to the target patient population that: (i) Protects against underutilization of items and services furnished to the target patient population; and (ii) assesses the quality of care furnished to the target patient population. While outcome measurement is not a requirement of this safe harbor, as a practical matter, we anticipate that an assessment of the quality of care furnished to the target patient population pursuant to a quality assurance program may include quantitative or qualitative measures assessing, for example, performance on certain outcome measures. We did not propose and are not finalizing a requirement that neither the value-based arrangement nor VBE participants limit the parties’ ability to make decisions in the best interest of their patients, nor do we think it would be necessary given other protections in the safe harbor.

6. Arrangements for Patient Engagement and Support To Improve Quality, Health Outcomes, and Efficiency (42 CFR 1001.952(hh))

Summary of OIG Proposed Rule: We proposed to establish a new safe harbor at paragraph 1001.952(hh) to protect remuneration in the form of patient engagement tools and supports furnished directly by VBE participants to patients in a target patient population. The tools and supports could not be funded by anyone outside the VBE (proposed paragraph 1001.952(hh)(2)). We proposed to protect only in-kind preventive items, goods, or services, or in-kind items, goods, or services, such as health-related technology, patient health-related monitoring tools and services, or supports and services designed to identify and address a patient’s social determinants of health (proposed paragraph 1001.952(hh)(3)(i)). We proposed that protected remuneration would need to have a direct connection to the coordination and management of care (proposed paragraph 1001.952(hh)(3)(ii)) and advance one of six enumerated goals related to patient care (proposed paragraph 1001.952(hh)(3)(vii)). The proposal included a $500 cap on the amount of protected remuneration a VBE participant could furnish to a patient on an annual basis, with an exception based on the good faith, individualized determination of a patient’s financial need (proposed paragraph 1001.952(hh)(5)). The proposed safe harbor included several additional conditions, such as a requirement that provision of a tool or support would not result in medically unnecessary or inappropriate items or services reimbursed in whole or in part by a Federal health care program. Other proposed conditions are summarized more fully below.

Summary of Final Rule: We are finalizing, with modifications, the patient engagement and support safe harbor at paragraph 1001.952(hh). The bases for the modifications are explained the preamble sections that follow. In particular, we have revised the language at paragraph 1001.952(hh)(3)(i) to remove the specific illustrative categories of health-related technologies, patient health-related monitoring tools and services, and supports and services designed to identify and address a patient’s social determinants of health. With respect to preventive items, goods, and services, we have moved the element of prevention to the list of enumerated goals that can be advanced by protected remuneration at paragraph 1001.952(hh)(3)(vi). The final language at paragraph 1001.952(hh)(3)(i) articulates our policy to be agnostic as to the types of in-kind tools and supports that can be protected by the safe harbor if all safe harbor conditions are met.

Further, we are finalizing at paragraph 1001.952(hh)(1) a list of entities that may not furnish or otherwise fund or contribute to protected tools and supports under this safe harbor, which includes manufacturers, distributors, and wholesalers of pharmaceuticals; pharmacy benefit managers; laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; manufacturers of devices and medical supplies (unless the tool or support is digital health technology); entities or individuals that sell or rent DMEPOS (other than a pharmacy, a manufacturer of a device or medical supply, or a physician, provider, or other entity that primarily furnishes services); medical device distributors and wholesalers; and physician-owned medical device companies. Similar to our approach in the care coordination arrangements safe harbor at paragraph 1001.952(ee), a tool or support furnished or funded by a manufacturer of a device or medical supply (as defined in paragraph 1001.952(ee)(14)) is eligible for safe harbor protection only if the tool or support is digital health technology (defined at paragraph 1001.952(ee)(14)). As explained at section III.B.2.e above, we are listing ineligible entities in each safe harbor rather than excluding them in the definition of VBE participant.

The final safe harbor protects only in-kind remuneration. The final safe harbor includes at paragraph 1001.952(hh)(5) the proposed $500 annual, aggregate cap provision (without the proposed exception for tools and supports above the cap furnished based on good faith, individualized determinations of a patient’s financial need). The final safe harbor also includes at paragraph 1001.952(hh)(3)(iv) the proposed requirement that the provision of a tool or support not result in medically unnecessary or inappropriate items or services reimbursed in whole or in part by a Federal health care program. Additional conditions of the final safe harbor are summarized by topic in discussions that follow.

a. General Comments

Comment: Among the commenters offering general feedback on the proposed safe harbor, some commenters supported the proposed safeguards, others supported adding some or all of the additional considered safeguards on which we solicited comments, and others stated that certain proposed or additional safeguards would impose a significant administrative burden on stakeholders seeking protection under the safe harbor. A number of comments noted that the safe harbor would promote patient engagement, encourage adherence to treatment, and improve outcomes. Other commenters requested specific changes or clarifications to various proposals.

Response: We appreciate the commenters’ suggestions regarding the scope and impact of this safe harbor, including the conditions we proposed and considered. As discussed below, we are finalizing a number of the proposed conditions, in some cases with modifications suggested by commenters. We also are removing or modifying some conditions in response to comments and adding some of the proposed conditions for which we solicited comments.

b. Entities Ineligible for Protection

Summary of OIG Proposed Rule: We proposed to protect only tools and supports furnished by VBE participants, as defined in proposed paragraph 1001.952(ee)(12). This proposed definition excluded pharmaceutical manufacturers, laboratories, and manufacturers, distributors, and suppliers of DMEPOS. As a result, these entities would be ineligible to use this proposed safe harbor. The entities we proposed to make ineligible to participate in a VBE are described in more detail in section III.B.2.e of this preamble. We also indicated that the final rule might exclude additional entities from furnishing patient engagement tools and supports, including physician-owned device companies, compounding pharmacies, and medical device and supply manufacturers, wholesalers, and distributors.^[55] We solicited comments on several alternative frameworks for protected offerors and conditions related to protected offerors under this safe harbor, including whether the offeror should assume at least some downside financial risk.

Summary of Final Rule: As explained in section III.B.2.e of this preamble, the final definition of VBE participant has been expanded to make all entity types eligible as VBE participants. However, within each value-based safe harbor, we identify entities that are ineligible to rely on that particular safe harbor. For the patient engagement and support safe harbor, and as set forth in paragraph 1001.952(hh)(1), we are finalizing the following entities as ineligible to use the safe harbor to furnish protected remuneration to patients: (i) Pharmaceutical manufacturers, wholesalers, and distributors; (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of devices or medical supplies (except with respect to digital health technology, as described below); (vi) entities or individuals that sell or rent DMEPOS (other than a pharmacy, a medical device or supply manufacturer that also sells or rents DMEPOS, or a physician, provider, or other entity that primarily furnishes services, all of whom remain eligible); (vii) medical device distributors or wholesalers that are not otherwise manufacturers of devices or medical supplies; and (viii) medical device manufacturers, distributors, or wholesalers with ownership or investment interests held by physicians. This expanded list of excluded entities addresses our concerns, based on our longstanding enforcement and oversight experience, that certain types of entities present a higher risk of misusing this safe harbor primarily or significantly to offer remuneration to beneficiaries as a means to market their products and services rather than to improve the coordination and management of patient care.

In this final rule, OIG recognizes the important role that digital health technology plays in advancing the Department’s goals in connection with the Regulatory Sprint, including improving the coordination and management of patient care. Accordingly, at paragraph 1001.952(hh)(1)(v), this final rule permits manufacturers of devices and medical supplies to furnish patient engagement tools or supports that constitute digital health technology, as defined at paragraph 1001.952(ee)(14). On balance and in consideration of the full set of applicable safe harbor conditions, we have concluded that this policy would advance the benefits of improved care coordination without undue risk to patients or programs.

With respect to whether an entity falls into a category of ineligible entities, we refer readers to the discussion of the various types of ineligible entities and entities with multiple lines of business at section III.B.2.e of this preamble. The same rationale set forth there for excluding each type of entity from the value-based safe harbors and the same analysis for categorizing entities with multiple lines of business apply to the patient engagement and support safe harbor.

Comment: A number of commenters supported OIG’s proposal to limit safe harbor protection to tools and supports furnished by VBE participants, as defined in the OIG Proposed Rule, because it helps ensure that the tools and supports are aligned with the goals of well-coordinated care and improving value by incentivizing coordination and collaboration among a patient’s providers. Commenters also supported making specific types of entities ineligible for protection under this safe harbor, such as pharmaceutical manufacturers and manufacturers, distributors, and suppliers of DMEPOS.

Response: We are finalizing our policy that safe harbor eligibility is limited to VBE participants and, consequently, that tools and supports furnished or funded by certain types of entities would not be eligible for safe harbor protection. The final patient engagement and support safe harbor protects only remuneration provided by a VBE participant; this term, as defined in this final rule, does not limit or restrict what type of entity may be a VBE participant. However, this safe harbor does not protect tools and supports furnished or funded by the entities listed in paragraph 1001.952(hh)(1), even if such entities are VBE participants.

We continue to believe that offering and furnishing patient engagement tools and supports by these ineligible entities elevates the risk of fraud and abuse. For example, as we stated in the OIG Proposed Rule, offers of tools or supports by pharmaceutical manufacturers to a patient could improperly influence the patient, as well as a clinician’s decision to prescribe one drug over another. Such remuneration could influence a patient to request a particular drug that is more expensive or less clinically efficacious than other clinically equivalent drugs. This could both improperly influence patient choice and increase costs to Federal health care programs—two factors cited by Congress to consider when developing safe harbors—without necessarily increasing quality. Similarly, we remain concerned that the entities identified as ineligible for this safe harbor may inappropriately use patient engagement tools and supports to induce the use of medically unnecessary items and services; market their products; or divert patients from a more clinically appropriate item or service, provider, or supplier without regard to the best interests of the patient. Accordingly, we are finalizing paragraph 1001.952(hh)(1) to specify that the entities listed above are ineligible to furnish, fund, or contribute to remuneration protected by the patient engagement and support safe harbor.

Comment: Several commenters urged OIG to broaden the safe harbor to protect tools and supports offered by entities that are not VBE participants. Another commenter noted that many payors and providers have developed effective patient incentive programs that have occurred outside the value-based care setting but nonetheless advance OIG’s goals of improving adherence to a followup care plan, improving adherence to a treatment or drug regimen, enhancing the management of a disease or condition, or ensuring patient safety. Commenters also expressed concern that requiring VBE participation imposes an increased administrative burden on providers, which could be a barrier to offering patient engagement tools and supports. Another commenter added that limiting the safe harbor to VBE participants would effectively preclude single-provider entities from safe harbor protection.

Response: As noted above, we are finalizing a condition that safe harbor protection is only available for tools and supports furnished by VBE participants, subject to additional conditions. In the preamble to the OIG Proposed Rule, we explained that safe harbor protection would only be available to VBE participants in order to align the proposed patient engagement and support safe harbor with the value-based framework proposed in that rule.^[56] Limiting safe harbor protection to VBE participants is an important condition because it requires entities to adhere to certain formalities that promote value-based objectives including, for example, articulating a value-based purpose and identifying a target patient population based on legitimate and verifiable criteria that are set out in writing and further the VBE’s value-based purpose.

Moreover, we believe the modest administrative steps required to establish a VBE—namely, establishing an accountable body and creating a governing document—require that entities determine how to effectively promote value-based care (e.g., how the VBE participant intends to achieve its value-based purpose). In the context of patient engagement tools and supports, the VBE must connect the provision of tools and supports to the goal of furthering value-based care that underlies this rulemaking. We emphasize that we perceive the administrative steps required to establish a VBE as relatively minimal, and they should not pose a significant burden on providers and others that desire to furnish protected tools and supports. We also note that solo practitioners are not foreclosed from protection under this safe harbor. A solo practitioner could partner with another entity or individual—without changing the membership of the practitioner’s own practice—to form a VBE. As a VBE participant, the solo practitioner would then be eligible to offer protected tools and supports to patients, provided the other conditions of the safe harbor are satisfied.

Comment: Several commenters urged OIG to extend safe harbor protection to providers in rural or underserved areas even if they are not VBE participants. According to commenters, these practices may not have sufficient patient populations or resources to create or participate in a VBE.

Response: We do not believe the modest administrative steps required to establish a VBE will be a barrier to most entities—including providers serving rural or underserved patients—that are seeking to offer tools and supports to beneficiaries. Moreover, we believe that requiring entities to fulfill certain VBE-related requirements will help ground any offer or provision of patient engagement tools and supports in the value-based objectives central to this rule, namely the coordination and management of patient care. A VBE does not require a target patient population to be a particular size, and in any event a small practice or a provider in a rural or underserved community may partner with larger providers or other entities with more resources to form VBEs. Accordingly, the final rule does not offer providers in rural or underserved areas an exception to the safe harbor’s condition that requires that the individual or entity offering or furnishing protected tools and supports be a VBE participant.

Comment: Commenters recommended that tools and supports furnished or funded by various specific types of entities should be eligible for protection under this safe harbor. In particular, commenters recommended that pharmaceutical manufacturers; manufacturers, distributors, and suppliers of DMEPOS; and laboratories—all of which were ineligible for VBE participation per the definition of “VBE participant” in the OIG Proposed Rule—should be eligible to furnish or fund protected tools and supports under this safe harbor. Commenters also noted that pharmaceutical manufacturers; manufacturers, distributors, and suppliers of DMEPOS; and laboratories increasingly are diversified entities that include corporate affiliates and business units that provide a wide range of items and services, including health technologies, care coordination and clinical management, and other offerings and services. Commenters also urged that pharmacists, pharmacies, pharmacy benefit managers, dialysis facilities, and health technology companies should be eligible for protection under the patient engagement and support safe harbor.

Response: Under the final rule, tools and supports furnished or funded by manufacturers, distributors, and wholesalers of pharmaceuticals; individuals and entities that sell or rent DMEPOS; pharmacy benefit managers; laboratory companies; pharmacies that primarily compound drugs or primarily dispense compounded drugs; medical device distributors and wholesalers; and physician-owned medical device companies are not eligible for protection under the patient engagement and support safe harbor. Based on our longstanding enforcement and oversight experience, there is a risk that these entities could misuse this safe harbor to offer remuneration to beneficiaries as a means to market their products and services rather than advancing the goal of improving the coordination and management of patient care. For the same reasons, medical device manufacturers are not eligible for protection under this safe harbor except to the extent the tools or supports provided are digital health technology.

Similar to the care coordination arrangements safe harbor, we have taken a tailored, risk-based approach to address protection for the provision of digital health technology to patients. Among the entities that are otherwise ineligible for this safe harbor, we have identified manufacturers of devices or medical supplies as an entity type that should, to advance the policy goals of this rulemaking, have a limited pathway for protection when they provide digital health technologies as defined in this rule. Under the final rule, manufacturers of devices or medical supplies as defined in paragraph 1001.952(ee)(14) are eligible for protection under the patient engagement and support safe harbor, but only to the extent that the tools and supports they provide to patients meet the definition of digital health technology, as also defined in paragraph 1001.952(ee)(14). All VBE participants that are eligible to use this safe harbor may provide patients with digital health technology. Eligible VBE participants, other than a manufacturer of a device or medical supply, are not limited to digital heath technology as defined at paragraph 1001.952(ee)(14) as long as all safe harbor conditions are met.

Under the final care coordination arrangements safe harbor, DMEPOS companies (i.e., entities or individuals that sell or rent DMEPOS (other than a pharmacy, a manufacturer of a device or medical supply, or a physician, provider, or other entity that primarily furnishes services)) are also eligible for the limited technology participant pathway. However, for the patient engagement and support safe harbor, we are finalizing our proposal to make companies that sell or rent DMEPOS ineligible for the safe harbor without exception. We make this distinction based on the different roles and risks associated with entities and individuals that sell or rent DMEPOS when they interact directly with patients. Our enforcement experience reveals persistent and troubling fraud and abuse in sectors of the DMEPOS industry, including inducements paid to beneficiaries to order medically unnecessary products or to disclose their Medicare beneficiary identifier or other personal information. Entities and individuals that sell or rent DMEPOS have more pervasive and personal relationships with individual patients and sell more products directly to patients than manufacturers of medical devices and supplies. This restriction does not mean that patients cannot receive digital tools and supports related to DMEPOS under the safe harbor, but they cannot be provided or funded by entities and individuals that sell or rent DMEPOS. Arrangements between entities and individuals that sell or rent DMEPOS and patients would be subject to a case-by-case analysis for compliance with the Federal anti-kickback statute.

Consistent with the discussion in section III.B.2.e.ii, the final rule lists “an entity or individual that sells or rents” DMEPOS as ineligible for safe harbor protection unless the entity or individual is a pharmacy, a manufacturer of a device or medical supply, or a physician, provider, or other entity that primarily furnishes services. This approach focuses on the nature of the entity’s business rather than relying on unrelated definitions of “distributor” or “supplier.” As explained in section III.B.2.e.ii, carving out pharmacies, providers, and other entities that primarily furnish services will ensure that these entities—which are likely to be at the front lines of care coordination—remain eligible for safe harbor protection.

For purposes of the patient engagement and support safe harbor, a manufacturer of a device or medical supply is eligible for protection, as provided in paragraph 1001.952(hh)(1)(vi), even if it rents or sells DMEPOS. The multiple business lines analysis would not be needed. The definition for DMEPOS companies at paragraph 1001.952(hh)(1)(vi) is different from the definition of DMEPOS companies for the care coordination arrangements safe harbor to effectuate and clarify the policy goal that the patient engagement and support safe harbor protect digital technology provided by medical device and supply manufacturers.

Regarding commenters’ concern about the potential impact of the safe harbor’s entity carve-outs on diversified entities that include corporate affiliates and business units that provide a wide range of items and services, we reiterate the discussion in section III.B.2.e.v above regarding entities with multiple lines of business.

Among other specific entity types addressed by commenters, we note that the only entities not eligible to provide protected remuneration under this safe harbor are those entities listed in paragraph 1001.952(hh)(1). Accordingly, many of the entities mentioned by commenters including many pharmacists and pharmacies and dialysis facilities could furnish protected tools and supports, provided all conditions of the safe harbor are satisfied. Pharmacy benefit managers are not eligible to furnish protected tools and supports under this safe harbor for the reasons set forth at section III.B.2.e. Health technology companies are eligible to be VBE Participants and furnish protected tools and supports. If the health technology company is a manufacturer of a device or medical supply, then it may only furnish protected tools and supports in the form of digital health technology. If the health technology company is an entity or individual that sells or rents DMEPOS covered by a Federal health care program (other than a pharmacy, a manufacturer of a device or medical supply, or a physician, provider, or other entity that primarily furnishes services) or any other type of ineligible entity, it may not use this safe harbor.

As explained in more detail in section III.B.2.e.ii.f, pharmacies that primarily compound drugs or primarily dispense compounded drugs are ineligible for protection under the patient engagement and support safe harbor. We have significant concerns about fraud and abuse risks based on enforcement and oversight experience involving compounding pharmacies. Although pharmacies that primarily compound drugs or primarily dispense compounded drugs are ineligible for safe harbor protection, we believe most community pharmacies would remain eligible. As explained in section III.B.2.e.iv, we believe that many community and retail pharmacies have the potential to be VBE participants and further the coordination and management of patient care, including through the provision of patient engagement tools and supports. Accordingly, pharmacies (other than compounding pharmacies) are fully eligible for protection under this safe harbor.

Comment: Some commenters objected to categorically limiting protection based on entity type altogether, urging OIG to focus on program integrity safeguards that could prohibit inappropriate behavior rather than carving out categories of entities from protection. A commenter suggested that, to the extent OIG retains its categorical approach in the final rule, it should clarify that parties will not be ineligible for safe harbor protection on the basis of corporate affiliates, shared ownership, or separate business units.

Response: As noted in our response to the prior comment, the entities listed in paragraph 1001.952(hh)(1) may not furnish protected tools and supports under this safe harbor because of the risk that tools and supports from these entities could improperly influence patients or physicians. The final rule does not explicitly prohibit an entity that is a corporate affiliate or under shared ownership with an ineligible entity from offering protected tools and supports. For entities with multiple business lines, this preamble at section III.B.2.e.v describes the analysis to determine whether such an entity would be considered one of the ineligible entity types under this safe harbor. Notably, corporate affiliation—whether by majority ownership, common ownership, or another structure—has no bearing on eligibility for safe harbor protection under the patient engagement and support safe harbor.

Comment: Several commenters recommended that OIG structure the patient engagement and support safe harbor to protect tools and supports offered by Indian health programs.

Response: We are mindful of the important work done by Indian health programs and the critical needs of their patient populations for improved coordination and delivery of care. Indian health care providers that become VBE participants are eligible to use this safe harbor to provide tools and supports to beneficiaries. We did not propose and have not structured a specific safe harbor for Indian health programs. Providers interested in patient engagement programs can also use the local transportation safe harbor. It is important to note that arrangements that do not fit in a safe harbor are not necessarily unlawful, and the OIG advisory opinion process remains available for providers seeking a legal opinion regarding an existing or proposed arrangement.

Comment: In response to our solicitation of comments in the OIG Proposed Rule regarding a potential condition that safe harbor protection is only available to entities that assume downside financial risk, several commenters urged OIG not to adopt such a financial risk assumption requirement. One commenter opined that there is no logical connection between a provider’s financial risk and the benefits of patient engagement. Another commenter noted that adding a financial risk requirement could limit application of this safe harbor to large practices and health systems, positing that small, rural, and underserved practices are unable to take on financial risk and therefore would not be able to provide tools and supports protected by the safe harbor should it include a requirement that protected offerors assume downside financial risk. A commenter noted that for a VBE with downside financial risk there is no incentive to provide an item, tool, support, or service that is not related to treating or preventing a disease or injury among a target patient population. As such, inherently, the VBE participant must believe the tool or support will provide a medical or health benefit to the patient to whom it is being given. Another commenter with experience as a risk-bearing ACO entity supported limiting this safe harbor to VBEs engaged in risk-bearing arrangements, citing a learning curve in the appropriate use of tools and supports, and highlighting that the assumption of downside financial risk may offset some of the traditional fraud and abuse concerns, such as overutilization.

Response: We agree with commenters and believe that various providers and other entities—including those who have not assumed downside financial risk—could engage in beneficial patient engagement and support. Consequently, in an attempt to promote flexibility and innovation related to patient engagement and support, the safe harbor as finalized in this rule does not contain a financial risk requirement.

c. Limitations on Recipients

Summary of OIG Proposed Rule: The proposed safe harbor protected only tools and supports furnished by a VBE participant to a patient within a defined “target patient population,” as that term is defined at proposed paragraph 1001.952(ee)(12)(ii), and without regard to payor type. We solicited comments on whether to broaden the category of patients who can receive protected tools and supports under this safe harbor to include, for example, any patient, so long as the tools and supports predominantly address needs of the target patient population and the tools and supports have a direct connection to the coordination and management of care for the patient.^[57]

Summary of Final Rule: We finalize, with modification, our proposal to limit safe harbor protection to tools and supports provided to patients in a target patient population. The final safe harbor clarifies our intent that, to qualify for safe harbor protection, a tool or support must be furnished by a VBE participant to a patient in the target patient population of a value-based arrangement to which the VBE participant is a party. This language ensures that the remuneration is linked to the target patient population relevant to the VBE to which the VBE participant is a party. It further ensures that the remuneration has a direct connection to the coordination and management of care of the relevant target patient population, as set forth in the condition at paragraph 1001.952(hh)(3)(ii).

Comment: Several commenters appreciated that we proposed protection for patient engagement tools and supports offered to a target patient population, notwithstanding payor type, and agreed as a general matter that the provision of protected tools and supports should be limited to the target patient population.

Response: We have finalized the condition, as proposed. The safe harbor only protects remuneration provided to a patient in a target patient population.

Comment: Some commenters suggested that this safe harbor not incorporate the definition of “target patient population” proposed at paragraph 1001.952(ee)(12)(ii), or that this safe harbor protect tools and supports given to certain patients outside the target patient population. Other commenters proposed alternative “target patient population” definitions or exceptions for rural and underserved communities outside of the VBE construct, as well as exceptions designed to address social determinants of health. Commenters also asked us to finalize a broad category of protected recipients without any defined parameters, such as limiting the scope of protected recipients to patients with a specific disease state or certain chronic conditions. Several commenters highlighted problems with and sought clarity regarding a VBE participant’s inability to retrospectively or prospectively identify or assign patients to the target patient population, and whether a precise population was required to satisfy the definition of “target patient population” for purposes of this safe harbor.

Response: The final safe harbor retains the conditions that a protected tool or support must be provided to a patient in the target patient population and must have a direct connection to the coordination and management of care of the target patient population. We believe that requiring a VBE participant to specify a target patient population prior to offering patient engagement tools and supports will help tie the tools and supports to the underlying value-based purposes of the VBE and will necessitate careful consideration of the objective characteristics of the patient population that likely will benefit from any offered tools and supports. We also believe that a connection to an objectively defined target patient population decreases the risk that valuable remuneration will be offered to patients as an inducement to seek care. We have incorporated the definition of “target patient population” as finalized at paragraph 1001.952(ee)(14)(v) for the sake of consistency and because VBE participants will have familiarity with the defined term through the creation of a VBE.

As noted in the summary above, we also are finalizing the proposed requirement that only tools and supports furnished by VBE participants are eligible for protection under this safe harbor. This provision does not impose additional burdens on VBE participants. Establishing a VBE requires articulating a value-based purpose and defining a target patient population, which significantly contributes to meeting this condition. The requirement that a patient engagement tool or support be furnished by a VBE participant to a patient in a target patient population does not include any exceptions for patients in rural or underserved areas, or for remuneration intended to address social determinants of health. We emphasize, however, that VBE participants have considerable flexibility in determining how to define a target patient population, as long as the population is selected using legitimate and verifiable criteria that are set out in writing and further the VBE’s value-based purpose. In addition, VBE participants could establish multiple target patient populations for the purposes of furnishing tools and supports to be protected by this safe harbor as long as all safe harbor conditions are satisfied.

Comment: Many commenters supported the alternative language for which we solicited comments, which would have protected tools and supports furnished to any patient, as long as the tools and supports predominantly address the needs of the target patient population, and the tools and supports have a direct connection to the coordination and management of care for the patient, noting, for example, that it can be challenging to make accurate prospective predictions of which patients are aligned with a target patient population at any given time.

Response: In this final rule, we decline to protect remuneration furnished to patients outside a specified target patient population. Limiting protected tools and supports only to patients within the target patient population will help to ensure the tools and supports have a nexus to the VBE’s underlying value-based purpose in a way that might be more attenuated under our alternative proposal.

Comment: Some commenters recommended that the safe harbor protect the provision of tools or supports for patients whose conditions or circumstances are similar to those of the target patient population, highlighting the risk of penalties associated with providing tools and supports to patients who could benefit from them despite falling outside of the target patient population.

Response: The final safe harbor requires VBE participants seeking protection under the patient engagement and support safe harbor to define the scope of the applicable target patient population to include patients likely to benefit from the relevant tools and supports. As discussed above in more detail in section III.B.2.c, the selection criteria—not the individual patients—must be identified in advance. Parties may modify their target patient population selection criteria prospectively by amending their existing value-based arrangement. VBE participants can retroactively attribute patients to the target patient population without amending the value-based arrangement if such patients meet the selection criteria established prior to the commencement of the value-based arrangement.

d. Furnished Directly to the Patient

Summary of OIG Proposed Rule: We proposed to include a condition at proposed paragraph 1001.952(hh)(1) that the tool or support must be furnished directly to the patient by a VBE participant. We solicited comments on arrangements through which a VBE participant might order or arrange for the delivery of a tool or support from an independent third party. We also sought comment on whether to expressly permit a VBE participant to furnish the tool or support through someone acting on the VBE participant’s behalf and under the VBE’s direction, such as a physician practice that is a VBE participant providing a tool or support through an individual member of the practice or a nurse employed by the practice. We also solicited comments regarding whether to require patient notice if third parties are involved in the furnishing of the tool or support.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(hh)(2). The final rule extends safe harbor protection to a VBE participant that provides patient engagement tools or supports through a third party that qualifies as an “eligible agent,” as defined in paragraph 1001.952(hh)(9).

Comment: Most commenters did not support the condition requiring that tools or supports be furnished directly to the patient by the VBE participant, for several reasons. For example, commenters asserted that, depending on the size or sophistication of the VBE participant’s practice, the VBE participant may outsource the furnishing of the tool or support, or otherwise not be present at the time it is furnished. Others suggested that a partner or an agent of a VBE participant, such as a vendor, contractor, or employee of the participant, should also be permitted to furnish the patient engagement tools or supports at the direction of the VBE participant, noting that for entities and individuals furnishing tools and supports, outsourcing the provision of such tools and supports to independent third parties is a common practice. Other commenters recommended protection of tools and supports provided by nontraditional or nonclinical (but health-related) third parties that address social determinants of health or transportation needs. For example, a health system commenter indicated that it contracts with vendors to provide digital devices and tools to patients. Another commenter also provided an illustrative example, explaining that to furnish a patient with a “grab bar” at home, it would purchase a grab bar through an online retailer and then contract with a local hardware vendor to install the grab bar. Another commenter recommended safe harbor protection for the provision of tools and supports through which the third party is under the control and oversight of the VBE participant and is otherwise eligible to participate in a VBE (as proposed in the OIG Proposed Rule).

Response: We agree that the safe harbor should protect the provision of tools and supports through a person or entity acting on behalf of the VBE participant and under the VBE participant’s direction, but only if certain conditions are met. Requiring that the tool or support be furnished directly to the patient by the VBE participant prevents entities that are ineligible to participate in a VBE from directly or indirectly furnishing tools or supports to patients. Also, as we explained in the OIG Proposed Rule, the requirement would help patients understand who is furnishing the tool or support and why. Notwithstanding, we have finalized a provision at paragraph 1001.952(hh)(2) that extends protection to tools and supports furnished through a VBE participant’s “eligible agent,” assuming the other conditions of the safe harbor are met. For purposes of this paragraph, “eligible agent” means any person or entity that is not identified in paragraph 1001.952(hh)(1)(i)-(viii) as ineligible to furnish protected tools and supports. Thus, the eligible agent must be an individual or entity that could furnish protected tools and supports under paragraph 1001.952(hh)—even though the eligible agent does not itself need to become a VBE participant. The VBE participant’s eligible agent could be, for example, employees and contractors of a practice when the VBE participant is the practice itself, or other third parties such as technology vendors or retailers. This condition also means that an entity precluded from furnishing or funding protected tools and supports under paragraph 1001.952(hh)(1) cannot be an eligible agent of a VBE participant for purposes of furnishing a protected patient engagement tool or support. Furthermore, this safe harbor does not protect any remuneration that flows through or is furnished by a third party that is not an eligible agent.

Comment: Some commenters recommended that a tool or support be eligible for safe harbor protection if it is furnished to a caregiver or family member of a patient in the target patient population.

Response: We agree that a tool or support should be eligible for safe harbor protection if it is furnished to a caregiver or family member of a patient in the target population, as long as the tool or support satisfies all conditions of the safe harbor conditions. As we stated in the OIG Proposed Rule, a tool or support would not be considered “diverted” if furnished to the patient indirectly through the patient’s caregivers or family members, or through another individual acting on behalf of the patient. We provided examples of such scenarios, including one in which a patient is unable to care for himself or herself and another person has legal authority or the patient’s consent to do so, such as when a parent caring for a minor child with asthma accepts and installs an air purifier on behalf of the child.^[58] Although we included this discussion in the context of a proposed condition to mitigate potential diversion of patient engagement tools and supports—which is not being finalized in this rule—we nevertheless believe the discussion is applicable to the “furnished directly” condition at paragraph 1001.952(hh)(2). Accordingly, intervening caregivers and family members or others acting on behalf of the patient may facilitate the provision of the tool or support without the remuneration running afoul of the “furnished directly” requirement if all other conditions of the safe harbor are satisfied.

Comment: Some commenters suggested that when a third party is providing the tool or support, the patient should be notified in writing or otherwise about the sponsor and other details about the vendor and the purpose of the tool or support. Other commenters objected to any additional notification requirements as burdensome to the provider and the patient.

Response: We appreciate the commenters’ suggestion but decline to impose such a notification requirement. The safe harbor only protects the provision of tools and supports that are recommended by a patient’s health care professional, and many of the enumerated goals in the safe harbor also require the involvement of the patient’s licensed health care professional. Based on these conditions, we believe beneficiaries are unlikely to receive tools or supports that otherwise meet the conditions of the safe harbor without an awareness of the source and purpose of those items or services. Furthermore, lack of awareness of the source and purpose also may diminish the likelihood for improved patient engagement. To best promote patient engagement and ensure the benefits of any tools and supports are realized, VBE participants have an incentive to clearly communicate about the tools and supports they provide without a formal patient notification requirement.

e. Funding Limitations

Summary of OIG Proposed Rule: In proposed paragraph 1001.952(hh)(2), we proposed to prohibit any third-party entity or individual outside of the VBE from financing or otherwise contributing to the provision of patient engagement tools or supports. In the OIG Proposed Rule, this condition would have prevented entities not eligible to become VBE participants from circumventing that limitation and seeking protection for tools and supports they furnished to patients under the patient engagement and support safe harbor.

Summary of Final Rule: We are finalizing, with modifications, this condition at paragraph 1001.952(hh)(4). Specifically, the final regulation text states that the patient engagement tool or support must not be funded or contributed by a VBE participant that is not a party to the applicable value-based arrangement or by an entity listed at paragraph 1001.952(hh)(1)(i) through (viii). The modifications have been made to ensure that the specified entities ineligible for protection under this safe harbor at paragraph 1001.951(hh)(1) are not able to circumvent that restriction by indirectly funding or contributing to tools and support protected under this safe harbor. This condition also clarifies our intent that the VBE participant must be a party to the “applicable value-based arrangement.” In other words, the patient receiving the tool or support must be a member of the target patient population of a VBA to which the VBE participant is a party. This also ensures that the remuneration has a direct connection to the coordination and management of care of the target patient population of the applicable VBA to which the VBE participant is a party. The condition at paragraph 1001.952(hh)(4) effectuates our proposed policy to bar safe harbor protection for tools and supports funded by entities that, under the proposed rule, could not have been in a VBE (see section III.B.2.e.ii for discussion of these entities). The safe harbor does not protect any patient engagement tools and supports funded by or involving contributions from entities identified at paragraph 1001.952(hh)(1)(i) through (viii).

Comment: Several commenters found this condition unduly restrictive, citing potential challenges with meeting this condition when delegating the provision of tools and supports or sharing a care coordinator with someone outside of the VBE. Another commenter stated that entities explicitly ineligible for participation in a VBE under the OIG Proposed Rule’s definition of “VBE participant” play a vital role in supporting the care of patients, and without funding from such entities, hospitals and payors would be limited regarding what types of patient engagement tools and supports they could provide.

Response: We are finalizing this condition with modifications. This condition is an important safeguard that prevents entities ineligible for safe harbor protection from circumventing the conditions of the safe harbor by doing indirectly what they cannot do directly. Regarding commenters’ concerns about the impact of this condition on the ability to delegate the provision of tools or supports, we emphasize that, as discussed in the prior section of this preamble, VBE participants may provide tools and supports via an eligible agent, which can be any third party as long as the third party is not otherwise ineligible to furnish protected tools and supports under this safe harbor.

Comment: A commenter supported this condition, noting that outside funding or contributions pose a risk of inappropriate steering to specific suppliers of products or services. Other commenters appreciated the purpose of this limitation but asked OIG to allow for certain donations from foundations or charities to a VBE, together with a safeguard prohibiting the donating third party from having direction or control over how the funds are spent. Another commenter stated that other types of entities such as construction companies may offer to modify homes with ramps and wider doors, among other things, without charge, and that this condition could prevent protection for such donations.

Response: We appreciate that many entities would like to fund or otherwise contribute to protected patient engagement tools and supports provided by a VBE participant, including through charitable or otherwise arm’s-length donations made to a VBE. Our goal in implementing the funding and contribution limitations is to ensure that entities that may not furnish protected tools and supports directly are unable to indirectly provide or fund protected tools and supports. We believe that limiting the types of entities that may fund protected tools and supports is an important safeguard against circumvention schemes, including potential arrangements involving foundations or charities. Without the funding and contribution limitations, it is possible that entities ineligible to provide tools and supports could indirectly fund such items or services through a foundation, charity, or other entity, which could make it difficult to determine the ultimate source of funding. We believe the final funding and contribution limitations described here provide sufficient flexibility for VBE participants to provide protected tools and supports while safeguarding against the heightened risk of fraud and abuse related to tools and supports furnished to patients by the types of entities that are ineligible for safe harbor protection.

Nothing in this condition would prevent a charity or foundation from providing tools and supports directly to patients, assuming such an arrangement complies with the Federal anti-kickback statute or Beneficiary Inducements CMP, if either statute is implicated. If the charity or foundation is not funded by health care entities, the arrangement might not implicate the statutes. Further, nothing in this safe harbor would prevent construction companies from modifying homes with ramps, widening doors, or providing other construction services for free to patients, provided those arrangements comply with the statute. Free services offered to a patient directly by a construction company that does not provide Federally reimbursable items or services or make referrals for them would not implicate the statutes, and therefore, safe harbor protection would not be needed. However, such free services offered through an intermediary that provides federally reimbursable items and services, such as a hospital, would need to be evaluated on a case-by-case basis under the statute; the arrangement between the construction company and hospital would not implicate the statute, but the arrangement between the hospital and patient might.

f. Nature of the Remuneration

Commenters provided numerous suggestions regarding specific types of remuneration potentially protected under this safe harbor. In the sections below, we respond to such comments and provide examples of potentially protected types of remuneration, but we note that the examples or categories of items, goods, and services included here are neither exhaustive nor presumptively protected under this safe harbor. Specifically, we remind stakeholders that all conditions of the safe harbor must be squarely satisfied for the tools and supports to be protected by the safe harbor.

i. In-Kind Remuneration

Summary of OIG Proposed Rule: At proposed paragraph 1001.952(hh)(3)(i), we proposed to protect any in-kind preventive item, good, or service, or an in-kind item, good, or service such as health-related technology, patient health-related monitoring tools and services, or supports and services designed to identify and address a patient’s social determinants of health.

Summary of Final Rule: We are finalizing, with modifications, the provision at paragraph 1001.952(hh)(3)(i). The final rule protects patient engagement tools and supports that are in-kind items, goods, and services provided they meet all applicable safe harbor conditions. We are not finalizing the regulatory text at proposed paragraph 1001.952(hh)(3)(i) that provided specific examples of protected in-kind items, goods, or services (i.e., health-related technology, patient health-related monitoring tools and services, supports and services designed to identify and address social determinants of health). As finalized by this rule, paragraph 1001.952(hh)(3)(i) specifies that protection is offered only for in-kind items, goods, or services, without specifying categories of items, goods, or services. We believe including nonexhaustive categories in regulatory text was not necessary or helpful to explain the meaning of an “in-kind item, good, or service.” These changes are intended to ensure the final rule does not inadvertently preclude types or categories of tools or supports that could receive protection under the safe harbor. Provided that all safe harbor requirements are satisfied, the final rule protects a broad range of tools and supports that may include, among others, health-related technology, patient health-related monitoring tools and services, and supports and services designed to identify and address a patient’s social determinants of health. We have modified and reorganized the regulatory text to better effectuate this policy.

Based on public comments, we confirm that preventive items, goods, or services can be protected under this safe harbor. However, we are not finalizing the proposed regulatory text at paragraph 1001.952(hh)(3)(i) regarding preventive care. To make clear that preventive items, goods, or services can fit in the safe harbor, we have amended the goal of “management of a disease or condition” to read “prevention or management of a disease or condition” at paragraph 1001.952(hh)(3)(vi)(D).

Comment: A number of commenters supported our overall approach to identify categories of protected in-kind remuneration instead of endeavoring to provide a comprehensive list of tools and supports eligible for safe harbor protection and believed that the categories proposed are—and should remain—sufficiently flexible to encompass a range of tools and supports across various care settings. Commenters stated that VBEs should have flexibility to determine the most appropriate tools and supports to provide as a part of the arrangements and recommended against OIG specifying a list of tools and supports that could, ultimately, stifle innovation, particularly with respect to tools and supports designed to address social determinants of health. Alternatively, some commenters encouraged us to provide greater specificity and more examples of protected patient engagement tools and supports based on comments received in response to the OIG Proposed Rule. For example, a commenter urged OIG to provide as many examples as possible of the tools and supports that would and would not be protected by this safe harbor in the preamble to the final rule. Others requested some examples but urged us to clarify that any examples are illustrative, not exhaustive.

A commenter supported protection for tools and supports that impact positive behavioral change, such as receiving an annual wellness visit, participating in a smoking cessation program, or seeking care from a lower cost provider (e.g., receiving imaging services in a freestanding setting as opposed to a hospital outpatient department). The commenter also supported addressing a barrier to adhering to a care plan, such as providing cooking classes to facilitate the preparation of healthy meals, providing condition-specific groceries, or providing condition-specific technology (e.g., electronic scales, internet service to facilitate data collection, or both). Another commenter listed examples of additional dialysis-related tools and supports that should be covered.

Response: Rather than listing specific examples of tools and supports potentially eligible for protection under this safe harbor, the final safe harbor contains a list of goals at paragraph 1001.952(hh)(3)(vi), at least one of which a tool or support must advance in order to qualify for safe harbor protection. We believe this provides substantial flexibility for VBE participants to offer a wide range of tools and supports.

As noted above, we have omitted the examples of remuneration listed in proposed paragraph 1001.952.(hh)(3)(i). With respect to tools and supports designed to address a patient’s social determinants of health, such remuneration is protected if it meets one of the final safe harbor’s enumerated goals listed at paragraph 1001.952(hh)(3)(vi). This change is intended to ensure the final rule is agnostic about the specific types or categories of tools and supports protected by this safe harbor. As a result, health-related technology and patient health-related monitoring tools and services are eligible for safe harbor protection if they meet the other conditions of the safe harbor, including at least one of the goals at paragraph 1001.952(hh)(3)(vi).

We have provided some examples of categories and specific tools and supports in the discussion below at section III.B.6.f.iv related to social determinants of health, as well as general descriptions of certain health technologies potentially protected by this safe harbor. We also agree with commenters who suggested that any examples provided in this final rule’s preamble should be illustrative rather than exhaustive, to provide for flexibility and innovation in the provision of patient engagement tools and supports. We intend for the safe harbor to protect a range of in-kind remuneration and agree that many of the tools and supports described by the commenters may satisfy the safe harbor if all other conditions of the safe harbor are met.

Comment: A commenter stated that the proposed safe harbor is too narrow to truly drive patient engagement because, although it protects the provision of tools and supports to patients, it does not protect efforts to encourage the utilization of those tools or otherwise protect efforts to incentivize care adherence.

Response: We disagree that the safe harbor lacks sufficient regulatory flexibility for the provision of tools and supports that promote patient engagement. In response to the suggestion that the safe harbor should protect efforts to encourage the utilization of protected tools and supports, we note that nothing in the safe harbor would limit the ability of VBE participants to educate patients about available tools and supports as long as the VBE participant does not use the patient engagement tools or supports to market other reimbursable items or services, or for patient recruitment purposes, as prohibited at paragraph 1001.952(hh)(6).

In response to the suggestion that the safe harbor should protect efforts to incentivize care adherence, we note that a VBE participant must ensure that the tool or support advances an enumerated goal at paragraph 1001.952(hh)(3)(vi), several of which involve patient adherence. For example, the safe harbor protects tools and supports that advance goals for adherence to a treatment regimen, adherence to a drug regimen, and adherence to a followup care plan if all other conditions are met. In addition, we think that the conditions requiring a licensed health care professional to recommend the tool or support and requiring that the tool or support be directly connected to the coordination and management of care require the offeror to evaluate whether the tool or support will advance the enumerated goals listed in the safe harbor.

Comment: A commenter requested OIG clarify its interpretation of the phrase “preventive care item or service” for the purposes of this safe harbor to ensure that the definition remains flexible enough to encompass rapidly advancing technology. Another commenter requested that we add “primary and secondary prevention” to the regulatory text of this safe harbor to clarify that various forms of preventive efforts are protected by the safe harbor. Another commenter requested that we add “tertiary” prevention. Commenters generally supported OIG’s proposal to defer to VBE participants or physicians in determining: (i) What constitutes a preventive item or service for the purposes of this safe harbor; and (ii) the appropriate tools and supports to address such preventive care, asserting that physicians are in the best position to assess whether a particular item or service is preventive.

Response: Tools and supports in furtherance of preventive care and services can be protected under this safe harbor if the other conditions are satisfied. The final safe harbor regulation does not identify a specific category of remuneration for preventive care items, goods, or services. Instead, preventive items, goods, and services could be protected under the safe harbor’s general protection of in-kind items, goods, or services that satisfy the conditions of the safe harbor, including advancing one of the safe harbor’s enumerated goals. For example, a preventive item, good, or service could advance the goal of “prevention or management of a disease or condition” at paragraph 1001.952(hh)(3)(vi)(D).

ii. Cash, Cash Equivalents, and Gift Cards

Summary of OIG Proposed Rule: We proposed at proposed paragraph 1001.952(hh)(3)(iii) to exclude protection for remuneration in the form of cash, cash equivalents, and gift cards, and we sought additional comments on whether the safe harbor should protect those forms of remuneration.

Summary of Final Rule: We are finalizing, with modification, the proposed condition at paragraph 1001.952(hh)(3)(iii). The final regulatory text does not reference gift cards because some gift cards would be considered in-kind remuneration eligible for safe harbor protection. Cash, cash equivalents, and most gift cards are excluded in the final rule because the safe harbor is limited to in-kind remuneration.

Comment: Several commenters echoed the concerns we raised in the OIG Proposed Rule regarding the risks of protecting cash, cash equivalents, and gift cards under the safe harbor, urging us to limit safe harbor protection to in-kind remuneration to reduce the risk of inappropriate patient steering or coercion.

Response: We agree with these comments, and we believe restricting protection to in-kind remuneration in the final rule reflects OIG’s longstanding concern about the fraud and abuse risks inherent to providing cash, cash equivalents, or gift cards to beneficiaries.

Comment: A number of commenters urged OIG to protect gift cards under this safe harbor. In particular, several commenters suggested that we clarify that a voucher provided through a debit card-like mechanism that could be used to acquire tools or supports, such as food or transportation, would be considered “in-kind” under the safe harbor. Another commenter urged OIG to protect the provision of gift cards but suggested that prepaid debit cards should be excluded from protection, similar to existing OIG guidance regarding cash and cash equivalents.

A commenter recommended protecting gift cards that may be redeemed only at certain stores for certain purposes consistent with OIG’s previous guidance on cash and cash equivalents, as long as they are not advertised or otherwise included in prospective marketing or promotional efforts, and earned via active, verifiable participation in core elements of a beneficiary’s treatment plan.

A commenter noted that gift cards provide sufficient flexibility with less risk than cash, noting that a gift card may be exchanged for cash, but typically at a reduced value.

Response: As we stated in the preamble to the OIG Proposed Rule, we would consider a voucher for a particular tool or support (e.g., a meal voucher or a voucher for a taxi) to satisfy the safe harbor’s in-kind requirement. However, consistent with our treatment of these issues in prior regulations,^[59] we consider debit cards, rebate checks, and most gift cards to be cash equivalents and not a protected form of in-kind remuneration under this safe harbor.

We are not, however, departing from OIG’s existing guidance regarding limited-use gift cards.^[60] Gift cards that can be redeemed only for certain categories of items (such as fuel-only gift cards redeemable at gas stations) could meet the in-kind requirement under this safe harbor. Gift cards meet the in-kind requirement only if their potential use is limited to certain categories of items or services that meet the conditions of the safe harbor. For instance, a gift card for a service that delivers the ingredients necessary for a healthy meal would meet the in-kind requirement and could be protected if the other conditions of the safe harbor are satisfied. Gift cards offered by large retailers or online vendors that sell a wide variety of items (e.g., big-box stores) could easily be diverted from their intended purpose or converted to cash; we would consider such gift cards to be cash equivalents and therefore not eligible for protection under this safe harbor.

Comment: A commenter posited that when gift cards are furnished to patients within the VBE context, the financial model of VBEs serves as an inherent safeguard against unnecessary and excessive utilization. The commenter asserted that when a VBE is financially at risk for improving outcomes, the VBE likely would not furnish gift cards to patients to drive unwarranted utilization and would be financially incentivized to encourage only beneficial utilization that improves health and helps manage the total cost of care.

Response: Although we recognize that VBEs assuming downside financial risk may have incentives to avoid offering tools and supports to beneficiaries that could drive medically unnecessary utilization, we are not, as discussed above, requiring VBE participants under this safe harbor to assume some degree of financial risk. We believe that some of the risks associated with fee-for-service payment systems—such as overutilization—may continue to exist in VBEs where VBE participants continue to be paid on a fee-for-service basis. Therefore, there is a risk that VBEs would furnish gift cards to patients to drive inappropriate utilization, but such conduct would not be protected by this safe harbor and may implicate the Federal anti-kickback statute.

Comment: Several commenters urged OIG to protect cash, cash equivalents, and gift cards under this safe harbor but to attach additional safe harbor conditions to such means of remuneration. For example, a commenter suggested that cash, cash equivalents, and gift cards should be protected as a reward for taking a particular action, but that remuneration should be provided only after a patient has taken the required action. Another commenter suggested that OIG protect cash, cash equivalents, and gift cards but impose a separate monetary cap that parallels OIG’s nominal value guidance. The commenter also urged OIG to consider requiring that any patient eligible to receive a cash or cash-equivalent incentive would need to be an “established patient” as defined in the local transportation safe harbor, paragraph 1001.952(bb).

Other safeguards recommended by commenters specific to cash, cash equivalents, and gift cards include: Prohibiting the advertising of rewards; tying incentives to outcomes associated with the prescribed course of treatment; a requirement that incentives cannot be utilized to generate business or otherwise promote the utilization of unnecessary or inappropriate items and services; limiting the use of such incentives to items that promote health and wellness, such as nutritious food, exercise equipment, or health monitoring and tracking devices; and requiring entities to have an evidence-based reason to believe that cash, cash equivalents, or gift cards can increase patient adherence to recommended medical guidance. A commenter suggested that retrospective evaluation and auditing could be used to identify any potentially fraudulent activity relating to cash, cash equivalents, and gift cards.

Response: We appreciate the commenters’ suggestions for additional safe harbor conditions specific to the provision of cash, cash equivalents, and gift cards. Based on longstanding program integrity concerns, the final safe harbor only protects in-kind remuneration to include limited types of gift cards as described further above. OIG historically has had significant concerns about providing protection for providers’ and other health care stakeholders’ offers of cash or cash equivalents to patients, and our oversight experience suggests that cash and cash-equivalent remuneration raises substantial fraud and abuse risks, including the potential for inappropriate utilization of medically unnecessary items and services and improper patient steering. OIG tailored the final safe harbor’s safeguards to in-kind tools and supports; therefore, it is not necessary to adopt additional conditions recommended by commenters specific to the provision of cash, cash equivalents, and gift cards.

Comment: Commenters noted that cash and cash equivalents are a useful way to address social determinants of health and noted that cash and cash equivalents could facilitate patient access to transportation, counseling and coaching, meal preparation, existing and emerging self-monitoring health technologies, and other supports that promote independence and positive health outcomes.

Response: We recognize that cash and cash equivalents may be a useful way to address social determinants of health. We remain concerned, however, for the reasons explained above, that cash or cash-equivalent remuneration to Federal health care program beneficiaries presents an elevated risk of fraud and abuse, and we are finalizing our proposal to protect only in-kind remuneration. Parties can structure a wide range of arrangements involving in-kind remuneration to address social determinants of health under the final safe harbor. For example, in lieu of cash, protected tools and supports could include vouchers or limited-use gift cards (e.g., to address transportation access to medical appointments to advance adherence to a followup care plan, a ride share voucher or gas card could be protected, provided all other safe harbor conditions are satisfied). Arrangements involving cash or cash equivalents used to address social determinants of health are not necessarily illegal; they would need to be evaluated under the anti-kickback statute on a case-by-case basis, including the intent of the parties.

Comment: A commenter asserted that expanding the safe harbor to protect gift cards, discount cards, and coupons toward future services would support the viability of smaller independent practices that operate in consolidated markets and are competing against hospitals and health systems.

Response: We appreciate the commenter’s concern regarding consolidation and the potential effects of our safe harbors on competition. This final safe harbor protects certain, limited categories of gift cards in accordance with OIG’s previous guidance on cash equivalents and limited-use gift cards. We note that discount cards and coupons may qualify as protected in-kind remuneration as long as the other conditions of this safe harbor are satisfied. We do not, however, intend for this safe harbor to protect waivers or reductions in patient cost-sharing obligations, as discussed below. For example, a coupon designed to cover only a patient’s cost-sharing obligation would not be protected by this safe harbor. We also note that to the extent parties wish to have safe harbor protection for any discounts offered to beneficiaries, they would need to comply with the terms of the discount safe harbor at paragraph 1001.952(h) in order to receive safe harbor protection. Finally, to the extent the commenter is referencing gift cards, discount cards, and coupons that would reward patients for seeking care, such arrangements may not satisfy the prohibition on marketing and patient recruitment at paragraph 1001.952(hh)(6).

Comment: A number of commenters offered general support for extending safe harbor protection to cash, cash equivalents, and gift cards provided to patients as rewards or incentives to promote various behaviors, including attending necessary appointments, adherence to a treatment regimen, or participation in a substance abuse treatment or behavioral modification program. Several commenters cited a body of research suggesting that cash incentives can be effective at improving patient engagement and adherence or behavioral modification. For example, a commenter cited behavioral economics research findings that even nominal amounts of cash or cash-equivalent remuneration can produce substantial improvements in overall health outcomes when used as an incentive to motivate patients to lead healthier lifestyles.

Commenters also noted that gift cards may be employed as rewards for healthy patient behaviors and activities in a number of other contexts, including pursuant to certain section 1115 waiver programs, some Medicaid managed care organizations, and programs or initiatives related to Medicaid Incentives for the Prevention of Chronic Diseases.

Response: In the OIG Proposed Rule, we solicited comments on including gift cards when they are provided to patients with certain conditions, such as substance abuse disorders and behavioral health conditions, as part of an evidence-based treatment program for the purpose of effecting behavioral change. We appreciate the responses from commenters and understand that incentives can effectively drive patient adherence to treatment programs, lead patients to follow healthier lifestyles, or effect other behavioral changes.

For example, we recognize that research shows that contingency management interventions are the most effective currently available treatment for stimulant use disorders. Substance use disorder treatment programs utilizing contingency management often involve payments to the patient in the form of the opportunity to earn vouchers, gift cards, or even, in some models, salaries in exchange for desired prosocial behaviors or meeting specified goals. We also understand and acknowledge that there is a growing problem with stimulant (e.g., cocaine and methamphetamine) co-use with opioids. Combatting the opioid epidemic, including ensuring that patients have access to effective treatment programs, has been a top priority for the Administration, the Department, and OIG. In addition, many treatments involving contingency management interventions have been developed over decades by scientists supported by the Federal government through the National Institutes of Health.

After weighing the potential benefits of contingency management and other programs designed to motivate beneficial behavioral change with the potential risks to program integrity—and understanding that many of these programs involve cash and cash-equivalent payments to patients—we are not expanding the patient engagement and support safe harbor to include cash and cash-equivalent payments offered as part of contingency management interventions or other programs to motivate beneficial behavioral changes. This does not mean that all such cash or cash-equivalent payments are unlawful, but they would be subject to case-by-case analysis under the Federal anti-kickback statute and Beneficiary Inducements CMP. In addition, we emphasize—as further discussed below—that in-kind remuneration and certain limited-use gift cards offered as part of contingency management interventions or other programs to motivate beneficial behavioral changes could receive protection under the patient engagement and support safe harbor if all safe harbor conditions are satisfied. Indeed, OIG’s final rule offers many opportunities for those treating patients for substance use disorders to improve the coordination and management of patient care through value-based arrangements between providers that band together to improve care, the provision of in-kind incentives to patients to motivate them to meet treatment goals, and broader flexibilities for transportation arrangements under the existing local transportation safe harbor, which would meet an identified need for patients in rural areas seeking treatment. While not all such arrangements implicate the fraud and abuse statutes, arrangements involving community recovery support systems such as clubhouses and peer-to-peer focused support services would have broader access to safe harbor protection under the final rule.

With respect to nominal amounts of cash or cash-equivalent remuneration mentioned by the commenter, we understand that some industry stakeholders believe OIG’s guidance permits cash and cash-equivalent incentive payments up to $75. This is a misunderstanding of OIG’s guidance. The Conference Committee report accompanying the enactment of the Beneficiary Inducements CMP expressed Congress’ intent that inexpensive gifts of nominal value be permitted.^[61] OIG has interpreted inexpensive gifts of nominal value to mean in-kind items and services with a retail value of no more than $15 per item or $75 in the aggregate per beneficiary on an annual basis.^[62] Gifts that implicate the Beneficiary Inducements CMP that exceed these dollar limits are not prohibited but are analyzed on a case-by-case basis for compliance under the statute. We highlight, however, that this nominal value guidance applies to the value of in-kind items and services, not to the value of incentive payments in the form of cash or cash equivalents. In other words, cash and cash-equivalent payments under $75 would not be covered by this guidance. Moreover, this guidance applies only with respect to the Beneficiary Inducements CMP and not to the Federal anti-kickback statute. Furthermore, we are aware that some industry stakeholders may be under a misimpression that OIG prohibits contingency management program incentives above $75. There is no OIG-imposed $75 limitation on contingency management program incentives. Rather, the Federal anti-kickback statute may constrain the ability of individuals or entities to offer contingency management program incentives of any value to Federal health care program beneficiaries, depending on the facts of the arrangement. Moreover, in-kind incentives above the $75 annual, aggregate limit, and all cash or cash-equivalent incentives regardless of the amount, must be analyzed on the basis of their specific facts for compliance with the Beneficiary Inducements CMP.

With respect to contingency management program incentives and other programs that offer incentives to motivate healthy behaviors—whether above or below $75 in value—we offer the following observations. In-kind remuneration in connection with such programs can fit in the patient engagement and support safe harbor if all safe harbor conditions are met (including the $500 annual cap). As further explained in this section, the final safe harbor protects certain limited-use gift cards that advance one or more of the enumerated goals at paragraph 1001.952(hh)(3)(vi) and meet other safe harbor conditions, including that the remuneration must have a direct connection to the coordination and management of care of the target patient population. To the extent that a program involves salary payments to a bona fide employee for services furnished by the employee, the payments might qualify under the existing safe harbor for employees at paragraph 1001.952(i).

If a contingency management incentive that implicates the Federal anti-kickback statute, Beneficiary Inducements CMP, or both does not satisfy an existing safe harbor or exception (as applicable), that does not mean that such incentive automatically violates the statutes and is illegal. Contingency management incentive arrangements that do not comply with a safe harbor must be analyzed on a case-by-case basis for compliance with the Federal anti-kickback statute and Beneficiary Inducements CMP. In addition, incentives that are included in a service covered by a Federal health care program (i.e., the coverage includes the incentive itself) would not implicate the Federal anti-kickback statute or the Beneficiary Inducements CMP, provided that the applicable billing and coverage rules are followed including collection of any applicable patient cost-sharing obligations. In addition, incentives offered as part of a CMS-sponsored model may qualify for protection under the new safe harbor at paragraph 1001.952(ii). Further, we are aware that some incentives may be provided pursuant to or in connection with other government-sponsored demonstrations or other government-sponsored programs (including studies initiated, organized, funded, and managed by the National Institutes of Health). Participation in and adherence to the requirements of such demonstrations or programs would be a relevant factor in assessing the intent of the parties and the risk posed by the arrangement.^[63] Incentives offered to commercially insured patients or uninsured patients would not implicate the statutes. Application of the statutes is discussed in further detail in sections II.B and II.C of this preamble.

With respect to incentives in the form of cash or cash equivalents, we are concerned about heightened fraud and abuse risk. As noted in the OIG Proposed Rule, OIG historically has had significant concerns with allowing providers and others to offer cash or cash equivalents to patients, and our oversight and enforcement experience suggests that cash incentives can result in medical identity theft and misuse of patients’ Medicare numbers, lead to inappropriate utilization (in the form of medically unnecessary items and services), and cause improper patient steering (including patients selecting a provider because the provider offers the most valuable incentives and not because of the quality of care the provider furnishes).^[64]

Moreover, in the area of substance use disorder treatment, OIG and its law enforcement partners have substantial enforcement experience that demonstrates the pervasiveness of fraud in treatment programs that serve neither the best interests of patients nor taxpayers. For example, OIG has participated in enforcement actions resulting from allegations of significant fraud by substance use disorder treatment facilities, or “sober homes,” that take advantage of individuals with substance abuse disorders.^[65]

We preclude cash or cash equivalents from protection under this safe harbor in recognition of the critical need to protect vulnerable patients from fraud. That said, as stated above, arrangements involving cash or cash equivalents used to promote adherence or healthy behavior modification do not necessarily violate the Federal anti-kickback statute; they would need to be evaluated under the anti-kickback statute on a case-by-case basis, including the intent of the parties. Parties may seek an OIG advisory opinion if they want assurance that their arrangement(s) comply with the statutes or would not be subject to OIG administrative enforcement sanctions, but having an advisory opinion is not mandatory. Declining to seek an OIG advisory opinion is not evidence that parties have improper intent under the Federal anti-kickback statute.

As stated above, in-kind incentives in connection with contingency management or other motivational programs can fit in the final safe harbor if all conditions are met. We note that offering incentives to patients as a reward for accessing care may not satisfy the prohibition on marketing and patient recruitment at paragraph 1001.952(hh)(6), depending on the facts and circumstances. We also emphasize that remuneration offered as a reward or incentive is not protected if it results in a beneficiary being furnished medically unnecessary care or inappropriate items or services reimbursed by a Federal health program, pursuant to the condition at paragraph 1001.952(hh)(3)(iv).

Finally, to the extent that existing safe harbors might not address all facets of contingency management incentive programs, we are considering addressing them in future rulemaking.

Comment: A commenter urged OIG to consider extending safe harbor protection to benefits such as direct payments from a provider to utility companies and the direct provision of technology (e.g., electronic scales and tablets to provide continuing condition-specific education).

Response: Because the beneficiary does not directly receive cash or cash-equivalent remuneration, we consider the specific examples provided by the commenter to be in-kind remuneration, which may be protected by this safe harbor if the other conditions of the safe harbor are satisfied.

Comment: A commenter observed that Congress has recognized the value of providing incentive payments to patients in allowing Accountable Care Organizations (ACOs) participating in the Medicare Shared Savings Program to make payments to patients who receive qualifying primary care services from providers participating in those ACOs.

Response: We recognize that the ACO Beneficiary Incentive Program, which is administered by CMS as part of the Medicare Shared Savings Program, allows an ACO to make incentive payments to beneficiaries of up to $20 per qualifying service as an incentive to encourage utilization of medically necessary primary care services if certain eligibility, recordkeeping, and notification requirements are met. Nothing in the new patient engagement and support safe harbor would prevent ACOs from continuing to participate in that program or from structuring ACO Beneficiary Incentive Payment programs to satisfy the requirements of the new safe harbor set forth at paragraph 1001.952(kk), which protects payments under the ACO Beneficiary Incentive Program. Although we are not protecting similar incentives in this safe harbor, this decision does not reflect the programmatic value of the ACO Beneficiary Incentives.

The patient engagement and support safe harbor will protect tools and supports furnished outside of the context of a program administered and monitored by CMS. Without that programmatic oversight, we believe the safeguards in this final rule, including limiting safe harbor protection to in-kind remuneration, are appropriate and necessary to protect Federal health care programs and beneficiaries from harms associated with fraud and abuse.

Comment: A commenter urged OIG to update its 2016 Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries to revise its interpretation of “nominal value” from $15 per instance to $20 per instance, and from $75 in the aggregate per year to $100 in the aggregate per year.

Response: We decline commenter’s request to update our guidance on “nominal value” ^[66] in this rulemaking. We note that our nominal value guidance focuses only on OIG’s Beneficiary Inducements CMP authorities, and not the anti-kickback statute.

iii. Waiver or Reduction of Cost-Sharing Obligations

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we sought comments on a variety of issues relating to potential safe harbor protection for waivers or reductions of patient cost-sharing obligations in different circumstances, including waivers or reductions of patient cost-sharing in the context of the proposed value-based framework. We also noted that the requirements related to cost-sharing in the Medicare and Medicaid programs are a programmatic matter; cost-sharing is required pursuant to statute, regulations, and other rules set forth by CMS and state Medicaid programs.

Summary of Final Rule: We are not finalizing a condition to protect cost-sharing waivers or reductions under this safe harbor.

Comment: Many commenters expressed support for protecting waivers of beneficiary cost-sharing obligations for remote patient monitoring, chronic care management, digital technologies that include care coordination functionality, and other care coordination services. A commenter argued that both patients and Federal health care programs benefit from waiving cost-sharing requirements for these items and services because reducing barriers to accessing preventive care can improve health outcomes for patients while also ensuring efficient use of taxpayer resources. Commenters also asserted that cost-sharing obligations can serve as a significant barrier to patient access for these and other care coordination items and services, and that providers’ concerns regarding patients’ fulfilling cost-sharing obligations could discourage providers from even offering these services. A commenter pointed out that protecting cost-sharing waivers could give flexibility to certain manufacturers to structure rewards programs that could incentivize patient behavior that may improve health outcomes, such as treatment adherence. One commenter noted that waivers of cost-sharing obligations are less prone to abuse than providing cash to patients but posited that waivers can still lead to undesirable effects such as cherry-picking and patient steering.

Commenters also noted that collecting cost-sharing amounts may be administratively burdensome for providers, and for certain items and services the cost of collection often exceeds the cost-sharing amount to be collected. In order to address this issue, a commenter recommended that OIG protect waivers of cost-sharing amounts when the amount owed by the beneficiary is nominal, similar to OIG’s Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries, or that OIG amend its interpretation of “reasonable collection efforts” under section 1128A(i)(6)(A)(iii)(II) of the Act so that these collection efforts do not include situations where the cost of collection by the provider exceeds the cost-sharing amount that the provider would potentially collect.

Commenters also urged OIG to implement safe harbor protection for waivers or reductions of other types of cost-sharing obligations, including cost-sharing for services furnished through patient-centered medical homes and patient-centered specialty practices, such as visits that promote medication adherence, preventive care, and kidney disease education. A commenter suggested that OIG should protect full or partial cost-sharing waivers where care coordination arrangements result in cost savings to the health care system, which would allow patients to share in savings resulting from compliance with disease management or treatment programs.

A number of commenters urged OIG to protect waivers of IHS beneficiaries’ cost-sharing obligations for items and services furnished by Indian health programs, noting that the imposition of cost-sharing obligations can be a barrier to care coordination for those patients.

Response: Cost-sharing waivers, or other tools and supports designed to effectuate a waiver of beneficiary cost-sharing, are not protected under the final patient engagement and support safe harbor. We appreciate commenters’ suggestions regarding potential safe harbor protection for waivers or reductions of certain cost-sharing obligations, particularly in the context of value-based care and coordination of care. However, for a number of reasons we are not convinced that a safe harbor promulgated by OIG through regulation would be the appropriate mechanism to protect the waiver or reduction of a programmatic requirement. As we stated in the OIG Proposed Rule, beneficiary cost-sharing obligations are a programmatic requirement, and we do not believe it would be appropriate to broadly protect cost-sharing waivers that could obviate a programmatic requirement created by statute to the extent requested by commenters. On several occasions, Congress has enacted limited and individualized statutory protection for cost-sharing waivers. For example, Congress enacted an exception to the anti-kickback statute that allows pharmacies to waive Medicare Part D cost-sharing under certain conditions, and we have promulgated corresponding, implementing regulations.^[67]

In addition, commenters requested OIG provide safe harbor protection for the waiver of beneficiary cost-sharing for certain items and services (e.g., remote patient monitoring, chronic care management, digital technologies that include care coordination functionality, and other care coordination services). We do not think it would be appropriate or feasible for this rule to make distinctions regarding cost-sharing waivers based on particular categories of services. We do not discern a reasonable basis for making such distinctions. We note that longstanding OIG guidance allows for waivers of cost-sharing amounts based on individualized, good faith determinations of financial need.

In the OIG Proposed Rule, we stated that we were considering protecting cost-sharing waivers for certain specified services (e.g., care management services). We are not adopting the commenter’s recommendation to waive nominal cost sharing amounts. As discussed above, we do not view a safe harbor to the Federal anti-kickback statute as an appropriate vehicle to address programmatic rules related to beneficiary cost sharing.

In addition, we did not propose to amend our interpretation of “reasonable collection efforts” under section 1128A(i)(6)(A)(iii)(II) of the Act and decline to do so in this final rule.

iv. Social Determinants of Health

Summary of OIG Proposed Rule: For reasons described in the OIG Proposed Rule, including the connection of social determinants to health outcomes and costs,^[68] we proposed to protect at paragraph 1001.952(hh)(3)(i) an in-kind item, good, or service such as, among others, supports or services designed to identify and address a patient’s social determinants of health. In the OIG Proposed Rule, we cited the existence of substantial evidence that “unmet social needs” related to social determinants of health such as transportation, nutrition, and safe housing play a critical role in health outcomes and expenditures,^[69] two key policy goals of this rulemaking. We sought comment on which social determinants are most crucial to improving care coordination and transitioning to value-based care and payment.^[70] We also sought comments on how or whether to protect tools and supports designed to address social determinants of health, including whether to make distinctions among various categories of social determinants or to list specific permissible tools and supports.

Summary of Final Rule: We are finalizing, with modifications, paragraph 1001.952(hh)(3)(i). The modifications remove the illustrative example related to social determinants of health from paragraph 1001.952(hh)(3)(i). Notwithstanding, the final rule at paragraph 1001.952(hh) protects in-kind tools and supports that identify and address a patient’s social determinants of health, provided that the tools and supports otherwise meet all applicable safe harbor conditions, including, among others, the $500 annual cap, the requirement for a direct connection to the coordination and management of the care of the target patient population, the requirement that the tool or support is recommended by the patient’s licensed health care professional, and the requirement that the tool or support advances at least one of the enumerated goals set forth at paragraph (hh)(3)(vi) of the final rule. The five enumerated goals ensure that protected tools and supports have a close nexus to care coordination, quality of care, and health outcomes for patients.

As with health-related technology and patient health-related monitoring tools and services, we are no longer including the specific example of tools and supports that identify and address social determinants of health in the final paragraph 1001.952(hh)(3)(i). Explicitly listing illustrative categories of protected remuneration is not necessary to effectuate the policy set out in the proposed rule that these categories and other types of tools and supports can be protected if all safe harbor conditions are met. This change ensures the final rule does not inappropriately limit the type or range of in-kind tools and supports that could be protected by this safe harbor. This will allow the licensed health care professional to determine the specific type of tool or support that works best for the patient, as long as all conditions of the safe harbor are met.

Comment: Numerous commenters urged us to extend explicit safe harbor protection to address various social determinants of health, focusing primarily on tools and supports to address food insecurity, housing instability, and transportation needs. Commenters also noted that identifying and addressing patients’ social determinants of health through patient engagement tools and preventive care items will allow entities to improve patient outcomes while also reducing health care costs.

Response: We agree that these types of tools and supports have the potential to improve patient outcomes while producing savings to Federal health care programs and patients. Tools and supports to address the categories of social determinants cited by the commenters may be eligible for safe harbor protection if they meet all safe harbor conditions including, among others, one of the safe harbor’s enumerated goals at paragraph 1001.952(hh)(3)(vi). For examples of how the safe harbor could protect tools and supports that identify and address social determinants of health, we refer readers to the response directly below. We are finalizing this safe harbor without including tools and supports designed to identify and address social determinants of health as an example of protected remuneration in the regulatory text. This change will ensure the final rule avoids inadvertently constraining the types or categories of in-kind tools and supports protected by this safe harbor in order to foster beneficial innovation.

Comment: We received a number of comments addressing the question of how to define social determinants of health and related tools and supports for the purpose of this new safe harbor. Many commenters urged us not to specify permissible tools and supports, but instead to adopt a flexible approach. Other commenters requested OIG provide a nonexclusive and nonexhaustive list illustrative of the types of permissible tools and supports that could receive protection under the safe harbor, indicating that such a list would provide clarity to the industry regarding the scope of tools and supports this safe harbor would protect without limiting flexibility and innovation. Another commenter sought clarification regarding how to interpret our proposed protection for tools and supports that address social determinants of health and other items and services such as preventive care items and services and health-related technology, including how to interpret the list of illustrative examples we provided in the preamble.

Commenters provided examples of a wide range of categories of social determinants of health and the tools and supports that commenters argued should be protected under this safe harbor, which they consider most crucial to improving coordination and management of care and transitioning to value-based care and payment. The social determinants of health—and tools and supports to address such social determinants of health—cited by commenters include food insecurity, housing instability, transportation, nutrition education, supervised exercise, fitness training programs, household or vehicle modifications to promote mobility and independence, addiction recovery programs, mental health programs, payment of utility bills, and supports related to interpersonal violence.

Some commenters offered extensive lists of social determinants of health relevant to specific health issues, such as determinants that impact musculoskeletal care or chronic diseases. Another commenter urged OIG to use the framework developed by the Kaiser Family Foundation to make distinctions among categories of social determinants using the following categories: (i) Economic stability; (ii) neighborhood and physical environment; (iii) food; (iv) community and social context; and (v) health care system. Another commenter suggested OIG reference services offered as supplemental benefits within Medicare Advantage as well as the special supplemental benefits for the chronically ill included in the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act.

Response: We appreciate commenters’ suggestions regarding how best to identify and protect categories of social determinants of health and related tools and supports that should be protected under this safe harbor. We agree with the concern that an exclusive list of protected tools or supports in regulatory text could inappropriately constrain entities from offering the most useful types of tools and supports, and a rigid definition of social determinants of health could limit innovation related to tools and supports that may be protected by this final rule, if all conditions of the safe harbor are met. We are not providing a specific definition of “social determinants of health” for the purpose of this final rule, as one is not needed, nor are we providing an exclusive list of the types of tools and support that will receive safe harbor protection. We agree with the commenters that recommended flexibility.

We offer below illustrative, but not exhaustive, examples of tools and supports related to identifying and addressing patients’ needs related to social determinants of health that may qualify under the safe harbor if all safe harbor conditions are met. We provide this list of representative tools and supports to readers to explain our interpretation of the safe harbor; we emphasize that this list is neither exhaustive nor does it point to the Government’s view of the effectiveness of the listed examples. Furthermore, we remind readers that the safe harbor is specifically focused on the coordination and management of patient care. There are other important aspects of addressing social determinants of health that are not covered by this rulemaking because they do not relate to the coordination and management of patient care. In some cases, other safe harbors such as the local transportation safe harbor, or other exceptions to the Beneficiary Inducements CMP, such as the financial-need-based exception and the promote access to care exception (both found at paragraph 1003.110), may be available for incentives that address patients’ needs related to social determinants of health.^[71] OIG’s advisory opinion process is also available, and OIG has issued several advisory opinions addressing areas such as nutrition, lodging, and transportation.

Illustrative examples of tools and supports related to social determinants of care that could be structured to fit in the safe harbor, depending on the facts and circumstances, include the following: Provision of in-kind transportation, such as transit vouchers or rideshares organized by the VBE participant; home modifications such as grab bars, air filters or purifiers, and other physical or structural modifications that allow patients to live safely at home; temporary housing for an individual experiencing homelessness or living far from a hospital following a surgical discharge; providing broadband access to a patient to enable remote patient monitoring or virtual care; grocery or meal delivery services, nutrition supplements, and nutrition education; exercise or fitness programs or equipment; vehicle modifications; incentives as part of addiction recovery programs, including peer-to-peer programs and contingency management programs; incentives as part of mental health programs; and supports related to interpersonal violence. For each of the preceding examples, all safe harbor conditions would need to be met, including that the tool or support advances one of the goals enumerated in paragraph 1001.952(hh)(3)(vi).

In contrast, some tools and supports that could help address needs related to social determinants of health would be very unlikely to fit in the safe harbor. For example, tools and supports related to finding employment or housing-related tools and supports of a routine nature, such as routine or ongoing rent or utility payments, are unlikely to meet the requirements that they be directly related to coordination and management of patient care, be recommended by the patient’s licensed health care professional, and advance an enumerated goal at paragraph 1001.952(hh)(3)(vi).

We emphasize that the changes to the regulatory text ensure this final rule is agnostic about the specific types of in-kind tools or supports protected by this safe harbor. This will give licensed health care professionals flexibility to determine and recommend the tool or support that would best address a patient’s social determinants of health to foster coordination and management of patient care.

Comment: A commenter urged OIG to identify an additional goal under paragraph 1001.952(hh)(3)(vi) for “management of activities of daily living,” to clarify that tools and supports may be protected if used to address social determinants of health.

Response: We are not adopting this suggestion. As explained above, in-kind tools and supports used to address social determinants of health may be protected by the safe harbor if they meet all safe harbor conditions. Depending on the specific facts and circumstances, in-kind tools and supports for the management of activities of daily living could meet several of the enumerated goals in paragraph (hh)(3)(vi) including, for example, goals related to adherence to a followup treatment plan, prevention or management of a disease or condition, and ensuring patient safety. Such tools and supports would need to meet all other safe harbor conditions as well. The goals proposed in the OIG Proposed Rule and finalized in paragraph 1001.952(hh)(3)(vi) are intended to have a close nexus to the coordination and management of patient care. Ensuring that beneficiaries have the support they need to manage activities of daily living is critically important. However, for purposes of this safe harbor, a separate goal related to “management of activities of daily living” would not have the same close nexus.

We note that nothing in this rule alters any existing program rules or benefits available to support activities of daily living.

In particular, some health care benefits, such as long-term care services covered by Medicaid, utilize assessments of activities of daily living to determine the appropriate level of care for a patient. This safe harbor does not affect those rules. Additionally, some long-term care benefits may also provide coverage for items or services to help manage a patient’s activities of daily living that are similar or the same as the tools and supports protected by this safe harbor. Consistent with the discussion in section III.B.6.l on cost-shifting, if a provider furnishes covered items or services that are covered by a Federal health care program and billed following normal rules, the provision of those items or services alone would not implicate the Federal anti-kickback statute.

v. Health-Related Technology and Patient Monitoring

Summary of OIG Proposed Rule: Proposed paragraph 1001.952(hh)(3)(i) included health-related technology and patient health-related monitoring tools and services as examples of permissible tools and supports.

Summary of Final Rule: We are not finalizing our proposal to include these examples in regulatory text. Paragraph 1001.952(hh)(3)(i) simply requires an in-kind item, good, or service, without qualifiers or examples. We confirm that health-related technology and patient health-related monitoring tools and supports can be protected remuneration if all safe harbor conditions are met.

Comment: Commenters were encouraged that the OIG Proposed Rule recognized wearable monitoring devices as “health-related technology and patient health-related monitoring tools and services” that were potentially protected tools and supports, noting the power of such technologies in managing chronic illness and promoting patient adherence. A commenter asked OIG to consider how to ensure that the safe harbor does not stifle innovative health care provider arrangements for care coordination implemented via remote patient monitoring. The same commenter urged OIG to reexamine what constitutes an inducement and help health care stakeholders better understand these regulations by offering FAQs, guidance, or web-based access to additional information.

Response: As noted above in the discussion relating to preventive care, we have simplified the safe harbor language to reflect the breadth of protected categories of remuneration. Accordingly, the safe harbor no longer specifically references health-related monitoring tools and services but instead requires that tools or supports are in the form of an in-kind item, good, or service that meets the other requirements of the safe harbor. This revision is in no way intended to limit the scope of remuneration protected by the safe harbor to exclude or otherwise limit health-related technology; rather, we intend the new text at paragraph 1001.952(hh)(3)(i) to reflect the breadth of tools and supports eligible for protection under the safe harbor.

We believe the safe harbor, including this broadened language, will expand opportunities for innovation in how industry stakeholders engage and support patients, including arrangements involving remote patient monitoring. For instance, tools such as connected scales or blood pressure monitors that track and transmit data to a patient’s licensed health care professional, or applications that allow a patient’s mobile devices to monitor activity or other health data, could be protected, if all other conditions of the safe harbor are satisfied.

Comment: Commenters sought clarification as to how telehealth tools and supports fit within the category of health-related technology. In particular, a commenter asked whether the new patient engagement and support safe harbor may be used to protect the provision of non-device-based telehealth platforms and aggregators. Another commenter urged OIG to clarify that, as a general matter, multifunction equipment could comply with the Federal anti-kickback statute through a safe harbor and exception to the Beneficiary Inducements CMP.

Response: In-kind telehealth supports can be protected under this safe harbor if the provision of such supports satisfies all of the safe harbor’s conditions.^[72] For instance, a smartphone that facilitates telehealth services with a patient’s licensed health care professional, or a platform or software that facilitates telehealth services, may be a protected form of remuneration under this safe harbor if all safe harbor conditions are satisfied. The commenter’s request for additional OIG guidance on whether the provision of multifunctional equipment would implicate the Federal anti-kickback statute and Beneficiary Inducements CMP is a fact-specific inquiry. Tools and supports that may be protected by this safe harbor could include multifunctional equipment, as long as the tool or support advances one of the enumerated goals at paragraph 1001.952(hh)(3)(vi).

Comment: A commenter urged that patient communication and counseling services are aligned with the spirit of the proposed safe harbor and requested confirmation that these services constitute patient health-related monitoring tools and services.

Response: We agree that patient communication and counseling services may qualify as protected in-kind remuneration if the conditions of the safe harbor are satisfied.

vi. Not Duplicative

Summary of OIG Proposed Rule: We solicited comments on whether to require the VBE participant to confirm that the tool or support is not duplicative of, or substantially the same as, tools and services the patient already has.

Summary of Final Rule: We are not finalizing this condition.

Comment: A commenter supported requiring the patient to confirm that the tool or support is not duplicative of something already owned by the patient. A commenter stated that restrictions related to providing duplicative tools or services that the patient already has are unnecessary in light of the proposed safe harbor requirement prohibiting the sale or diversion of the item or service. Moreover, some commenters stated that this type of requirement would prove difficult to implement because even if a patient has a similar device or service, it does not mean that it has enough or the correct technology to accomplish the VBE’s or VBE participant’s care objectives and goals. Some commenters stated that this condition would be difficult to interpret and enforce, and some commenters asserted that the provision of duplicative tools and supports would be unlikely to result in patient inducement. Another commenter highlighted concern related to any such condition’s intersection with providing updated or upgraded tools and supports that might technically duplicate tools and supports to which a patient already has access. A commenter asked what would be considered duplicative or substantially the same, asking specifically whether an updated smartphone to support the use of a monitoring application would be duplicative if a patient already owns a cell phone. The same commenter also inquired whether providing other updated technology—such as a newer version of a patient’s glucose monitor—would be considered duplicative.

A commenter stated that OIG should not require confirmation that the tools and supports provided to a patient are not duplicative of, or substantially the same as, tools and supports the patient already has, which the commenter believed fails to recognize that VBE participants may want to rely on the safe harbor to test the effectiveness of a particular tool or support.

Response: In this final rule, we are not adopting a requirement that a VBE participant confirm that a tool or support is not duplicative of, or substantially the same as, tools or supports the patient already has. We appreciate the concerns raised by commenters regarding the practical challenges in implementing this requirement, including that it is difficult to determine which tools or supports would be considered duplicative.

However, tools or supports that are duplicative of items or services that a patient already owns or has access to may not advance one of the goals listed at paragraph 1001.952(hh)(3)(vi) and therefore may not be eligible for safe harbor protection. For example, providing a patient with a new smartphone would not necessarily advance any of the enumerated goals if the patient already has a cell phone with sufficient functionality. For instance, the licensed health care professional’s recommendation of a smartphone to transmit medication adherence reminders may not advance the patient’s adherence to a drug regimen if the identified need for the smartphone—to transmit medication adherence reminders—is already achievable with the patient’s existing cell phone. On the other hand, provision of a smartphone could promote adherence to a treatment regimen determined by the patient’s licensed health care professional (pursuant to the goal listed at paragraph 1001.952(hh)(3)(vi)(A)) if, for example, the new smartphone adds functionality needed for remote monitoring that is not available on the patient’s existing cell phone.

In response to the comment regarding using the patient engagement and support safe harbor to test the effectiveness of tools or supports, the safe harbor protects remuneration that advances one or more of the enumerated goals under paragraph 1001.952(hh)(3)(vi). While protection under this safe harbor is not conditional on achieving one or more of these enumerated goals, a tool or support would not be eligible for safe harbor protection without a reasonable basis that it would advance at least one of the enumerated goals. The requirement to advance one or more of the listed goals means, at a minimum, that the VBE participant reasonably expects the tool or support to be effective in advancing a goal.

g. Marketing and Patient Recruitment

Summary of OIG Proposed Rule: We proposed a condition at proposed paragraph 1001.952(hh)(3)(iv) that would exclude from safe harbor protection tools or supports used for patient recruitment or marketing of items or services to patients. Separately, we sought comment on whether to include a condition that would prohibit advertising of the patient engagement tools or supports offered by a VBE participant. We solicited comments on how best to preclude using tools and supports as a marketing or advertising strategy to recruit patients or otherwise influence referral sources, patients or otherwise, while still permitting beneficial educational efforts and activities that promote patient awareness of care coordination activities and available tools and supports.

Summary of Final Rule: We are finalizing, with modifications, the proposed condition at paragraph 1001.952(hh)(6). Under the final rule, neither the VBE participant, nor an eligible agent of the VBE participant, may use the patient engagement tools or supports to market other reimbursable items or services or for patient recruitment purposes. The final safe harbor condition clarifies the limitation on marketing and patient recruitment consistent with our intent in the OIG Proposed Rule to preclude protection of tools and supports used solely for patient recruitment purposes or used to market other reimbursable items and services to patients. The final condition clarifies that the marketing prohibition only applies with respect to the marketing of items and services reimbursable by Federal health care programs. Providing remuneration to patients in order to market items or services not reimbursable by Federal health care programs is unlikely to implicate the anti-kickback statute and therefore would not need safe harbor protection. As discussed further below, this condition does not preclude a VBE participant from educating patients, such as providing objective patient educational materials to a patient or engaging in objective patient informational activities with respect to patients in the target population.

Comment: Commenters generally supported our proposed prohibitions on marketing and patient recruitment but urged OIG to clarify that certain activities would not be prohibited, such as providing education and information to established patients or members of the target patient population about available resources, tools, and supports. For example, a commenter suggested that a health care facility operating an onsite food pantry should be able to post basic information, such as the food pantry’s hours of operation, to ensure patient access. Another indicated that providers should be able to educate beneficiaries about how to access care and to increase awareness and utilization of services by describing available tools and supports on a provider’s website or by offering free marketing items such as refrigerator magnets, stickers, and notepads.

Other commenters opposed these conditions altogether or requested that we clarify the delineations between prohibited marketing, advertising, and patient recruitment as opposed to permissible patient education and awareness activities. Commenters warned that dissemination of information to patients and their providers is necessary for patients to achieve the health benefits intended by a particular patient engagement program. A commenter added that restricting advertising requires providers to determine which patients may benefit from available resources, rather than empowering patients to self-identify whether they may benefit from a given tool or support.

Response: We agree with the commenters who supported conditions relating to marketing and patient recruitment, and we are finalizing these concepts in a revised safe harbor condition at paragraph 1001.952(hh)(6). The patient engagement and support safe harbor does not protect the provision of tools or supports if the VBE participant uses the tools or supports to market other reimbursable items or services or for patient recruitment purposes. As noted in the proposed rule, the proposed condition was designed to preclude a VBE using a tool or support to market other reimbursable items and services, or using a tool for patient recruitment while permitting beneficial educational efforts and activities that promote patient awareness of care coordination activities and available tools and supports. We do not intend to protect tools or supports that serve solely as patient recruitment incentives.^[73]

This condition does not preclude providers from educating their patients or otherwise providing information about available tools and supports to established patients. In other words, this condition does not limit providers from offering objective information, education, and reminders to their patients, nor does it limit providers from offering tools and supports designed to educate patients and increase awareness and utilization of appropriate services.

As an example, the following activity would not violate this condition: A physician VBE participant informs a patient with asthma that clean air in the home is important for keeping asthma symptoms under control. The physician explains that clean air conditioning filters and other air purifying machines are important for keeping the air in a home clean and healthy. The physician informs the patient that the VBE has a program to provide air filters, and the patient may be eligible to receive free air filters provided by the physician.

However, the safe harbor does not protect a tool or support if used to recruit patients or used to market other reimbursable items or services. This condition protects against abusive marketing schemes where the patients are inappropriately induced to select providers or use items or services because they are being provided with free or low-cost tools and supports. Importantly, the patient engagement and support safe harbor protects the provision of tools and supports to patients; it does not protect any marketing, advertising, or patient recruitment arrangements.

As with the care coordination arrangements safe harbor’s marketing and patient recruitment provision discussed in section III.B.3.j we use the terms marketing (e.g., promoting or selling something), recruitment (e.g., enlisting someone to do something), and education (e.g., informing, instructing, or teaching) in accordance with their common sense meanings. Additionally, we consider “advertising” to be a subset of “marketing,” so the prohibition of using tools or supports to market other reimbursable items or services also prohibits advertising. This approach best allows flexibility for VBE participants to engage in appropriate educational efforts. We offer illustrative examples in response to comments to aid stakeholders in applying the safe harbor provision.

For example, a VBE participant could operate a non-billable diabetes remote monitoring program to help patients manage their diabetes and coordinate their care. As part of the program, the VBE participant offers patients with diabetes a free tablet to facilitate the remote monitoring program. Should the VBE participant seek to protect the tablet under this safe harbor, it would need to satisfy the marketing and patient recruitment condition at paragraph 1001.952(hh)(6). To illustrate the scope of this condition, we offer the following examples of educational activities that would comply with this condition. First, the VBE participant may counsel a patient with diabetes about the benefits of the non-billable remote monitoring program and explain that such program includes a free tablet to facilitate the program. Second, the VBE may explain that the tablet is used to convey information such as nutritional information, recipes, wellness tips, and appointment reminders. In these illustrative examples, the VBE participant is not using the tablet to market other reimbursable items or services or for patient recruitment.

By contrast, if the VBE participant uses the tablet to send patients text messages and notifications to induce them to obtain tests, equipment, supplies, or other reimbursable items and services, the condition at paragraph 1001.952(hh)(6) would not be satisfied; the VBE participant is using the tool and support (the tablet) to market other reimbursable items and services. Similarly, if the VBE participant advertises that patients will receive a free tablet if they register for the remote monitoring program and receive services, the VBE participant is using the tool and support to recruit patients and the provision of the tablet does not qualify for safe harbor protection. It would be the same result if the VBE participant used the provision of the tablet to market other reimbursable services or recruit patients through door-to-door marketing, telephone solicitations, direct mailings, or through sales pitches masquerading as “informational” sessions.

In response to commenters, we clarify that notification to an entire target patient population about the availability of tools and supports does not necessarily raise concerns under this condition. Whether a notification to an entire patient population satisfies this condition would require a highly fact-specific assessment. For example, if a physician used an announcement to an entire target patient population about the availability of free air conditioning filters if those patients come in for an office visit (e.g., as an inducement to attract patients to schedule an appointment billable to a Federal health care program), that would constitute prohibited marketing or patient recruitment, even if the announcement also had an educational purpose. In contrast, if the announcement provided information on the need for asthma patients to ensure the air in the home is clean and to contact the physician for further information, that type of notification would not violate this condition. Again, we highlight that whether any particular communication satisfies this marketing condition would require a highly fact-specific assessment.

Among the examples described by the commenters, a hospital posting general information such as the hours of operation of its food pantry to make patients aware of when the food pantry is open and enhance patient access would not run afoul of this condition. Providing free marketing items as described by a commenter such as refrigerator magnets, stickers, and notepads likely would not be protected by this safe harbor for multiple reasons. If provided for the purpose of marketing or patient recruitment, such items would not meet this condition. Furthermore, these items are unlikely to advance one of the enumerated goals at paragraph 1001.952(hh)(3)(vi) or have a direct connection to the coordination and management of care of the target patient population.^[74]

In response to the commenter who asserted that restricting advertising requires providers to determine which patients may benefit from available resources, rather than empowering patients to self-identify whether they may benefit from a given tool or support, we note that this condition is intended to preserve patient choice and protect vulnerable patients from the undue influence of coercive marketing. We also remind readers that any protected tool or support must satisfy the other conditions of the safe harbor as well, including that the patient engagement tool or support is recommended by the patient’s licensed health care professional and advances one or more of the goals enumerated in the safe harbor. The protections in the safe harbor are designed to emphasize the patient’s relationship with their provider in developing plans for treatment and care and the appropriate provision of tools and supports. Consequently, the final safe harbor preserves patient choice and empowerment by relying on close communication and collaboration between patient and provider.

A prohibition on marketing and patient recruitment serves as an important protection against inappropriate patient steering and overutilization of federally reimbursable items and services. Our enforcement experience demonstrates that using tools and supports to recruit patients or to otherwise market reimbursable items and services presents a risk of harms associated with fraud and abuse (e.g., overutilization, provision of unnecessary services to patients, and theft of patient’s medical identity information).

We highlight that this prohibition extends to eligible agents of the VBE participant. More specifically, to qualify for safe harbor protection, neither the VBE participant nor any eligible agent may exchange or use the patient engagement tools or supports to market other reimbursable items or services or for patient recruitment purposes. Under paragraph 1001.952(hh)(2), the patient engagement tool or support may be furnished directly to the patient (or the patient’s caregiver, family member, or other individual acting on the patient’s behalf) by a VBE participant that is a party to the value-based arrangement or its eligible agent. The modification of the marketing and patient recruitment prohibition in paragraph 1001.952(hh)(6) reflects the changes to paragraph 1001.952(hh)(2) related to eligible agents. The marketing and patient recruitment prohibition applies equally to the VBE participant and to the eligible agent that may be furnishing the tool or support as an agent of the VBE participant. For example, this final rule precludes safe harbor protection for tools and supports used by a patient recruiter to induce or recruit beneficiaries to receive items or services reimbursed by a Federal health care program.

Comment: A commenter warned that an overly broad limit on advertising could be a barrier to providers giving basic information to patients. The commenter noted that OIG recognized this risk by limiting the scope of its advertising prohibition in the local transportation safe harbor, which explicitly allows posting shuttle route and schedule details.

Response: First, we remind readers that arrangements need not have safe harbor protection to be lawful, and we observe that many health care entities lawfully provide basic information to patients (which may not even implicate the Federal anti-kickback statute) and even market services without the benefit of a safe harbor. Second, we believe the final prohibition on marketing and patient recruitment is not overly broad. It prohibits using patient engagement tools and supports to market other reimbursable items and services or for patient recruitment. It does not limit providers giving basic information directly to their patients; indeed, as explained above, many types of basic information would not even implicate the Federal anti-kickback statute (e.g., appointment reminders and mailings explaining the best hygiene practices to prevent influenza).

As the commenter states, the local transportation safe harbor provides protection for a shuttle service that is not marketed or advertised (other than posting necessary route and schedule details). We do not believe a specific exception, similar to the route and schedule details exception included in the shuttle services provision of the local transportation safe harbor, is needed in the patient engagement and support safe harbor, nor would such an exception be feasible to address the wide range of tools and supports potentially protected by this safe harbor. The final safe harbor’s condition related to marketing and patient recruitment does not prohibit a VBE participant from providing basic information relating to available patient engagement tools and supports to patients.

For example, a hospital that also runs a food pantry could post the hours of operation of a food pantry. In contrast, should the hospital conduct a general advertisement to the public indicating, for example, that it has a free food program available to patients with diabetes (the target patient population) who come to the hospital to receive services, providing the support in the form of the free food program would fail to satisfy this condition and would not be protected by this safe harbor.

We emphasize that the provision of tools and supports to Federal health care program beneficiaries by certain entities (which could be VBE participants consistent with revisions made by this final rule)—such as a social services agency that does not bill Federal health care programs—would not implicate the Federal anti-kickback statute and, consequently, would not require safe harbor protection.^[75] Therefore, such entities would not be subject to this marketing and patient recruitment condition.

Comment: A commenter urged OIG to ensure that the safe harbor allows sufficient flexibility to inform patients of the types of interventions designed to address social determinants of health that the VBE participant offers to support patients in achieving improved health outcomes and to furnish the best possible patient care. The commenter highlighted that in the context of tools and supports designed to address unmet social needs, patients may be reticent to self-identify absent appropriate outreach and advertising due to potential social stigmas associated with such needs. A commenter stated that a safe harbor condition prohibiting advertising could: (i) Reduce the ability of patients and providers to make fully informed decisions; (ii) lower the number of patients who have access to beneficial tools and supports; and (iii) hinder the ability to achieve the entity’s value-based goals.

Response: The safe harbor condition prohibiting use of the patient engagement tools and supports to market other reimbursable items and services or for patient recruitment is not intended to constrain a licensed health care professional from informing patients of the types of available tools and supports. The safe harbor also would not prohibit other types of VBE participants from providing educational information about available tools and supports to patients in the target population.

Comment: A commenter asserted that a facility should be able to advertise the patient engagement tools and supports it offers, and if a patient elects a certain facility on that basis, then the patient has demonstrated active engagement in their care options.

Response: We recognize the importance of activated and engaged patients and consumer choice. As previously stated, potential donors may provide educational information and inform patients about the availability of engagement tools and supports. This condition prohibits only using tools and supports to market other reimbursable items and services or for patient recruitment. This final condition is designed to prevent VBE participants from influencing patients’ decision-making regarding billable health care items and services based on the offer of free tools and supports. We are concerned that patients might be coerced into selecting items and services that are not in their medical best interests. We emphasize, however, that nothing in this final rulemaking constrains patient decision-making; notably, patients are free to select (or decline to select) providers based on their participation in a VBE, on the care coordination and management services they furnish, or on the tools and supports they offer.

Comment: A commenter noted that a prohibition on advertising could disproportionately impact skilled nursing facilities and assisted living facilities whose patients are more likely to rely upon traditional advertising methods to understand their treatment options and alternatives.

Response: This condition restricts VBE participants who wish to use the safe harbor from using the tools and supports to market other reimbursable items or services (e.g., an advertisement that offers to provide a free smartphone after a patient receives a service) or using such tools for patient recruitment. It does not prohibit a VBE participant, which could be a skilled nursing facility or assisted living facility, from otherwise advertising or marketing the patient care items and services they offer.

h. Direct Connection

Summary of OIG Proposed Rule: At proposed paragraph (hh)(3)(ii), we proposed that the tool or support furnished to the patient must have a “direct connection” to the coordination and management of care of the target patient population. We proposed to interpret “direct connection” to mean that the VBE participant has a good faith expectation that the tool or support will further the coordination and management of care for the patient. We solicited comments on whether to require a “reasonable connection” instead of a “direct connection.” We also solicited comments on an alternative proposal that would have required the VBE participant to make a bona fide determination that an arrangement to provide tools and supports is directly connected to the coordination and management of care for the patient. We solicited comments on whether the “direct connection” should be to any of the four value-based purposes described at proposed paragraph 1001.952(ee)(12)(vii) instead of requiring a direct connection to the coordination and management of care for the patient.

Summary of Final Rule: We are finalizing the condition, without modification, at paragraph 1001.952(hh)(3)(ii). Specifically, any protected tool or support must have a “direct connection” to the coordination and management of care of the target patient population. We are not finalizing any of the alternative proposals considered in the OIG Proposed Rule.

Comment: A number of commenters supported our proposal to require that any protected tool or support furnished to a patient have a direct connection to the coordination and management of care.

Response: We are finalizing this condition as proposed. As we explained in the OIG Proposed Rule, we do not believe it should be difficult for a VBE participant providing the patient engagement tool or support to clearly articulate the nexus between the tool or support and the coordination and management of care.

Comment: We received several comments recommending that we require only a “reasonable connection” to coordination and management of care, rather than a “direct connection.” Many commenters expressed a preference for the “reasonable connection” standard because it gives entities greater flexibility in the provision of patient engagement tools and supports and is better aligned with the standard that a VBE participant must have a good faith expectation that the tool or support will promote the VBE’s objectives. A commenter opposed the “reasonable connection” alternative because it would weaken the partnership between providers that are collaborating to coordinate and manage a patient’s care.

Response: We decline to modify the condition to require only a “reasonable connection.” The safe harbor protects the provision of potentially valuable in-kind remuneration furnished to patients. It is appropriate for the offerors of potentially valuable remuneration to carefully evaluate the nexus between the tool or support and the coordination and management of patient care. In the final rule, we opted for the “direct connection” standard, which will ensure that the remuneration is closely linked to the goals of the Regulatory Sprint, including promoting care coordination and value-based care. In particular, the final safe harbor is designed to protect tools and supports that are designed to result in higher value and better coordinated care. The “direct connection” standard will help ensure that protected remuneration specifically and intentionally advances the goals of the Regulatory Sprint over other possible objectives.

Comment: One commenter supported a condition requiring the VBE to make a bona fide determination that tools or supports have a direct connection to the coordination and management of care for a patient. However, numerous other commenters urged OIG not to adopt such a requirement, warning that it would be unduly burdensome and create administrative hurdles that would unnecessarily duplicate the determination made by a VBE in establishing value-based activities of the VBE and the role of the VBE participants in carrying out those activities.

Response: To avoid introducing unnecessary administrative burdens, and because we believe the other safeguards sufficiently mitigate the risk of patient harm and program integrity concerns, we are not finalizing a requirement—considered in the preamble to the OIG Proposed Rule—that the VBE make a bona fide determination that the tool or support has a direct connection to the coordination and management of care. We note, however, that while safe harbors are voluntary, parties that seek protection for tools and supports under this safe harbor must strictly satisfy each of the safe harbor’s conditions, including the requirement that the tool or support has a direct connection to the coordination and management of care. The VBE and VBE participants may establish satisfaction of this condition in a variety of ways without such a bona fide determination; of course, making such a bona fide determination could support satisfaction of this safe harbor condition.

Comment: Several commenters suggested that OIG broaden the safe harbor to protect tools and supports that are directly connected to any of the four value-based purposes articulated in proposed paragraph 1001.952(ee)(12)(vii), rather than requiring a direct connection to a single value-based purpose, that is, coordination and management of patient care. Commenters suggested that this would provide greater flexibility for entities to offer tools and supports connected to the other three value-based purposes.

Response: We appreciate the commenters’ input. However, we respectfully decline to adopt the commenters’ suggestion. We believe the safe harbor is appropriately limited to the protection of tools and supports that are directly connected to the coordination and management of care, which empowers patients to fully participate in the care coordination activities that are the spirit of the Regulatory Sprint. The other three value-based purposes described in paragraph 1001.952(ee)—improving the quality of care; appropriately reducing the costs to, or growth in expenditures of, payors without reducing the quality of care; and transitioning the health care delivery and payment systems to value-based care—are purposes that the applicable VBE participants, not patients, are in the best position to deliver.

In contrast, the coordination and management of care more directly relates to the patient engagement goals of this safe harbor. At paragraph 1001.952(ee)(14)(i)), this final rule defines “coordination and management of care” to mean the deliberate organization of patient care activities and sharing of information between two or more VBE participants, one or more VBE participants and the VBE, or one or more VBE participants and patients, that is designed to achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population. This definition provides sufficient flexibility in designing arrangements for patient engagement that would be protected by this safe harbor because a broad range of tools and supports could be tailored to improving health outcomes and achieving safer and more effective care, while advancing one of the five enumerated goals at paragraph 1001.952(hh)(3)(vi). For instance, a program to provide grab bars or handrails to patients recovering from knee surgery to prevent falls at home could be properly tailored to improving health outcomes for these patients and designed to achieve safer, more effective care for this population.

Comment: A commenter sought clarification regarding when an item has a direct connection to coordination and management of care, specifically requesting a list of scenarios that would qualify. Another commenter suggested that we not finalize a description of specific tools or supports that would be considered to have a direct connection to the coordination and management of care because doing so could frustrate the goals of fostering flexibility, adaptability, and innovation.

Response: We agree with the commenter who suggested that we not finalize a description of specific tools or supports that would be considered to have a direct connection to the coordination and management of care. Consequently, we decline to provide a list of scenarios linking which tools and supports would qualify as having a direct connection to the coordination and management of a patient’s care. In taking this approach, we hope to foster innovation and allow VBEs and VBE participants flexibility in appropriately identifying the nexus between the tool or support and the coordination and management of care. Revisiting our example of providing grab bars to patients recovering from knee surgery, the tool or support in that example has a direct connection to the coordination and management of care because it is intended to prevent falls and therefore provides safer and more effective care for the target patient population (knee surgery patients).

i. Medical Necessity

Summary of OIG Proposed Rule: In the OIG Proposed Rule’s paragraph 1001.952(hh)(3)(v), we proposed that the tool or support must not result in medically unnecessary or inappropriate items or services reimbursed in whole or in part by a Federal health care program.

Summary of Final Rule: We are finalizing, without modification, this condition and relocating it to paragraph 1001.952(hh)(3)(iv).

Comment: A hospital association supported our proposal to protect only tools and supports that do not result in medically unnecessary or inappropriate items or services reimbursed by Federal health care programs.

Response: We are finalizing this safeguard as proposed at paragraph 1001.952(hh)(3)(iv).

Comment: A commenter stated that any incentives protected by the final safe harbor should not be limited to incentives furnished to patients for attendance at medically necessary primary care or other clinically appropriate medical appointments, but also expanded to incentives for participating in community-based services that could impact clinical outcomes through addressing patients’ social determinants of health.

Response: This safe harbor protects tools and supports that advance one or more enumerated goals set out at paragraph 1001.952(hh)(3)(vi), which include goals related to adherence to treatment regimens and followup care plans, and prevention and management of diseases and conditions. For a specific discussion of our treatment of tools and supports that address social determinants of health, please see the discussion at III.B.6.f.iv. of this preamble. To qualify for protection under the safe harbor, any incentives for participation in community-based services also would need to meet all other safe harbor conditions, including the condition that the remuneration cannot result in medically unnecessary or inappropriate items or services reimbursed in whole or in part by a Federal health care program. We also note that such community-based services would need to be recommended by the patient’s licensed health care professional (per the condition at paragraph 1001.952(hh)(3)(v)) and have a direct connection to the coordination and management of care of the target population (per the condition at paragraph 1001.952(hh)(3)(ii)).

j. Licensed Health Care Professional Recommendation

Summary of OIG Proposed Rule: We proposed a safe harbor condition at proposed paragraph 1001.952(hh)(3)(vi) that would provide safe harbor protection only for tools or supports recommended by the patient’s licensed health care provider. Relatedly, we sought comments on whether to require a written certification, under 18 U.S.C. 1001 and 1519, from a patient’s licensed health care provider certifying that the particular tool or support is recommended solely to treat a documented chronic condition of a patient in a target patient population.

Summary of Final Rule: We are finalizing, with modification, this condition at paragraph 1001.952(hh)(3)(v). Based on public comment, we are revising the language to clarify that the tool or support must be recommended by the patient’s licensed health care “professional” rather than “provider.” The term “provider” is often used to mean a hospital or other entity that furnishes institutional health care services. We believe “professional” is a clearer description of our intent in the OIG Proposed Rule that this requirement emphasizes the importance of a health care professional’s medical judgment, as well as the patient’s relationship with a health care professional. We have made conforming changes in each enumerated goal in paragraph 1001.952(hh)(3)(vi) that referenced a licensed health care provider. We are not finalizing the written certification requirement.

Comment: A trade association representing physicians supported the proposal to require that a tool or support must be recommended by the patient’s licensed health care provider. Another commenter stated that this requirement is a key fraud and abuse protection to ensure that the safe harbor is not used for improper purposes such as marketing or patient recruitment, or to steer patients to particular treatments. A commenter also noted that this requirement helps ensure the centrality of the patient-provider relationship.

Another commenter expressed concern that a safe harbor condition requiring a licensed health care provider’s recommendation would lead to underutilization of valuable tools and supports to treat social comorbidities. The commenter stated that many tools and supports that address social comorbidities do not stem from a single condition in isolation and, therefore, may not be evident to a treating clinician. Another commenter warned that this requirement could deter use of the new safe harbor because physicians do not typically recommend the types of tools and supports that would be most beneficial to patients. More often, according to the commenter, social workers, case workers, or others who may not be licensed clinicians would be in a better position to recommend such patient tools, including those that would address social determinants of health.

A commenter also urged OIG to include a requirement that clinicians offering any patient engagement tools and supports instruct patients on how to use them appropriately.

Response: We agree with commenters who support the condition because it protects against harms resulting from fraud and abuse and supports the centrality of the patient-provider relationship. As we explained in the preamble to the OIG Proposed Rule, this condition is designed to ensure that the remuneration is specifically focused on patient care and to underscore the importance of quality of care, the health care provider’s medical judgment, and the patient’s relationship with their provider in developing plans for treatment and care. The condition also ensures that the professional recommending the tool or support has undergone some degree of review and is subject to some level of oversight by a licensing body.

In response to the assertion that this condition would lead to underutilization of valuable services to treat social comorbidities, we believe the patient’s licensed health care professional is in the best position to determine whether the tool or support is directly connected to the coordination and management of the patient’s care, advances an enumerated goal at paragraph 1001.952(hh)(3)(vi), and will not result in medically unnecessary or inappropriate reimbursable items and services, as required by the safe harbor. The licensed health care professional recommending the tool or support can be any type of licensed health care professional, which should be sufficiently broad to ensure this safe harbor protects beneficial patient engagement tools and supports, including those cited by commenters in various submissions. We recognize that social workers, case workers, and others who may not be licensed clinicians play an important role in patient care and are often well-positioned to recommend patient tools, including those that would address social determinants of health. However, for purposes of this safe harbor, we are requiring a recommendation by a licensed health care professional for the reasons noted above.

We did not propose a definition of “licensed health care provider” or “licensed health care professional.” We intended to require the recommendation of a licensed health care professional, who would be a person chosen by the patient. The term “licensed health care professional” could include, for example, the following health care professionals, assuming they are appropriately licensed by an appropriate State licensing body for each respective profession: Physicians (including doctors of medicine, osteopathy, dental surgery, dental medicine, podiatric medicine, and optometry); osteopathic practitioners; chiropractors; physician assistants; nurse practitioners; clinical nurse specialists; certified registered nurse anesthetists; physical therapists; occupational therapists; clinical psychologists; qualified speech-language pathologists; qualified audiologists; and registered dietitians or nutrition professionals.^[76]

Comment: A commenter warned that requiring a licensed provider’s recommendation could incentivize a provider to recommend a tool or support for which the provider can subsequently receive remuneration.

Response: To the extent the tool or support is a billable item or service, we would expect the provider to bill appropriately. The tool or support would not require safe harbor protection because it would be furnished by the provider as a covered service. If the provider were to waive any beneficiary cost-sharing, such cost-sharing waiver would not be protected by this safe harbor.

Comment: We solicited comments on whether to require a written certification, under 18 U.S.C. 1001 and 1519, from a patient’s licensed health care provider certifying that the particular tool or support is recommended solely to treat a documented chronic condition of a patient in a target patient population. A commenter opined that requiring a licensed health care provider to document in writing their recommendation of the tool or support along with the justification, and requiring the offeror to maintain this documentation, is a reasonable safeguard. The commenter surmised that such documentation need not be in the form of a prescription or physician referral but could take the form of a recommendation that is documented in the care plan or approved by the care team. A commenter supportive of the certification requirement recommended that it be enforced through administrative or civil penalties, rather than potential criminal liability under 18 U.S.C. 1001 and 1519. Other commenters warned that imposing a certification requirement would be overly burdensome and could have a chilling effect on provider recommendations, even where the benefits of the tool or support are clear.

A commenter warned that requiring physicians to certify that a tool or support is used to treat a documented chronic condition could lead to a fragmented approach that looks at each condition in isolation, rather than offering coordinated support for all of a patient’s health care needs.

Response: We are not finalizing a requirement that the patient’s licensed health care professional certify that the tool or support is recommended solely to treat a documented chronic condition. The final safe harbor includes a number of other conditions designed in combination to safeguard against the risk of harms resulting from fraud and abuse including, among other conditions in the safe harbor, that the patient engagement tool or support must have a direct connection to the coordination and management of care, be recommended by the patient’s licensed health care professional, and advance one or more enumerated goals.

Comment: Commenters also noted that the proposed certification requirement, especially with criminal penalties attached, would create a significant barrier to providing patient engagement tools and supports under this safe harbor. In addition, commenters cited concerns that a focus on documented chronic conditions would inappropriately narrow the protections afforded by this safe harbor.

Response: As stated above, we are not finalizing a requirement that the patient’s licensed health care professional certify that the tool or support is recommended solely to treat a documented chronic condition. We believe the other safeguards are sufficient to allow innovative tools and supports for a wide array of enumerated goals while safeguarding against the harms resulting from fraud and abuse.

k. Advances Specified Goals

Summary of OIG Proposed Rule: Under the proposed condition at paragraph 1001.952(hh)(3)(vii), the tools and supports must advance one or more of the following enumerated goals: (i) Adherence to a treatment regimen as determined by the patient’s licensed health care provider; (ii) adherence to a drug regimen determined by the patient’s licensed health care provider; (iii) adherence to a followup care plan established by the patient’s licensed health care provider; (iv) management of a disease or condition as directed by the patient’s licensed health care provider; (v) improvement in measurable evidence-based health outcomes for the patient or the target patient population; or (vi) ensuring patient safety.

Summary of Final Rule: We are finalizing, with modifications, the requirement at paragraph 1001.952(hh)(3)(vi). Specifically, we are not finalizing the proposed goal relating to improvement in measurable evidence-based health outcomes for the patient or for the target patient population because it is largely captured by the other goals. The final rule revises the goal of “management of a disease or condition” to read “prevention or management of a disease or condition” to incorporate the element of prevention that was included at proposed paragraph 1001.952(hh)(3)(i). We are replacing references in this section to “licensed health care providers” with “licensed health care professionals” consistent with the preamble discussion in the previous section regarding this terminology.

Comment: Several commenters supported protection for these enumerated goals and appreciated that we did not specify which tools and supports would advance the specific goals to allow flexibility for VBE participants and promote innovation in patient engagement mechanisms, tools, and supports, particularly with respect to rapidly evolving technologies. A commenter requested that OIG add protection for adherence to a “prevention regimen” and prevention of a disease to the safe harbor’s list of specified goals. Another commenter noted that the enumerated goals proposed could limit the offering of innovative tools and supports designed to address social determinants of health because such tools and supports may not directly link to the goals set forth in the OIG Proposed Rule.

Response: We are finalizing these goals as proposed, with the omission of the proposed goal relating to evidence-based health outcomes and modifications to include prevention of a disease or condition and to use the term licensed health care professionals. To avoid inadvertently limiting which tools and supports advance specified goals and provide VBE participants flexibility and the opportunity to innovate, we are not providing an exhaustive list of tools and supports. Indeed, one particular patient engagement tool may satisfy a number of these enumerated goals. For instance, a device or program that reminds a patient to take a medication or attend a scheduled office visit might advance the goals related to adherence to a treatment regimen, drug regimen, or follow-up care plan, or advance goals related to prevention or management of a disease or ensuring patient safety depending, in part, on the functionality and purposes of the device or program. In response to a commenter’s suggestion, we revised the goal at paragraph 1001.952(hh)(3)(vi)(D) to read “the prevention or management of a disease or condition” so that this safe harbor is available to protect preventive items, goods, or services that meet the other safe harbor conditions. Adding a specific goal relating to preventive items and services also effectuates a change discussed above, in section III.B.6.e.i, in which we removed the reference to preventive items, goods, or services that had appeared in proposed paragraph 1001.952(hh)(3)(i). Furthermore, we note that this change is consistent with section 1128A(i)(6)(D) of the Act, which excepts certain remuneration given to individuals to promote the delivery of preventive care from the definition of “remuneration” for purposes of the Beneficiary Inducements CMP, as further interpreted in the regulatory exception at paragraph 1003.101.

l. Prohibition on Cost-Shifting

Summary of OIG Proposed Rule: We sought comments on whether the final rule should include a safe harbor condition that would prohibit VBE participants that furnish patient engagement tools and supports from: (i) Billing Federal health care programs, other payors, or individuals for those tools or supports; (ii) claiming the value of a tool or support as a bad debt for payment purposes under a Federal health care program; or (iii) otherwise shifting the burden of the value of a tool or support on a Federal health care program, other payors, or individuals.

Summary of Final Rule: We are not finalizing this proposed condition.

Comment: Several commenters supported this proposed condition. A commenter agreed that entities offering tools and supports should not receive payment for the value of those items or services, but the commenter asserted that an explicit safe harbor condition prohibiting receiving payment for tools and supports is unnecessary.

Other commenters suggested different variations on this prohibition, urging that any safe harbor condition related to billing for tools and supports should permit entities to bill commercial payors for tools and supports when, for example, a provider has negotiated reimbursement terms that permit certain costs to be passed on to third-party payors. Another commenter urged that OIG prohibit all direct billing of any costs related to protected tools and supports to patients but otherwise allow direct billing for tools and supports to nonpatient third parties. One commenter opposed this cost-shifting prohibition altogether, arguing that because tools and supports could result in overall cost savings to payors, those items and services should be reimbursable.

Response: We are not finalizing this condition. In light of the combination of safeguards in the final rule, we do not believe the addition of a cost-shifting prohibition would add appreciable additional protection for programs or patients. We acknowledge that VBE participants may have a variety of arrangements with payors, including reimbursement terms that permit certain costs to be passed on to third-party payors, and we do not want to foreclose safe harbor protection for such VBE participants. With respect to direct billing of payors or individuals for tools and supports, if the tool or support is a covered item or service under a Federal health care program and a VBE participant appropriately obtains full payment for such tools or supports in accordance with applicable coverage and billing rules, then the VBE participant has not transferred any remuneration to a beneficiary, and the arrangement would not implicate the Federal anti-kickback statute. In other words, if a provider or supplier furnishes items or services that are covered items or services under a Federal health care program, the provision of those items or services alone would not implicate the Federal anti-kickback statute.

However, we would note there could be circumstances under which a VBE participant, when furnishing a covered item or service, does give a Federal health care program beneficiary something of value, thereby implicating the Federal anti-kickback statute. For example, the Federal anti-kickback statute would be implicated by a provider waiving or reducing any required cost-sharing obligations for the covered item or service incurred by a Federal health care program beneficiary or providing extra items and services—those that are not part of the covered item or service—for free. Furthermore, nothing in this rule exempts parties from responsibility for compliance with all applicable coverage and billing rules. In addition, nothing in this safe harbor transforms an item or service—which is not otherwise billable or allowable under the relevant cost-reporting rules—into a billable or allowable item or service.

Comment: Several commenters warned that the proposed prohibition on billing Federal health care programs would render Indian health care providers ineligible for protection under this new safe harbor because they are federally funded.

Response: As noted, we are not finalizing this condition.

m. No Selection Based on Payor

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated that we were considering and solicited comments on whether to include a “consistent provision” condition, which would require VBE participants to provide the same patient engagement tools or supports to an entire target patient population or otherwise consistently offer tools or supports to all patients who satisfy specified, uniform criteria.^[77] We noted that such condition would protect against a VBE participant targeting certain patients to receive tools and supports based on, for example, the patient’s insurance or health status, resulting in targeting of particularly lucrative patients to receive tools and supports (cherry-picking) while avoiding high-cost patients (lemon-dropping). We solicited comments regarding: (i) Whether such a provision would limit certain VBE participants’ ability to offer tools and supports due to financial constraints; and (ii) why offering tools and supports to a smaller subset of a target patient population would be appropriate and not elevate fraud and abuse risks, including cherry-picking and lemon-dropping.

Summary of Final Rule: We are finalizing a condition at paragraph 1001.952(hh)(8) that the availability of patient engagement tools and supports cannot be determined in a manner that takes into account the type of insurance coverage of the patient.

Comment: A number of commenters expressed concern that a consistent provision requirement could result in requiring VBE participants to provide tools and supports to an overly broad population, including patients for whom such tools or supports are not clinically appropriate or who do not want the tools or supports. Some commenters posited that VBE participants need flexibility to tailor the types of tools or supports to the particular patient and recommended that we protect remuneration directed at particular subsets or subpopulations of target patient populations of a VBE, such as higher-risk or higher-cost patients, or only those patients within the target patient population who achieve a certain goal. Other commenters suggested that because not all patients within the target patient population may benefit from any tool or support, offerors should be permitted to establish in advance specified criteria by which to evaluate patients for the appropriateness of any tool or support. For instance, a commenter suggested that it would be appropriate to limit the provision of particular tools and supports to subpopulations (e.g., it would be appropriate to exclude patients residing in an assisted living facility who receive significant support with their activities of daily living when furnishing a support such as installing grab bars in patients’ homes to prevent falls). A commenter also noted that some patients may refuse tools and supports, which could undermine compliance with a consistent provision requirement.

Response: We acknowledge commenters’ concerns regarding the practical challenges of including a consistent provision requirement for safe harbor protection. We have instead adopted a condition that the availability of patient engagement tools and supports cannot be determined in a manner that takes into account the type of insurance coverage of the patient, which largely addresses the concerns that caused us to consider a consistent provision requirement, with fewer practical challenges. Under this condition, VBE participants offering protected tools or supports must do so without regard to the patient’s payor type, but nothing in this safe harbor would require a VBE participant to offer tools or supports when they cannot be used or accepted, nor would it require patients to accept unwanted tools or supports in order for the safe harbor to apply. As a practical matter, this condition also would prevent a VBE—assuming at least one VBE participant intends to provide protected tools and supports to patients—from defining its target patient population in a manner that takes into account patients’ payor type.

This requirement addresses the concern we expressed in the OIG Proposed Rule related to the possibility of discriminatory provision of tools and supports based on a patient’s payor type, but without some of the complications highlighted by commenters, including concerns regarding cost. It is possible that a particular tool or support if offered on a neutral basis unrelated to payor type could result in the provision of tools and supports primarily to Federal health care program beneficiaries. Such remuneration would still be protected under the safe harbor as long as the decision to offer tools and supports was based on a patient’s individual need rather than the patient’s payor type, and assuming the remuneration otherwise meets the requirements of the safe harbor. More specifically, offering or furnishing tools and supports to patients based on clinical characteristics, such as presence of a specified chronic condition, or geographical considerations, such as a common ZIP Code, would not be precluded even if the patient population receiving the tools and supports disproportionally has the same insurance. By way of further illustration, in the case of a geriatric practice providing tools and supports to patients above a certain age or with a particular illness, it is possible that all or virtually all patients would be Medicare beneficiaries. However, so long as patients receiving the tools and supports are not selected based on their Medicare insurance status, the requirement would not be violated. Stated another way, for purposes of this safe harbor, we would not view a VBE participant offering or furnishing tools and supports to a population disproportionately comprised of Medicare beneficiaries to run afoul of this condition provided that the decision to offer tools or supports is not based upon the patient’s Medicare insurance status. As another further example, a VBE could define its target patient population—and therefore limit the scope of potential recipients of tools and supports—based on individual or family income, which might overlap substantially with Medicaid or dual-eligible populations but would not be strictly determined based on an individual’s enrollment in Medicaid or as dually eligible for both Medicare and Medicaid.

This condition ensures that a potential donor uses actual needs or related characteristics outside of payor status to determine the appropriate target patient population rather than the potential value of future Federally reimbursable items and services provided to such population. In addition, nothing in this condition would prevent a VBE participant from offering protected tools and supports only to a population of uninsured individuals, which we would not consider to be a determination based on the type of insurance coverage (indeed, as a preliminary matter, such remuneration would be unlikely to implicate the Federal anti-kickback statute or Beneficiary Inducements CMP).

Comment: A commenter posited that requiring consistent provision across the entire target patient population undercuts the requirement that the tool or support be recommended by the patient’s licensed health care practitioner, which includes clinical judgment of the clinician and avoids unnecessary waste and other fraud and abuse concerns. The commenter also noted that VBEs would be forced to create many iterations of the target patient population with minute differences to avoid these concerns, which it described as unfeasible.

Response: We believe the final safe harbor does not raise the risks identified by the commenter because the condition in its final form does not require consistent provision of tools or supports to every patient in an entire target patient population specified by the VBE participant. The final safe harbor also would not require VBE participants to establish different target patient populations merely to satisfy a consistent provision requirement. The commenter is correct that the condition requiring a licensed health care professional’s recommendation is designed to preclude from safe harbor protection tools and supports provided to patients who do not need them to advance one of the enumerated goals of this safe harbor.

Comment: Several commenters suggested that providers should have the ability to test the effectiveness of the tool or support before committing to widespread provision, noting that VBE participants are in the best position to make determinations regarding how to allocate limited resources, including whether to offer tools and supports to patients. Other commenters highlighted that small practices may be unable to offer any tools or supports due to financial constraints if they were required to provide them consistently across a population.

Response: We appreciate these comments regarding potential challenges associated with requiring consistent provision of tools and supports across a target patient population. The condition limiting selection based on payor, as finalized, largely accomplishes the goals of a consistent provision requirement without triggering the types of limitations highlighted by these and other commenters. In addition, we agree that VBE participants in collaboration with any applicable VBE are in the best position to make a determination regarding whether to offer and provide a tool or support to patients and emphasize that this determination remains solely at the discretion of a VBE participant (in collaboration with the VBE(s) in which the VBE participant participates).

We are confident the final safe harbor affords VBE participants sufficient flexibility to furnish protected tools and supports and assess their effectiveness, as long as all conditions of the safe harbor are met. For example, a VBE participant may wish to initially establish a narrowly construed target patient population based on specific criteria that limits the size and scope of the patients to whom the VBE participant offers or provides certain tools and supports. After engaging with that limited target patient population, the VBE participant could then identify a new, broader target patient population to whom it offers or provides the same tools and supports. This type of assessment period—and subsequent expansion to a larger, more broadly construed target patient population—could be protected if all conditions of the safe harbor are met, including that the tool or support advances one of the safe harbor’s enumerated goals. The requirement to advance one or more of the listed goals means, at a minimum, that the VBE participant reasonably expects the tool or support to be effective in advancing a goal.

We reiterate that safe harbors are voluntary and that this safe harbor does not require any individual or entity to offer free or reduced-cost tools or supports to patients; it sets forth conditions and limitations to ensure safe harbor protection for the provision of such tools or supports. VBE participants are free to evaluate the costs and overall cost savings associated with the provision of patient engagement tools and supports, and to structure such arrangements in economically viable ways as long as such structure does not directly take into account a patient’s payor status.

Comment: A commenter supported a prohibition on discriminating based on insurance or payor type to avoid lemon-dropping or cherry-picking.

Response: We appreciate the comment and note that we have adopted a condition designed to prevent lemon-dropping or cherry-picking as it relates to payor type or lack of insurance. In addition, requirements for selecting a target patient population and for involvement of the patient’s licensed health care professional provide additional protections against selecting only lucrative patients (cherry-picking) or selectively refusing tools and supports for expensive patients (lemon-dropping).

n. Monitoring Effectiveness

Summary of OIG Proposed Rule: We solicited comments on whether to add a condition requiring offerors to use reasonable efforts to monitor the effectiveness of the tool or support in achieving the intended coordination and management of care for the patient. We also solicited comments on whether to add a safeguard that would require monitoring to ensure that the tool or support does not result in diminished quality of care or patient harm.

Summary of Final Rule: We are not finalizing these conditions because they are not necessary in light of the totality of other conditions we are finalizing in this rule.

Comment: Some commenters supported our proposal to require offerors to use reasonable efforts to monitor: (i) The effectiveness of the tool or support in achieving its intended purpose; and (ii) to ensure the tool or support does not result in diminished care or patient harm. Other commenters opposed this proposal, warning that it would impose an administrative burden that could negatively impact the ability of small, rural, and underserved practices to offer tools and supports. Another commenter noted that it can take a substantial period of time to realize the effects of any intervention and the measurement of these effects often utilize outcome measures that may be unreliable. Some commenters stated that it would be reasonable for the safe harbor to require the offeror of a particular tool or support to document and demonstrate outcomes associated with the tool or support, and monitor use, impact, and quality of such tools and supports. A commenter recommended that if OIG adopts a monitoring requirement, it should allow flexibility to entities in designing a monitoring program in acknowledgment of the good faith monitoring efforts undertaken.

Response: We acknowledge the concerns raised by commenters, and we are not finalizing a monitoring requirement in this final rule. We note that the safe harbor separately requires that tools and supports must advance one or more of the specific goals articulated at paragraph 1001.952(hh)(3)(vi). Although the final safe harbor does not contain a prospective monitoring requirement, the requirement to advance one or more of the listed goals means, at a minimum, that the VBE participant reasonably expects the tool or support to be effective in advancing a goal.

o. Retrieval of Items and Goods

Summary of OIG Proposed Rule: We solicited comments on whether to include a condition requiring the offeror to make a reasonable effort to retrieve the tool or support in certain circumstances, such as when the patient is no longer in the target patient population or the offeror is no longer a VBE participant. We also solicited comments on whether a minimum value should trigger any retrieval requirement and other issues related to the practicality of retrieval.

Summary of Final Rule: We are not finalizing a retrieval requirement in the final safe harbor.

Comment: Some commenters supported the proposal to require a reasonable effort to retrieve the tool or support if certain conditions are met, such as when the patient is no longer within the target patient population or when the tool or support is valued above a certain threshold (applying appropriate depreciation). Others requested that we clarify that any required retrieval efforts would only need to be reasonable and not hold offerors to unrealistic requirements to retrieve tools or disable software.

One commenter suggested that in order to ensure that an offeror’s decision to cease retrieval is not driven by an attempt to inappropriately influence beneficiaries, we could require that decisions regarding whether and how to retrieve items be reviewed and approved by the VBE’s accountable body or person responsible for the financial and operational oversight of the VBE.

Other commenters stated that a retrieval requirement would be administratively burdensome, impossible or wasteful for nontransferable consumables, counter to clinical recommendations where a patient still benefits from the tool or support and may prevent potential offerors from providing tools and supports or discourage patients from accepting them. Some commenters noted that the reduced value or obsolescence of the tool or support could render recovery unnecessary, futile, or disproportionate in cost to the value of the tool or support. Another commenter noted that retrieval could be impractical or insensitive following a patient’s death and urged us not to finalize the requirement for that reason. Other commenters recommended that if we do finalize this requirement, we include exceptions for patient harm and death and consider only two written attempts at retrieval to be reasonable.

One commenter noted that offerors may have limited legal right to tools and may be unable to retrieve them. Commenters asked us to clarify that if retrieval is not required, offerors still retain the right to recover tools and supports if they deem it reasonable and necessary or otherwise make a business decision to retrieve the tool or support.

Response: We agree with commenters who highlighted the administrative burdens and other challenges associated with any retrieval requirement, and we are not finalizing this requirement. We note, however, that offerors are free to make retrieval efforts or require the return of tools and supports where it would not harm the patient, as long as the decision to retrieve or the extent to which retrieval policies are applied is consistent and not undertaken in a manner that takes into account the volume or value of referrals of Federal health care program business. We further note that the safe harbor separately requires that tools and supports must advance one or more of the specific goals articulated at paragraph 1001.952(hh)(3)(vi). Although the final safe harbor does not contain a retrieval requirement, the requirement to advance one or more of the listed goals means that the VBE participants should cease providing tools or supports they find to be ineffective. In addition, we note that the structure of the safe harbor would necessitate termination of ongoing services (e.g., recurring monthly fees associated with a fitness center membership) if the individual is no longer part of the target patient population or the entity is no longer a VBE participant.

p. Monetary Cap

Summary of OIG Proposed Rule: We proposed a monetary cap on the tools and supports protected under this safe harbor. Specifically, at proposed paragraph 1001.952(hh)(5), we proposed that the aggregate retail value of protected tools or supports furnished to a patient by a VBE participant may not exceed $500 per year unless the tools and supports are furnished to a patient based on a good faith, individualized determination of the patient’s financial need. We solicited comments on whether this figure strikes the right balance between: (i) Flexibility for beneficial tools and supports; and (ii) a limit on the amount of protected remuneration to shield patients from being improperly influenced by valuable gifts and to protect Federal health care programs from overutilization or inappropriate utilization. We asked whether $500 was too high or too low, and whether a number of other safeguards or alternatives would be more appropriate.

Summary of Final Rule: We are finalizing, with modifications, an annual $500 monetary cap at paragraph 1001.952(hh)(5). The final rule does not include an exception to the cap requirement that would permit exceeding the monetary cap for patients with demonstrated financial need. Based on public comments, we are including an inflation adjuster.

Comment: Several commenters supported a monetary cap for many reasons, including that it provides a bright-line safeguard for program integrity purposes. Other commenters disagreed with any monetary cap for several reasons, such as finding it unnecessary due to the combination of other proposed conditions or asserting that any monetary cap would be unreasonable because the delivery of care—and tools and supports related to such care—depends on each patient’s particular needs. Many commenters supported an exception to the proposed cap based on financial need, while some were concerned with the administrative burden associated with administering a financial need policy, which would require individualized determinations of financial need rather than bright-line limits. A commenter suggested that OIG define financial need using a validated social need screening tool, such as the Hunger Vital Sign, a validated, two-question tool used by health care providers and community-based organizations to identify risk for food insecurity among youth, adolescents, and adults.

Response: We agree with commenters who stated that a monetary cap provides bright-line guidance to VBE participants on the value of acceptable tools and supports. To this end, we are finalizing a straightforward annual, aggregate $500 cap, subject to an inflation adjuster. The final rule does not include the proposed condition that would have allowed the cap to be exceeded, without limitation on amount, in instances of good faith, individualized determination of a patient’s financial need. Because we are not finalizing this condition, we do not need to define financial need.

OIG is mindful that different patients may have different needs and for some patients tools and supports exceeding a retail value of $500 in the aggregate per year could help improve coordination of their care, improve health outcomes, and have other beneficial impacts, particularly for patients with financial need. Nothing in this final rule makes it necessarily unlawful, in individual cases, for a provider or other party to furnish for free or below fair market value tools and supports that exceed $500 per year (nor does this rule make remuneration under $500 automatically immune from sanctions under the Federal anti-kickback statute and Beneficiary Inducements CMP unless it meets all safe harbor conditions). Such arrangements would be evaluated on a case-by-case basis under the statutes, including with respect to the intent of the parties. We note that there may be lawful avenues for providers to offer tools and supports to patients who need tools and supports that exceed an aggregate of $500 annually, particularly those experiencing financial need. For example, the local transportation safe harbor, found at paragraph 1001.952(bb), remains available to protect certain local transportation furnished to patients, provided that the local transportation satisfies the requirements of the safe harbor. With respect specifically to the Beneficiary Inducements CMP, exceptions exist for remuneration that promotes access to care and poses a low risk of harm and for renumeration offered to patients experiencing financial need; the requirements for these exceptions are found at paragraph 1003.110.^[78]

In addition, for arrangements involving tools and supports that may exceed the monetary cap, that implicate the Federal anti-kickback statute, Beneficiary Inducements CMP or both, and do not meet any other safe harbor to the Federal anti-kickback statute or exception to the Beneficiary Inducements CMP, the advisory opinion process remains available. OIG has previously issued favorable advisory opinions to health care industry stakeholders seeking to furnish free or below fair market value tools and supports to patients when such tools and supports do not squarely satisfy a safe harbor to the Federal anti-kickback statute, an exception to the Beneficiary Inducements CMP, or both.^[79]

Comment: Several commenters asked for clarity regarding how to calculate the “retail value” of the tools or supports. A commenter asked OIG to define retail value as the commercial value of the tool or support to the recipient instead of its fair market value. Several commenters agreed that if OIG finalized any cap to the annual aggregate value of protected tools and supports, the cap should apply separately to each VBE participant, rather than at the VBE level or the value-based arrangement level, citing the administrative burden associated with tracking caps for patients receiving tools and supports from different VBE participants. Others suggested that the cap should adjust for inflation over time automatically or through other mechanisms.

Response: The aggregate retail value of patient engagement tools and supports furnished by a VBE participant to a patient may not exceed $500 on an annual basis. The retail value of the tools and supports should be measured at the time they are provided to the patient. Specifically, for purposes of this safe harbor, the retail value is the commercial cost the patient would have incurred at the time the VBE participant provides the tool or support if the patient had procured the tool or support on the open market on their own. We note that, as proposed, this cap applies per VBE participant and per patient, not at the VBE level or the value-based arrangement level. A patient may receive a number of tools and supports from a number of VBE participants (in one or more VBE) through the course of a year, as long as no single VBE participant individually provides more than $500 in aggregate value to the patient per year. The VBE participant providing the tool or support is responsible for tracking the aggregate retail value of the tools or supports that it—and only it—provides to the patient through the course of a year.

VBE participants are not required to monitor the value of tools and supports provided by other parties—even within the same VBE—to a particular patient. This should ease any burden of tracking the value of tools in connection with the aggregate, annual cap. Finally, in response to commenters’ suggestions, we are finalizing an annual adjustment to the monetary cap to account for inflation. Under this provision, the monetary cap will be adjusted for inflation to the nearest whole dollar effective January 1 of each calendar year using the Consumer Price Index-Urban All Items (CPI-U) for the 12-month period ending the preceding September 30. OIG will publish an announcement on its website after September 30 of each year reflecting the increase in the CPI-U for the 12-month period ending September 30, and the new monetary cap applicable for the following calendar year.

Comment: A number of commenters suggested increasing the dollar limit of the cap for all tools and supports. Some commenters suggested alternatives, such as per-occurrence limitations on value, coupled with a higher cap. Others proposed increasing the cap or adding additional exceptions to the cap for categories of tools and supports or specific tools and supports such as disposable and nondurable items and supplies; recurring services; ongoing costs for the tool or support (e.g., batteries and software upgrades); transportation; housing and home safety items and services; certain digital or other health-related technologies; home monitoring devices; tools and supports that address chronic or complex disease management; tools and supports for the seriously injured; harm-reduction items (e.g., helmets and medication lockboxes); and other tools and supports that address a patient’s social determinants of health. Several commenters asked OIG to consider increasing the cap to account for changes in technology or care innovation over time. Some commenters recommended permitting a higher cap when the VBE’s accountable body or responsible person determines the circumstances support it. Others recommended a tiered cap system based on outcomes or on the amount of risk a VBE participant bears.

Response: The generally applicable $500 cap establishes a bright-line limitation for VBE participants seeking protection under this safe harbor. We believe the safe harbor conditions, including the monetary cap, strike an appropriate balance between giving flexibility to VBE participants to provide beneficial tools and supports to patients and protecting programs and patients from the improper influence of valuable remuneration. We are not finalizing exceptions to the $500 cap because we believe exceptions would add complexity to this safe harbor and would raise compliance challenges. Further, tools and supports of higher value could improperly influence patients to select treatments or providers not in their best interests, potentially leading to the harms against which the Federal anti-kickback statute is designed to protect.

q. Diversion or Resale

Summary of Proposed Rule: We proposed, at proposed paragraph 1001.952(hh)(4), a condition that would have excluded from safe harbor protection tools or supports if the offeror knew, or should have known, that the tool or support was likely to be diverted, sold, or utilized by the patient other than for the express purpose for which the tool or support was provided.

Summary of Final Rule: We are not finalizing this proposed condition.

Comment: Several commenters supported this condition, while another urged us to consider how such limitation may inadvertently restrict access to these tools. A commenter posited that it is not feasible for a VBE participant to determine the likelihood of diversion and proposed instead limitations on categories of tools and supports that are likely to be abused, such as cell phones. The commenter suggested protection only for tools and supports that are not likely to be abused or those likely to improve health, such as helmets, car seats, and medication lockboxes.

Response: We agree with the commenter who questioned the feasibility of a VBE participant determining the likelihood of diversion. We are not finalizing this provision. Other safeguards we are finalizing in this safe harbor adequately address the concern that a recipient of a tool or support is receiving it for appropriate purposes. For instance, the requirement that a licensed health care professional recommend the tool or support and that it be directly connected to the coordination and management of care should mitigate the risk that a tool or support is likely to be diverted or resold. Similarly, the monetary cap, the requirement that a tool or support advance an enumerated goal, and the restriction on marketing and patient recruitment further limit the risk of diversion or resale.

r. Materials and Records

Summary of Final Rule: We proposed at proposed paragraph 1001.952(hh)(6) that VBE participants providing tools and supports under this safe harbor make available to the Secretary, upon request, all materials and records sufficient to establish that the tool or support was distributed in compliance with the conditions of the safe harbor. We noted that we were considering a requirement that VBE participants retain materials and records sufficient to establish compliance with the safe harbor for a set period of time, such as 6 or 10 years. We did not propose specific parameters regarding the creation or maintenance of documentation in order to allow for flexibility. We solicited comments on several alternative safeguards.

Summary of Final Rule: We are finalizing, with modification, a requirement at paragraph 1001.952(hh)(7) that materials and records sufficient to establish compliance with the safe harbor be made available to the Secretary, including that those records be kept for a period of at least 6 years.

Comment: One commenter stated that a rigid documentation requirement would make clinicians hesitant to use the safe harbor. Another commenter questioned the need for the proposed condition, noting that such documentation is already part of the existing compliance programs. The same commenter further questioned whether OIG would bring an investigation or pursue a Federal anti-kickback case based solely on the failure to satisfy a documentation requirement rather than underlying substantive safeguards. A commenter found documentation—particularly regarding the goals proposed at paragraph 1001.952(hh)(3)(vii)—to be excessive or impractical. Another commenter suggested that it would be appropriate for offerors to retain documentation under this condition for a period of 6 years.

Response: We disagree with the characterization of this documentation requirement as rigid. The condition does not require a signed writing in advance of the provision of tools and supports to a patient, nor does it propose any specific parameters on the type or form of documentation. It simply requires that parties make available, on request, documentation sufficient to show that tools or supports were provided in accordance with the safe harbor’s conditions. Safe harbors offer voluntary protection from liability under the Federal anti-kickback statute for specified arrangements, and no entity or individual is required to fit within a safe harbor. Failure to fit within a safe harbor does not mean a party has violated—or even implicated—the Federal anti-kickback statute; it simply means the party may not look to the safe harbor for protection for that arrangement. It would be prudent for any party relying on a safe harbor to protect certain arrangements to document compliance with that safe harbor in some form. For purposes of this safe harbor, we are requiring VBE participants to retain relevant documentation for a minimum of 6 years. This retention period was recommended by a number of commenters and it is consistent with the retention period required by the value-based safe harbors finalized in this rule. In addition, because a 6-year retention requirement is already present in several existing CMS regulations, we expect that many parties are familiar with this retention period and that the maintenance of records is part of their routine business practices.

s. Notice to Patients

Summary of OIG Proposed Rule: We solicited comments on whether to require the VBE to provide a patient receiving a tool or support with written notice identifying the VBE participant and describing the nature and purpose of the tool or support.

Summary of Final Rule: We are not finalizing this requirement.

Comment: A commenter suggested that verbal, not written, notice should suffice. Another commenter stated that if such notice is required, OIG should develop consumer-tested templates to convey the information in an objective, easily understood way that will not mislead beneficiaries or create false expectations or reliance on protected tools and supports. Another commenter objected to any notice requirement as burdensome and questioned whether OIG would use investigative resources based on a claim of deficient notice.

Response: We are not finalizing this requirement. We believe that the appropriate time for the patient to understand the purpose of the tool or support is at the time a licensed health care professional is recommending it for the individual patient. While we are not requiring any formal notice to a patient in this final rule, we expect providers will naturally communicate the purpose of the tool or support to the patient at the time it is recommended in furtherance of the coordination and management of care.

t. Other Comments

Comment: A commenter asked OIG to clarify that its proposed rule does not mean that certain existing or hypothetical practices involving tools and supports to beneficiaries implicate, or constitute violations of, the Federal anti-kickback statute, such as certain group education or certain types of gift cards. Other commenters requested that OIG clarify, in the context of value-based arrangements or otherwise, that the safe harbor protects remote physiologic monitoring tools and services at no or low cost, and furthermore that providing access to software-based platforms for patient-generated health data analytics or telemedicine at no or low cost does not violate the Federal anti-kickback statute.

Response: We decline to provide further guidance related to the various comments summarized above because any analysis of whether any of the various practices and conduct implicate the Federal anti-kickback statute or would be protected by this safe harbor would depend on the facts and circumstances specific to the practice or conduct. We note, however, that the provision of at least some of the tools and supports described above (e.g., tools that facilitate remote monitoring) could be protected by this safe harbor. Parties may seek an OIG advisory opinion for a determination regarding a proposed or existing arrangement.

Comment: A commenter requested clarification regarding the intersection of the proposed safe harbor and the existing safe harbors or exceptions to the definition of “remuneration” under the Beneficiary Inducement CMP. Another commenter asked whether an entity is precluded from using the so-called “promotes access to care exception” ^[80] if it becomes a VBE. Furthermore, the commenters asked whether an entity that is a VBE can use both the new safe harbor and the existing exception with the same patients. A commenter asked that we adopt a CMP exception corresponding to the patient engagement and support safe harbor.

Response: The Federal anti-kickback statute and Beneficiary Inducements CMP are separate statutes with separate safe harbors and exceptions, respectively. Any remuneration implicating the Federal anti-kickback statute need only satisfy one safe harbor to be protected under the statute. Similarly, any remuneration implicating the Beneficiary Inducements CMP need only satisfy one exception under that statute to be protected. As a matter of law, arrangements that fit in an anti-kickback safe harbor are also protected under the Beneficiary Inducements CMP.^[81] This means that the final safe harbor for patient engagement and support offers protection under the Beneficiary Inducements CMP as well as the Federal anti-kickback statute. The converse is not true, however. Arrangements that fit in an exception to the Beneficiary Inducements CMP are not automatically protected under the anti-kickback safe harbor. A party that is a VBE participant can use any exception under the Beneficiary Inducements CMP for which its arrangement qualifies. In some cases, an arrangement that does not fit in the new safe harbor for patient engagement and support might qualify for protection under the “promotes access to care exception” or another CMP exception; this protection would not apply to the anti-kickback statute.

Comment: A commenter noted that this safe harbor does not have a corresponding exception under the physician self-referral law.

Response: The commenter is correct. The physician self-referral law, section 1877 of the Act, does not prohibit remuneration exchanged between physicians or entities and patients, so a corresponding exception would not be necessary.

7. CMS-Sponsored Model Arrangements and CMS-Sponsored Model Patient Incentives (42 CFR 1001.952(ii))

Summary of OIG Proposed Rule: We proposed to create a new safe harbor at paragraph 1001.952(ii) to: (i) Permit remuneration between and among parties to arrangements (e.g., distribution of capitated payments, shared savings or losses distributions) under a model or other initiative being tested or expanded by the Innovation Center under section 1115A of the Act or under the Medicare Shared Savings Program under section 1899 of the Act (collectively “CMS-sponsored models”); and (ii) permit remuneration in the form of incentives provided by CMS-sponsored model participants and their agents under a CMS-sponsored model to patients covered by the CMS-sponsored model. We proposed certain additional conditions, including a requirement that patient incentives have a direct connection to the patient’s health care.

Summary of Final Rule: We are finalizing, with modifications, the safe harbor as proposed at paragraph 1001.952(ii). We are revising the introductory text of paragraphs 1001.952(ii)(1) and (2) to clarify that CMS determines the specific types of financial arrangements and incentives to which safe harbor protection will apply; safe harbor protection will not necessarily apply to every possible financial arrangement or incentive that CMS-sponsored model parties may wish to implement as they participate in the Medicare Shared Savings Program or an Innovation Center model. We are finalizing without substantive change the remainder of proposed paragraph 1001.952(ii)(1) regarding the conditions for safe harbor protection of financial arrangements under a CMS-sponsored model.

We are finalizing with some modification the conditions for safe harbor protection of CMS-sponsored model patient incentives at paragraph 1001.952(ii)(2). First, this final rule specifies at paragraph 1001.952(ii)(2)(ii) that the patient incentive must have a direct connection to the patient’s health care unless the participation documentation expressly specifies a different standard, in which case that standard must be met. Second, as explained more fully below, we are moving certain language from the proposed definition of “CMS-sponsored model patient incentive” in paragraph 1001.952(ii)(3) to the conditions of safe harbor protection in paragraph 1001.952(ii)(2). Third, we are modifying the safe harbor to provide at paragraph 1001.952(ii)(2)(iii) that an individual other than the CMS-sponsored model participant or its agent may furnish an incentive to a patient under a CMS-sponsored model if that is specified by the participation documentation.

Finally, we are relocating the general substance of the provision that permits patients to retain incentives they received under the CMS-sponsored model from paragraph 1001.952(ii)(2)(v) to new paragraph 1001.952(ii)(4)(iii). We are finalizing the safe harbor definitions at paragraph 1001.952(ii)(3) largely as proposed. As noted above, we are relocating a portion of the definition of “CMS-sponsored model patient incentive” to the conditions of safe harbor protection in paragraph 1001.952(ii)(2). In addition, we are clarifying the definition of “CMS-sponsored model arrangement” to refer to “a financial arrangement,” which is consistent with our discussion of the definition in the OIG Proposed Rule.^[82] Last, we made two minor technical revisions to the definition of “CMS-sponsored model party.”

We are addressing the duration of safe harbor protection at new paragraph 1001.952(ii)(4). We are making a technical edit to the introductory language in proposed paragraph 1001.952(ii)(2) to replace the phrase “if all of the conditions of paragraph (ii)(2)(i) through (v) are met of this section” with “if all of the following conditions are met.”

Modifications to the scope of the safe harbor, conditions of protection, and its duration are summarized and explained in the preamble sections that follow.

a. General Comments

Comment: We received several comments that generally supported finalizing a safe harbor for CMS-sponsored models and agreed with the goals set forth in the OIG Proposed Rule. For example, a commenter posited that the safe harbor could encourage greater voluntary participation in new CMS-sponsored models. Commenters also expressed support for a simplified and standardized approach rather than disparate OIG waivers, with tailored conditions, for CMS-sponsored models.

Some commenters expressed concern about the impact of any safe harbor on existing waivers of the fraud and abuse laws issued by OIG that currently apply to CMS-sponsored models, and about our ability or willingness to issue future waivers. For example, a commenter noted that there are benefits to model-specific waivers that may not be realized in a safe harbor.

Response: A goal of this safe harbor is to provide uniformity and predictability for those participating in CMS-sponsored models, which are testing innovations to improve quality and lower cost. As we stated in the OIG Proposed Rule, this safe harbor does not supersede OIG’s existing fraud and abuse waivers for CMS-sponsored models. Existing model waivers will continue in effect in accordance with the waiver terms. A CMS-sponsored model party may structure arrangements that might otherwise implicate the Federal anti-kickback statute, Beneficiary Inducements CMP, or both to meet the terms of an applicable fraud and abuse waiver or any applicable safe harbor. In addition, the promulgation of this safe harbor does not preclude OIG from issuing model-specific waivers in the future. We note, however, that we would expect OIG’s issuance of model-specific waivers in the future to be infrequent. We expect that model participants in new CMS-sponsored models will be able to use this new safe harbor.

b. Scope of the Safe Harbor and Definitions

Summary of OIG Proposed Rule: We proposed to create a new safe harbor at paragraph 1001.952(ii) to protect certain financial arrangements and patient incentives related to the Medicare Shared Savings Program under section 1899 of the Act and models established and tested by CMS under section 1115A of the Act. At proposed paragraph 1001.952(ii)(3), we proposed to define the following terms that shape the scope of the safe harbor: “CMS-sponsored model, “CMS-sponsored model arrangement,” “CMS-sponsored model participant,” “CMS-sponsored model party,” “CMS-sponsored model patient incentive,” and “participation documentation.”

Summary of Final Rule: We are finalizing, with modifications, the defined terms. We have modified the definition of “participation documentation” by removing the phrase “is currently in effect.” This phrase is unnecessary in the context of a definition. Temporal language is more appropriate in the new paragraph 1001.952(ii)(4) that specifies the duration of safe harbor protection. In addition, we have modified the definition of “participation documentation” by replacing the reference to “cooperative agreement” with the phrase “legal instrument setting forth the terms and conditions of a grant or cooperative agreement.” The purpose of this change is to accommodate future CMS-sponsored models that may be implemented by a type of grant that is not a cooperative agreement and to accurately characterize the relevant documentation for such forms of Federal funding.

Comment: We received several comments recommending that we expand the safe harbor beyond “CMS-sponsored models,” as we proposed to define that term. For example, some commenters requested protection for arrangements and patient incentives related to other waivers, demonstrations, value-based arrangements, and commercial payors such as: (i) Arrangements under State Innovation Waivers granted pursuant to section 1332 of the Affordable Care Act; (ii) arrangements involving commercially insured patients that operate “alongside” an arrangement related to the CMS-sponsored model if the commercial arrangement is identical in all respects to the CMS-sponsored model arrangement; (iii) arrangements needed to support CMS-approved Medicaid Alternative Payment Models and delivery system initiatives; (iv) arrangements established in the Medicare Physician Fee Schedule and Merit-based Incentive Payment System (MIPS); and (v) arrangements between organizations participating in any CMS-led or CMS-supported demonstration authorized by statute.

Some commenters also sought to have the safe harbor protect tools and supports furnished to patients who are: (i) Approved by CMS through a Medicaid section 1115 waiver; (ii) approved by CMS as a State Plan Amendment; or (iii) allowed through Supplemental Benefit for Chronically Ill Enrollees in the Medicare Advantage program. Another commenter recommended that the safe harbor protect arrangements under any model where the Secretary has sufficient authority to waive the Federal fraud and abuse laws.

In contrast, we received support for limiting the scope of protection to what we set forth in the OIG Proposed Rule, with some commenters opposing broadening the safe harbor to protect remuneration for models or demonstrations under other sections of the Act. For example, a commenter opposed broadening the scope of the safe harbor, suggesting that it is appropriate for the Federal anti-kickback statute to serve as “backstop.”

Response: We have carefully considered the comments requesting expansion of this safe harbor beyond CMS-sponsored models, as that term is as defined in the OIG Proposed Rule. We are finalizing the scope of the safe harbor as proposed. This safe harbor is designed to work in tandem with the Innovation Center’s models under section 1115A of the Act and the Medicare Shared Savings Program under section 1899 of the Act. It permits a certain amount of flexibility, which is sufficiently low risk because CMS includes program integrity safeguards in the Medicare Shared Savings Program and the Innovation Center models. There may be variation in program integrity safeguards and oversight in other initiatives, even if the authorizing statute permits the waiver of fraud and abuse laws.

We are tailoring the scope of the safe harbor to include the Medicare Shared Savings Program under section 1899 of the Act and models established and tested by CMS under sections 1115A and of the Act. Both the Medicare Shared Savings Program and Innovation Center models are: (i) Designed to coordinate and redesign care; and (ii) contain program integrity oversight and safeguards. In addition, the Innovation Center oversees the development, testing, and monitoring of models. Furthermore, CMS-sponsored model participants may undergo certain screening to participate in a model or the Medicare Shared Savings Program and may be subject to documentation and reporting requirements to promote transparency in the model or program. This level of CMS involvement and oversight may not be present in many of the programs, waivers, and demonstrations cited by the commenters. To the extent that the Department has the authority to issue fraud and abuse waivers for the Medicare Shared Savings Program or Innovation Center models, the issuance of any such waivers remains an option to protect certain arrangements in those programs. In addition, other safe harbors may protect many arrangements that may otherwise implicate the Federal anti-kickback statute and Beneficiary Inducements CMP, and that participants in the types of programs described above may desire to implement.

Comment: A commenter asked that this safe harbor protect a broad range of incentives given to patients such as transportation, nutrition support, home monitoring technology, and gift cards.

Response: This safe harbor protects patient incentives for which CMS has determined that this safe harbor is available. Thus, CMS defines in the participation documentation the scope of the model or program and the arrangements or incentives permitted under the model or program. Depending on the particular CMS-sponsored model’s parameters, the safe harbor could protect a broad range of incentives, including those cited by the commenter. If the CMS-sponsored model prohibits a particular type of incentive, then it would not be protected by this safe harbor. Similarly, we note that CMS defines which entities may provide an incentive. For example, if the CMS-sponsored model is a State-based model where the State or State Medicaid agency implements the model through care-delivery partners in a State, the Innovation Center may expressly specify that such State partners may provide CMS-sponsored model patient incentives under the model on behalf of the State.

We are modifying the proposed definition of “CMS-sponsored model patient incentive” at paragraph 1001.952(ii)(3)(v) for simplicity and to consolidate at paragraph 1001.952(ii)(2) language regarding the conditions of safe harbor protection.

We proposed to define “CMS-sponsored model patient incentive” to mean remuneration not of a type prohibited by the participation documentation and is furnished consistent with the CMS-sponsored model by a CMS-sponsored model participant (or by an agent of the CMS-sponsored model participant under the CMS-sponsored model participant’s direction and control) directly to a patient under the CMS-sponsored model. We are moving the phrase “furnished consistent with the CMS-sponsored model” to paragraph 1001.952(2)(v), and we are moving the requirement regarding who may furnish the patient incentive to paragraph 1001.952(2)(iii). We are relocating the language so it will appear where the other conditions for patient incentives are enumerated under paragraph 1001.952(ii)(2), rather than including these requirements within the definition of “CMS-sponsored model patient incentive.” We do not intend for this to be a substantive change.

Comment: A commenter recommended expanding the safe harbor to include incentives given to patients who the CMS-sponsored model participant believes in good faith are covered, or within a reasonable period will be covered, by a CMS-sponsored model. The commenter noted as an example that the Comprehensive ESRD Care Model has shown that 120 or more days may elapse between the time when a Medicare beneficiary commences dialysis treatment and the time by which the ESRD Seamless Care Organization receives confirmation of beneficiary alignment.

Response: As with the scope of permissible types of incentives, the Innovation Center defines the scope of patients who may be eligible to receive such incentives. We recognize that, depending on how the Innovation Center has designed the model, a CMS-sponsored model participant may not know exactly which beneficiaries are in the model or aligned to the model participant at the time the beneficiary could benefit from a patient incentive. By definition, a “CMS-sponsored model patient incentive” is remuneration that is not of a type that is prohibited by the participation documentation. Also, as a condition of safe harbor protection, the incentive must be furnished consistent with the CMS-sponsored model. To the extent that the Innovation Center intends for incentives to be furnished before any beneficiary alignment is finalized, and the participation documentation or programmatic requirements do not prohibit such incentives, an incentive given before final alignment could still meet the condition set forth in paragraph 1001.952(ii)(2)(v) and qualify for safe harbor protection if all other terms of the safe harbor are met.

Comment: A commenter noted that we proposed to define “CMS-sponsored model” to include a model expanded under section 1115A(c) of the Act and requested further clarity on how this safe harbor would apply to “Phase II” testing of an Innovation Center model. The commenter noted that risks and benefits of financial arrangements and patient incentives under a model may change within a given model’s design due to a change in scope.

Response: The safe harbor would protect arrangements and incentives consistent with the CMS-sponsored model regardless of the model’s phase of testing. We agree with the commenter that risks and benefits of financial arrangements and patient incentives under such models may change, but the Innovation Center would continue to set the parameters of what is being tested. If a CMS-sponsored model participant’s arrangements or incentives meet the terms of the safe harbor, which incorporates elements of the model design, then the arrangements or incentives would be protected.

c. Conditions for Safe Harbor Protection

Summary of OIG Proposed Rule: We proposed safeguards to ensure that arrangements protected by this safe harbor operate as intended by CMS, including requirements that: The remuneration not induce the furnishing of medically unnecessary services or reduce or limit medically necessary care (proposed at paragraph 1001.952(ii)(1)(ii)); the remuneration not induce referrals of patients outside the CMS-sponsored model (proposed at paragraph 1001.952(ii)(1)(iii)); the parties make materials and records available to the Secretary upon request (proposed at paragraphs 1001.952(ii)(1)(v) and 1001.952(ii)(2)(iii)); the parties satisfy programmatic requirements imposed by CMS (proposed at paragraphs 1001.952(ii)(1)(vi) and 1001.952(ii)(2)(iv)); and a patient incentive offered under the safe harbor have a direct connection to patient care (proposed at paragraph 1001.952(ii)(2)(ii)).

Summary of Final Rule: We are finalizing, with modifications, the conditions of this safe harbor. Specifically, paragraph 1001.952(ii)(2)(ii) is finalized with a modification to provide that the CMS-sponsored model patient incentive must have a direct connection to the patient’s health care, unless the participation documentation specifies a different standard. We are liberalizing and relocating to paragraph 1001.952(ii)(2)(iii) language regarding who may furnish a CMS-sponsored model patient incentive. Specifically, a CMS-sponsored model patient incentive must be furnished by a CMS-sponsored model participant (or by an agent of the CMS-sponsored model participant under the CMS-sponsored model participant’s direction and control), unless otherwise specified by the participation documentation. We also are moving to paragraph 1001.952(ii)(2)(v) the proposed language specifying that a CMS-sponsored model patient incentive must be “furnished consistent with the CMS-sponsored model.” As proposed, the relocated provisions were essentially conditions of safe harbor protection. To improve the clarity of the final rule, we are moving the provisions to appear with the other conditions for protecting CMS-sponsored model patient incentives.

Comment: A commenter suggested that safe harbor protection should apply as long as the remuneration at issue meets all programmatic requirements and the terms of the model participation agreements or other participation documentation. The commenter expressed concern that incorporating additional substantive requirements in the safe harbor beyond the model’s contractual and programmatic requirements could: (i) Limit the ability to tailor program integrity requirements for specific models; and (ii) potentially lead to inconsistent or conflicting formulations of similar concepts such as between the safe harbor and the model’s contractual and programmatic requirements. The commenter illustrated this concern by explaining that the Innovation Center may test a model that allows for the provision of patient incentives that have no direct connection to the patient’s health care and instead includes a different safeguard. Another commenter, while supporting the all-encompassing approach to the safe harbor, stated that the specific requirements regarding protected parties are redundant because they are already currently embedded within most of the Innovation Center model participation requirements. Another commenter urged OIG to look carefully at the safe harbor conditions and modify any conditions that impose an undue burden or that are unclear.

Response: We appreciate the desire to streamline the safe harbor’s conditions as much as possible. However, if we were to add a condition requiring satisfaction of all programmatic requirements and all terms of the model participation agreements and other participation documentation to ensure safe harbor protection, then some arrangements or incentives might not be protected due to potentially inadvertent failures to satisfy model requirements that may not bear on the particular financial arrangement or patient incentive. We recognize that implementing a safe harbor rather than continuing with model-by-model fraud and abuse waivers may result in an approach less tailored to the specific model. Similarly, in an effort to encompass an array of possible models, we may have introduced some redundancy through defined terms or safe harbor conditions that also could appear in programmatic requirements for a particular CMS-sponsored model. However, we believe the benefits of having a safe harbor available that provides consistency and certainty to parties considering participation in a CMS-sponsored model outweigh the concerns related to any possible redundancy.

The conditions we are finalizing generally either rely on parameters CMS will specify as part of the CMS-sponsored model or address important program integrity concerns and resemble conditions previously included in model-specific waivers (e.g., the condition prohibiting parties from offering, paying, soliciting, or receiving remuneration in return for, or to induce or reward, any Federal health care program referrals or other Federal health care program business generated outside of the CMS-sponsored model). CMS defines the parameters of the model, which includes the types of financial arrangements and incentives that could receive safe harbor protection. Finally, as we noted in the OIG Proposed Rule, the condition requiring that the patient incentive have a direct connection to the patient’s health care is consistent with the design of all CMS-sponsored models contemplated as part of this safe harbor.

However, to provide additional flexibility for the Innovation Center to design future models and in response to commenters, we are modifying the condition such that CMS may specify in the participation documentation a standard other than “direct connection to the patient’s health care.” If CMS does not specify a particular standard that would contrast with a “direct connection to the patient’s health care,” then this standard remains. In other words, if CMS does not specify any particular standard to which the incentive must relate, then the standard is that it must directly relate to the patient’s health care. If, for example, a CMS-sponsored model permitted incentives related to social determinants that might not “directly” relate to a patient’s health, and the participation documentation specified that the incentive must bear a “reasonable” connection to the patient’s health, then compliance with the “reasonable connection” standard would satisfy the safe harbor condition.

As we stated in the OIG Proposed Rule, to reduce administrative burden, parties under a CMS-sponsored model would have flexibility to determine which type of documentation would best memorialize the arrangement such that they could demonstrate safe harbor compliance, including through a collection of documents as opposed to one agreement.^[83]

Comment: A commenter expressed concern that the safe harbor condition requiring an arrangement to satisfy “other programmatic requirements” would leave the protection for these arrangements significantly uncertain.

Response: The regulatory text that we proposed and are finalizing requires that the CMS-sponsored model participant satisfies (or CMS-sponsored model parties satisfy) such programmatic requirements as may be imposed by CMS in connection with the use of this safe harbor. The phrase “other programmatic requirements” appeared in the preamble of the OIG Proposed Rule ^[84] and needed to be considered in the context of the totality of the condition. The programmatic requirements that parties would have to satisfy to qualify for safe harbor protection would be set out in the CMS-sponsored model’s participation documentation or would be otherwise publicly available. Therefore, we disagree with the commenter that the protection would be uncertain, since any programmatic requirements specified by the Innovation Center and incorporated into the safe harbor by reference in this condition would be in participation documentation or otherwise would be publicly available.

Comment: A commenter recommended that OIG specify that the safe harbor is automatically applicable to CMS-sponsored models absent any affirmative exclusion of a CMS-sponsored model from protection by the safe harbor by OIG, rather than requiring the Innovation Center to specify that the safe harbor applies to a particular model.

Response: We did not propose and are not adopting this recommendation because safe harbor protection may not be necessary to test all models or for every arrangement within a model that the Innovation Center may test under section 1115A of the Act. This approach allows the Innovation Center to evaluate each model and determine whether waivers are necessary for parties to enter into certain arrangements to effectuate the purposes of the particular model. CMS has broad authority to develop and define the Innovation Center models, what the models are testing, and the scope of participation in the models. It is important, therefore, that CMS affirmatively state that the safe harbor would be available for specific CMS-sponsored model arrangements and CMS-sponsored model patient incentives within a particular model or initiative. As we stated in the OIG Proposed Rule, CMS would determine whether the safe harbor protection would be available for arrangements or patient incentives under the particular CMS-sponsored model.^[85] We also explained that we would expect CMS to notify CMS-sponsored model participants, through participation documentation, or other public means as determined by CMS, when CMS-sponsored model participants may use this safe harbor under a CMS-sponsored model.^[86] To ensure that it is clear that CMS determines the arrangements or incentives (and not just the models, in general) for which safe harbor protection is available, this final rule makes a technical correction to the proposed regulatory text to remove “in a model” in paragraph 1001.952(ii)(1) and “under a model” in paragraph 1001.952(ii)(2).

Because this safe harbor was not available when existing models began, we recognize that the applicable participation documentation would not affirmatively reference that this safe harbor is available for particular arrangements or incentives as required by paragraphs 1001.952(ii)(1) and (2). Consequently, we clarify that for the Medicare Shared Savings Program and any existing model that has a fraud and abuse waiver issued by OIG, CMS may determine that this safe harbor is available for specific CMS-sponsored model arrangements and CMS-sponsored model patient incentives that began prior to issuance of this final rule. To do so, CMS would at its discretion issue a public notice or notice to individual CMS-sponsored model participants that such parties can seek protection for such arrangements under this safe harbor as of the effective date of that notice. For example, if a particular CMS-sponsored model has a waiver for patient engagement incentives, the parties may rely either on the fraud and abuse waiver or, following notice from CMS that this safe harbor may be available for protection of future incentives, this safe harbor provided all of the waiver’s or safe harbor’s conditions, as applicable, are met.

d. Duration

Summary of OIG Proposed Rule: We proposed that the duration of safe harbor protection would align with the duration of the participation documentation under a CMS-sponsored model, including a period of time after that model ends to allow for reconciliation.^[87] We indicated that we might finalize one or a combination of the following options: (i) Terminating protection after the end of the performance period or within a certain time period after the end of a performance period; (ii) terminating protection upon termination of the CMS-sponsored model participation documentation or within a certain period of time after that; and (iii) terminating protection after the last payment or exchange of anything of value made by a CMS-sponsored model party under a CMS-sponsored model occurs, even if the model has otherwise terminated. We also solicited comments on whether a CMS-sponsored model participant should be able to continue to provide the outstanding portion of any service to a patient if the service was initiated before its participation documentation terminated or expired.

Summary of Final Rule: We are adding a new paragraph 1001.952(ii)(4) that specifies timeframes for when safe harbor protection begins and ends. The details of each timeframe are explained in greater detail below.

Comment: While generally agreeing with our proposal that most safe harbor protections should end at the conclusion of the model, a commenter suggested that there are some instances when OIG should consider extended safe harbor protection for CMS-sponsored model patient incentives. For example, a commenter recommended that OIG continue safe harbor protection if ceasing protection would affect continuity of care for patients or if the protected incentives promoted positive outcomes for the patient. Similarly, another commenter recommended that patients be allowed to retain any incentives received prior to the termination or expiration of the participation documentation of the CMS-sponsored model participant. Furthermore, the commenter also recommended protecting participants who continue to provide the same service to a patient for a terminated model if the service was initiated before the model was terminated or expired.

Response: We agree with commenters, in part. The proposed regulatory text at paragraph 1001.952(ii)(2)(v) stated that patients would be permitted to retain any incentives received prior to the termination or expiration of the participation documentation of the CMS-sponsored model participant. We are finalizing that proposed provision in this final rule, but it is now included in paragraph 1001.952(ii)(4)(iii).

We also agree that there are circumstances where it may be appropriate to continue protection for patient incentives given after the date on which the model concludes. However, this safe harbor protects only patient incentives that are furnished consistent with the CMS-sponsored model. In the OIG fraud and abuse waiver context, we have protected patient incentives that continued past expiration or termination of an agreement for a certain period of time. For example, in connection with the Bundled Payments for Care Improvement (BPCI) Advanced Model, we indicated that the waiver for beneficiary incentives would continue to apply for patients who were in a “clinical episode” that began during an “Agreement Performance Period,” as those terms were defined in the Participation Agreement for that particular model, recognizing that the clinical episode might not conclude before the end of the Agreement Performance Period.^[88] However, not all models may be tied to particular clinical episodes. If a model ends, or a particular CMS-sponsored model participant’s participation documentation terminates, the safe harbor would not protect patient incentives indefinitely, even if the incentive benefits or improves outcomes for a particular patient. More specifically, we are providing at new paragraph 1001.952(ii)(4)(iii) that safe harbor protection would continue for incentives given on or after the first day on which patient care services may be furnished under the CMS-sponsored model as specified by CMS in the participation documentation and no later than the last day on which patient care services may be furnished under the CMS-sponsored model, unless a different timeframe is established in the participation documentation (e.g., a clinical episode if such a concept is incorporated into a model). Thus, if the participation documentation expressly specifies a period of time beyond the end of a final performance period or other termination event during which a CMS-sponsored model patient incentive may be given, then that incentive would be protected during that extended timeframe, assuming all other safe harbor conditions are met. If the participation documentation does not specify an extended timeframe, then this safe harbor protects only incentives furnished until the last day on which patient care services may be furnished under the CMS-sponsored model (e.g., the last day of the final performance period). In addition, for clarity, we are specifying that protection for CMS-sponsored model patient incentives begins on or after the first day on which patient care services may be furnished under the CMS-sponsored model as specified by CMS in the participation documentation. In general, this would be the first day of the first performance period during the model.

This approach is generally consistent with timeframes incorporated into fraud and abuse waivers for existing models. We further note that some arrangements that cease to meet the requirements of this safe harbor could be structured to fit into the safe harbor for patient engagement and support at paragraph 1001.952(hh).

Comment: With respect to CMS-sponsored model arrangements, a commenter recommended that the safe harbor protect the last payment or exchange of value made or received by a CMS-sponsored model party following the final performance period in which the CMS-sponsored model participant that is a party to the arrangement participates, even if the model has otherwise terminated.

Response: We agree, and it was our intent in the OIG Proposed Rule that the safe harbor protect remuneration exchanged pursuant to CMS-sponsored model arrangements for a limited period of time after the CMS-sponsored model expires or is terminated to allow for necessary reconciliation. We are addressing the duration of safe harbor protection in new paragraph 1001.952(ii)(4), which provides greater clarity than addressing the issue in certain defined terms. We address both the start date and end date for protection in a manner that aligns with the particular CMS-sponsored model. The start or end date for protection may differ depending on whether the CMS-sponsored model is governed by participation documentation in the form of a legal instrument setting forth the terms and conditions of a grant or a cooperative agreement. For remuneration provided in connection with arrangements under a CMS-sponsored model governed by participation documentation other than a legal instrument setting forth the terms and conditions of a grant or cooperative agreement, the safe harbor protects the exchange of remuneration between CMS-sponsored model parties that occurs on or after the first day on which services under the CMS-sponsored model begin and no later than six months after the final payment determination made by CMS. The first day on which services begin is often the first day of the first performance period of a model, which may be referred to in the participation documentation as the “Start Date.” If a CMS-sponsored model has an “implementation period” included in the participation documentation, the first day on which “services under the CMS-sponsored model begin” would be the first day of the implementation period, unless otherwise specified by CMS in the participation documentation. For a CMS-sponsored model governed by a legal instrument setting forth the terms and conditions of a grant or cooperative agreement, the safe harbor protects the exchange of remuneration between CMS-sponsored model parties that occurs on or after the first day of the period of performance (as defined at 45 CFR 75.2), which is specified in the Notice of Award, or such other date specified in the participation documentation and no later than six months after closeout occurs pursuant to 45 CFR 75.381.

We emphasize, however, that the safe harbor protects only remuneration between or among CMS-sponsored model parties under a CMS-sponsored model arrangement for which CMS has determined that this safe harbor is available, and that a “CMS-sponsored model arrangement” includes only “a financial arrangement between or among CMS-sponsored model parties to engage in activities under the CMS-sponsored model . . . .” Therefore, the safe harbor does not protect remuneration exchanged between CMS-sponsored model parties for activities such as care coordination or other patient-care activities that occur before the model begins or beyond the termination or expiration of the model. Any such activities that are undertaken after the model expires or is terminated are not “activities under the model.” ^[89] Payment that is made within the specified timeframe in paragraph 1001.952(ii)(4)(i) or (ii) for such services that were completed prior to termination or expiration of the final model performance period can be protected, similar to reconciliation payments that would necessarily be completed after expiration or termination of the final model performance period. In addition, CMS may specify that no remuneration may be exchanged after termination of the participation documentation if a participant is terminated from the CMS-sponsored model for cause. Any such remuneration would be prohibited by the model and thus not protected by the safe harbor. We also recognize that some CMS-sponsored model participants might want protection for certain arrangements that begin before a model starts (“pre-participation”). This safe harbor protects only financial arrangements among, and patient incentives furnished by, parties participating in the CMS-sponsored model. Any pre-participation arrangements not governed by participation documentation (in contrast to arrangements in an implementation period that is part of a CMS-sponsored model, as explained above) would need to comply with existing law, including another safe harbor, or CMS could request a fraud and abuse waiver be issued to cover activities in the pre-participation time period.

8. Cybersecurity Technology and Related Services (42 CFR 1001.952(jj))

Summary of OIG Proposed Rule: We proposed to establish a new safe harbor at paragraph 1001.952(jj) to protect nonmonetary donations of certain cybersecurity technology and related services to help improve the cybersecurity posture of the health care industry. We proposed to define “cybersecurity” as the process of protecting information by preventing, detecting, and responding to cyberattacks, and we proposed to include within the scope of covered technology any software or other types of information technology, other than hardware. In an effort to foster beneficial cybersecurity donation arrangements without permitting arrangements that might negatively impact beneficiaries or Federal health care programs, we proposed a number of conditions on cybersecurity donations protected by the safe harbor. We also included an alternative proposal to protect donations of cybersecurity hardware in more limited circumstances. These proposals are summarized in more detail in following sections of this preamble.

Summary of Final Rule: We are finalizing, with modifications, the safe harbor at paragraph 1001.952(jj). The modifications are summarized in more detail in following sections. This safe harbor will protect arrangements intended to address the growing threat of cyberattacks impacting the health care ecosystem. In addition to software and other types of information technology, the final safe harbor will protect certain cybersecurity hardware donations that meet conditions in the safe harbor. We are not finalizing our alternative proposal to require parties to conduct a risk assessment prior to donating hardware.

a. General Comments

Comment: Most commenters generally supported OIG’s proposed cybersecurity technology and related services safe harbor, with several commenters supporting the safe harbor as proposed. Some commenters highlighted that patients and providers of all sizes benefit when small and under-resourced providers can better protect themselves against cybersecurity threats. For example, a commenter stated that the safe harbor would significantly benefit small and rural provider groups that lack the required resources to install needed cybersecurity measures. Another commenter stated that four in five physicians in the United States currently have experienced some form of cybersecurity attack compromising patient privacy.^[90] According to a commenter, with the growing cost of cybersecurity software, it is essential that stakeholders be able to donate cybersecurity software to entities with which they interact that may not be able to afford the software. This commenter highlighted the threat that infiltrated data systems could lead to the corruption of health records, while another commenter explained that patient safety is the most critical concern when cyberattacks occur, especially when they impact a patient’s electronic health records or medical devices. At least one of these commenters noted that cyberattacks could result in disclosure of sensitive patient information and could alter the treatment that a patient is prescribed, among other negative consequences.

Response: We agree that there is an urgent need to improve cybersecurity hygiene in the health care industry to protect patients and the health care ecosystem overall. As discussed in more detail below, we are finalizing the safe harbor, with several modifications.

Comment: A small number of commenters expressed general concerns about the proposal. One commenter warned that the safe harbor should not be used to further intentional or unintentional anticompetitive behavior, while another commenter stated that a safe harbor of this kind is bound to be abused, regardless of the types of safeguards OIG implements. Another commenter asked OIG to reconsider this safe harbor and whether cybersecurity protection and any donations related to the same are understood sufficiently at this time to warrant a safe harbor.

Response: While we appreciate the concerns expressed by these commenters, we believe that this safe harbor can be an important tool to help the health care industry address the prevalent and increasing cybersecurity threats facing the industry, which can negatively impact the quality of care delivered to beneficiaries, among other things.^[91] Any donation of valuable technology or services to physicians or other sources of Federal health care program referrals may pose the risk of harms associated with fraud and abuse, and such risk may increase as the value of the donated technology or services increases. Similarly, any time a health care industry stakeholder is permitted to give something for free or at a reduced cost to actual or potential referral sources, there is a risk that such donation or discount will affect competition because entities with greater financial resources may be in a better position to provide the donation or discount or a more valuable donation or discount. However, we believe that the combination of safeguards in the safe harbor, as finalized, appropriately balances the risks against the potential benefits of properly structured donations to help address the critical cybersecurity needs of the health care industry.

b. Purpose of Donation

Summary of OIG Proposed Rule: We proposed in proposed paragraph 1001.952(jj)(1) to limit safe harbor protection to donated technology and services that are necessary and used predominantly to implement and maintain effective cybersecurity. We solicited comments on the breadth of protected technology and services, particularly surrounding multifunctional technologies and services that might have use or value to a recipient beyond implementing and maintaining effective cybersecurity, such as donations that are otherwise used in the normal course of a recipient’s business, which we did not propose to protect.

Summary of Final Rule: We are finalizing, with modifications, our proposal to limit the applicability of the cybersecurity safe harbor to technology and services that are necessary and used predominantly to implement, maintain, or reestablish cybersecurity. However, in the final cybersecurity safe harbor as established here, this limitation will be placed in the introductory paragraph of 1001.952(jj), instead of a condition in 1001.952(jj)(1). (The remaining conditions of the safe harbor will be finalized with redesignated numbering to account for this organizational change; for example, proposed paragraph 1001.952(jj)(2)(i) will be finalized at paragraph 1001.952(jj)(1)(i), and so forth). We are also removing the phrase “certain types of” before “cybersecurity technology and services” from the introductory paragraph to avoid ambiguity regarding the scope of the safe harbor. As finalized, the cybersecurity safe harbor introductory paragraph will read as follows: As used in section 1128B of the Act, `remuneration’ does not include nonmonetary remuneration (consisting of cybersecurity technology and services) that is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity, if all of the conditions in paragraphs (jj)(1) through (4) of this section are met.

This organizational change does not alter the scope of remuneration protected by the safe harbor. This reorganization of the final cybersecurity safe harbor is intended to ensure consistency with the EHR safe harbor, without altering or affecting the substance of the “necessary and used predominantly” standard as discussed in the proposed rule. As finalized, the introductory paragraph of the cybersecurity safe harbor mirrors the introductory paragraph in the EHR safe harbor at paragraph 1001.952(y), which provides that donated items or services must be necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records. We believe this consistency is especially important insofar as certain cybersecurity software may be donated under both safe harbors.

Comment: A number of commenters supported the “necessary and used predominantly” standard. A commenter noted that this provision would ensure the legitimacy of donations and help differentiate the technology and services that may have multiple uses beyond cybersecurity. Another commenter urged OIG to require a clear nexus between the cybersecurity donation and the business relationship. The commenter explained that the cybersecurity technology should be necessary for the provision of the services involved, such as when a hospital donates cybersecurity technology to a physician to ensure the secure transfer of personal health information and thus improve care coordination for shared patients. The commenter stated that this safe harbor should not protect cybersecurity technology donations that are used as a way to entice new business.

Response: The goal of this condition is to ensure that donations are made to address the legitimate cybersecurity needs of donors and recipients, not to induce new Federal health care program business. We decline to adopt the “clear nexus” standard suggested by the commenter, and we reiterate that the donation must be “necessary” under this condition. It is unlikely that a donation would be necessary for the donor or recipient to implement, maintain, or reestablish effective cybersecurity if it is not connected to the underlying services furnished by either party (e.g., ensuring the secure transfer of information between the parties).

We explained in the OIG Proposed Rule that the core function of the donated technology or service must be to protect information by preventing, detecting, and responding to cyberattacks. We also provided a nonexhaustive list of examples of technology and services that we believed would be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.^[92]

We are not finalizing a risk assessment condition (described in more detail in section III.B.8.g), but parties remain free and are encouraged as a general matter to obtain a risk assessment to evaluate their cybersecurity needs. We are finalizing a condition whereby donors may not directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for donated technology or services, or the amount or nature of the technology or services to be donated. This should address the concern regarding parties that improperly use the safe harbor for donations to entice new business.

Comment: Another commenter suggested that in cases where cybersecurity is built into software that gives physicians access to a hospital’s computer system, the technology and services should be deemed to be necessary and used predominantly to implement and maintain cybersecurity.

Response: Software that gives physicians access to a hospital’s computer system may be protected if it meets all conditions of the safe harbor. However, software that has multiple functions, one of which is cybersecurity, would not meet the necessary and predominant use standard in the introductory paragraph at 1001.952(jj). Conversely, if software has multiple functions but cybersecurity is the predominant function, then that software may be eligible for protection under this safe harbor. Available safe harbor protection of specific software would require an analysis of the facts and circumstances specific to particular arrangement. The advisory opinion process remains available for parties that seek an individualized determination from our office.

Comment: A commenter representing the dental industry urged OIG to permit, with appropriate safeguards, both nonmonetary donations and monetary remuneration for the purchase of cybersecurity technologies and services. The commenter suggested that permitting monetary remuneration in appropriate circumstances could help alleviate the final rule’s unintended adverse effects on competition, such as when a donor wishes to supply cybersecurity technology to two competing small providers, and one of the small providers has already purchased the technology but the other has not. The commenter asserted that protecting monetary reimbursement to the first provider and an in-kind donation to the second provider would be fairer than protecting a donation to one competitor and not the other.

Response: We respectfully disagree with the suggestion to protect monetary remuneration or reimbursement for cybersecurity technology and services. As explained elsewhere in this final rule, we view cash and cash-equivalent remuneration to potential referral sources as inherently higher risk under the Federal anti-kickback statute and the Beneficiary Inducements CMP. We also highlight that the example provided by the commenter likely would not satisfy the other conditions of this safe harbor even if it protected monetary remuneration in the form of reimbursement. For instance, reimbursing a provider for technology and services already obtained by a provider would not satisfy the condition that the donation be necessary and predominantly used to implement, maintain, or reestablish effective cybersecurity. In particular, if the recipient already has an effective cybersecurity program, any monetary reimbursement likely would be viewed as duplicative and not used to implement, maintain, or reestablish effective cybersecurity, in addition to being outside the scope of remuneration protected by this safe harbor, which is limited to in-kind remuneration.

Comment: A commenter suggested that the scope of permissible cybersecurity services under paragraph 1001.952(jj)(1) should be broad and varied, provided that the donated services substantially further the interests of strengthening cybersecurity for the end user. The commenter agreed with our proposal that donors should have the discretion to choose the level of cybersecurity technology and services they donate to physicians (or other health care providers) based on a risk assessment of the potential recipient or based on the risks associated with the type of interface between the parties.

Response: We are not adopting the commenter’s suggestion. Requiring the donation to be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity is an appropriate safeguard that limits safe harbor protection to the legitimate cybersecurity needs of donors and recipients.

a. Protected Donors

Summary of OIG Proposed Rule: We did not propose in regulatory text to restrict the types of individuals and entities that may qualify for protection under this safe harbor as donors, but we indicated that we were considering some restrictions. We solicited comments on whether particular types of individuals and entities should be ineligible for protection under the safe harbor.

Summary of Final Rule: We are finalizing a policy to protect all donors, without any limitations on the type of individual or entity donating cybersecurity technology and services, as long as the other conditions of the safe harbor are satisfied.

Comment: A number of commenters recommended that the safe harbor protect a broad range of donors, with commenters suggesting that limitations on donors could stifle advances in care coordination, health information security, or both. Commenters stated that other conditions of the safe harbor, including the written agreement requirement and restrictions on taking into account referrals, would effectively safeguard against potential abuses. Commenters provided a number of examples of entities encompassing a range of stakeholder types that desire to make cybersecurity donations. A commenter highlighted potential industry confusion regarding whether the proposed safe harbor would protect donations by cybersecurity vendor firms to patients and requested clarification that such donations do not implicate the Federal anti-kickback statute.

Response: We agree with the commenters who urged protection for a broad range of donor entities and individuals, and we are finalizing an agnostic approach to the types of individuals and entities that may donate technology and services protected by this safe harbor. The need to improve the cybersecurity posture of the health care industry is paramount to restrictions on donors traditionally found in other safe harbors, such as paragraph 1001.952(y). Donations of cybersecurity technology and services are self-protective measures the industry can take because a cybersecurity breach to a recipient’s system can have a devastating impact on the donor and others connected to its system.

As we stated in the OIG Proposed Rule, the donor-type restrictions included in the EHR safe harbor at paragraph 1001.952(y) are necessary in that safe harbor and distinguishable from the cybersecurity safe harbor because donations under the EHR safe harbor facilitate the exchange of clinical information between a recipient referral source and the donor, and present a greater risk that the donation is for the donor to secure additional referrals from the recipient or otherwise influence referrals or other business generated. We are confident that the other safeguards in this safe harbor appropriately address the risks associated with permitting parties to donate valuable technology and services to potential referral sources such that a limitation on the scope of protected donors is not necessary.

In response to the comment inquiring about donations from cybersecurity vendor firms, such donations may not implicate the Federal anti-kickback statute or the Beneficiary Inducements CMP (e.g., when the donor is not in a position to induce, influence, or even receive referrals of Federal health care program business or to influence a beneficiary’s selection of a particular practitioner, provider, or supplier). Any analysis of donations by cybersecurity vendor firms would require an evaluation of the facts and circumstances to determine whether the Federal anti-kickback statute or the Beneficiary Inducements CMP is implicated.

Comment: Several organizations representing individuals and entities in the laboratory industry recommended making laboratories ineligible as protected donors. For example, a commenter stated that the same concerns surrounding inclusion of pathology practices and laboratories under the EHR safe harbor apply to cybersecurity donations. According to a commenter, when laboratories were protected donors under the EHR safe harbor, physicians implicitly or explicitly conditioned referrals on EHR donations, and EHR vendors encouraged physicians to request more costly EHR software and services from laboratories, putting laboratories in an untenable position. The commenter expressed concern that the same could happen with cybersecurity donations if laboratories were protected under this safe harbor. Another commenter added that protecting laboratories and pathology practices under the safe harbor could negatively affect access to health care services, quality, competition, costs to Federal health care programs, and utilization, and that the proposed condition related to the volume and value of referrals would not sufficiently curb the risk of abuse.

Response: We appreciate the concerns raised by commenters representing the laboratory industry, particularly in light of the industry’s experience with the EHR safe harbor. As finalized, the cybersecurity safe harbor does not contain any limitations on the type of individual or entity eligible for protection. All individuals and entities, including laboratories, play a role in protecting the health care ecosystem from cybersecurity threats. The promulgation of this regulation, however, does not require laboratories to donate cybersecurity technology or services, nor does it restrict laboratories from charging fair market value for any cybersecurity technology and services furnished.

To address the concerns about potential recipients conditioning referrals on donations, we are finalizing a condition at paragraph 1001.952(jj)(1)(ii) that prohibits recipients from conditioning referrals and future business on a cybersecurity donation. Donations or solicitations of cybersecurity technology and services conditioned on business or in exchange for Federal health care program referrals would not be protected by this new safe harbor and would be highly suspect under the Federal anti-kickback statute.

b. Permitted Recipients

Summary of OIG Proposed Rule: The proposed safe harbor would protect donations of cybersecurity technology and related services to any individual or entity without limitation, including when the recipient is a patient. We indicated that we were considering whether additional or different safeguards would be appropriate, particularly when the recipient is a patient, and solicited comments on this topic.

Summary of Final Rule: We are finalizing, without modification, our proposal to protect donations of cybersecurity technology and related services to any individual or entity without limitation and without any additional or different safeguards for any recipient.

Comment: A number of commenters agreed with the proposal to protect all potential recipients of cybersecurity donations, including patients. A commenter stated that it is valuable to provide patients with a limited amount of cybersecurity protection to protect patient medical records, particularly as patients and providers become more interconnected. Another commenter recommended protecting donations to patients to facilitate secure transmission of data from devices prescribed to patients and secure communication between the patient and the health care provider. A commenter noted that with the expected increase of patient-generated health data there will be an increased need to ensure that all data sources and endpoints, including remote monitoring systems used by patients, use good cybersecurity practices.

Response: We agree with commenters that the scope of protected recipients should be unrestricted and should include patients; in particular, cybersecurity donations to patients can serve as a valuable tool in protecting health information, devices, and communications in an increasingly interconnected environment.

Comment: Commenters suggested additional safeguards to ensure prevention of fraud and abuse with respect to donations to patients including: (i) A monetary limit on the donation; (ii) measures that would limit the donation to something the patient does not already possess; and (iii) restrictions against any type of multifunctional software or device. Another commenter perceived, with the growth of application programming interface (API) connections, a need to use techniques such as those outlined by the Open Web Application Security Project (OWASP) to protect the confidentiality and integrity of the patient’s health record. Conversely, another commenter suggested that it is unlikely that a patient would be incentivized to seek treatment from a provider solely because of the offer of cybersecurity protection due to the limited nature of these cybersecurity donations.

Response: We believe that the final rule has appropriate safeguards against fraud and abuse with respect to donations to patients without the addition of conditions specific to such donations. For example, we are finalizing the restrictions against donors and recipients conditioning referrals and other business on cybersecurity donations. We also are finalizing the requirement in the introduction paragraph to 1001.952(jj) that a donation be necessary and used predominantly for cybersecurity purposes, as explained in more detail section III.B.8.b.

If a patient already possesses appropriate technology and services, a donation of duplicative or equivalent technology and services likely is unnecessary for cybersecurity purposes, and multifunctional donations are unlikely to satisfy the predominant use standard. There may be specific facts and circumstances in which the safe harbor would protect replacement cybersecurity technology. For example, if a potential recipient’s technology is outdated and poses a security risk, replacement cybersecurity technology would likely be necessary depending on the specific facts and circumstances.

We have designed this safe harbor while recognizing the critical need to protect patient data and privacy from cyberattacks. The safe harbor conditions, as finalized, help ensure that cybersecurity donations to patients address that critical need and mitigate the risk of fraud or abuse stemming from such donations. Additional safeguards specific to donations to patients are not needed. This safe harbor also does not change other laws, regulations, or other requirements related to the privacy and security of patient data. Parties seeking to donate cybersecurity technology to a patient may have other obligations under other laws to safeguard patient data.

The safe harbor does not require donations to meet specific standards to protect patient data from cyberattacks or other cybersecurity threats. Parties are free to choose the cybersecurity technology or services that best meet their needs and achieve cybersecurity goals as long as the donation meets all conditions of the safe harbor. For example, while not required for safe harbor protection, parties could elect to agree that any donated technology must satisfy certain third-party standards, is certified by a third party, or is certified or approved through another method to ensure the donation can provide necessary cybersecurity safeguards. Voluntarily meeting a third-party standard does not mean the donation is protected by this safe harbor. To receive safe harbor protection, donated technology or services must otherwise satisfy the conditions of the safe harbor.

Comment: A commenter recommended that OIG consider limiting recipients to those entities with an “established relationship” with the donor, such that there is evidence that the donor and recipient interface. The commenter offered as an example a requirement that a physician practice has to have providers who are members of a health system’s medical staff in order for such practice to receive a protected donation from the health system. For a protected donation by a physician practice to a patient, the commenter suggested requiring the patient be an “established patient” of the practice.

Response: For this cybersecurity safe harbor, we are not adopting the commenter’s recommendation to require an established relationship between the donor and the recipient. Although we have incorporated a similar “established patient” concept in the local transportation safe harbor at paragraph 1001.952(bb), we believe such limitation might work against the stated goal of this safe harbor to enable widespread improvements to the cybersecurity of the connected health care ecosystem through appropriate donations. We note that other safeguards included in the final safe harbor, such as the requirement in the introduction paragraph to 1001.952(jj) that the donation be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity, as well as restrictions against marketing or related to the volume and value of referrals and other business generated, serve to protect against the concerns addressed by the “established patient” concept in other safe harbors, such as the local transportation safe harbor, and are more workable for this safe harbor.

Comment: A commenter stated that donations of technology to a patient may need to be treated differently from donations to a practice or provider because any donation to a patient would rely on a single software use license, which is difficult to implement and manage. Furthermore, the commenter stated that a donation to a patient may require additional services to implement such technology on patients’ devices, which is not practical to offer on a large scale. According to the commenter, providers donating such technology may not have the resources to provide support services to patients and may wish to donate technical support services via third parties. But the commenter highlighted that using third parties to provide such services may create additional risks for providers and confusion for patients.

Response: We appreciate that cybersecurity technology and services donations to patients involve different considerations, and we anticipate that donors will evaluate those considerations before making donations to patients. Safe harbors are voluntary, and providers are under no obligation to donate cybersecurity technology and services to patients or to structure arrangements to satisfy the conditions of the safe harbor finalized here. As we stated in the OIG Proposed Rule, protected donations may include services associated with installing and updating cybersecurity software as well as cybersecurity training services, such as training recipients on how to use the technology and troubleshoot problems with the cybersecurity technology. The donor could furnish such donated services on its own or contract with a third party to furnish such services.

We reiterate that a donation to patients also must be necessary. The determination of which cybersecurity technology and services are necessary for patients likely will look much different than such determination with respect to health care entities. Patients’ interaction with or access to a health care provider’s system or network is often more limited than another health care provider’s interaction or access. For example, patients may interact or access a health care provider’s system through a patient portal or by authorizing a third party to access their electronic health data through a mobile application. In those instances, cybersecurity likely is built into the patient portal, the authentication mechanism, or the API services used by the mobile application. We expect that providers evaluating potential donations to patients would take into account existing cybersecurity measures and the nature of the patient’s interaction with or access to systems when determining whether any donation to the patient is necessary.

e. Definition of “Cybersecurity”

Summary of OIG Proposed Rule: We proposed to define “cybersecurity” as the process of protecting information by preventing, detecting, and responding to cyberattacks. The proposed definition was derived from the National Institute for Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” (NIST CSF).^[93] We intended to define cybersecurity broadly to avoid unintentionally limiting donations.

Summary of Final Rule: We are finalizing this definition with certain clarifications at paragraph 1001.952(jj)(5)(i).

Comment: Several commenters agreed with the proposed definition of “cybersecurity,” derived from the NIST CSF, and commenters generally agreed that the final rule should include a broad definition to provide sufficient flexibility. A commenter was generally supportive of the definition of “cybersecurity” but believed it should include the process of protecting information through “identifying” and “recovering” from cyberattacks, to account for the entire lifecycle of a cyberattack. The commenter surmised that the addition of “recovering” would protect “backup services” that support reestablishing cybersecurity and reduce the impact of ransomware extortion. Relatedly, several commenters noted that the OIG Proposed Rule omitted the word “reestablish” in the first condition at paragraph 1001.952(jj)(1), making it inconsistent with the parallel exception to the physician self-referral law as proposed by CMS.

Commenters urged OIG to adopt text that includes “reestablish” in the first condition at paragraph 1001.952(jj)(1). Specifically, several commenters recommended that paragraph 1001.952(jj)(1) read, “[t]he technology and services are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity” (emphasis added). Commenters asserted that the inclusion of “reestablish” in the safe harbor would make explicit that the safe harbor protects post-incident activities, such as the donation of a consultant’s time to assist with conducting root cause analyses and identifying needed procedural improvements.

Response: We agree that we should rely on the NIST CSF as a basis to define “cybersecurity” and believe that this definition, as finalized, provides sufficient flexibility while also providing an appropriately defined scope of what is protected under the safe harbor consistent with the goals of the safe harbor. As explained in the OIG Proposed Rule, the goal of this definition is to broadly define cybersecurity and avoid unintentionally limiting the scope of donations. For this reason, we also removed the phrase “certain types of” before “cybersecurity technology and services” from the initial paragraph at 1001.952(jj) to avoid ambiguity; cybersecurity technology and services that meet all conditions of the safe harbor are protected.

We are not adding additional terms to the definition because the definition of “cybersecurity” is derived from the NIST CSF glossary.^[94] We believe the use of the NIST CSF definition, in combination with the conditions of this safe harbor, provides donors and recipients needed flexibility while also mitigating the risks of fraud and abuse. The NIST CSF is widely accepted across public and private sectors, all types of industries, and international organizations. It provides a commonly understood language for donors and recipients seeking to use this safe harbor to improve their cybersecurity posture. While this safe harbor does not condition protection of donations on compliance with the NIST CSF, we encourage potential donors and recipients to ensure a comprehensive, systematic approach to identifying, assessing, and managing cybersecurity risks.

The additional terms suggested by commenters, such as “identifying” and “recovering,” also appear in the NIST CSF. The NIST CSF organizes basic “cybersecurity activities” into five functions: Identify, protect, detect, respond, and recover.^[95] The definition of “cybersecurity” in this safe harbor likely would apply to donations of cybersecurity technology and services that are used predominantly and are necessary for these five functions and the related subfunctions and cybersecurity outcomes that are part of the NIST CSF. We have not been persuaded to adopt a more specific definition of cybersecurity by incorporating specific terminology from the NIST CSF and we are finalizing the definition as proposed for the policy reasons explained above.

In response to commenters who said that the term “reestablish” was not in the first condition at paragraph 1001.952(jj)(1), we are finalizing a clarification to extend protection to donations that are necessary and used predominantly to implement, maintain or reestablish effective cybersecurity. This change is reflected in the final version of the initial paragraph for 1001.952(jj). As we noted in the preamble to the OIG Proposed Rule, protected donations would include business continuity software that mitigates the effects of a cyberattack and data recovery services to ensure that the recipient’s operations can continue during and after a cyberattack. Additionally, as we stated in the OIG Proposed Rule, we intend to align closely with the corresponding CMS exception where appropriate.^[96]

We note that the safe harbor does not, however, protect payments of any ransom to or on behalf of a recipient in response to a cyberattack, which we would not view as “reestablishing” effective cybersecurity (nor would we view it as nonmonetary remuneration, as required for protection under the safe harbor). Although we believe the proposal sufficiently included this concept, for the reasons stated above we have added the word “reestablish” in the final version of the introductory paragraph to 1001.952(jj) to provide clarity and to align with CMS’s corresponding physician self-referral law exception for cybersecurity donations.

Comment: A commenter applauded the definition of “cybersecurity” for being fairly broad and including donations of APIs. The commenter requested, however, that the definition be modified to account for the so-called three pillars of information security: Confidentiality of information, integrity of information, and availability of information.

Response: We are not modifying the definition of cybersecurity. As discussed previously, our intention was to broadly define “cybersecurity” and use terminology within an industry-recognized standard. We believe the NIST CSF definition of cybersecurity meets those policy goals.

We recognize, however, that the three pillars of confidentiality, integrity, and availability of information are fundamental concepts to cybersecurity. The NIST CSF similarly recognizes these pillars. An outcome category under the “protect” function includes that data “are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.” ^[97] Therefore, the definition of “cybersecurity,” which includes “the process of protecting information,” accounts for these principles while also providing flexibility and certainty to donors as to the scope of protected cybersecurity donations.

Comment: A commenter stated that the proposed definition of cybersecurity seems oversimplified and is not comprehensive. The commenter suggested that the definition of “cybersecurity” should be inclusive of any unauthorized use, even without deliberate criminal activity or a specific cyberattack, and recommended broadening the definition accordingly. Another commenter noted that the proposed definition of “cybersecurity” includes the term “cyberattack,” which the commenter found both vague and representative of only one type of threat to electronic data. The commenter encouraged OIG to adopt the definition found on the Department of Homeland Security (DHS) website, which describes cybersecurity as “the process of protecting networks, devices, and data from unauthorized access or use and the practice of ensuring confidentiality, integrity, and availability of information.” The commenter requested that any change to the definition be employed consistently across other relevant safe harbors (e.g., paragraph 1001.952(y)).

Response: We decline to modify the definition. First, the safe harbor definition of “cybersecurity” does not limit donations of cybersecurity technology and services to those that prevent only criminal misconduct. The definition of “cybersecurity” is agnostic to the intent—criminal or otherwise—of an “unauthorized user.” We also believe the definition used in this final rule, derived from the NIST CSF, is broad enough to address the commenter’s concerns about “unauthorized users” as well as the definition from the DHS website. Specifically, our final regulatory definition of “cybersecurity” is broad enough to result in safe harbor protection for technology and services that protect networks, devices, and data from unauthorized access or use, including those that ensure the confidentiality, integrity, and availability of information.

Comment: One commenter stated that the proposed definition of “cybersecurity” fails to capture all aspects of security controls relevant to patient information, systems processing, or retention of patient information. The commenter recommended the following definition for cybersecurity: “[p]revention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation; or the prevention of damage to, unauthorized use of, exploitation of, and—if needed—restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity, and availability of these systems; or the process of protecting information by preventing, detecting, and responding to attacks.”

Response: We are not adopting this suggestion. Notwithstanding, we believe that the principles underlying the commenter’s definition, which are derived from NIST and other Federal Government sources, generally are included in the definition of “cybersecurity.” Further, we are not modifying the definition of cybersecurity as suggested by the commenter because some of the commenter’s proposed additions to regulatory text could be misread to protect multifunctional equipment. For example, “restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication,” could be misread by donors to protect donations of multifunctional hardware and other multifunctional donations (e.g., computers or entire communications systems) as part of restoration efforts, which are not protected by this safe harbor. The safe harbor protects donations of cybersecurity technology and services that are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.

Comment: Several commenters suggested that OIG finalize a broad and industry-neutral definition of “cybersecurity” to permit flexibility for future changes, adaptions, and variations in the dynamic world of cybersecurity. A commenter stated that the proposed safe harbor is shortsighted and should include a more comprehensive definition of potential technology solutions for cybersecurity attacks.

Response: We agree with commenters that the cybersecurity safe harbor should be broad and rely on an industry-neutral definition. Consequently, we are finalizing a definition derived from the NIST CSF. The NIST CSF is industry agnostic and applies to any critical infrastructure in the United States, which includes health care. We are not using a definition that would incorporate specific technology solutions for cyberattacks. Such an approach could make the safe harbor definition obsolete as new cybersecurity technologies are developed and implemented. We believe the broad, neutral definition finalized here allows donors and recipients the flexibility to determine which cybersecurity technology and services are necessary and predominantly used to implement, maintain, or reestablish effective cybersecurity. Additionally, we note that effective cybersecurity is broader than technology solutions. Protected donations of cybersecurity technology and services are just one component of cybersecurity. Regardless of the conditions of this safe harbor, we encourage parties to consult cybersecurity industry standards such as the NIST CSF to ensure a comprehensive, systematic approach to identifying, assessing, and managing cybersecurity risks.

f. Definitions of “Technology” and Protection of Hardware

Summary of OIG Proposed Rule: We proposed at proposed paragraph 1001.952(jj)(6) to define “technology” as any software or other type of information technology, other than hardware. In the preamble to the OIG Proposed Rule, we noted our concern about donations of valuable, multifunctional hardware being disguised as payments for referrals, but also recognized that some hardware may in fact be limited to cybersecurity functionality, such as two-factor authentication dongles, and indicated that we were considering including such hardware in the safe harbor.

Summary of Final Rule: We are finalizing, with modification, our proposed definition at paragraph 1001.952(jj)(5)(ii). Based on public comments, the modified final rule provides that donations of certain hardware will be permitted under the exception as long as the donation satisfies the other conditions of the safe harbor. In particular, we highlight that the introductory paragraph for 1001.952(jj) requires that donations be necessary and used predominantly for effective cybersecurity. In most cases, multifunctional hardware would not be used predominantly for effective cybersecurity and thus would fall outside the scope of protection of this safe harbor.

Comment: Some commenters agreed with using the NIST CSF as a basis for the definition of “technology” and recommended that any final regulation allow sufficient latitude for various types of technology classifications (software and certain hardware components) and not be limited to a one-size-fits-all paradigm. Some commenters agreed with excluding hardware from the definition of “technology” and, therefore, from protection under this safe harbor, citing program integrity risks. A large number of commenters objected to the exclusion of hardware from the definition of “technology.” Many commenters highlighted that the line between hardware, software, services, and other technology that is neither hardware, software, nor a service, is increasingly blurred and such technologies are often packaged together as a bundle. Others suggested that hardware donations are a foundational requirement to operationalize cybersecurity best practices. Some commenters noted that certain cybersecurity software requires specific hardware and sought protection for such hardware. For example, a commenter noted that firewalls involve the use of both hardware and software and suggested that many clinicians would not have the technical knowledge to configure the firewalls. A commenter recommended permitting donation of low-cost hardware and possibly adding a dollar threshold that could not be exceeded for the total donation.

Other commenters highlighted that failing to extend safe harbor protection to multifunctional cybersecurity hardware (or software) would limit the utility of the safe harbor because cybersecurity technology often is not standalone in nature. Commenters provided examples of multifunctional hardware they deemed beneficial to cybersecurity hygiene, such as encrypted servers, encrypted drives, upgraded wiring, physical security systems, fire retardant or warning technology, and high-security doors.

Response: Consistent with our solicitation of comments in the OIG Proposed Rule and in careful consideration of the responses from commenters, this final rule expands the definition to include certain hardware. To receive safe harbor protection, donations of such hardware must satisfy all of the conditions of the safe harbor, and specifically the requirement that the hardware be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. We intend this condition to make donations of multifunctional hardware ineligible for safe harbor protection in most cases, even if such hardware is low-cost, because such donations likely would not satisfy the predominant use condition. For instance, some of the examples provided by commenters would not satisfy the predominant use standard because by design they have functions that extend well beyond cybersecurity, including servers, drives, upgraded wiring, physical security systems, fire retardant or warning technology, and high-security doors. For example, although the donation of an encrypted server might improve the recipient’s cybersecurity, the server likely would not be used predominantly for effective cybersecurity because the recipient is likely to use it predominately for other purposes, such as hosting its computing infrastructure. We note, however, that the safe harbor protects services, including installing cybersecurity software. Therefore, if an entity donates cybersecurity software, it can also install and configure such software on a recipient’s system. We do not believe a monetary cap is necessary for this safe harbor.

Comment: A number of commenters urged OIG to expand protection for single-function hardware technologies that have limited or no functionality outside of cybersecurity, such as computer privacy screens, two-factor authentication dongles and security tokens, facial-recognition cameras for secure access, biometric authentication, secure identification card and device readers, intrusion detection systems, data backup systems, and data recovery systems. Some commenters opposed any such expansion.

Response: We agree with commenters that certain hardware is limited to cybersecurity uses and, as stated above, have finalized the definition of “technology” so that safe harbor protection includes such hardware. However, in order to receive safe harbor protection, donations of hardware must satisfy all of the conditions of the safe harbor and, specifically, the predominant use requirement in the initial paragraph to 1001.952(jj). Some of the examples provided by these commenters including computer privacy screens, two-factor authentication dongles, security tokens, facial-recognition cameras for secure access, biometric authentication, secure identification card and device readers, intrusion detection systems, data backup, and data recovery systems could be protected by the safe harbor if all conditions of the safe harbor are satisfied because their functionality could be predominantly for effective cybersecurity.

We are not finalizing the additional proposed condition that would have required donors and recipients to conduct a risk assessment prior to donating hardware as a means of attaining safe harbor protection for hardware. As finalized, the safe harbor protects hardware donations the same way that software and service donations are protected, that is by meeting all conditions of the safe harbor.

Comment: A commenter explained that it is important for OIG to recognize and make clear that typically it is not the actual software that is purchased by providers because the software is owned by the vendor. Instead, providers purchase the rights to use the software, which is accomplished through licensing. Therefore, with regards to donations, the software itself will not be donated; it will be the license to use that software. The commenter also recommended allowing installment and repairs to be among the types of technology and services, the donation of which is protected by the safe harbor.

Response: We also recognize that in some instances, providers purchase the rights to use the software, which is accomplished through licensing, and donate that use or license rather than the software itself. Donating such licenses can be protected under this safe harbor in the same way that donating software is protected, if all conditions of the safe harbor are met. We also agree with the commenter that installment and repairs can be included among the protected technology and services, provided that the donations of such installment and repairs squarely satisfy the safe harbor’s conditions, including that the donation is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.

g. Alternate Proposal

Summary of OIG Proposed Rule: We included an alternate proposal to allow parties to donate hardware, subject to the other conditions of the proposed safe harbor, if such hardware is reasonably necessary based on a risk assessment of the donor and recipient.

Summary of Final Rule: We are not finalizing this alternate proposal.

Comment: Several commenters supported including hardware and did not agree that a risk assessment should be required for protected donations of hardware. A commenter observed that while donors should be free to require and even donate a cybersecurity risk assessment, adopting such a requirement to protect donations of hardware could slow the proliferation of cybersecurity technology. A commenter objected to requiring a written risk assessment from either party, or in multiparty arrangements from any party. Another commenter stated that OIG should not adopt a security framework tying cybersecurity technology to particular industry standards and should not require the preparation of special security risk assessments or management documents. Instead, the commenter recommended that OIG recognize any safeguard that advances the HIPAA security standards.

Response: For the reasons stated above, we are not finalizing this alternative proposal. Parties may have other legal obligations to conduct risk assessments, and this safe harbor does not affect any such requirements. Furthermore, we are not requiring cybersecurity technology and service donations to meet specific standards. Parties also remain free to donate cybersecurity risk assessments under this safe harbor if all of the other conditions are satisfied. Parties are encouraged to perform risk assessments to determine donor and recipient vulnerability to cyberattacks and to assist in creating their own cybersecurity programs.

Comment: Several commenters recommended requiring a risk assessment to receive protected hardware or other donated cybersecurity products for various reasons. For example, a commenter highlighted that a risk assessment can determine what type of protection is needed when there are vulnerabilities and ensure that the cybersecurity product is effective once implemented. A commenter requested that it not be a requirement for the recipient to perform any risk assessment, as they may not have the appropriate knowledge and expertise to do so. Instead, the commenter suggested that the recipient have the option to perform the risk assessment if they have the knowledge and expertise to do so; otherwise, it could be completed by the donor or a qualified third party.

Several commenters suggested that any definition or scope of “risk assessments” should rely on definitions set out by NIST publications and further suggested that OIG should rely on the comprehensive NIST definition. Some commenters requested that OIG provide template risk assessment documentation.

A commenter suggested that parties be required to maintain the initial risk assessment, which could be used to compare the “baseline” risk assessment to a future risk assessment to help understand whether any previously identified gaps were resolved.

Response: For reasons previously stated, we are not requiring a risk assessment as a condition of this safe harbor. We agree that cybersecurity risk assessments are valuable tools that can evaluate vulnerabilities and identify cybersecurity solutions, and parties remain free to obtain such risk assessments, or to donate them as long as the conditions of this safe harbor are met. For example, one method parties might use to establish that a donation was necessary for cybersecurity is to utilize findings from a legitimate risk assessment to demonstrate that a recipient had a vulnerability that was necessary to mitigate.

h. Scope of Protected Technology and Services

Summary of OIG Proposed Rule: We proposed to protect a broad range of technology and services, excluding hardware, and solicited comments on this approach.

Summary of Final Rule: We are finalizing protection for a broad range of technology and services, including certain hardware. We provide additional clarity on the scope of this protection and several examples below.

Comment: Most commenters recommended that we finalize protection for a broad range of donations, and some requested specific language or clarifications. In particular, several commenters asked OIG to consider the implications of cloud-based and subscription-based products and services. Another commenter requested OIG provide clarity related to the scope of protected donations through examples of the types of software and services allowed (e.g., provision of a full-time cybersecurity officer). Some commenters also noted that a cybersecurity-specific help desk may not be realistic and recommended that OIG protect donations of general help desk services, whether through the donor’s IT department or the vendor’s help desk services. A commenter urged OIG to protect patches and software updates.

Response: As finalized, the safe harbor protects donations of a broad range of cybersecurity technology and services. This includes certain cybersecurity hardware, as discussed above, as well as a multitude of cybersecurity services and technology. Cybersecurity services and technology would include both locally installed cybersecurity software and cloud-based cybersecurity software, including patches and updates of such software or patches and updates of other software or programs if the patch or update is predominantly for cybersecurity purposes. Protected donations, however, are constrained by the initial paragraph to 1001.952(jj), which requires that the donation is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. This safe harbor is intended to cover a wide range of cybersecurity technology and services that have specific functionality, as constrained by the initial paragraph for 1001.952(jj). This approach means that most technology and services that include cybersecurity as one function of multiple functions will not be protected by this safe harbor. For instance, depending on the facts and circumstances of a particular arrangement, donating a virtual desktop that includes access to programs and services beyond cybersecurity software likely would not be protected because the donation likely would include functions not necessary and predominantly used to implement, maintain, or reestablish effective cybersecurity, such as claims and billing applications. We explicitly decided not to protect technology or services that may provide some beneficial cybersecurity effects as one feature of a broader suite of services because that broad scope of protection could apply to nearly any technology or service. We believe such a broad scope of protection under this safe harbor would elevate the risk that valuable donations could improperly influence the recipient. Understanding those tradeoffs, we conclude that the significant need for the health care system to improve cybersecurity is better served by this safe harbor only protecting cybersecurity technology and services that have specific functionality, as constrained by the initial paragraph to 1001.952(jj), but with fewer other conditions that would limit certain aspects of a donation (e.g., a monetary cap on the value of a donation).

Donors and recipients that would like to protect the donation of technology or services that are not necessary or are used predominantly to implement, maintain, or reestablish cybersecurity should assess those potential arrangements under the Federal anti-kickback statute as well as other potentially applicable safe harbors, such as the EHR safe harbor at paragraph 1001.952(y). Alternatively, the advisory opinion process remains available to parties seeking a legal opinion regarding the scope of the safe harbor as applied to a specific set of facts and circumstances.

For the same reasons, we are not extending protection for donations of general IT help desk services because cybersecurity is not the predominant use of such services. However, we are aware of cybersecurity-specific software and services that include customer service and help desk features for cybersecurity assistance. Such help desk services, if they are necessary and predominantly used for implementing, maintaining, or reestablishing cybersecurity, could meet the introductory paragraph for 1001.952(jj) and may be protected by this safe harbor if all other conditions are met. Relatedly, donating services through a donor organization’s primary service desk or IT help desk, limited to reporting cybersecurity incidents, could satisfy this requirement because the service or help desk responsibilities would be used predominately for cybersecurity incident reporting. Staffing a recipient’s practice with a full-time cybersecurity officer, however, would only be protected by this safe harbor if that officer’s duties were used predominately for implementing, maintaining, or reestablishing effective cybersecurity and were necessary. If the officer performed general information technology services or provided other non-cybersecurity value to the recipient’s business, then the donation may not meet the requirements in the initial paragraph for 1001.952(jj).

Comment: A commenter asked OIG to clarify that services such as assurance, assessment, and certification programs that incorporate cyber-risk management could receive safe harbor protection.

Response: To the extent the assurance, assessment, and certification programs that incorporate cybersecurity risk management suggested by the commenter satisfy all of the conditions of the safe harbor, including the requirements in the initial paragraph for 1001.952(jj), they could be protected. We note, however, that if cybersecurity is just one component or feature of the assurance, assessment, and certification programs referenced by the commenter, then the other features are not likely to be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity, and the cybersecurity safe harbor would not protect the referenced services, although they could be protected under another safe harbor.

Comment: A commenter expressed concern that the OIG Proposed Rule would create separate safe harbors for various types of technology, resulting in a piecemeal approach to tools that must work together to drive care coordination. The commenter urged OIG to broaden the cybersecurity items and services safe harbor and the EHR safe harbor to be flexible enough to protect technology that can help facilitate the movement to value-based care. Several commenters specifically recommended that any final cybersecurity safe harbor protect data analytics and reporting functionalities. Another commenter asked that OIG clarify that arrangements involving sharing data and technology, including cybertechnologies that keep the data secure, are not illegal remuneration when used for care coordination purposes.

Response: We recognize that multiple safe harbors may protect various types of technology donations. Several safe harbors finalized elsewhere in this final rule protect certain remuneration to facilitate care coordination and the transition to value-based care, such as the value-based safe harbors at 1001.952(ee)-(gg). Data analytics, reporting functionalities, and other information technology used to facilitate the movement to value-based care may be protected under these safe harbors, provided the arrangement squarely satisfies the conditions of any applicable safe harbor. However, we note that cybersecurity items in and of themselves likely would not meet the definition of the “coordination and management of care,” as explained in the preamble above. Relatedly, data analytics and other information technology, when coupled with a cybersecurity donation, would not meet the requirement that the donation be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.

We emphasize that arrangements involving sharing data could potentially involve remuneration that implicates the Federal anti-kickback statute. For instance, while standing on its own, basic sharing of patient records for purposes of care coordination or treatment of patients is unlikely to implicate the statute, the provision of data analysis, data aggregation, or other services of independent value to the recipient likely would be the sort of remuneration that implicates the statute. Any assessment of Federal anti-kickback statute implications, available safe harbor protection, and potential liability under the statute, would require an analysis of the facts and circumstances specific to the particular arrangement.

Data analytics and other information technology that may be protected by the value-based safe harbors at 1001.952(ee)-(gg) can include built-in cybersecurity protections. For example, those safe harbors do not require the data analytics software to be free from cybersecurity protections to meet their conditions. Such software might normally include security features, such as a secure login and authentication, as part of the normal software development and could be protected by the value-based safe harbors, depending on the facts and circumstances.

Where parties seek safe harbor protection for the donation of technology, parties do not need to protect separate functions of that technology under different safe harbors if the donation meets the terms of a single safe harbor. This cybersecurity safe harbor is intended only to protect cybersecurity technology and services. Other safe harbors protect donations that may include cybersecurity features as part of a broader donation, without regard to whether the cybersecurity features would meet the requirements of the cybersecurity safe harbor (e.g., a donation of data analytics software that includes cybersecurity features may be protected by the value-based safe harbors at 1001.952(ee)-(gg), or an EHR system with cybersecurity features may be protected by the EHR safe harbor at 1001.952(y)).

Unless the data analytics and reporting functionality is predominantly used to analyze and report on cybersecurity threats or attacks (rather than more broadly facilitating the movement to value-based care), then it typically would not satisfy the initial paragraph for 1001.952(jj), which requires that the cybersecurity donation be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity.

Comment: A commenter recommended that OIG clarify the scope of what the cybersecurity technology and services must protect, such as cybersecurity to protect electronic health records, medical devices, or other information technology that uses, captures, or maintains individually identifiable health information. The commenter stated that the proposed safe harbor was silent as to the “object” of the cybersecurity protection and an explicit statement setting broad parameters about the purpose of donated cybersecurity technology and services would provide guidance and cover future technology advances. Another commenter encouraged OIG to permit donations related to medical device cybersecurity, which the commenter identified as a growing area of vulnerability. The commenter posited that promoting the security of medical devices would create added protection for patient privacy and safety.

Response: We are not defining the “object” or “subject” of the cybersecurity protection. The safe harbor protects a wide range of cybersecurity technology and services that are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. If all other conditions of the safe harbor are satisfied, this could include cybersecurity donations in connection with medical devices, EHR, and other information technology.

Comment: A commenter supported the inclusion of a broad array of cybersecurity services as part of the safe harbor, including numerous examples from the OIG Proposed Rule. In addition, the commenter recommended adding services to the list included in the OIG Proposed Rule, such as consulting services deployed not to conduct only a risk assessment or analysis, but to work with the practice to develop and implement specific cybersecurity policies and procedures. The commenter also suggested protection for subscription fees to vendor security products that assist practices in developing policies and procedures in support of a risk assessment. Another commenter requested that OIG provide further examples of what would and would not be protected by the safe harbor.

Response: We provided examples of items and services that would be protected by this safe harbor in the preamble to the OIG Proposed Rule that are still valid under the final rule and provide additional examples in this final rule.^[98] The examples included in the OIG Proposed Rule apply to the safe harbor, as finalized, and continue to illustrate the scope of the technology and services potentially protected by the safe harbor. We emphasize that we intend for the safe harbor to protect a broad array of technology and services. Donations of services that meet all conditions of this safe harbor would be protected. That would include donations where the donor arranges for or otherwise pays for third-party vendors or consultants to provide cybersecurity services that are necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity. We note, however, that reimbursing a recipient or providing monetary remuneration for such services would not be protected by this safe harbor because the safe harbor only protects nonmonetary remuneration.

The advisory opinion process remains available for parties seeking a legal opinion regarding the scope of the safe harbor as applied to a specific set of facts and circumstances.

Comment: A commenter asked OIG to include protection for implementation, management, and remediation services within the scope of this safe harbor, as these will fully optimize donations.

Response: The safe harbor would protect donations that include implementation, management, and remediation services, including those provided through a third party, if all conditions of the safe harbor are satisfied. As we stated in the OIG Proposed Rule, the safe harbor may protect services such as developing, installing, and updating cybersecurity software, and training recipients how to use it. We also stated in the OIG Proposed Rule that “cybersecurity as a service” may be protected, which includes third-party services for managing and monitoring the cybersecurity of a recipient.

Comment: While many commenters expressed concern about the effectiveness of the safe harbor if it does not protect a broad scope of technology and services, other commenters recommended limiting the scope of protected technology and services. A commenter noted that effective cybersecurity protection could require a whole suite of services, such as active management, monitoring, and developing an effective response system if an issue arises, and it may not be possible for an outside entity to provide such a broad range of services.

Response: This safe harbor protects a wide range of cybersecurity technology and services that satisfy the conditions of the safe harbor. It is intended to remove one actual or perceived barrier to improving the cybersecurity posture of the health care industry. While this safe harbor does not and cannot solve all cybersecurity issues for the health care industry, OIG believes that cybersecurity donations are just one tool that the health care system can use to improve its cybersecurity. We encourage providers and other actors to engage in other cybersecurity efforts, consistent with industry standards and applicable laws, to improve the cybersecurity of the entire health care system.

i. Monetary Cap

Summary of OIG Proposed Rule: We solicited comments on whether the safe harbor should include a monetary value limit on the total amount of donations that a donor can make to a recipient.

Summary of Final Rule: We are not finalizing a condition imposing any monetary limit.

Comment: A commenter recommended that if the final safe harbor protects hardware, OIG should not impose any cap on the value of the donated hardware. Another commenter encouraged OIG to finalize the safe harbor without imposing a monetary limit on the value of applicable remuneration. Some commenters recommended a cap as a potential safeguard.

Response: We are not finalizing any monetary cap on the value of remuneration protected by this safe harbor. We believe most cybersecurity donations are made for purposes of self-preservation from the risk of cyberattack. Therefore, donors are incentivized to donate what is required to achieve effective cybersecurity and not make excessive donations beyond the scope of what is needed to protect themselves. Furthermore, the initial paragraph for 1001.952(jj) limits donations of technology and services to those necessary and used predominantly to implement, maintain, or reestablish cybersecurity, which also serves to limit any excessive value of donations. The conditions at paragraphs 1001.952(jj)(1) and (2) ensure that the cybersecurity safe harbor does not protect donations that are tied to Federal health care program referrals or are otherwise conditioned on Federal health care program business. These conditions help mitigate the risk that more valuable donations may lead to more referrals or future business.

The threat-reduction purpose of cybersecurity technology and the conditions of the safe harbor work together to limit the risk of fraud or abuse caused by improper donations and a monetary cap is not needed for the cybersecurity safe harbor.

j. Deeming Provision

Summary of OIG Proposed Rule: We solicited comments on whether to create a provision in the final rule that would allow donors and recipients to demonstrate compliance with the condition at paragraph 1001.952(jj)(1) by meeting certain additional standards. Specifically, we suggested a “deeming provision” that would allow donors or recipients to demonstrate that the donation satisfies proposed paragraph 1001.952(jj)(1) if it furthers a recipient’s ability to comply with a written cybersecurity program that reasonably conforms to a widely recognized framework or set of standards, such as one developed or endorsed by the National Institute of Standards and Technology (NIST) or another American National Standards Institute-accredited standards body, such as the International Organization for Standardization.

Summary of the Final Rule: We are not finalizing a “deeming provision.”

Comment: A number of commenters supported the inclusion of a “deeming provision” in the final rule and offered suggestions on how to implement such a provision. Several commenters suggested that the “deeming provision” should apply if the donation furthers a recipient’s compliance with a written cybersecurity program that reasonably conforms to a widely recognized cybersecurity framework, such as one developed by NIST, or guidelines developed by the Department of Health and Human Services Office for Civil Rights (OCR) in collaboration with the Office of the National Coordinator for Health Information Technology (ONC). One commenter recommended that any reference to cybersecurity standards, frameworks or risks be based on existing independent frameworks, ideally drawn from NIST standards.

Response: We are not finalizing a “deeming provision” for the cybersecurity safe harbor. We are concerned that a deeming provision could have the inadvertent effect of protecting multifunctional hardware, software, or other technology and services because the donation conforms to a written cybersecurity protocol following industry standards. Specifically, if a donor or recipient were to demonstrate that a donation of hardware furthered its compliance with a written cybersecurity program that includes items such as laptops, servers, or other types of multifunctional hardware, parties may use the “deeming provision” in attempting to protect hardware that is not necessary or used predominantly to implement, maintain, or reestablish effective cybersecurity. Although we are not finalizing a voluntary “deeming provision,” parties are encouraged to consider implementing cybersecurity programs that follow widely recognized industry frameworks. Parties may also voluntarily include their own standards to apply to donations.

However, even if donations further compliance with a written cybersecurity program that is consistent with a widely recognized industry cybersecurity framework or a party’s own standards, that does not automatically mean that any cybersecurity donation is “deemed” necessary or used predominantly to implement, maintain, or reestablish effective cybersecurity. Parties should undertake a careful analysis of any donations for which they seek safe harbor protection to ensure compliance with all conditions of the safe harbor.

Comment: Some commenters urged that any reference to standards or frameworks used in any “deeming provision” be illustrative and not exclusive, so as to avoid unnecessary constraints and allow for the application of future frameworks. Another commenter agreed with inclusion of a “deeming provision” but recommended that such provision remain voluntary. Several commenters objected to any “deeming provision,” noting that it would add an unnecessary burden without providing any meaningful protection against fraud and abuse. A commenter stated that physicians may struggle to understand what “reasonable conformance” looks like or when a framework or standard is considered “widely recognized.” A commenter stated that a stringent “deeming provision” could create additional barriers to mitigating the risks of cybersecurity threats. One commenter sought clarity on the “deeming provision,” asking whether the recipient must show financial need to satisfy the “deeming provision,” and another commenter supported a “deeming provision” when the cost of the donation of technology and services exceeds a specified monetary limit.

Response: Safe harbors are voluntary; this safe harbor does not require any individual or entity to offer free or discounted cybersecurity technology or services, nor does it require any individual or entity to structure any donations of cybersecurity technology and services to satisfy the conditions of the safe harbor. Notwithstanding, for the reasons stated above we are not finalizing a “deeming provision” in this safe harbor. We also agree with the commenter that parties may struggle to understand what “reasonable conformance” looks like or when a framework or standard is considered “widely recognized.” Without selection of one or more specific frameworks, any “deeming provision” could be subject to manipulation.

Comment: One commenter suggested that OIG adopt the same “deeming provision” that appears in the EHR safe harbor at paragraph 1001.952(y)(2).

Response: We decline to adopt the commenter’s suggestion. The “deeming provision” included in the EHR safe harbor at paragraph 1001.952(y)(2) relates to donations of EHR items and services satisfying the interoperability condition in paragraph 1001.952(y)(2) using ONC Certification standards rather than the “necessary and used predominantly” standard in this cybersecurity safe harbor. Therefore, the commenter’s suggested “deeming provision” is not applicable in this context and, for the reasons stated above, we are not finalizing any “deeming provision” in this safe harbor.

k. Volume and Value Condition

Summary of OIG Proposed Rule: We proposed at paragraph 1001.952(jj)(2) that donations would not be protected under this safe harbor if donors directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services, or the amount or nature of the technology or services to be donated. Donations also would not be protected if donors condition donations of technology or services, or the amount or nature of the technology or services to be donated, on future referrals. Similarly, we proposed at paragraph 1001.952(jj)(3) that donations would not be protected if the recipient or the recipient’s practice (or any affiliated individual or entity) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor.

Summary of Final Rule: We are finalizing, without modification, these conditions, but renumbering them as 1001.952(jj)(1) and (2).

Comment: Commenters generally supported the provision restricting donors from directly taking into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services, or the amount or nature of the technology or services donated. Commenters also supported OIG’s proposal that potential recipients should not be permitted to condition future business with the donor on the receipt of cybersecurity donations. A commenter recommended that OIG set guardrails to ensure that industry stakeholders do not donate cybersecurity in order to influence referral patterns. Some commenters also agreed that OIG should not finalize a list of selection criteria that, if met, would be deemed not to directly take into account the volume or value of referrals or other business generated between the parties, similar to the provision within the EHR safe harbor at paragraph 1001.952(y)(5). A commenter agreed that donations of cybersecurity technology and services do not present the same risks as donations of EHR software and information technology. Thus, a list is unnecessary.

Response: We are finalizing paragraphs 1001.952(jj)(1) and (2) as proposed. We agree with commenters who recommended that we not include a list of selection criteria deemed not to directly take into account the volume or value of referrals, similar to paragraph 1001.952(y)(5). We agree with the commenter who described such a list as unnecessary. Additionally, the safe harbor conditions we are finalizing, viewed in their totality, guard against donations to influence referral patterns, so additional guardrails are unnecessary.

Comment: A commenter representing hospitals and health systems expressed concern that the provision of cybersecurity technology and related services to physician practices could increase the risk of fraud and abuse if the donations are used as a bargaining chip, thus facilitating cost-shifting from entities in need of such services and potential donors, rather than cooperation between the entities. Another commenter representing the laboratory industry expressed concerns about physicians starting or encouraging “bidding wars” between laboratories, insinuating that the laboratory that offers or makes the most generous donation will get the physician’s referrals (and, likewise, some laboratories in fact may act inappropriately and promise a donation in exchange for future referrals).

Response: We acknowledge the commenters’ concerns about inappropriate donations designed to induce referrals. We are finalizing paragraphs 1001.952(jj)(1) and (2) as proposed to preclude such conduct from protection under this safe harbor. Like the commenters, we are concerned about the “bargaining chip” and “bidding war” scenarios, and we emphasize that donors that condition donations on referrals—and potential recipients who demand donations as a condition of doing business or continuing to do business—would not qualify for protection under this safe harbor. Furthermore, such offers and solicitations may violate the Federal anti-kickback statute.

Comment: A provider trade association noted that donations of cybersecurity technology and services are typically made by software developers and medical device manufacturers, not providers. The same trade association cautioned that cybersecurity-related donations should be based on risk to the donor’s own software, systems, or network, and suggested that such donations should be available to all similar entities with similar risk assessments and without regard to business relationships or affiliations.

Response: As we stated above, this safe harbor is agnostic to the types of individuals and entities donating the protected cybersecurity technology and services. We believe the requirement that donations be necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity, combined with requirements related to the volume and value of referrals and other business generated, provide safeguards to ensure that donations are made for necessary cybersecurity purposes.

In response to the commenter’s suggestion that donations should be made available to similarly situated entities, we note that the safe harbor is voluntary. A donor can choose the entities to which it donates. Furthermore, it is likely impracticable that donors would make donations available to all similar entities with similar risk assessments. Even in those circumstances, the donor and a potential recipient may have needs that are different than those for other similarly situated entities based on the specific cybersecurity needs inherent in connecting to the specific systems with which the donor interacts. We emphasize that determining whether a cybersecurity donation meets the conditions of the safe harbor requires an analysis of the specific facts and circumstances.

l. Recipient Contribution

Summary of OIG Proposed Rule: We did not propose a requirement that donors of cybersecurity technology and services collect a monetary contribution from recipients. In connection with our alternative proposal that would cover hardware, we solicited comments on whether we should require a contribution from a recipient if a donation included hardware.

Summary of Final Rule: We are not finalizing a contribution requirement as a condition to this safe harbor, regardless of whether hardware is included in the donation.

Comment: Many commenters agreed with our proposal not to require a recipient of protected cybersecurity technology and services to contribute to the overall cost of the donation. Commenters suggested that a contribution requirement in the context of this safe harbor may act as a barrier to donations because it may be: (i) Administratively burdensome to calculate or track contributions; (ii) imprecise; or (iii) cost-prohibitive for recipients who lack adequate resources to contribute. A commenter stated that the pressing requirement to upgrade the cybersecurity of the nation’s health care systems should not be held hostage to the ability of capital-constrained medical practices to pay money for such security. Several commenters agreed with our conclusion in the OIG Proposed Rule that forgoing a contribution requirement in this safe harbor would free recipients’ resources to invest in other technology not protected by the safe harbor, such as updating legacy technologies. Several commenters requested that donors have the option to require a contribution from recipients.

Response: We agree with commenters who recommended against including a contribution requirement in this safe harbor. Rather than investing resources in a contribution, the final rule frees up recipients to invest resources in other technology not protected by the safe harbor, such as updating legacy multifunctional hardware that may pose a cybersecurity risk or simply investing in their own computers, phones, and other hardware foundational to their businesses, caring for patients, and interacting with their providers. Additionally, we are finalizing only those conditions that are critical to guarding against fraud and abuse in the context of cybersecurity donations in order to provide regulatory flexibility for donations intended to counterbalance the significant cybersecurity threats against the nation’s health care ecosystem.

We have concluded that a contribution requirement would be burdensome in the context of cybersecurity donations because the necessity of donated services may vary unpredictably—varying weekly or even daily—in response to cybersecurity threats. We understand that cybersecurity patches and updates are frequent and would need to be applied or aggregated across an entire set of recipients using the same technology or services, further complicating contribution amounts for each end user. Also, we are concerned that recipients might be unwilling or unable to accept cybersecurity donations due to potentially unpredictable costs they might incur after the initial donation. In the context of cybersecurity donations, a contribution requirement would pose a barrier to donations that, on balance, is outweighed by the need for widespread improvement of cybersecurity hygiene in the health care industry.

As we stated in the OIG Proposed Rule, donors are free to require recipients to contribute to the costs of donated cybersecurity technology and services as long as the determination of a contribution requirement, or the amount of the contribution, does not take into account the volume or value of referrals or other business between the parties. For example, if a donor donates without any required contribution cybersecurity services to a high-referring physician practice but requires a low-referring physician practice to contribute to the cost of such services, the donor could violate the conditions at paragraph 1001.952(jj)(1)(i) and (ii).

Comment: Several commenters supported a contribution requirement for various reasons. One commenter representing the laboratory industry discussed that industry’s experience with the EHR safe harbor at paragraph 1001.952(y), concluding that absent a contribution requirement, vendors have little incentive to offer competitive pricing. The commenter stated that its experience with EHR donations may extend to cybersecurity donations, and cybersecurity technology vendors’ sales representatives may urge physicians that require cybersecurity software and services to direct their requests to laboratories likely to make a donation, increasing the demand for the vendors’ cybersecurity technology. Another commenter suggested that although recipients should have a vested interest in the products they are using, a 15 percent contribution may be too high for some providers, suggesting that a smaller contribution could be a fair compromise. A number of commenters requested a carve-out to any finalized contribution requirement for small and rural providers, those in medically underserved areas, and federally qualified health centers. Several commenters argued for consistency in any contribution requirement across safe harbors, noting that because cybersecurity is part and parcel of other technology it could impose undue complications to require recipients to contribute to some donations but not others. Several commenters asserted that OIG should consider a flexible contribution requirement that would provide for a comparable investment across provider types rather than a flat percentage contribution.

Response: For the reasons stated in the preceding response, we have concluded that a contribution requirement of any percentage is not appropriate for this safe harbor. Donations of cybersecurity technology and services do not present the same type or magnitude of risks as donations of electronic health records software and other information technology. As we stated in the OIG Proposed Rule, cybersecurity donations, if legitimate, are more likely to be based on considerations such as security risks—especially the exposure of the donor when connecting to the recipient—and are less likely to be based on considerations relating to the volume and value of referrals or other business generated. We believe the safeguards in the final safe harbor, including restrictions against recipients conditioning their referrals or business on donations, are sufficient to account for the potential pressure from vendors. Furthermore, suspected fraud and abuse can be reported to OIG’s hotline at https://oig.hhs.gov/​fraud/​report-fraud/​index.asp.

m. Patching and Updates

Summary of Proposed Rule: Related to the issue of recipient contribution, the OIG Proposed Rule discussed the unique, practical difficulties of a contribution in the context of cybersecurity patching and updates.

Summary of Final Rule: We are not finalizing any specific regulatory text relating to patching and updates. We view these as protected under the safe harbor if all other conditions of the safe harbor are satisfied.

Comment: Several commenters asked that we protect the costs or services associated with ongoing cybersecurity software updates and other patches. A commenter highlighted that patching and updates are critical to managing cybersecurity risks, and that prohibiting their donation could neutralize any benefits resulting from any final safe harbor. A commenter noted that, given the fast-paced nature of developments in cybersecurity, it is likely that new tools will need to be deployed on at least an annual basis. Another commenter requested clarification regarding whether accepting a routine or critical update would result in loss of safe harbor protection, noting that patching is sometimes given to providers for free (because it is built into the contracts with vendors) and some patches may be focused on security while others may be more general.

Response: We agree with commenters that patching and updates are critical to managing cybersecurity risks, and this final safe harbor protects such patches and upgrades if all conditions of the safe harbor are squarely satisfied. We note that this final rule does not require a contribution from the recipient, as discussed above, so routine patches and upgrades given for free to recipients will not result in loss of safe harbor protection, as long as all safe harbor conditions are met. Donors who collect a percentage contribution from any recipient, according to the written agreement with the recipient, may need to collect a contribution for any patches and updates pursuant to the terms of the parties’ agreement. It is possible for donors to structure any required recipient contribution in a number of ways as long as neither the decision to collect the contribution nor the amount or nature of the contribution is based on the volume or value of referrals or other business generated between the parties. For example, a donor is free to structure donations that require a percentage or sum certain contribution for the initial cybersecurity donation but not for subsequent patches and upgrades as long as the donor does so consistently and according to the terms of the written agreement.

n. Writing Requirement

Summary of OIG Proposed Rule: We proposed at proposed paragraph 1001.952(jj)(4) that a donor and recipient set forth a written agreement that is signed by the parties and that describes the technology and services being provided, and the amount of the recipient’s contribution, if any.

Summary of Final Rule: We are finalizing, with modification, a writing requirement at paragraph 1001.952(jj)(3). We are not requiring that the writing be a single document, and we made certain clarifications, including that the signed documentation must include a general description of the technology and services provided.

Comment: Commenters generally supported a writing requirement. A commenter asserted that a written agreement between donors and recipients of cybersecurity technology and services will bring transparency to the donation process. Another commenter agreed that a signed agreement is necessary to ensure that both parties understand what is being donated and the terms of the agreement, including long-term maintenance and support of the technology.

Response: We agree with commenters that a writing requirement will bring transparency to the donation process and ensure that the parties understand the scope of the donation and the responsibilities of both parties. The safe harbor’s writing requirement mandates that parties articulate in writing a general description of the donation, and if the donor will require a contribution the parties must specify that amount. We anticipate that parties would include in their general description of the donation some details about the initial technology or service provided as well as any provision of long-term maintenance, support, patching, or updates they intend to include within the scope of the donation. We do not anticipate that parties will specify every unforeseen item or service that might be necessitated by a future update.

Comment: A commenter stated that a written agreement between donors and recipients is an acceptable safeguard as long as any requirement for such agreement is reasonable in scope. The commenter stated that required terms and conditions in the agreement should be limited, given the nature of the donation and the relationship between the parties. For example, the commenter stated that the safe harbor’s writing requirement should not compel written terms other than to describe: (i) The technology, services, or both to be donated; (ii) commercial terms as necessary to meet the safe harbor; and (iii) warranties by each party to use such technology in compliance with applicable laws and regulations. The commenter also urged OIG to provide a publicly accessible template cybersecurity donation agreement or standard cybersecurity donation terms.

Response: We have designed the final writing requirement to be reasonable in the context of the other conditions in the cybersecurity safe harbor. We decline to add the specific examples of terms and conditions to regulation text or provide any template cybersecurity donation agreement or standard cybersecurity donation terms for parties to use, as suggested by the commenter. This condition requires that parties include a general description of the cybersecurity technology and services to be provided and, if any contribution is required, the parties must specify the amount. The parties are free to add other terms to their documentation related to a cybersecurity donation.

Comment: A commenter appreciated our preamble explanation of the safe harbor’s writing requirement but requested that the proposed regulatory text include the word “general” or “generally” so that donors and recipients do not unnecessarily include every item or potential service in a written agreement. The commenter urged OIG to revise the regulatory text of the writing requirement to read as follows: “[generally] describes the technology and services being provided. . . .” The commenter also requested clarification concerning any value-related writing requirements. The commenter stated that the proposed regulatory language includes the amount of the recipient’s contribution (if any), while the preamble states that the written agreement requires a reasonable estimate of the value of the donation. The commenter supported only including the recipient’s contribution (if any), but requested that if we include a writing requirement related to specifying the value of the donation, then OIG should require the writing to include a reasonable estimate of the value of the donation so as to not introduce any concept of fair market value or the need to hire a valuation consultant to determine a reasonable estimate.

Response: We appreciate the commenter’s concern about the language included in the proposed regulation text at proposed 1001.952(jj)(4), and we are finalizing a writing requirement that includes some changes suggested by the commenter. Specifically, the final regulatory text of this safe harbor’s writing requirement at paragraph 1001.952(jj)(3) requires that the signed writing include a general description of the technology and services being provided and the amount of the recipient’s contribution, if any. Through this final writing requirement, we do not intend to: (i) Introduce any fair market value requirement; (ii) force parties to determine the fair market value of the donation; or (iii) compel the parties to hire a valuation consultant. For purposes of this condition, we interpret “the amount of the recipient’s contribution, if any” to mean either the sum certain a donor will collect as contribution or, if the donor will collect a percentage of the total value of the donation, the percentage that will be applied. To be clear, this safe harbor does not include a recipient contribution requirement; however, if the donor chooses to require that the recipient contribute, that contribution must be documented in writing. We also note that if the scope of the donation changes materially over time, such as when a donor provides more or fewer technology or services than originally anticipated in the scope of the arrangement, or if the parties alter the contribution requirement (if any), we think that best practices would have the parties document such modifications in writing. If the donor requires a contribution that applies to the initial value of the donation but not the subsequent value of patching and upgrades, we anticipate that the writing would specify such terms.

Comment: A commenter objected to OIG’s proposed documentation requirement, stating that it should be scaled back to avoid imposing burdensome writing requirements on the parties. The same commenter argued that a simple acknowledgement that the software donation has been or will be made available should be sufficient.

Response: We do not believe the writing requirement should be scaled back. This condition, as finalized, imposes no greater—and indeed, may require less—burden on the parties to the written agreement than would otherwise be expected in a commercial transaction involving the exchange or use of cybersecurity technologies or services of this nature between parties, such as a user agreement or purchase order.

Comment: A commenter noted that the OIG safe harbor would require a signed written agreement between a donor and recipient, while the corresponding physician self-referral law exception would require only “written documentation.” The commenter recommended that OIG revise the safe harbor to require only written documentation, as opposed to a formal written agreement.

Response: The formality of a signed writing serves as an important safeguard by transparently documenting the parties’ donation and formal agreement to any obligations in connection with such donation. However, we are persuaded not to require that the writing be set forth in a single, written agreement. We have revised the writing requirement to permit a “collection of documents” approach. To receive safe harbor protection, the general description of the technology and services being provided and the amount of the recipient’s contribution, if any, must be set forth in writing and signed by the parties. The terms do not need to be set forth in a single, signed writing, although we believe this approach is a best practice from a compliance perspective. As explained in section III.A.1. of this preamble, some conditions of our safe harbors are different from CMS’s final rule by design in light of the different statutory schemes.

o. Cost-Shifting

Summary OIG Proposed Rule: We proposed at proposed paragraph 1001.952(jj)(5) that the donor not shift the costs of the technology or services to any Federal health care program.

Summary of Final Rule: We are finalizing, without modification, the condition at paragraph 1001.952(jj)(4). We received general support for the proposed safeguards in the safe harbor, but we did not receive specific comments on the proposed prohibition against cost-shifting. Donor Liability

Comment: Several commenters urged OIG to provide guidance on a donor’s potential liability for cybersecurity events affecting any recipients of cybersecurity donations. Several commenters, including an organization dedicated to serving chief information officers, chief medical information officers, chief nursing information officers, and other senior health care IT leaders asserted that without some way to protect cybersecurity donors from being held responsible for cybersecurity incidents involving recipients, providers would be reluctant to donate technology or services for fear of the downstream risk they might incur. A few commenters suggested that OIG create protections for donors that safeguard them from risks stemming from cybersecurity incidents experienced by recipients. Another commenter similarly urged OIG to collaborate with OCR to develop a mechanism to limit the donor’s liability for cybersecurity events that may occur at the recipient’s location. Commenters recommended that OIG create protections for donors that indemnify them from risks stemming from cybersecurity incidents experienced by donors and clarify whether a donor can be indemnified from an OCR action related to a breach when such indemnification provisions are included in the parties’ written contract.

Response: Issues relating to downstream liability, indemnification, or other contracting and business tort issues are beyond the scope of this rulemaking. However, we highlight that the safe harbor does not prevent parties from addressing these issues through contracts or other agreements, and we note that the facts and circumstances of any remuneration under such agreements may require separate analysis under the Federal anti-kickback statute.

Comment: One commenter characterized the safe harbor as protecting recipients from liability concerning fines, ransom, and litigation risk.

Response: We agree that the general effect of a cybersecurity donation should help improve a recipient’s cybersecurity, thereby potentially reducing the recipient’s liability risk for fines, ransom, and litigation stemming from a cyberattack. We clarify, however, that donations protected under this safe harbor do not include monetary remuneration to a recipient, or on behalf of a recipient, for any fines, ransom, or litigation stemming from a cyberattack.

p. Other Comments

Comment: A provider trade association cautioned that hospitals and health systems that donate or subsidize cyber products and services should not use those as a pretext for discouraging or inhibiting the exchange of patient health information between providers.

Response: We note that this safe harbor does not exempt entities and individuals from other applicable State and Federal laws and regulations related to the commenter’s concerns about entities’ conduct that may inappropriately interfere with, prevent, or materially discourage the exchange of patient health information between providers. The ONC regulation entitled “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” ^[99] implements provisions of the 21st Century Cures Act ^[100] (Cures Act) that are designed to address occurrences of information blocking. If patients, providers, or others believe that a health care provider, health IT developer of certified health IT, or health information network or health information exchange is engaging in information blocking, we encourage reporting complaints to HHS through the Report Information Blocking portal (https://healthit.gov/​report-info-blocking).

Comment: In the preamble to the OIG Proposed Rule related to this safe harbor, we distinguished certain features of cybersecurity donations from EHR donations. A commenter asked OIG to clarify its statement that electronic health record donations “present a greater risk that [sic] one purpose of the donation is for the donor to secure additional referrals from the recipient or otherwise influence referrals or other business generated.” ^[101] Specifically, the commenter urged us to clarify that this reference to “one purpose” is not intended to introduce the one-purpose test into the rulemaking.

Response: The Federal anti-kickback statute has been interpreted to cover any arrangement in which one purpose of the remuneration was to obtain money for the referral of services or to induce further referrals, and nothing in this final rule changes such interpretation. In other words, offering remuneration to a purchaser or referral source potentially implicates the Federal anti-kickback statute if one purpose is to induce the purchase or referral of Federal health care program business. Donations of EHR, like any other thing of value, constitute remuneration for purposes of the Federal anti-kickback statute. Whether a particular arrangement including a donation of EHR or cybersecurity technology and services violates the statute would depend on the facts and circumstances of such an arrangement, including whether the arrangement complies with a safe harbor.

With respect to the statement the commenter cited from the OIG Proposed Rule, we confirm that we are not introducing the so-called one-purpose test as a condition of the safe harbor at 1001.952(jj).

9. Electronic Health Records Items and Services (42 CFR 1001.952(y))

Summary of OIG Proposed Rule: We proposed changes to the EHR safe harbor at paragraph 1001.952(y), which protects certain arrangements involving the donation of interoperable EHR software or information technology and training services. First, we proposed to amend the safe harbor to clarify that safe harbor protection has always been available for certain cybersecurity software and services, and to expand the safe harbor’s potential protection of the donation of software and services related to cybersecurity. Next, we proposed to update the condition at paragraph 1001.952(y)(2) to specify that for software to be “deemed” interoperable, it must be certified by a certifying body on the date it is donated. We proposed to modify paragraph 1001.952(y)(3), which already prohibited conduct similar to “information blocking” to align with the proposed information blocking definition and related exceptions in the ONC, HHS Notice of Proposed Rulemaking “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” (ONC NPRM).^[102] We also proposed to eliminate: (i) The condition at paragraph 1001.952(y)(7) that prohibits the donation of equivalent items or services to allow donations of replacement technology; and (ii) the sunset provision at paragraph 1001.952(y)(13) to make the safe harbor permanent. Finally, we proposed to revise the definitions of “interoperable” and “electronic health record” and add a definition of “cybersecurity,” and include all definitions relevant to the safe harbor at proposed paragraph 1001.952(y)(14). We also solicited comments on whether we should modify or eliminate the 15 percent contribution requirement and whether we should expand the scope of protected donors.

Summary of Final Rule: We are finalizing, with modifications, the changes we proposed to paragraph 1001.952(y). We are finalizing our proposal to eliminate the sunset provision and the provision that prohibits the donation of equivalent EHR items and services. We are finalizing the language explicitly protecting cybersecurity software and services and the definition of “cybersecurity.” We also are finalizing our revision to paragraph 1001.952(y)(2) to update the deeming provision, with a minor clarification. We are not finalizing paragraph 1001.952(y)(3) related to information blocking or our proposed modifications to the definition of “electronic health record.” We are finalizing our modifications to the definition of “interoperable,” but we are not including the phrase “without special effort on the part of the user.” This final rule also revises paragraph 1001.952(y)(1) to expand the scope of protected donors to certain entities such as accountable care organizations and health systems. The final rule maintains the 15 percent contribution requirement but also includes flexibilities in connection with administering that requirement.

a. Cybersecurity

Summary of OIG Proposed Rule: To clarify that the safe harbor protected cybersecurity software and services related to EHRs, we proposed to amend the introductory language of paragraph 1001.952(y) by including the phrase “including certain cybersecurity software and services” and adding the term “protect.” We also proposed to include in paragraph 1001.952(y)(14) a definition for “cybersecurity” to mean “the process of protecting information by preventing, detecting, and responding to cyberattacks.”

Summary of Final Rule: We are finalizing, without modification, the introductory language of paragraph 1001.952(y) except for a technical correction by not including the word “certain.” We also finalize the definition of “cybersecurity,” as proposed.

Comment: We received several comments in support of expressly providing safe harbor protection for certain cybersecurity software and services that protect electronic health records.

Response: We are finalizing protection for cybersecurity software and services, as described in more detail below. We note that, to avoid confusion, we made a technical correction by removing the term “certain” in the introductory paragraph of the EHR safe harbor. This change has no substantive effect. This safe harbor protects cybersecurity software and services as long as the donation meet all conditions.

Comment: A commenter expressed concern that the EHR safe harbor’s cybersecurity proposal and the separately proposed cybersecurity safe harbor (proposed at paragraph 1001.952(jj)) have significant overlap and could lead to confusion if both were finalized. As such, the commenter suggested that if OIG were to finalize a separate cybersecurity safe harbor, the proposed cybersecurity-related clarifications to the EHR safe harbor would not be necessary. The commenter requested that if OIG were to finalize protection for certain cybersecurity software and services within the EHR safe harbor, the agency clarify that the predominant purpose of the software or service must be cybersecurity associated with the electronic health records. Similarly, another commenter suggested that creating separate safe harbors for electronic health records and cybersecurity is taking a piecemeal approach to tools that must work together for care coordination.

Response: We recognize that there is a certain amount of overlap between the cybersecurity safe harbor finalized in this rule and the EHR safe harbor amended by this final rule. Regardless of this acknowledged overlap, it is useful to clarify in the EHR safe harbor that cybersecurity software and services with the predominant purpose of protecting electronic health records can be protected under the EHR safe harbor provided the donation satisfies all other safe harbor conditions. For example, if one party is donating an EHR system that could be protected under the EHR safe harbor and that EHR system includes cybersecurity functions to protect the electronic health records that might not have appeared to meet the safe harbor’s previous standard of being necessary and used predominantly to create, maintain, transmit, or receive electronic health records, then parties seeking safe harbor protection may want to structure the donation arrangement to satisfy the conditions of the EHR safe harbor rather than potentially also looking to the cybersecurity safe harbor. However, the new cybersecurity safe harbor also would remain available for the protection of cybersecurity technology and services if conditions of that safe harbor were met. If, in contrast to the example above, the cybersecurity donation were to include a broader suite of products and services that do not have a predominant purpose to protect the electronic health records (but are used predominantly to implement, maintain, or reestablish effective cybersecurity), then parties seeking safe harbor protection may want to evaluate the arrangement in the context of the standalone cybersecurity safe harbor.

Comment: Some commenters asked us to broaden the scope of cybersecurity protection within the EHR safe harbor to, for example, protect cybersecurity hardware such as network appliances. One commenter asked that the safe harbor protect without exception cybersecurity hardware, software, infrastructure, and services. Another commenter suggested that if the expanded safe harbor does not protect hardware, it should permit donors to place cybersecurity hardware at the recipient’s location as long as the donor retains title to or a leasehold interest in the equipment. A commenter noted that in order to protect donors from cyberattacks, the safe harbor should protect the donation of any cybersecurity technology and related services without a contribution requirement to protect any protected health information shared for groups of patients.

Response: We are not expanding this safe harbor to protect additional services or hardware, regardless whether the hardware is donated or loaned to a recipient. The EHR safe harbor is designed to protect donations of EHR software and services, and expressly excludes hardware. By including the word “protect” in paragraph 1001.952(y), we are clarifying that the scope of the safe harbor applies to cybersecurity software or information technology and training services that are necessary and used predominantly to protect electronic health records. There is a separate, standalone safe harbor intended to protect broader cybersecurity donations available at paragraph 1001.952(jj). That safe harbor, as finalized in this rule, protects cybersecurity hardware and does not have a contribution requirement.

b. Deeming Provision

Summary of OIG Proposed Rule: We proposed minor modifications to the deeming provision at paragraph 1001.952(y)(2) by changing “it has been certified by a certifying body” to read “it is certified by a certifying body.” We also proposed to remove reference to “editions” of certification criteria to align with proposed changes to the certification program.

Summary of Final Rule: We are finalizing, with modification, our proposal to revise the condition at paragraph 1001.952(y)(2). We are clarifying that for software to be “deemed” interoperable, it must be certified by a certifying body authorized by ONC to certification criteria identified in the then-applicable version of 45 CFR part 170. We are making a technical edit to conform the terminology in our deeming provision to the terminology used in 45 CFR part 170. Specifically, we are removing the phrase “electronic health record” preceding “certification criteria” because it has been removed from 45 CFR 170 as of June 30, 2020. We are also deleting the word “editions.”

Comment: Commenters generally agreed with our proposal to clarify that software would be deemed interoperable under the safe harbor if, on the date it is donated, it “is certified” by a certifying body authorized by ONC rather than “has been certified.” Some commenters had questions about our removal of the phrase “an edition” before “the electronic health record certification criteria” and inquired whether we should specify that the criteria are the “latest” or “current” certification criteria.

Response: We agree with comments that we should clarify our intention for the software to be certified to the then-current certification criteria. However, rather than inserting new language the deeming provision will read: “[f]or purposes of this paragraph (y)(2), software is deemed to be interoperable if, on the date it is provided to the recipient, it is certified by a certifying body authorized by the National Coordinator for Health Information Technology to certification criteria identified in the then-applicable version of 45 CFR part 170.” The version of paragraph 1001.952(y)(2) being finalized maintains nearly identical language from OIG’s 2013 final rule addressing the electronic health records safe harbor (2013 EHR Final Rule) except that we changed “it has been certified by” to “it is certified by” ^[103] and, as noted above, we removed the phrase “electronic health record” before “certification criteria.” We note that this latter change does not alter the scope of remuneration protected under this safe harbor; despite removing the phrase in the deeming provision, the safe harbor continues to protect only items and services that are used predominantly to create, maintain, transmit, receive, or protect electronic health records that meet all criteria of the safe harbor.

Comment: A commenter opposed the concept of an “optional” deeming provision, asserting that it is critical to require that software be certified by a certifying body authorized by ONC to further support the goal of value-based arrangements.

Response: We agree that interoperability is a critical condition of the EHR safe harbor, but we disagree with the commenter that certification by a certifying body authorized by ONC should be the only way of meeting this standard. This certification provides donors and recipients with assurance that their product is interoperable for purposes of this safe harbor, but such certification is not a requirement for safe harbor protection.

Comment: A commenter suggested that the proposed change to the deeming provision creates compliance uncertainty in the context of an ongoing software donation. In particular, the commenter was concerned that the proposed wording change would mean that any time after the initial donation the EHR software loses its certification, the continued provision of the software including maintenance would implicate the fraud and abuse laws. Other commenters supported the proposal to require software to be certified at the time it is provided to a recipient, with a commenter noting that any updates to donated systems should also be certified to the most recent standards. A commenter asked that physicians not participating in the Quality Payment Program be granted a 5-year grace period under the interoperability deeming provision so that their donated EHR software need only be certified to the 2015 edition.

Response: The deeming provision in paragraph 1001.952(y)(2) is optional. Certification of donated software by a certifying body authorized by ONC is not required to meet the terms of the safe harbor; the safe harbor requires that, to receive protection, the software must be interoperable at the time it is provided to the recipient. To the extent physicians or other health care providers are seeking protection of donated EHR items and services under the safe harbor, the donated EHR software need only be interoperable (as defined at paragraph 1001.952(y)(14)(iii)) to satisfy the condition at paragraph 1001.952(y)(2).

If an EHR item or service loses its certification, it would no longer satisfy the deeming provision. Therefore, new donations of such EHR items or services, including updates and patches of the software would not satisfy the safe harbor’s deeming provision. However, if the EHR items or services were still interoperable (as defined at paragraph 1001.952(y)(14)(iii)), then the safe harbor would protect continued donation of such software and services, including patches, as long as all other conditions are met.

c. Information Blocking

Summary of OIG Proposed Rule: We proposed modifying paragraph 1001.952(y)(3) by incorporating a reference to the information blocking definition and related exceptions in 45 CFR part 171. We solicited comments on this approach.

Summary of Final Rule: We are not finalizing the proposed modification to paragraph 1001.952(y)(3) and instead are deleting this condition from the safe harbor.

Comment: We received a number of comments about our proposal to incorporate the “information blocking” prohibition from the 21st Century Cures Act (Cures Act) ^[104] or the ONC NPRM into the safe harbor at paragraph 1001.952(y)(3). While commenters did not necessarily disagree that information blocking should be prohibited, commenters raised a number of questions and concerns regarding how such a provision would work in a safe harbor. For example, although we received from commenters support for our proposal to update the safe harbor to include a condition that would preclude safe harbor protection for arrangements that lead to “information blocking” as that term is used in the Cures Act, a number of commenters expressed concern about relying on the ONC NPRM, which was not yet final. Commenters were particularly concerned about the array of exceptions to the definition of “information blocking” and incorporation of the definition of “electronic health information” as proposed in the ONC NPRM.

Some commenters asked that we clarify which party is responsible to ensure that information blocking does not occur. For example, some commenters noted that a donor cannot control what happens to software after it is donated. Similarly, several commenters recommended removing or revising the condition that a donor (or any person on a donor’s behalf) does not engage in a practice constituting information blocking, explaining that a vendor may engage in information blocking without the donor’s knowledge. Commenters expressed contrasting opinions about the proposed knowledge standard, with some commenters recommending that it apply to both health care providers and health plans that voluntarily use the safe harbor to protect donations under this safe harbor, while others recommending that health plans be subject to the “knows, or should know” standard because health plans are not health care providers and do not have direct patient care responsibilities.

Another commenter noted that if a determination of information blocking against either a donor or recipient occurs at some time after a donation, the recipient may be vulnerable to unexpected costs or lose access to its health information technology if the arrangement suddenly ends.

Another commenter suggested that, rather than including a prohibition on information blocking (as such term is defined in the Cures Act or in 45 CFR part 171) as a safe harbor condition, OIG should assume that information blocking will not be tolerated and will be enforced through other authorities.

Response: Based on the comments and assessing the final rule published by ONC, “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program” (ONC Final Rule),^[105] we are not finalizing the proposed information blocking condition, and we are removing the existing paragraph 1001.952(y)(3), which prohibits the donor or any person on the donor’s behalf from taking any action to limit or restrict the use, compatibility, or interoperability of the donated EHR items or services. This condition, when originally implemented in OIG’s 2006 final rule creating the electronic health records safe harbor (2006 EHR Final Rule),^[106] was intended to help ensure that transfers of health information technology will further the policy goal of fully interoperable health information systems and will not be misused to steer business to the donor.^[107] The 2013 EHR Final Rule also explained that the Department was considering other policies to improve interoperability, and noted that those policy efforts are better suited than this anti-kickback statute safe harbor to consider and respond to evolving functionality related to the interoperability of electronic health record technology.^[108] At that time, the Department had few other authorities to directly address information blocking. However, there are now other enforcement authorities designed to address information blocking. For example, the Cures Act gave ONC and OIG more direct authority to address information blocking.^[109] Additionally, CMS has separate authority to require certain providers and suppliers to attest that they have not knowingly and willfully limited or restricted the compatibility or interoperability of their certified electronic health record technology.^[110]

In addition, the Cures Act and the ONC Final Rule recognize that certain practices likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information may nonetheless be reasonable and necessary. That is why the Cures Act directed the Secretary to identify exceptions to the definition of “information blocking.” The ONC Final Rule implements eight exceptions that apply to practices likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information provided the practice meets the conditions of an exception. However, the condition at paragraph 1001.952(y)(3) as implemented by the 2006 EHR Final Rule conditioned safe harbor protection on a party not taking “any action to limit or restrict the use, compatibility, or interoperability” of the donated EHR items or services. The condition did not account for actions that may be reasonable and necessary, such as implementing privacy and security measures.

Recognizing these developments, we agree with the commenter that these new authorities are better suited than a safe harbor condition to deter information blocking and penalize individuals and entities that engage in information blocking. We also agree with commenters that a recipient is unlikely to have the capabilities to determine whether a donor (or someone on the donor’s behalf) engaged in information blocking, which includes a level of intent set by statute, or met an exception to information blocking as set forth in the ONC Final Rule.

Given these potential issues with the proposed modifications to paragraph 1001.952(y)(3) and limitations of the original condition in paragraph 1001.952(y)(3) discussed previously, the condition may no longer be an effective way to achieve the policy goals that served as the original basis for this condition. Removing the condition at paragraph 1001.952(y)(3) is responsive to commenters that had questions about the scope of information blocking practices, how OIG would determine the party responsible, how the information blocking knowledge standard in the Cures Act and ONC Final Rule would be assessed in context of this safe harbor, and how the condition would apply to parties that may not be subject to the information blocking provision in section 3022 of the Public Health Service Act (PHSA).

We emphasize, however, that we are maintaining the interoperability condition in paragraph 1001.952(y)(2). We believe this condition and the optional deeming provision will ensure that donations of EHR items and services that meet the conditions of this safe harbor further the Department’s policy goal of an interoperable health system and prevent donations being made with the intent to lock in referrals by limiting the flow of electronic health information.

OIG remains committed to taking action against individuals and entities that engage in information blocking, using specific authorities to do so. Separate from this rule, OIG published a notice of proposed rulemaking related to information blocking enforcement.^[111] That proposed rule, among other things, proposes the basis and procedures for information blocking enforcement. As stated in that proposed rule, addressing the negative effects of information blocking is consistent with OIG’s mission to protect the integrity of HHS programs as well as the health and welfare of program beneficiaries.^[112]

d. Sunset Provision

Summary of OIG Proposed Rule: We proposed to eliminate the sunset provision at paragraph 1001.952(y)(13). As an alternative, we also proposed an extension of the sunset date for the final rule.

Summary of Final Rule: We are finalizing this proposal by deleting the sunset provision at paragraph 1001.952(y)(13).

Comment: We received nearly universal support for removing the sunset provision in paragraph 1001.952(y)(13), which requires that all protected EHR donations must occur on or before December 31, 2021. Commenters asserted that the elimination of the sunset date would provide certainty for the ongoing protection of donations of EHR items and services. One commenter who generally supported making the safe harbor permanent recommended that OIG delay doing so until the ONC NPRM is finalized and available for stakeholder consideration.

Response: We agree that eliminating the sunset provision provides certainty, and we are finalizing our proposal to make this safe harbor permanent and, as we note above, the ONC Final Rule was issued on May 1, 2020.

e. Contribution Requirement

Summary of OIG Proposed Rule: We did not propose specific changes to the 15 percent contribution requirement at paragraph 1001.952(y)(11). Instead, we considered and solicited comments on three alternatives: (i) Eliminating or reducing the percentage of the contribution required for small or rural practices; (ii) reducing or eliminating the 15 percent contribution requirement in this safe harbor for all recipients; or (iii) modifying or eliminating the contribution requirement for updates to previously donated EHR software or technology.

Summary of Final Rule: We are retaining the 15 percent contribution requirement at paragraph 1001.952(y)(11) but removing the requirement that payment of the contribution be made in advance for updates to existing EHR systems. To make this modification, we have added new paragraphs at 1001.952(y)(11)(i) and (ii). Paragraph 1001.952(y)(11)(i) describes that contributions for initial and replacement EHR items and services must be made in advance of the donation and contributions for updates to previously donated EHR item and services need not be paid in advance. Paragraph 1001.952(y)(11)(ii) is the new location of the condition that the donor does not finance the recipient’s contribution amount; it does not include any substantive changes.

Comment: A large number of commenters on this topic recommended that we remove the 15 percent contribution requirement for all donations and for all recipients. Commenters provided several reasons to remove the contribution requirement (paragraph 100.952(y)(11)). For example, some commenters suggested that this requirement restricts the use of EHRs with interoperable capabilities; that this is not an effective deterrent to inappropriate EHR donations; and that the percentage is an arbitrary amount that limits the use of important patient tools. Commenters noted that any transition to improve EHR technology can streamline physicians’ workflows; alleviate burdens; allow physicians to spend more time with their patients; and allow (assuming that the donated technology is truly interoperable) the sharing of patient records with near equal ease with other providers using certified EHR technology. Some commenters questioned whether a recipient contribution reduces the risk of steering and inappropriate referrals.

Commenters noted that the donation of EHR technology can be beneficial to recipients who may be unsatisfied with their EHR platform but lack the resources to transition to a new platform. A commenter noted that the contribution requirement may be an unreasonable constraint on how health systems and hospitals finance the needed infrastructure to implement new value-based payment models and promote the coordination of care. Commenters cited the added burden involved in setting the contribution amount in writing and the necessary, ongoing monitoring to ensure compliance. Commenters also highlighted that eliminating the requirement would align this safe harbor with the proposed cybersecurity safe harbor at paragraph 1001.952(jj) for which OIG did not propose to include a contribution requirement.

Commenters that supported eliminating the contribution requirement as a condition to this safe harbor still supported allowing the donor to require a contribution. For example, a commenter suggested that any contribution requirement should be left up to market forces and negotiation between the parties. Another commenter stated that the contribution amount should be at the discretion of the donor as long as the donor consistently and fairly applies their policy to all recipients. Finally, a commenter suggested that the contribution requirement should only be eliminated if the scope of protected donors remains the same.

Response: We understand the donation recipients’ desires to eliminate the 15 percent contribution requirement. However, after careful consideration, we continue to believe that the contribution requirement is an important safeguard against fraud and abuse in light of the specific risks of inappropriate generation of referrals presented by donation of EHR items and services. When recipients of valuable remuneration have some responsibility to contribute to the cost of the items or services, they are more likely to make economically prudent decisions and accept only what they need or will use. As we note below, however, we are adding some flexibilities in connection with administering the contribution requirement.

Comment: Some commenters raised concerns about eliminating the contribution requirement. For example, one commenter believed that physician adoption and use of an EHR system is improved when they have a certain level of buy-in and share in the financial cost. Similarly, other commenters suggested that 15 percent represents a fair contribution amount, serves as a reasonable safeguard to reduce wasteful spending, and that it is important for recipients to have a stake in the purchased technology.

Response: We agree with commenters that the contribution amount is fair and provides a reasonable safeguard. For these and other reasons discussed in this final rule, we are maintaining the 15 percent contribution requirement.

Comment: We received support for eliminating the recipient contribution requirement for at least a subset of recipients. Some commenters specifically referenced removing the requirement for all physicians. A majority of these commenters recommended removing the contribution requirement for at least small and rural providers or providers serving underserved populations. Some commenters expressed concern about how we would define “small” or “rural” if we limited the exception to those classes of individuals or entities. A number of commenters requested that the concept of “small and rural” practices be defined broadly and to specifically include free clinics, charitable clinics, and charitable pharmacies. We also received a recommendation to adopt the definition of “small practice” used in the CMS Quality Payment Program.^[113] Various commenters requested that the contribution requirement be eliminated for safe harbor protection applicable to Indian health care provider recipients. We also received comments regarding other potential recipients for whom the contribution requirement may be a financial burden, such as critical access hospitals, disproportionate share hospitals, and essential hospitals. A commenter recommended that “underserved practices” should be defined as those in: (i) Medically underserved areas, as designated by the Secretary under section 330(b)(3) of the PHSA; (ii) primary health care geographic health professional shortage areas, as designated by the Secretary under section 332(a)(1)(A) of the PHSA; or (iii) a critical access hospital. A commenter recommended defining “rural practices” as those located in rural areas, as defined in the local transportation safe harbor at paragraph 1001.952(bb).

Commenters noted that for cash-strapped entities, the contribution requirement is a financial burden. For example, certain tribal organizations highlighted the financial burden of the EHR safe harbor’s contribution requirement for Indian health care providers and asserted any contribution requirement may inappropriately divert funding away from patient care. Some commenters noted that the 15 percent contribution can be a significant barrier for physician adoption of EHR technology, even for practices that may not qualify as small or rural practices. Some commenters noted that the burden is not only in the actual cost of the contribution but also the administrative tasks associated with tracking and calculating the 15 percent.

Response: As we explain above, we are retaining the 15 percent contribution requirement for all recipients seeking protection for EHR donations under the EHR safe harbor. We agree with the commenters who expressed concern about defining subgroups of entities to exempt from this requirement. Even if we were to adopt certain definitions existing in other regulations or definitions suggested by commenters, some of those designations can change over time (e.g., a physician practice may qualify as a “small practice” at some but not other points in time depending on staffing changes), which could create confusion about implementation of the contribution requirement and raise corresponding safe harbor compliance concerns. In addition, the fraud and abuse risks associated with EHR donations apply regardless of the geography or size of the donation recipient. If cost is a barrier for a particular recipient, the recipient could request an advisory opinion about an arrangement without a 15 percent contribution requirement.

Comment: In response to our solicitation of comments on possibilities to reduce any uncertainty and administrative burden associated with assessing a contribution for each update, some commenters addressed other aspects of the contribution requirement. For example, a commenter expressed concern about the requirement that contributions must be made in advance. This commenter noted that recipients may unintentionally fall outside the safe harbor due to inadvertent late payments and requested that OIG add a remedy period for mistakes to be corrected without losing safe harbor protection. Another commenter recommended eliminating the requirement that fees be collected prior to the receipt of services and recommended instead to require a commercially reasonable collections process.

Response: Consistent with our solicitation of comments on uncertainty and administrative burden, and our statement in the OIG Proposed Rule that we were considering modifying the contribution requirement as it relates to updates, we are removing the requirement that payment of the contribution be made in advance for updates to existing EHR systems. We recognize that updates may need to take place quickly to remedy security or other problems in an EHR system, and we understand the commenter’s concern about inadvertent late payments under such circumstances. We believe it is reasonable and does not create additional risk to bill a recipient for its contribution after providing the update. The safe harbor does not require a specific billing method. In other words, a donor could choose to bill a recipient separately for each update or could bill the recipient monthly or quarterly to combine the contribution claims for all updates during a select period of time.

We are not, however, removing the requirement that contributions be made in advance of an initial donation (including the donation of a replacement system). Parties seeking safe harbor protection can effectively plan for an initial donation, with all expenses known up front, so that there is not the same administrative burden or uncertainty that parties may experience when invoicing for periodic updates, and, therefore, there is less risk of inadvertent late payments. Because the need for safe harbor protection would not be triggered until the initial donation happens, and the parties have the ability to wait to make the donation until the contribution is paid, we are not adopting a cure period for late payments associated with initial or replacement donations.

Comment: A number of commenters asked that if OIG retains a contribution requirement on the initial EHR donation, the contribution requirement be eliminated for updates to the original donation. Commenters noted that the updates may ensure that the donation continues to function as needed and to meet current Federal standards for data exchange. In contrast, a commenter recommended OIG consider retaining a contribution requirement only for the provision of replacement technology while eliminating it for the original donation and any updates to that original system.

Response: As explained above, we are retaining the contribution requirement for updates but will no longer require that the contribution for updates be made in advance. We recognize that updates are crucial for the continuing functionality of a system. However, we do not think it is feasible to retain a contribution requirement for certain donations and eliminate it for others. If we were to adopt that policy, parties might structure donations to game the difference between donation types. For example, if a recipient were not required to contribute to updates, parties could structure the “initial” donation to consist of a functionality with a small cost and consequently a small required contribution, with the most valuable functionality deemed to be an “update” with no required contribution. We believe the risk posed by such arrangements would reduce the effectiveness of the contribution requirement as a safeguard against fraud and abuse. For this reason, all donations protected by this safe harbor require a recipient contribution.

Comment: A commenter requested that if a contribution requirement is retained, the parties use either the fair market value or the underlying cost of the donation as the base amount from which the contribution is calculated. The commenter believed that this would reduce the administrative burden of compliance, which might allow smaller providers to donate protected EHR.

Response: The relevant standard in the safe harbor is that “the recipient pays 15 percent of the donor’s cost for the items and services.” We did not propose to change this cost-based standard and are not finalizing any change. In 2006, when we initially finalized the EHR safe harbor, we provided an explanation about calculating the cost of these items and services.^[114] The cost should be clear when a donor is purchasing an item or service from a vendor. However, we recognized some software or other modules may be internally developed. We recommended that parties should use a reasonable and verifiable method for allocating costs and maintain documentation of such allocation. We explained there, and maintain here, that the method for allocating costs would be scrutinized to ensure that they do not inappropriately shift costs in a manner that provides an excess benefit to the recipient or results in the recipient effectively paying less than 15 percent of the donor’s true cost for the technology.^[115]

Comment: A commenter encouraged HHS to study whether the 15 percent recipient contribution requirement has in fact prevented some or many physicians practices from adopting EHR technology, whether the safe harbor has produced lasting partnerships and ongoing incentives to use technology, and whether technology donations potentially protected by the safe harbor have resulted in market consolidation or channel capture that has led to increased costs for consumers.

Response: Any decision by HHS to study the effectiveness or other impact of the safe harbor and its conditions is outside the scope of this rulemaking.

Comment: A commenter recommended not requiring the 15 percent contribution for cybersecurity donations under this safe harbor. The commenter noted that some organizations will permit practices to use their EHR systems only if the practice has certain cybersecurity protections, and thus the commenter suggested that the party requiring the cybersecurity protection should pay any costs associated with it.

Response: We are not finalizing separate requirements for different types of donations within this safe harbor. If a party seeks to protect a donation of cybersecurity software or services under the conditions of the EHR safe harbor, then a contribution is required. However, parties that seek to protect a cybersecurity donation without a recipient contribution could structure the donation to meet the safe harbor for cybersecurity technology and related services at paragraph 1001.952(jj).

f. Equivalent Technology and Scope of Protected Donations

Summary of OIG Proposed Rule: We proposed to delete the condition that prohibits the donation of equivalent items or services at paragraph 1001.952(y)(7) to allow donations of replacement EHR technology.

Summary of Final Rule: We are finalizing this proposal by deleting paragraph 1001.952(y)(7).

Comment: Commenters broadly supported removing the safe harbor condition at paragraph 1001.952(y)(7) that prohibits the protection of EHR donations if a recipient possesses items or services equivalent to those to be donated. Commenters provided a number of reasons for their support of the elimination of this condition, highlighting that some physician practices may be working with an EHR system that no longer meets their needs, is outdated, or is otherwise substandard because they cannot afford the full cost to replace the system. A commenter recommended that OIG eliminate this condition but require a documented rationale for a need for replacement technology.

Response: We agree with the commenters and are finalizing our proposal to remove the condition at paragraph 1001.952(y)(7) that prohibits the donation of equivalent items and services. We recognize that there may be valid business or clinical reasons for a recipient to replace an entire system rather than update existing technology. Under this safe harbor, replacement technology is treated the same as a new donation and would need to meet all conditions of the safe harbor to receive protection. For example, a recipient of replacement technology would be required to pay at least 15 percent of the donor’s cost for the items and services before receiving the items and services. We believe that treating a donation of replacement technology the same as a new donation strikes an appropriate balance by making necessary replacements financially feasible for recipients while maintaining safeguards to limit the risk of recipients inappropriately soliciting or accepting unnecessary technology.

Comment: Commenters recommended revisions to the language related to the scope of protected donations. For example, a commenter requested that the safe harbor be expanded to include training, maintenance, and upgrades of EHRs. Similarly, a commenter recommended revising the language to items and services in the form of software, other information technology, and related services, including implementation, training and support services. A commenter asked whether the safe harbor would still potentially protect the “services” listed as examples in the 2006 EHR Final Rule such as connectivity, broadband, wireless, clinical support, information services related to patient care, and maintenance. Another commenter was concerned that the safe harbor protected only donations of technology that have been certified by ONC. Other commenters asked for a significantly expanded scope of potentially protected donations including but not limited to: (i) Hardware; (ii) technology related to information sharing; (iii) cloud-based items and services; (iv) practice management and revenue cycle systems and services; (v) clearinghouse services; and (vi) industry-supported data collection and analytics.

Response: As we note elsewhere in this section, we are removing the condition at 1001.952(y)(7) from the safe harbor to protect donations of replacement technology and clarifying the safe harbor to explicitly protect cybersecurity software and services if all safe harbor conditions are satisfied. The safe harbor already could protect some of the items or services suggested by commenters, such as maintenance and training. The modifications to this safe harbor as finalized, do not narrow the scope of items or services that could receive safe harbor protection; the examples listed in the 2006 EHR Final Rule could still receive safe harbor protection under the amended safe harbor finalized in this rule.^[116] We also wish to highlight, as we explain elsewhere, that the safe harbor does not require that donated software is certified as interoperable by a certifying body authorized by ONC; the safe harbor requires that donated software is interoperable. Per the terms of the “deeming provision,” certified software is deemed to be interoperable. The scope of electronic health record items and services protected by this safe harbor and the optional deeming provision give donors and recipients appropriate flexibility to determine which items and services should be donated given their circumstances. For example, long-term care and post-acute care recipients may need different types of electronic health record items and services than a physicians group practice needs.

We did not propose and thus are not finalizing in this safe harbor any expansion that would protect donated hardware. For any of the other software or services for which commenters requested safe harbor protection, the standard remains as we proposed, i.e., that the items or services must be necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records. For example, some technology related to information sharing could meet this standard, such as the donation of software or services related to application programming interfaces (APIs) used to support the exchange of electronic health information. Parties seeking to rely on the safe harbor need to analyze the EHR donation arrangement to ensure that it squarely meets all of the safe harbor’s conditions.

g. Protected Donors

Summary of OIG Proposed Rule: We solicited comments on either removing the restrictions on protected donors in paragraph 1001.952(y)(1)(i) or revising the paragraph to protect donations from entities with indirect responsibilities for patient care, such as health systems or accountable care organizations that are neither health plans nor submit claims for payment.

Summary of Final Rule: This final rule expands the scope of protected donors to certain entities that are comprised of the types of individuals or entities listed as protected donors in paragraph 1001.952(y)(1)(i)(A). To effectuate this change, we added paragraphs 1001.952(y)(1)(i)(A) and (B), which describe the entities previously considered protected donors to include the new entities considered protected donors as established by this final rule.

This final rule expands the scope of protected donors to certain entities that are comprised of the types of individuals or entities listed as protected donors in paragraph 1001.952(y)(1)(i)(A), as described in more detail below.

Comment: We received a range of comments in response to our suggestion that we may consider expanding the scope of protected donors. At one end of the spectrum, we received a suggestion not to change the scope of protected donors at all. At the other end, a commenter stated that the safe harbor should protect donations from all entities. However, the most common recommendation from commenters on this topic was to expand the scope of protected donors to entities with indirect responsibility for patient care such as health systems, accountable care organizations, clinically integrated entities, and other entities that bear financial risk in patient outcomes. Commenters noted that these types of entities have little incentive to abuse the safe harbor and that protecting donations from certain entities that do not bill the Federal health care programs would facilitate expanded use of technology that may reduce the cost of care and increase care coordination. We also received a request to continue excluding laboratories from the scope of protected donors.

Response: We agree with commenters who recommended expanding the scope of protected donors to include entities comprised of the types of entities currently covered as protected donors (e.g., parent companies of hospitals, health systems, and accountable care organizations). We see little added risk to protecting donations of interoperable electronic health records software or information technology and training services by entities such as health systems or accountable care organizations. These entities may have financial risk for patient outcomes and generally do not directly receive referrals. However, we believe the risk is too high to expand safe harbor protection to donations from all entities. We continue to have concerns about protecting EHR donations made by laboratories or manufacturers or suppliers of items. Accordingly, donations made by these entities will continue to be ineligible for protection under the EHR safe harbor.

Comment: A commenter asked whether the safe harbor protects donations from pharmaceutical manufacturers that participate in Federal health care programs.

Response: Pharmaceutical manufacturers generally do not bill Federal health care programs and are not comprised of entities that bill Federal health care programs and therefore are not protected donors under the safe harbor. While we recognize that some manufacturers have implemented programs that include more direct contact with patients and payors, the concerns we expressed in the preamble to the 2006 EHR Final Rule ^[117] continue to exist today. If a manufacturer that operates its business in a way that it believes would meet the terms of this safe harbor has questions about whether any donation would be protected by the safe harbor or present a low risk of fraud and abuse under the Federal anti-kickback statute, the advisory opinion process remains available.

Comment: A commenter requested that the safe harbor protect donations made only by donors that provide EHR access to pharmacists. The commenter stated that some health information technology systems block pharmacists’ visibility into relevant clinical information from other health care providers.

Response: The safe harbor does not limit the scope of protected donors to donors that grant EHR access to a specified range of providers or suppliers. However, for a donation to be protected, it must be interoperable and should not inappropriately interfere with, prevent, or materially discourage access, exchange, or use of electronic health information (e.g., inappropriately limit visibility to relevant clinical information). To the extent that patients, providers, or others believe that a health care provider, health IT developer of certified health IT, health information network, or health information exchange is engaging in information blocking, we encourage reporting complaints to HHS through the Report Information Blocking portal, which is available at https://healthit.gov/​report-info-blocking.

Comment: A commenter requested that the EHR safe harbor protect donations made by multiple donors for different types of technology to a single recipient, as long as the technology meets the interoperability requirements. The commenter recommended the safe harbor specifically protect the donation of supplemental, nonequivalent EHR applications that supplement a recipient’s current EHR system and noted that such applications could come from different donors. The commenter further proposed the safe harbor require a clinical necessity analysis for “add-on” EHR applications in addition to replacement technology.

Response: Nothing in the amended safe harbor, as it is being finalized, would prevent safe harbor protection of donations of “add-on” EHR applications or donations from multiple donors. Protection offered by this safe harbor is not limited to EHR products that include within a single product a sufficiently comprehensive array of functions to constitute an “EHR system.” Instead, as explained in the 2006 EHR Final Rule, the safe harbor also applies to donations of software that serve a specific function related to electronic health records, such as interface and translation software and secure messaging. In some instances, those functions may be part of a larger EHR software product, or they may be implemented via standalone software that interacts with a provider’s electronic health record system. If each donation squarely satisfies the requirements of the amended safe harbor—including the requirement that the software is or the information technology and training services are necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records—such donations could be protected regardless of whether the technology is donated by one or multiple donors.

We did not propose and thus are not finalizing a condition that requires a clinical necessity analysis of donations. Such condition would not be necessary in the safe harbor given the totality of its conditions.

h. Definitions

i. Electronic Health Record

Summary of OIG Proposed Rule: We proposed to modify the definition of “electronic health record” in paragraph 1001.952(y)(14)(iv) to mean: “a repository of electronic health information that: (A) Is transmitted by or maintained in electronic media; and (B) relates to the past, present, or future health or condition of an individual or the provision of healthcare to an individual.”

Summary of Final Rule: We are not finalizing the proposed definition of electronic health record and instead retain the previous definition. This final rule moves the definition of “electronic health record” to paragraph 1001.952(y)(14)(iv).

Comment: Several commenters expressed general support for our proposed revision to the definition of “electronic health record,” particularly to the extent that the definition would align with the definition included in the Cures Act. However, a number of commenters were concerned about our proposal to use the term “electronic health information” as the ONC NPRM proposed to define such term. Commenters asserted that the regulatory definition proposed by ONC is overly broad and may extend far beyond what Congress intended under the Cures Act. For example, a commenter argued that under the proposed definition a patient’s computer or mobile telephone could be considered an electronic health record if the patient obtained a copy of their health record through electronic transmittal. Commenters also made several suggestions to limit the scope of “electronic health information.”

Response: As we stated in the OIG Proposed Rule, we did not intend for our proposed modifications to the definition of “electronic health record” to make a substantive change to the scope of protection.^[118] We thank commenters for highlighting the complexities that our changes inadvertently might have introduced. To remain true to our intent, we are not finalizing any proposed changes to the definition of “electronic health record.” We will retain the existing definition in the safe harbor, which appears at paragraph 1001.952(y)(14)(iv).

Comment: A commenter recommended that the definition of “electronic health record” should be standardized across all Federal regulations, as permitted by the relevant statutory framework. However, the commenter expressed doubt that changing the definition of “electronic health record” as OIG proposed would keep up with a dynamic redefinition of how electronic health care is provided.

Response: A suggestion to standardize definitions across Federal regulations is outside the scope of this final rule. As noted above, we are not finalizing any changes to the definition.

Comment: A commenter recommended that OIG define the parameters of the EHR safe harbor to ensure that the scope of covered technology under the “electronic health record” definition protects products beyond those that are standalone EHRs (e.g., products that connect to, amplify the capabilities of, or leverage the data in EHRs to promote coordination and management of care). According to the commenter, there are emerging technologies that leverage data in EHRs without creating new records and enable patients to leverage technology to maintain longitudinal records. To modernize the safe harbor to accommodate these developments, a commenter asked that OIG clarify that the term “repository” in the current and proposed definition of EHR is not limited to existing models of EHR. The commenter also recommended that OIG delete “predominantly” from the safe harbor or otherwise broaden the remuneration protected by the safe harbor by adding the italicized words in the following phrase from the EHR definition: “software or IT functionality necessary and used predominantly to support or improve [italics added] the creation, maintenance, transmission, receipt or use of EHR.”

Response: By proposing to revise the definition of “electronic health record,” we did not intend to change the scope of protection under the safe harbor. We are retaining the existing definition of “electronic health record” and are not adopting the commenter’s suggestion. Emerging technologies that leverage EHR data may be protected by the safe harbor. The term “repository” carries its common meaning: A place where something such as data can be stored and managed. If emerging technologies are necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records, and all of other conditions of the safe harbor are met, then donations of such technologies would be protected.

Donations of software or information technology services do not need to be necessary and used predominately for all five functions listed in paragraph 1001.952(y)(1) to be protected. Rather, the software or information technology services must meet at least one of the five functions. For example, if software is not used to create an electronic health record but is necessary and used predominately to transmit electronic health records, donations of such software may be protected by this safe harbor if all other conditions are met. If an entity has questions about whether specific technology donations would be protected by the safe harbor or present a low risk of fraud and abuse under the Federal anti-kickback statute, the advisory opinion process remains available.

Comment: A commenter supported the current definition of “electronic health record” rather than the proposed revisions to the definition. However, the commenter asked OIG to further clarify this definition so that it would include a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting that automates and streamlines the clinician’s workflow.

Response: We are adopting the recommendation to retain our current definition of “electronic health record.” We agree that the commenter’s example of a longitudinal electronic record appears to meet this definition. However, we recommend that parties conduct their own analysis of the particular facts and circumstances of any arrangement as applied to the definition. The advisory opinion process remains available for parties that seek an individualized determination.

ii. Interoperable

Summary of OIG Proposed Rule: We proposed to update the definition of the term “interoperable” to align with the statutory definition of “interoperability” added by the Cures Act to section 3000(9) of the PHSA and move it to paragraph 1001.952(y)(14)(iii). We proposed to define “interoperable” as able to “(A) securely exchange data with, and use data from other health information technology without special effort on the part of the user; (B) allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law; and (C) does not constitute information blocking as defined in 45 CFR part 171.”

Summary of Final Rule: We are finalizing, with modifications, an updated definition of “interoperable” in paragraph 1001.952(y)(14)(iii). We are removing the phrase “without special effort on the part of the user” in paragraph 1001.952(y)(14)(iii)(A), and we are not finalizing proposed paragraph 1001.952(y)(14)(iii)(C) that would have incorporated the information blocking regulations in the definition of interoperability.

Comment: We received general support for our effort to update the definition of “interoperable.” However, some commenters asked for further clarification of the phrase “without special effort on the part of the user.”

Response: First, we are finalizing the first two proposed criteria of the “interoperability” definition except, as explained below, we are removing the phrase “without special effort on the part of the user.” We are removing the third criterion we proposed in the “interoperable” definition: “[d]oes not constitute information blocking as defined in 45 CFR part 171.” That criterion raises similar issues that we discussed in section 9.c above regarding the information blocking condition at former paragraph 1001.952(y)(3). Removal of that condition is consistent with our rationale described in more detail above.

We had proposed for the first prong of the definition of “interoperable” that it mean able to “[s]ecurely exchange data with and use data from other health information technology without special effort on the part of the user.” While the phrase “without special effort on the part of the user” is used in the definition of “interoperability” in the Cures Act,^[119] the phrase “without special effort” also is used in conditions of certification in the Cures Act.^[120] As we make clear above in section 9.b, while software certified by ONC is “deemed” to be interoperable, certification is not required for safe harbor compliance. Therefore, to avoid any implication that we are incorporating a certification requirement into the definition of “interoperable” as it is used in this safe harbor, we are removing the reference to “without special effort on the part of the user.”

Comment: A commenter expressed concern about the Federal Government’s definition of “interoperability,” as defined in the ONC NPRM, which the commenter believes inappropriately focuses solely on high volumes of data transferred or access to every piece of health information ever collected. The commenter asserted that we should prioritize the transfer of and access to secure, meaningful data in order to avoid: (i) Confusing patients who lack context; and (ii) overburdening physicians with irrelevant information.

Response: First, as we note elsewhere in this section, we are revising this safe harbor such that the definition of “interoperable” no longer refers to the definition proposed in the ONC NPRM. Second, interoperability of donated EHR items and services is an important condition of the safe harbor. The definition adopted in this final rule states that “interoperable” means “able to” securely exchange data and “allow for complete access, exchange, and use of” certain health information. In other words, this definition does not require the transfer of massive quantities of data; it requires that such transfers be possible.

i. Other Comments

Comment: A commenter suggested that OIG continue to consider how data is being shared and ensure that information blocking is not occurring. The commenter specifically recommended that the safe harbor require that all VBE participants be able to review and have access to information on different EHR systems used in any value-based arrangement and have the ability to import and export data that can help further the purpose of the value-based arrangement. In addition, the commenter recommended that physicians and others providing care to beneficiaries under value-based arrangements should have the ability to select the EHRs that are best suited for the applicable patient population.

Response: The safe harbor does not mandate how or which types of EHR software or information technology services a donor or recipient may select. Because we are finalizing a change to eliminate the restriction on donations of equivalent technology, we hope that parties will have more flexibility to receive protected donations of EHR software that best suit the needs of the parties. However, we emphasize that this safe harbor is not specific to or limited to EHR software or information technology services donated in the context of value-based arrangements. The value-based safe harbors finalized here at paragraphs 1001.952(ee),(ff), and (gg) could be available to protect the donation of health information technology pursuant to a value-based arrangement, provided all conditions of an applicable safe harbor are squarely satisfied. In addition, for the reasons that we explain in detail above, we are not finalizing information blocking provisions as conditions of this safe harbor.

OIG remains committed to addressing information blocking through other authorities. Parties should submit information blocking complaints to HHS through the Report Information Blocking portal (https://healthit.gov/​report-info-blocking).

Comment: A commenter asked OIG to clarify when certain arrangements such as data sharing arrangements could implicate the Federal anti-kickback statute. The commenter posited that when technology is shared for transitions of care or to streamline and improve the referral process as a matter of CMS policy, it does not implicate the Federal anti-kickback statute.

Response: A “data sharing arrangement” can vary greatly in the scope of data or services being exchanged. Simply transmitting individual patient data for transitions of care between, for example, an acute care provider and post-acute care provider would not implicate the statute. However, sharing specific patient data for care of that patient is distinct from a data sharing arrangement that involves aggregating data for research, marketing, or other purposes unrelated to treating the specific patients whose data is being shared. With respect to technology for data sharing, many types of “technology” would constitute remuneration under the Federal anti-kickback statute but, as we have repeatedly stated, certain limited-use technology that is integral to the services an individual or entity provides would not implicate the statute.^[121] The parties to a particular data sharing arrangement would need to perform an analysis of the facts and circumstances to determine whether any data or technology shared constitutes remuneration under the statute and, if so, whether a safe harbor such as the EHR safe harbor could protect the donation. The advisory opinion process is also available for a legal opinion regarding the facts and circumstances of a particular arrangement.

10. Personal Services and Management Contracts and Outcomes-Based Payment Arrangements (42 CFR 1001.952(d))

Summary of OIG Proposed Rule: We proposed to modify the existing safe harbor for personal services and management contracts at paragraph 1001.952(d). For paragraph 1001.952(d)(1) we proposed to: (i) Substitute for the requirement that aggregate compensation under these agreements be set in advance a requirement that the methodology for determining compensation be set in advance; (ii) eliminate the requirement that if an agreement provides for the services of an agent on a periodic, sporadic, or part-time basis, the contract must specify the schedule, length, and the exact charge for such intervals; and (iii) change the paragraph numbering. These proposals are summarized at sections III.B.10.a and b below.

We also proposed to create new paragraphs 1001.952(d)(2) and (3) to protect certain outcomes-based payments (as defined). The proposals for this new protection are summarized at section III.B.10.c, d, and e below.

Summary of Final Rule: We are finalizing the modifications to the existing safe harbor for personal services arrangements at paragraph 1001.952(d)(1), as proposed. We are finalizing the new provisions for outcomes-based payments at paragraphs 1001.952(d)(2) and (3), with modifications summarized at sections III.B.10.c, d, and e below.

a. Elimination of Requirement To Set Aggregate Compensation in Advance

Summary of OIG Proposed Rule: We proposed to substitute for the requirement that aggregate compensation under these agreements be set in advance a requirement that the methodology for determining compensation be set in advance in paragraph 1001.952(d)(1).

Summary of Final Rule: We are finalizing this modification as proposed.

Comment: Commenters on this topic overwhelmingly supported the proposed removal of the requirement to set aggregate compensation in advance and its replacement with a requirement that the compensation methodology be set in advance. Commenters offered a variety of reasons for their support. For example, a commenter valued these changes because they provide enhanced flexibility to independent medical groups and other providers seeking to develop innovative care delivery models. Another commenter suggested that this change allows for greater flexibility in personal services arrangements while continuing to incorporate safeguards that limit potential abuse.

Another commenter explained a view that incentive compensation in comanagement arrangements or bundled payment arrangements often has to be structured in a formulaic manner, and it is not possible for hospitals and physicians to know at the beginning of the arrangement whether and to what extent the physicians may meet the requirements for earning incentive compensation or the actual amount of compensation available. The commenter believed the proposed change would address this existing impediment to safe harbor protection. The commenter also appreciated that the proposed change would more closely parallel the set-in-advance requirement under the physician self-referral law exception for personal services arrangements at 42 CFR 411.357(d), which would simplify a stakeholder’s analysis of protection under the safe harbor and exception when both laws apply to an arrangement.

Response: We are finalizing this provision as proposed. This change modernizes the safe harbor and should provide enhanced flexibility to the health care industry to undertake innovative arrangements, including arrangements that support the transition to value and better coordinated care for patients.

Comment: A commenter expressed concern that certain proposed changes to this safe harbor were not specific enough. In particular, the commenter warned that replacing a requirement to set aggregate compensation in advance with a requirement to identify the methodology for determining compensation could allow entities to structure agreements that look acceptable on the surface, but actually take into account the volume and value of referrals.

Response: We agree with the commenter that implementing a more flexible approach to specifying compensation could protect arrangements that differ in structure from arrangements the safe harbor currently protects. However, we believe that other safe harbor conditions mitigate the risk identified by the commenter, namely the protection of arrangements that take into account the volume and value of referrals. For example, we continue to require parties seeking protection under the safe harbor to adhere to the safe harbor’s other conditions (e.g., aggregate compensation must be consistent with fair market value in an arm’s length transaction and may not be determined in a manner that takes into account the volume or value of any referrals or other business generated between the parties). Arrangements that do not squarely satisfy these conditions would not be protected by the safe harbor. In other words, despite the safe harbor’s increased flexibility related to specifying compensation, the safe harbor would not protect an arrangement by which the aggregate compensation is determined in a manner that takes into account the volume or value of referrals or other business generated.

Comment: Some commenters requested further guidance on whether a payment methodology based on “actual expenses incurred” constitutes a methodology that is sufficiently set in advance to satisfy the safe harbor condition as proposed. For example, a commenter inquired about compensation in an arrangement wherein a hospital leases an employed clinician from a physician practice on a full- or part-time basis. Specifically, the commenter sought clarification regarding whether the safe harbor would protect compensation under the employee lease from the hospital to the practice based on a methodology related to the physicians practice’s actual expenses incurred for employing such clinician (e.g., salary, benefits, bonus, liability insurance, overhead). Another commenter requested guidance as to whether payment based on annual aggregate costs could be prorated to an hourly rate and charged based on completion of time records.

Response: We appreciate the commenter’s examples of potential arrangements that may be structured to comply with the personal services safe harbor as finalized. It is possible to structure an arrangement to fit within the safe harbor by using an hourly rate or other set, verifiable formula provided that all other conditions of the safe harbor are met. However, whether compensation under an employee lease that is based on actual expenses incurred would satisfy the requirement that the compensation methodology be set in advance or otherwise meet the safe harbor would depend on the facts and circumstances. The commenter specifically cited salary, benefits, liability insurance, overhead expenses, and a bonus. For example, assume that the hospital leases the physician part-time from the physician’s practice and agrees to pay the practice the percent of the practice’s actual expenses in employing that physician that correlate to the percentage of the physician’s work actually performed for the hospital. We would expect that an employee’s salary, benefits, and liability insurance typically would be set in advance; overhead expenses possibly also would be set in advance. Consequently, the parties could structure these elements of the part-time employee’s expenses to satisfy the condition that the compensation methodology be set in advance. However, depending on the structure and criteria for receiving a “bonus,” that portion of the practice’s expenses—and therefore, the compensation methodology for the part-time employee lease—might not be set in advance and might not meet other criteria of the safe harbor. For example, if a bonus that took into account the volume or value of referrals between the parties was part of the compensation under the lease, the hospital’s compensation to the practice for the part-time employee lease would not be protected by the safe harbor.

The intent behind these modifications is to provide enhanced flexibility while mitigating the risk of parties periodically adjusting the agent’s compensation to reward referrals or to promote unnecessary utilization of services. Parties seeking protection under this safe harbor must evaluate the specific facts and circumstances of their arrangement to determine whether the compensation methodology over the term of the agreement is set in advance before any payment under the arrangement is made. Any remuneration also must meet all other conditions of the safe harbor for protection.

Comment: Some commenters agreed with our proposals but asked OIG to define certain terminology under the safe harbor such as “fair market value” and “does not take into account the volume or value of referrals,” and asked OIG to harmonize OIG’s interpretations of this terminology under the Federal anti-kickback statute with CMS’s interpretations of this terminology under the physician self-referral law in the proposed rule CMS issued in connection with the Regulatory Sprint (CMS NPRM),^[122] to the extent possible given the differences in the two laws. For example, a commenter recommended that OIG adopt CMS’s interpretation of the volume or value standard as proposed by CMS in the CMS NPRM. Another commenter sought clarification from OIG that incentive compensation paid to a physician under a comanagement, bundled payment, or internal cost savings arrangement would not take into account the volume or value of referrals under the Federal anti-kickback statute if the physician is paid a percentage of savings per “case.” According to the commenter, the more cases performed may result in more savings, more losses, or something in between. A commenter asserted that “value” in the construct of “fair market value” should not solely relate to what an entity would pay regardless of the outcome. According to the commenter, OIG should consider defining “fair market value” in a manner that recognizes the value of savings attributable to the services to the entity paying the incentive compensation rather than the time value of the services or the value of the services based on metrics, or any relevant fee schedule. A commenter recognized that OIG cannot opine on “fair market value” in an advisory opinion but requested that OIG explain whether certain compensation methodologies (e.g., using an hourly rate as a compensation methodology or a percentage of savings attributable to an agent) could constitute fair market value under the Federal anti-kickback statute.

Another commenter sought confirmation that OIG interprets the term “commercially reasonable” consistent with CMS’s proposed interpretation in the CMS NPRM, specifically “that the particular arrangement furthers a legitimate business purpose of the parties and is on similar conditions as like arrangements. An arrangement may be commercially reasonable even if it does not result in profit for one or more of the parties.”

Response: We did not propose to define or interpret fair market value, commercially reasonable, or the phrase “takes into account the volume or value of referrals or business otherwise generated,” nor are we adopting the commenter’s suggestion that we interpret these terms, for purposes of applying the Federal anti-kickback statute and safe harbor regulations, consistent with CMS’s interpretations of such terms. These terms have long existed throughout our existing safe harbors at section 1001.952 without further definition or interpretation by OIG and are well-established. Whether or not fair market value is or was paid or received for any personal services provided by an agent to a principal under this safe harbor depends on the specific arrangement’s facts and circumstances, and we decline to interpret examples with limited information.

Comment: Certain commenters were concerned that Indian health care service providers cannot utilize this safe harbor because of the requirement that each party in the arrangement pay fair market value for services. According to commenters, the fair market value for Indian health facility jobs and services may not align with the fair market value elsewhere. Some of these commenters recommended that the fair market value for Indian health facilities be lowered and relate more to the economic realities of provider recruitment and retention in tribal communities. Commenters also noted that some part-time contractors currently use the fair market value standard to extract pay that exceeds the fair market value for jobs within Indian health programs.

Response: We understand the commenters’ concerns with respect to establishing personal services arrangements in facilities or regions where salaries might be lower than the fair market value found in other nearby areas. We are not defining fair market value or further specifying the appropriate methodologies for parties to use when determining fair market value in this final rule. Based on our law enforcement experience, arrangements in which parties offer or provide free or below fair market services to those in a position to refer federally payable business to the offeror can be problematic under the Federal anti-kickback statute. However, we agree that fair market value can vary by region, setting, or other factors. For example, an hourly rate for certain specialist services in Manhattan likely would be higher than the hourly rate for the same services in rural Mississippi or at an Indian health facility.

Comment: A commenter recommended that OIG expand the writing requirement within the safe harbor to include contemporaneous documentation rather than a signed agreement. The commenter noted that the CMS NPRM proposed to remove the formality of a signed agreement and modified this requirement in certain physician self-referral law exceptions to allow documentation that constitutes an agreement under applicable state law, which the commenter believes will ease the regulatory burden for stakeholders to document the arrangement.

Response: We did not propose to modify the requirement that an agency agreement be set out in writing, thus we are not finalizing any change to that requirement. As we explained above, the physician self-referral law and the Federal anti-kickback statute are different laws with different standards for liability. Having a signed, written agreement that meets all requirements of the safe harbor is a core safeguard that is necessary for parties to demonstrate that they intend to comply with all requirements of the safe harbor, have structured the compensation methodology appropriately, and have a meeting of the minds on the services and payment to be provided under the arrangement. However, we note that the safe harbor does not specify a particular format for the agreement. The written agreement requirement can be met either through a single, formal, signed agreement or through a collection of documents if such collection of documents includes all of the required elements of the safe harbor and is signed by the parties (e.g., by signing each document that makes up the agreement, or by signing a single signed document that incorporates separate documents by reference).

b. Elimination of Requirement To Specify Schedule of Part-Time Arrangements

Summary of OIG Proposed Rule: We proposed to eliminate the condition in the safe harbor paragraph 1001.952(d)(5) that requires that if an agreement provides for the services of an agent on a periodic, sporadic or part-time basis, the contract must specify the schedule, length, and the exact charge for such intervals.

Summary of Final Rule: We are finalizing this modification as proposed.

Comment: Commenters generally appreciated the proposed removal of the requirement that, for part-time arrangements, the contract must specify the schedule, length, and the exact charge for such intervals. Multiple commenters stated that eliminating the requirement that part-time contractual arrangements specify exact interval schedules allows for greater flexibility in protected personal services arrangements, while the safe harbor continues to incorporate safeguards that limit potential abuse. For example, a commenter noted the proposal could apply to dialysis facility medical directors who provide their services on a part-time basis. The commenter highlighted the unpredictable nature of dialysis care and that the frequent need to respond to urgent medical emergencies can impede the ability of nephrologists serving as dialysis facility medical directors to adhere to predetermined schedules. In contrast, a commenter expressed concern that eliminating this requirement may increase the risk that either services will not be rendered or that the payment for services may vary based on referrals and recommended additional documentation requirements.

Response: We are finalizing the removal of the requirement to specify the exact schedule of part-time arrangements, as proposed. We note that this change to the safe harbor should accommodate a broad range of part-time or sporadic-need value-based payment and care arrangements in furtherance of the Department’s goals in connection with the Regulatory Sprint. We did not propose additional documentation requirements, and we continue to believe, as we stated in the OIG Proposed Rule, that other conditions sufficiently safeguard against the harms mentioned by a commenter.^[123]

c. Proposal To Protect Outcomes-Based Payments

Summary of OIG Proposed Rule: At proposed paragraphs 1001.952(d)(2) and (3), we proposed to protect outcomes-based payment arrangements between a principal and an agent that reward improving patient or population health by achieving one or more outcome measures that effectively and efficiently coordinate care across care settings, or by achieving one or more outcome measures that appropriately reduce payor costs while improving, or maintaining the improved, quality of care. We proposed several safeguards. Under proposed paragraphs 1001.952(d)(2), protected payments would be between parties collaborating to measurably improve or maintain improvement in quality of care or appropriately and materially reduce costs of payments (without diminution of the quality of care), and the agent receiving the payment would need to meet at least one evidence-based, valid outcomes measure meeting specified criteria, including selection based on credible medical support. Under proposed paragraph 1001.952(d)(2)(iii), the payment methodology would be set in advance, commercially reasonable, consistent with fair market value, and not determined in a manner that directly takes into account the volume or value of referrals or other business generated between the parties.

Additionally, at paragraph 1001.952(d)(2), we proposed safeguards to protect clinical decision-making, guard against stinting on care, and ensure written documentation, monitoring, periodic rebasing of outcome measures, and corrective action of deficiencies in the quality of care. The term of protected arrangements would be at least 1 year. At proposed paragraph 1001.952(d)(3), we proposed making certain entities ineligible for safe harbor protection under the outcomes-based payments provisions in a manner similar to the proposed definition of VBE participant at proposed paragraph 1001.952(ee)(12), and we proposed that outcomes-based payments would exclude payments related solely to achievement of internal cost savings for the principal. We indicated that we were considering excluding payments based on patient satisfaction or convenience measures.

Summary of Final Rule: We are finalizing, with modifications, the new protection for outcomes-based payments at paragraphs 1001.952(d)(2) and (3). We revised the definition of “outcomes-based payment” in paragraph 1001.952(d)(3)(ii) to clarify that the payment may be a reward for successfully achieving an outcome measure or a recoupment or reduction in payment for failure to achieve an outcome measure. Paragraph 1001.952(d)(2)(i) consolidates and streamlines proposed paragraphs 1001.952(d)(2)(i) and (ii) related to acceptable outcomes measures; to receive a protected outcomes-based payment, the agent must achieve one or more legitimate outcome measure selected based on clinical evidence or credible medical support and with specified benchmarks related to quality of care, a reduction in costs, or both. At paragraph 1001.952(d)(2)(vii)(B), we revised our proposal related to “rebasing” of outcomes measures to clarify that the parties must periodically (i) assess and (ii) revise benchmarks and remuneration under the agreement as necessary to ensure that any remuneration is consistent with fair market value in an arm’s-length transaction as required by paragraph 1001.952(d)(2)(ii).

We finalize the proposed requirements related to fair market value, commercial reasonableness, and the volume or value of business at paragraph 1001.952(d)(2)(ii). At paragraph 1001.952(d)(2)(iii), we finalize the writing requirement proposed at paragraph 1001.952(d)(2)(viii). In paragraph 1001.952(d)(2), we finalize additional safeguards related to clinical decision-making, stinting on care, a 1-year term, monitoring, and counseling and promotion of unlawful business, as proposed.

At paragraph 1001.952(d)(3)(iii), we finalized the scope of entities ineligible for safe harbor protection for making outcomes-based payments to include: (i) Pharmaceutical companies; (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of a device or medical supply, as defined in paragraph (ee)(14)(iv); (vi) medical device distributors or wholesalers that are not otherwise manufacturers of a device or medical supply, as defined in paragraph (ee)(14)(iv) of this section; or (vii) DMEPOS companies. In the same paragraph, we finalize our policy to exclude payments for internal cost savings or payments based solely on patient satisfaction or patient convenience measures.

We clarify in both paragraph 1001.952(d)(2)(ii) and paragraph 1001.952(d)(3)(ii) that the remuneration may be “between or among” the parties, rather than being limited to remuneration from the principal to the agent. We reordered the provisions from paragraphs (d)(2)(iii)-(vii) without making additional substantive changes. We made technical corrections in paragraph 1001.952(d)(2) to replace the word “satisfy” with the word “achieve” in order to use a consistent term throughout the safe harbor.

Comment: Many commenters supported OIG’s proposal to expand the existing safe harbor for personal services and management contracts by creating new provisions at paragraphs 42 CFR 1001.952(d)(2)-(3) to protect certain outcomes-based payments. Some expressed support for protection for outcomes-based payments but encouraged OIG to provide greater specificity regarding the types of payment arrangements, specific outcome measures, and specific requirements for measuring achievement of outcomes that would qualify for protection under these proposed provisions to the safe harbor. A commenter asked OIG to clarify that the list of examples in the OIG Proposed Rule’s preamble was not all-inclusive, but merely a representative list of the types of arrangements that may be protected under the safe harbor. Another commenter cautioned against referencing or creating an exhaustive list of specific types of payments that could qualify as “outcomes-based payments” because that approach would be too limiting. Another commenter requested that OIG reiterate its recognition that outcomes-based payment arrangements may vary in structure and that the safe harbor should provide flexibility for arrangements designed to achieve appropriate quality of patient care as well as appropriate efficiency and cost-saving goals. Many commenters believed the proposals were unnecessarily limited, overly complex, and potentially difficult for physicians to implement, and another commenter found the monitoring of arrangements overly burdensome.

Response: We intend for the outcomes-based payments safe harbor to support outcomes-based payments that facilitate care coordination, encourage provider engagement across care settings, and advance the transition to value. At the outset, we note that in response to general comments regarding the complexity of this safe harbor and for the sake of clarity, we streamlined the language we had proposed in paragraphs 1001.952(d)(2)(i) and (ii) such that the safe harbor still expressly specifies that the agent must achieve one or more legitimate outcome measures selected based on clinical evidence or credible medical support, but we are not finalizing the proposed language relating to the measures being specific, evidence-based, and valid. As we explain in greater detail in section III.B.3.b above in our discussion of outcome measures in the care coordination safe harbor, based on public comment, we changed the terms “evidence-based” and “valid” to “clinical evidence” and “legitimate” to offer some additional flexibility while reflecting our intention that measures be credible and appropriate. In selecting outcome measures, parties have broad latitude under this safe harbor to identify opportunities for improving or maintaining the improvement of patient care and reducing costs to payors in ways that are scientifically valid, measurable, and transparent.

We are not limiting protection under the safe harbor to a specific set of arrangements such as value-based arrangements. In the OIG Proposed Rule, we listed certain arrangements that may be protected under the safe harbor, provided the arrangement meets every requirement of the safe harbor.^[124] We are not limiting the protection provided by this safe harbor to a particular list of arrangements or particular types or structures of arrangements or measures.

We take a broader approach by providing additional protection to a variety of stakeholders, which should facilitate innovation in designing compensation arrangements that are value-based. As we stated in the OIG Proposed Rule, we strive to provide flexibility in this safe harbor, but we also must include appropriate safeguards, such as monitoring and assessment requirements, to protect patients and Federal health care programs.

Comment: We received comments on our proposed definition of “outcomes-based payment” and its interaction with other requirements. For example, a commenter recommended that we remove the language in the “outcomes-based payment” definition that appears to make effectively and efficiently coordinating care across care settings a required factor in an outcome measure. A commenter also asked that we harmonize the terms we use to describe “outcome measures” throughout the safe harbor. For example, a commenter indicated that the definition of “outcomes-based payment” is not consistent with the way payments are made under existing alternative payment models. A commenter recommended a technical change to paragraph 1001.952(d)(2) to specify that the safe harbor protects outcomes-based payments made by a principal to an agent as compensation for the services of the agent.

Response: We are not making the change to paragraph 1001.952(d)(2) suggested by a commenter to refer to payments from a principal to an agent. However, we note that the safe harbor protects any “outcomes-based payment,” and that term is defined in paragraph 1001.952(d)(3). In this final rule, we revised that definition to protect payments “between or among a principal and an agent” that meet certain criteria, as described in more detail below.

In addition, we removed the language in the definition of “outcomes-based payment” regarding effectively and efficiently coordinating care across care settings, and instead rely on a reference to paragraph 1001.952(d)(2)(i) in which outcome measures are described. We believe that this change also addresses the commenter’s concern about different terminology in those two sections. We also are revising the proposed requirement that the outcome measure measurably improves quality of patient care or appropriately and materially reduces payor costs to provide that the measure must be used to quantify: (i) Quality improvements (or maintenance of improvements in quality); (ii) material reductions in payor costs or expenditure growth while maintaining or improving the quality of care for patients; or (iii) both. Finally, we note that this safe harbor is not the only option for protecting payments under alternative payment models. Participants in such models may be able to look to the safe harbor for CMS-sponsored models at paragraph 1001.952(ii), or the value-based safe harbors at paragraphs 1001.952(ee)-(gg).

Comment: A commenter urged OIG to use “outcome measures” under paragraph 1001.952(d)(2) consistently with the use of the term under paragraph 1001.952(ee) to reduce complexity.

Response: We interpret the term “outcome measure” under this safe harbor to have the same meaning as under any other safe harbor that uses it, including paragraph 1001.952(ee). We note, however, that different safe harbors protect different types of remuneration, include different safeguards, and use additional terms. For example, in the safe harbor for care coordination arrangements, the “outcome or process measure” must have a benchmark related to improving or maintaining improvements in the coordination and management of care for the target patient population, while “outcome measures” under this safe harbor must have benchmarks that relate to improving or maintaining the quality of patient care, reducing costs or growth in expenditures to payors, or both. If a party seeks safe harbor protection for a particular arrangement, the arrangement need only meet one safe harbor to qualify for protection but the arrangement must comply with all conditions of the chosen safe harbor.

Comment: A commenter urged that outcomes-based payments should include a service component to prevent sham arrangements that simply maintain the status quo. Similarly, a few commenters suggested that OIG limit parties that may pay outcomes-based payments to parties participating within a VBE to prevent fraud and abuse, such as sham arrangements through which no service is provided. A commenter asked whether an outcomes-based payment agreement that requires exclusive or minimum level of use of a product (e.g., product standardization) to achieve an outcomes-based payment could be protected by the safe harbor as long as the principal makes a determination that such the requirement for exclusivity or minimum use will not preclude it from making decisions in its patients’ best interests.

Response: As we stated in the OIG Proposed Rule, measures that simply seek to reward the status quo would not meet the safe harbor condition that requires parties to select legitimate outcome measures.^[125] However, we are not limiting the scope of entities that may make outcomes-based payments to VBEs or VBE participants. We believe that the conditions parties must meet for safe harbor protection will sufficiently mitigate the risk of fraud and abuse.

We agree that the safe harbor does not necessarily preclude product standardization. If the product standardization measures selected by the parties under the outcomes-based payment arrangement do not limit any party’s ability to make decisions in their patients’ best interest and meet the other terms of the safe harbor, then they could be part of an outcomes-based payment arrangement.

Comment: A trade association commented that only sophisticated health systems with advanced data analytics have the capability to internally develop outcome measures while small, underserved, and rural practices would not have the resources to develop these measures internally. For example, a commenter noted that measuring outcomes can be a challenging and resource-intensive process that takes time to evaluate, especially on the individual participant level in a large entity with significant numbers of participants and multiple specialty areas.

Response: We recognize that structuring and implementing outcomes-based payment arrangements that satisfy the conditions of this safe harbor may be more onerous than structuring and implementing traditional personal service arrangements under the existing personal services and management contracts safe harbor (e.g., a party striving to satisfy the outcomes-based payment arrangements provisions must determine legitimate outcome measures, establish the types of services to be performed to achieve an outcome measure, set benchmarks, monitor and assess achievement, and ultimately achieve outcome measures). We understand the commenter’s concern regarding the potential administrative and financial impact that developing outcome measures may have on small, underserved, and rural providers. Participation in an outcomes-based payment arrangement is entirely voluntary, as is structuring outcomes-based payments to satisfy the conditions of this safe harbor. To the extent that parties wish to enter into an outcomes-based payment arrangement and structure such arrangement to satisfy the conditions of this safe harbor, the parties have discretion in the selection of outcome measures. Providers serving small, underserved, or rural communities may select outcome measures that would not impose an inappropriate financial burden on the parties to effectuate.

Comment: A commenter asked OIG to include process measures (e.g., providing or not providing a specific treatment) that are supported by strong evidence of improving an outcome within the types of valid outcome measures that may serve as the basis for payment under the safe harbor. Another commenter recommended that we require outcomes-based arrangements to include a service component.

Response: We agree that process measures supported by strong evidence of improving an outcome may serve as a component of outcome measures that an agent must achieve to receive an outcomes-based payment. For example, an outcomes-based payment arrangement may measure the agent’s compliance with certain steps of a care process (e.g., providing mammograms) to improve a specific health outcome. In section III.B.3.b above, we explain the rationale for permitting process measures to be included in the care coordination arrangements safe harbor but not in the outcomes-based payment provisions discussed here (although a process measure could be included as part of an outcomes measure); that rationale focuses on the different remuneration permitted under the two safe harbors and the different standards set forth by each safe harbor.

Under the modified regulatory text, outcome measures must be selected based on clinical evidence or credible medical support and be used to: (i) Quantify improvements or maintenance of improvements in the quality of patient care; (ii) quantify a material reduction in costs to, or growth in expenditures of, payors while maintaining or improving quality of care for patients; or (iii) both. In addition, as we proposed in the OIG Proposed Rule a “measure” related to patient satisfaction or convenience would not meet the criteria of an outcome measure.^[126] For similar reasons to those we discuss in connection with outcomes measures for paragraph 1001.952(ee), the final rule at paragraph 1001.952(d)(3)(iii)(C) provides that an outcomes-based payment based solely on patient satisfaction or patient convenience measures would not be protected. We recognize that patient satisfaction and patient convenience can be relevant factors in patient care. However, we do not consider these types of measures, standing alone, to provide adequate protection against abusive or sham payment arrangements for purposes of granting safe harbor protection.

We anticipate that most outcomes-based arrangements would include certain services to meet the conditions of the safe harbor, and the regulatory text includes several references to services. However, we believe that adding a separate requirement specific to performing services could add confusion, and that existing conditions in paragraph 1001.952(d)(2) safeguard against sham arrangements.

Comment: A commenter asked OIG not to require outcome measures to measurably improve the quality of patient care once the quality of care metric has been achieved. Instead, the commenter suggested that OIG focus on payment incentives that reduce costs after quality targets are met. On the other hand, a commenter expressed concern that allowing payment for “maintaining improvement” would invite sham arrangements that disguise payments in exchange for referrals for merely maintaining the status quo.

Response: We share the concern about the potential for sham arrangements associated with maintaining cost or quality. However, we also recognize that parties may succeed in reaching the desired outcome on quality or cost containment but need to be incentivized to maintain it to prevent subsequent reductions in attained quality or cost containment. To achieve the desired outcome, parties may need to invest resources at the beginning of an arrangement (e.g., to develop new protocols and engage in training). However, a continued expenditure of resources also may be necessary to avoid regression from any progress made. These are the types of issues we would expect parties to assess and, as necessary, revise benchmarks and remuneration under the arrangement to benchmarks to continue to achieve the desired outcome on a periodic basis. For example, if parties had an outcome measure related to reducing falls to a certain level from a starting benchmark point in a skilled nursing facility, and they eventually achieve a fall rate benchmark that no longer has room for improvement, a revised outcome measure might be to maintain that low fall rate (i.e., the new fall rate becomes the starting benchmark, and the outcome measure is to maintain it rather than reduce it). Any outcomes-based payment made for a new outcome measure would still have to meet all conditions of the safe harbor, including that the methodology for setting compensation is consistent with fair market value. For example, the fair market value of an outcomes-based payment made to an agent to maintain the desired level of quality of care may be lower than the fair market value of an initial outcomes-based payment made for implementing operational changes necessary to achieve the quality of care outcome measure.

Comment: A commenter indicated that it currently operates outcomes-based payment arrangements and suggested that OIG impose the following three requirements to ensure that all outcomes-based payments are legitimately made toward advancing the clinical and cost-saving goals of the arrangement and not merely payments for referrals: (i) Require outcome measures to be well-defined, meaningful to patients, achievable in a defined timeframe, and agreed upon by the parties; (ii) require outcome measures to be tracked through claims data, existing registries, EHRs, or other low-cost mechanisms; and (iii) require the arrangement to deliver measurable outcomes that improve patient quality of care and other benefits to the health care system through lower cost of care, other efficiencies, or shared accountability, or both.

Response: We appreciate the commenter’s helpful suggestions. While we are not using the precise wording offered by the commenter, we believe the language finalized in the regulation captures many of the concepts suggested by the commenter. Similar to the commenter’s suggestion of requiring meaningful, well-defined outcome measures, we require that the outcome measures be selected based on clinical evidence or other credible medical support and be used to quantify improvements to or maintenance of improvements in the quality of care or material reductions in cost to (or growth in expenditures of) payors, while maintaining or improving the quality of care of patients. We are not setting a timeline by which parties must achieve outcomes or requiring that parties must specify a timeline under which outcomes must be achieved because we recognize that the timeframe necessary to achieve certain outcome measures can vary greatly, depending on the measure and other characteristics, and that it may be challenging for parties to specify a certain timeline to achieve outcomes. Likewise, we do not specify any particular mechanism for tracking progress toward meeting outcome measures. We are not requiring parties to track outcome measures through claims data. However, the parties must regularly monitor and assess the agent’s performance under the specified outcome measure(s), including its impact on patient quality of care and make any necessary adjustments. Parties also must periodically assess and, as necessary, revise the benchmarks and remuneration under the arrangement to ensure remuneration is consistent with fair market value. We do not believe mandating specific documentation methods is a necessary safeguard against fraud and abuse; parties may conduct and document such monitoring in any way that makes sense for the particular arrangement.

Comment: A commenter asked OIG to remove the proposed requirement that an outcome measure “appropriately and materially” reduce costs or growth in expenditures for payors because the commenter believed this provision was too subjective. A commenter requested that OIG provide greater certainty to stakeholders by establishing concrete methods that parties could use to determine whether an outcome measure improves quality of care under an arrangement. Another commenter disagreed with the proposed safe harbor requirement that the agent achieve the outcome measure in order to receive payment, asserting that constant achievement of any outcome measure is not practical in health care.

Response: We are making certain changes to ensure that parties appropriately measure and quantify the results of the arrangement on patient quality of care and costs. We are finalizing our proposal requiring the agent to achieve the outcome measure for the payment to be protected.^[127] We believe this requirement serves as an important safeguard to ensure that remuneration is for legitimate outcomes anticipated through implementing the arrangement and is not a vehicle for rewarding referrals. We are not requiring particular methods to evaluate quality improvements (or maintenance of improvements in quality) under any protected arrangement because we believe that evaluation methods may be specific to each arrangement and may evolve in the future as parties innovate in new ways. We are modifying the proposed language by replacing “appropriately and materially” with a requirement that the agent achieve one or more legitimate outcome measures that meet conditions described elsewhere in this preamble. We believe this modification will allow parties additional flexibility to determine how to quantify quality improvements (or maintenance of improvements in quality) to accommodate different types of outcomes-based payment arrangements among a variety of stakeholders.

Comment: Numerous commenters urged OIG to broaden its proposal to protect payments that solely provide cost savings to a payor to include cost savings to providers. Some commenters argued that limiting protection to arrangements that achieve cost savings to a payor would make the safe harbor unworkable in practice and encouraged OIG to include arrangements that achieve cost savings to a provider to incentivize changes in physician behavior that are necessary to facilitate the transition to value-based care. A commenter posited that outcomes-based payments by nature involve standardization on a given system, protocol, or both to improve efficiencies and better coordinate and deliver care.

A few commenters indicated that cost savings arrangements for cost-reporting providers would not immediately produce cost reductions for payors but may eventually lower Medicare costs because the cost reductions may be reflected in future bundled payment rates.

Response: Having considered the comments, we decline to broaden the safe harbor to protect outcomes-based payments for arrangements that reduce internal costs only to the providers making the payments. We are concerned that such payments, while potentially beneficial in generating efficiencies, pose risks to patient care that outweigh the potential for the arrangements to further the care coordination and efficiency goals of this rulemaking if protected.

In some cases, such as hospital-physician gainsharing, arrangements that reduce internal costs may benefit only the hospital making the payments without necessarily contributing to better care coordination, improvements in quality of care, or appropriate reductions in costs. We are concerned that some payments, such as a payment to select a less expensive device or to discharge a patient more quickly, could lead to reductions in the quality or safety of patient care. Moreover, apart from quality of care concerns such payments would not offer a corresponding reduction in the payments made by Medicare or another Federal health care program. In the absence of a potential efficiency benefit to Federal health care programs, and in light of patient care concerns, we are not protecting payments that relate solely to the achievement of internal cost savings for the principal making the payment as an “outcomes-based payment.”

However, properly structured arrangements that compensate physicians for services performed and achieve hospital internal cost savings can serve legitimate business and medical purposes. Depending on the specific facts and circumstances, such arrangements could potentially be structured in a manner that complies with paragraph 1001.952(d)(1), as finalized.

Comment: Numerous commenters opposed the proposed safe harbor requirement that the methodology for determining the aggregate compensation (including any outcomes-based payments) paid between or among the parties over the term of an agreement be consistent with fair market value, commercially reasonable, and not be determined in a manner that directly takes into account the volume or value of referrals or other business generated between the parties, arguing that there are no industry standards applicable to outcomes-based payments available to date. A commenter expressed concern about only prohibiting the aggregate compensation from being determined in a way that “directly” takes into account the volume or value of referrals. Others supported these safe harbor requirements but asked for clarification from OIG on these terms, or asked OIG to align OIG’s view of these standards to be consistent with the definitions of these terms proposed in the CMS NPRM as they relate to the physician self-referral law.

Others argued that legitimate, outcomes-based arrangements should be able to take into account the volume or value of referrals within the payment methodology. A few commenters suggested that OIG remove the fair market value requirement.

Response: We recognize that the process of evaluating whether an outcomes-based payment arrangement is consistent with fair market value may evolve and adapt as the health care industry shifts to value-based care payment models and outcomes-based payments. However, we believe that ensuring that the aggregate remuneration is consistent with fair market value helps ensure that monetary remuneration is paid for services that achieve legitimate outcome measures rather than referrals.

We are not adopting any particular standard for determining that the aggregate compensation methodology is consistent with fair market value to provide parties sufficient flexibility to analyze fair market value as applicable to specific arrangements and in arrangements that may not currently exist today. As explained above in our discussion of the elimination of the requirement to set aggregate compensation in advance, we decline to adopt the fair market value standard proposed by CMS under the physician self-referral law. We are finalizing our proposal to require that the compensation methodology for determining the outcomes-based payment not directly take into account the volume or value of referrals or other business generated between the parties. We believe this will provide parties flexibility to structure arrangements that incentivize providers to achieve an outcome measure, even if the methodology indirectly takes into account the volume or value of referrals.

Comment: A commenter questioned whether the safe harbor protects “reverse-flow payments” from an agent to a principal and recommended that OIG revise the definition for “outcomes-based payment” to protect payments from an agent to a principal when a targeted outcome or cost metric has not been achieved (i.e., shared-losses payments).

Response: In the OIG Proposed Rule, we explained that a shared-losses payment could constitute an “outcomes-based payment.” ^[128] We are finalizing this position through revisions to the regulatory text at paragraph 1001.952(d)(3)(ii) to clarify that an outcomes-based payment is a payment “between or among a principal and an agent” that meets the criteria listed in paragraphs 1001.952(d)(3)(ii)(A) and (B), and includes payments in the form of recoupment from or reduction in payment to an agent.

Comment: Several commenters objected to the safe harbor including a specific timeframe after which parties seeking protection for outcomes-based payments would have to rebase their benchmarks. Commenters noted that any such time limits would be artificial. A commenter concerned with the negative effects of annual rebasing on preventive care provided the following example: One clinician takes preventive care steps to prevent colon cancer or to identify cancer at an earlier stage (e.g., through colonoscopies, blood work) in the first year, which has the effect of reducing the risk of cancer for 5 years, while another clinician does not take any preventive care steps for a patient and the patient develops cancer 4 years later. According to the commenter, if rebasing is done on an annual basis, the second clinician would be rewarded for providing care at no cost and good outcomes during that 1 year, while the first clinician would not be rewarded because the clinician provided high-cost care with no discernible improvement of outcomes during that limited timeframe.

Some commenters noted that finalizing a safe harbor condition that specifies timeframes for rebasing may have a negative impact on participation in outcomes-based arrangements. For example, because margins for improvement against benchmarks may be more challenging or impossible to meet over time, parties may be disincentivized to enter into these arrangements in the first place, or incentivized to unwind them after initial improvements, due to concerns about having an arrangement structure that does not squarely meet a safe harbor. Some of the commenters noted that, if there must be a specific timeframe in the safe harbor, that timeframe should be at least 5 to 10 years. In contrast, a commenter recommended that benchmarks be adjusted at least yearly to limit the risk that “evergreen” arrangements could be used as a vehicle to evade legitimate outcome obligations and instead to reward referrals.

Several commenters supported the standard we proposed in the OIG Proposed Rule requiring outcome measures to be periodically rebased, as applicable, during the term of the agreement. As an alternative, a commenter suggested that OIG revise this provision to require that the parties periodically reevaluate whether an outcome measure should be rebased throughout the term or expressly state that under some circumstances it may be appropriate upon review to maintain an existing outcome-based measure. In support of a nonspecific periodic review approach, commenters noted that the time period for implementing interventions and other actions needed to influence outcome measures can vary greatly, as can the time period needed for results to fully appear in outcome measures data. In addition, commenters asserted that some outcomes measures may not be tied to a baseline performance level at all. Commenters also highlighted that outcomes-based payments may be made for maintaining improvement in quality of patient care, in which case the targets for the outcomes-based payment would not be altered. A commenter noted that providers and collaborators continually analyze their results, and value-based purchasing programs incentivize parties to adjust outcome measures in a timely manner. We also received a request for clarification on any durational limits on outcome-based payments or if there are parameters related to when they must end (i.e., whether an arrangement must end upon achieving the initial outcome measure or if it can continue through implementing a new outcome measure or maintaining the initial achievement).

Response: We note first that for an agent to receive a protected outcomes-based payment under the final safe harbor, the agent must have achieved a specified, legitimate outcome measure. For an outcome to be measurable, there must be some sort of benchmark, whether that benchmark is a starting point (e.g., a 10 percent reduction from X) or reflects an end point (e.g., 90 percent of the time, X happened or was avoided). We agree with commenters that a one-size-fits-all approach is not appropriate for assessing benchmarks. However, we also agree with the commenter who highlighted the concern we raised in the OIG Proposed Rule about “evergreen” arrangements ^[129] in which outcome measures are not properly monitored and the remuneration is paid in exchange for referrals, after any intended benchmarks have been met (or without determining that the outcome measure was achieved).

To illustrate, we point to the example from a commenter as it is summarized above, with two clinicians taking different approaches to patients with respect to colon cancer prevention and detection. Setting aside the potentially disparate impact on patient health, health outcomes, and quality of care, and looking only at costs for purposes of this example, one clinician may increase costs to payors in the short term by increasing preventive care but may save money in the longer term, while the other clinician may have limited costs in the short term, but by failing to detect the cancer early may increase costs to payors in the long term. However, it is not clear in the example what the outcome measure might be. By way of example for illustrative purposes, the U.S. Preventive Services Task Force recommends colon cancer screening beginning at age 50. A reasonable outcome measure might be a specific percentage increase in the practice’s patient population first getting screened between age 50 and 55. Parties would need to evaluate an appropriate benchmark year (i.e., a percentage increase in first screenings from which year), and whether over time the percentage change should be updated, the benchmark year should be changed, or both. In addition, the amount of remuneration paid for achieving the outcome measure should be reassessed to determine whether it is fair market value. For example, a practice may need to develop new processes, training, and take other steps initially to achieve an outcome measure. While certain work must continue in future years to continue achieving the desired outcomes (whether it is for continuing to improve quality of patient care or materially reduce cost, or to maintain the achieved improvements in those areas), the outcomes-based payment may be less than it was during the initial year(s). If the outcome measure was based on the cost savings over the course of a year, an annual reassessment of the benchmark and remuneration would be appropriate to meet that safe harbor requirement. We also recognize that some outcome measures might be on a longer timetable for reassessment (e.g., a percentage reduction in costs over a 5-year time span). Therefore, the outcome measure might not need to be reassessed for 5 years (but an outcomes-based payment also would not be protected by this safe harbor until such outcome is achieved).

We have revised the regulatory text in the final rule to address many of the issues the commenters raised. These revisions are consistent with the substance of what we proposed in the OIG Proposed Rule. In the OIG Proposed Rule, we had solicited comments on defining the term “rebasing” and had described the fraud and abuse risk we were trying to prevent (e.g., arrangements in which outcome measures are not properly monitored or assessed and could be used as a vehicle to reward referrals well after the desired provider behavior change or savings benchmark has been met ^[130] ). Specifically, in this final rule, rather than stating that, for each outcome measure, the parties must “rebase during the term of the agreement, to the extent applicable,” we are stating that the parties must “[p]eriodically assess and, as necessary, revise benchmarks and remuneration under the agreement to ensure that the remuneration is consistent with fair market value in an arm’s-length transaction as required by (d)(2)(ii).” Thus, for safe harbor protection, all parties must assess the arrangement periodically (e.g., determine whether continued use of a benchmark or a measure is appropriate and whether the remuneration is appropriate for achieving that outcome measure), and then the parties should make any adjustments to benchmarks or remuneration that may be necessary to meet other conditions of the safe harbor.

d. Outcomes-Based Payments: Entities Not Eligible for Protection

Summary of the OIG Proposed Rule: We proposed making certain entities ineligible for safe harbor protection under the outcomes-based payments provisions, as described in section III.B.10.c.

Summary of the Final Rule: We are finalizing our policy to make certain entities ineligible for safe harbor protection. Specifically, the following entities will be ineligible to use the safe harbor: (i) Pharmaceutical companies; (ii) PBMs; (iii) laboratory companies; (iv) pharmacies that primarily compound drugs or primarily dispense compounded drugs; (v) manufacturers of a device or medical supply, as defined in paragraph (ee)(14)(iv); (vi) medical device distributors or wholesalers that are not otherwise manufacturers of a device or medical supply, as defined in paragraph (ee)(14)(iv) of this section; and (vii) DMEPOS companies. In addition, the final rule clarifies that DMEPOS companies do not include a pharmacy or a physician, provider, or other entity that primarily furnishes services.

Comment: Numerous commenters, including stakeholders representing pharmaceutical and medical device manufacturers and laboratories, opposed carving out pharmaceutical and medical device manufacturers, manufacturers, distributors, and suppliers of DMEPOS, and laboratories from the protection under the safe harbor. For example, a commenter suggested that medical device manufacturers should be protected because they can make valuable contributions to value-based care. Other commenters supported OIG’s proposal, with some commenters requesting that we make additional entities ineligible for protection, such as device manufacturers, distributors, wholesalers, PBMs, and pharmacies.

Response: As laid out in the OIG Proposed Rule, we remain concerned that pharmaceutical and medical device companies, DMEPOS companies, and laboratories may inappropriately use outcomes-based payment arrangements to market their products or divert patients from a more clinically appropriate item or service, provider, or supplier without regard to the best interests of the patient or to induce medically unnecessary demand for items and services.^[131] In the OIG Proposed Rule, we proposed to exclude from safe harbor protection payments made directly or indirectly by a pharmaceutical manufacturer; a manufacturer, distributor, or supplier of durable medical equipment, prosthetics, orthotics, or supplies, or a laboratory. We proposed to exclude these parties based on our enforcement and oversight experience and for reasons similar to the reasons for proposed exclusion of these entities from the definition of VBE participant (for further discussion of these reasons, readers are referred to section III.B.2.e.ii above). We explained that this provision reflected our concerns that these types of entities are heavily dependent on prescriptions and referrals and might use outcomes-based payments primarily to market their products to providers and patients. We further said we were considering excluding pharmacies (including compounding pharmacies), PBMs, wholesalers, and distributors for the same reasons we proposed to exclude them from the definition of VBE participant. With respect to PBMs, wholesalers, and distributors, their businesses are closely connected to the sale of manufacturer products, which provides an additional reason to exclude them along with manufacturers.

Additionally, we said in the OIG Proposed Rule that we were considering for the final rule the exclusion of medical device manufacturers from participation in the outcomes-based payments arrangements safe harbor.^[132] We explained our historical law enforcement experience with matters involving kickbacks paid to physicians, hospitals, and ambulatory surgical centers to market various medical devices, such as devices used for invasive procedures; in some cases, these schemes resulted in patients getting medically unnecessary care. We also explained our longstanding concern with physician-owned distributorships of medical devices because of financial incentives to perform more (or more extensive) procedures than are medically necessary and to use the devices sold by the distributorship instead of more clinically appropriate devices.^[133]

For the reasons stated in the OIG Proposed Rule, we are finalizing the provision as follows: Outcomes-based payments made directly or indirectly by the following entities are ineligible for protection under this safe harbor: (i) A pharmaceutical manufacturer, distributor, or wholesaler; (ii) a pharmacy benefit manager; (iii) a laboratory company; (iv) a pharmacy that primarily compounds drugs or primarily dispenses compounded drugs; (v) a manufacturer of a device or medical supply, as that term is defined in paragraph 1001.952(ee)(14)(iv) of this section; (vi) a medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supply, as defined in paragraph (ee)(14)(iv) of this section; or (vii) an entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services). We are not making payments made by pharmacies ineligible for safe harbor protection (except with respect to pharmacies that primarily compound drugs or primarily dispense compounded drugs for the reasons described in section III.B.2.e.ii.f above), although we suspect outcomes-based payments made by pharmacies might be relatively rare. As noted in a comment and response summarized in section III.B.2.e.iv above, pharmacies often serve as the key point of contact between patients and the health care system and provide many services to patients. For the same reasons we describe in that section, we do not believe that program integrity concerns warrant excluding them from protection under this safe harbor. We have modified the language describing DMEPOS companies to clarify that a pharmacy (other than a compounding pharmacy) or physician, provider, or other entity that primarily furnishes services remains eligible to make protected payments even if they also have some DMEPOS business. We did not propose, and did not intend, to exclude physicians or other providers.

We are mindful that there may be legitimate uses for outcomes-based payments by these sectors. However, we are concerned that the proposed safe harbor conditions were not intended to be, and are not, tailored to outcome-based contracting or payments in these sectors. As noted in the OIG Proposed Rule, we may consider outcomes-based contracting for pharmaceutical products and medical device manufacturers in future rulemaking. Outcomes-based payment arrangements involving these sectors should be analyzed for compliance with the Federal anti-kickback statute based on their facts and circumstances, including the intent of the parties. The entities that are ineligible to receive protection under this safe harbor for making outcomes-based payments remain eligible to use the modified personal services and management contracts safe harbor at paragraph 1001.952(d)(1).

e. Writing and Monitoring

Summary of OIG Proposed Rule: With paragraph 1001.952(d)(2)(viii), we proposed a requirement of a signed writing evidencing the outcomes-based payments agreement. We proposed at paragraph 1001.952(d)(2)(vii) a requirement that the parties regularly monitor and assess the agent’s performance for each outcome measure, including the impact of the outcomes-based payments arrangement on quality of care, and rebase outcomes measures periodically.

Summary of Final Rule: We are finalizing, with modifications, the writing requirement for outcomes-based payments and we moved the requirement from paragraph 1001.952(d)(2)(viii) to paragraph 1001.952(d)(2)(iii). As modified, the written agreement must include at a minimum a general description of the types of services to be performed under an outcomes-based payment arrangement. We are also finalizing the monitoring and assessment requirement with clarification regarding the rebasing requirement. Under the final rule parties must periodically assess and, as necessary revise, benchmarks and remuneration under the agreement to ensure that any remuneration is consistent with fair market value in an arm’s-length transaction as required by paragraph 1001.952(d)(2)(ii).

Comment: Commenters generally agreed that some type of written agreement should be required for safe harbor protection, but commenters did not necessarily agree with the specific condition OIG proposed. On the one hand, a commenter was concerned about arrangements losing safe harbor protection by not technically meeting the requirement of all services being documented, considering the need for some arrangements to be flexible. On the other hand, a commenter recommended that the safe harbor include additional documentation requirements, such as: Documentation of benchmarking methodologies; metrics for how to assess objectively its outcome measure(s) and documentation of the execution of any such assessment; records created at the time they entered into the agreement identifying the basis for the determination of compensation and the clinical evidence or credible medical support considered; and contemporaneous documentation of the services performed and the outcomes achieved. This commenter asserted that these additional documentation requirements would help prevent post-hoc justifications for conduct that the parties did not actually believe was permissible at the time, and that a lack of documentation is a way individuals and entities try to hide lack of compliance with a safe harbor.

Response: We understand the need for flexibility in outcomes-based arrangements. However, the safe harbor must include safeguards to avoid protecting arrangements that reward referrals. In the OIG Proposed Rule, we proposed that the written agreement include at a minimum: (i) The services to be performed by the parties for the term of the agreement; (ii) the outcome measure(s) the agent must achieve to receive an outcomes-based payment; (iii) the clinical evidence or credible medical support relied upon by the parties to select the outcome measure(s); and (iv) the schedule for the parties to regularly monitor and assess the outcome measure(s). We believe it is critical for parties to include the outcome measures, the basis for selecting the outcome measures, and the monitoring and assessment schedule in an agreement at the outset of the arrangement.

However, we are modifying the requirement that the agreement specify the services to be performed over the term of the agreement. We recognize that the parties may not be aware of every step necessary to achieve a certain outcome measure when the agreement becomes effective and that the needed services might change over time to achieve the desired outcome measure. Protected remuneration under paragraph 1001.952(d)(2) is dependent upon meeting the outcome measure, not necessarily the specific steps a party may have taken to achieve that measure. Therefore, we are modifying the regulatory text to specify that the agreement must include at a minimum a general description of the types of services to be performed. We note, however, that other conditions of the safe harbor (e.g., monitoring the arrangement to assess the agent’s performance and impact on patient care) would necessitate some type of documentation of services or other activities performed to achieve the outcome measure. We believe that requiring a general description of the anticipated services, coupled with the other required elements of the written agreement, strikes the appropriate balance between transparency needed to protect patients and Federal health care programs and flexibility for parties to create innovative arrangements that may need to evolve to achieve the desired results.

Comment: A commenter asked whether an agreement to provide outcomes-based payments can be signed in advance of the establishment of the outcome measure(s) and whether the parties’ eligibility for compensation commences on the date the outcome measure(s) are mutually agreed upon in writing signed by the parties or at some other time.

Response: There may be certain other existing written agreements between the parties in advance of commencing an outcomes-based payment arrangement. But for purposes of meeting the writing requirement for protection under this safe harbor, the parties must agree to the outcome measure(s) in writing and sign such an agreement in advance of, or contemporaneous with, the commencement of the terms of the outcomes-based payment arrangement. Furthermore, eligibility for protected compensation under this safe harbor commences after achievement of the outcomes measure (or failure to achieve it by the designated time in the case of a shared losses payment), assuming all safe harbor conditions are met.

11. Warranties (42 CFR 1001.952(g))

Summary of OIG Proposed Rule: We proposed to modify the existing safe harbor for warranties at paragraph 1001.952(g) to: (i) Protect certain warranties for one or more items and related services upon certain conditions, such as all federally reimbursable items and services subject to bundled warranty arrangements must be reimbursed by the same Federal health care program and in the same payment (“same program/same payment requirement”); (ii) exclude beneficiaries from the reporting requirements applicable to buyers; and (iii) define “warranty” directly and not by reference to 15 U.S.C. 2301(6).

Summary of Final Rule: We are finalizing the modifications to the warranties safe harbor as proposed in the OIG Proposed Rule. In addition, in response to concerns raised by commenters, we are clarifying in this preamble the scope of buyers’ reporting obligations to make clear the safe harbor is designed to accommodate the various reimbursement systems under which buyers may report price reductions.

a. Inclusion of Services in Bundled Warranties

We are finalizing our proposal to protect warranties that warranty a bundle of items or a bundle of items and services. This revision protects, for the first time, warranties covering services, although the safe harbor does not provide protection to warranties that warranty only services. As explained in the OIG Proposed Rule, we believe warranties for services that are not tied to one or more related items could present heightened fraud and abuse risks.

Comment: Commenters generally supported our proposal to revise the warranties safe harbor to protect bundled warranties for one or more items and related services. A commenter noted sellers and buyers, such as health systems, would have greater flexibility under the safe harbor to protect related services that are often integral to determining whether the terms of a warranty, such as a clinical outcome, have been met. According to the commenter, such services might include, for example, data collection and analytics, verification of product use consistent with labeling and governing clinical protocols (including through confirmatory laboratory testing), and monitoring patient adherence to prescribed treatment regimens.

Response: We agree with commenters that the revised safe harbor will offer greater flexibility to buyers and sellers to enter into innovative arrangements that warranty the value of an entire bundle of items or that include bundled items and services. We would highlight, however, that this revision to the warranties safe harbor does not protect free or reduced-priced items or services that sellers provide either as part of a bundled warranty arrangement or ancillary to a warranty arrangement. Instead, it merely protects the offer and exchange of warranty remedies under a warranty arrangement, provided all of the safe harbor’s conditions are satisfied. As discussed further below, items and services provided either as part of or ancillary to a warranty arrangement may not need safe harbor protection or may be protected by other safe harbors.

Comment: A commenter supported our proposal not to protect warranties covering only services. Another commenter, however, recommended that OIG should protect warranties that cover services only, explaining that medical device manufacturers can play a role in offering data analytics via software solutions, for example to predict post-treatment health care conditions and costs and thereby reduce utilization of higher-acuity post-acute services. According to the commenter, offering warranties that guarantee outcomes from using such services would provide an incentive for investment from both parties—the vendor and the provider.

Response: We appreciate the commenter’s explanation regarding the potential benefits of services offerings. As we discussed in the OIG Proposed Rule, however, we believe services-only warranty arrangements present a heightened risk of fraud and abuse. In particular, we noted that the determination of whether services meet a clinical outcomes goal established by a warranty arrangement can be more subjective than warranties involving items. We also expressed concern that the potential to receive a monetary remedy under a services-only warranty could induce patients to select a particular provider, particularly if the clinical results are not easily achievable. Parties seeking to enter into outcomes-based arrangements for only services may look to the revised personal services and management contracts and outcomes-based payment arrangements safe harbor at paragraph 1001.952(d) for potential protection.

Comment: A commenter requested that if OIG finalizes limitations on the items and services that may qualify for bundled warranties, OIG should clarify that a warrantied bundle of items and services could encompass limited support services offered by the manufacturer that are not federally reimbursable and are offered free of charge. The commenter asked for this clarification in light of preamble language from the OIG Proposed Rule stating that the modified safe harbor would not protect free or reduced-priced items or services that sellers provide either as part of a bundled warranty arrangement or ancillary to a warranty arrangement. As an example, the commenter asked OIG to confirm that the safe harbor would protect a manufacturer’s warranty of the clinical effectiveness of a self-injected drug contingent on the patient receiving product administration and use education through nurse support offered by the manufacturer.

Response: We confirm that, under the safe harbor as modified, a warrantied bundle of items and services could encompass services offered by the manufacturer that are not federally reimbursable and are offered free of charge, although we emphasize that the safe harbor only protects remuneration provided as a warranty remedy; services offered for free by manufacturers would not themselves be protected under this safe harbor. The same program/same payment requirement does not prohibit the inclusion of non-federally reimbursable items or services in the bundle of items and services being warrantied. Therefore, under the safe harbor, a manufacturer could offer a bundled warranty that warranties the clinical effectiveness of a self-injected drug contingent on the patient receiving post-prescribing product administration and use education through nurse support offered by the manufacturer. We also want to confirm and clarify that the modified safe harbor does not protect free or reduced-priced items or services that sellers provide either as part of a bundled warranty arrangement or ancillary to a warranty arrangement. The modifications to the safe harbor provide protection for warranty remedies stemming from warranties covering more than one item or more than one item and service, whereas the original safe harbor for warranties provided protection for warranty remedies stemming from warranties on only one item. If non-reimbursable items or services offered for free as part of a bundled warranty have independent value to a buyer, the parties to the warranty arrangement may look to other safe harbors to protect the exchange of those items and services, such as the personal services and management contracts and outcomes-based payments safe harbor.

Comment: In response to our solicitation of comments regarding the potential anticompetitive effects that bundled warranties may have—including barriers to entry for manufacturers and suppliers that cannot offer bundled warranties—a commenter stated that it did not believe competitive barriers to entry were a likely outcome, and that any risks of anticompetitive behavior that may exist are better addressed through the government’s other enforcement authorities to police anticompetitive behavior. According to the commenter, it is not uncommon for vendors to partner in selling and offering a warranty for a bundle of products containing items from different vendors.

Response: We appreciate this comment and recognize that a variety of models exist in the marketplace for bundled-sale arrangements. We are not finalizing additional safeguards designed to limit the potential anticompetitive effects of bundled warranties. We continue to believe, however, that anticompetitive risks can be reduced by the safe harbor’s provisions prohibiting exclusive-use or minimum-purchase requirements as a condition of a warranty offering.

Comment: A commenter warned that bundled warranties may harm competition and limit clinician and patient choice because, even with the prohibition on exclusivity and minimum-purchase requirements, sellers could condition a warranty on the purchase of a bundle of products and services. The commenter suggested that OIG include language in the safe harbor that no warranty shall interfere with a health care provider’s autonomy and responsibility to make clinical decisions with regard to patient care and safety.

Response: We appreciate the commenters’ concerns and recognize that providing protection for bundled warranties could result in some anticompetitive effects. However, the safeguards we are finalizing in this rule, including prohibiting exclusivity and minimum-purchase requirements and limiting the scope of what may be included in a bundled warranty, provide meaningful protection against anticompetitive behavior that otherwise may occur. As noted in the OIG Proposed Rule, protection for bundled warranties may foster beneficial arrangements that facilitate the use of higher-value items and services. While we have not included an express requirement that protected warranties cannot interfere with a health care provider’s autonomy and responsibility to make clinical decisions with regard to patient care and safety, we emphasize that the modifications to the safe harbor that we are finalizing are not intended to—and should not—affect providers’ ongoing responsibilities to make clinical decisions in the best interests of their patients.

Comment: Some commenters recommended that we include other additional safeguards within the safe harbor. For example, a commenter urged OIG to consider a safeguard that would prohibit any unfair or deceptive practice in the marketing of a service warranty. Another commenter urged us to add a requirement that for a warranty to be protected under the safe harbor, the manufacturer or supplier must determine that the warranty is reasonably related to an evidence-based clinical improvement objective and is commercially reasonable.

Response: As noted above, we believe the safeguards in the OIG Proposed Rule strike the right balance between protecting beneficiaries and Federal health care programs while promoting beneficial and innovative arrangements, such as bundled warranties. In particular, we have not added a separate prohibition against unfair or deceptive practices because deceptive commercial practices are already prohibited by numerous State and Federal laws. We do not believe providing a separate requirement here is necessary.

We also decline to impose a requirement that warranty arrangements relate to evidence-based clinical improvement objectives. Although some warranties may relate to evidence-based clinical improvement outcomes, many warranty arrangements that the safe harbor could protect, such as those guaranteeing that an item is defect-free or otherwise functions as intended, may not have an evidence-based clinical improvement component.

Finally, we decline to impose a commercial reasonableness requirement within the warranties safe harbor for the same reasons articulated above. It is not clear that a commercial reasonableness requirement would provide additional, meaningful protection against fraud and abuse in the context of the warranties safe harbor, given the limited scope of protected remuneration and, in particular, that a seller may not pay any individual (other than a beneficiary) or entity for any medical, surgical, or hospital expense incurred by a beneficiary other than for the cost of the items and services subject to the warranty.

Comment: Some commenters opposed restrictions on the manner in which sellers could provide warrantied medication adherence services as part of a bundled warranty, with those commenters pointing to the importance of medication adherence services generally and the alignment that exists between manufacturers’ incentives and patients’ health outcomes. Commenters noted that adherence programs can play an important role in helping patients follow their prescribed treatment regimens, which has been shown to lead to better patient outcomes, including fewer hospitalizations and emergency room visits. Commenters also pointed out that medication nonadherence—the problem of patients not taking medications in accordance with their health care providers’ directions or otherwise not following their providers’ treatment recommendations—is a major health problem, leading to poor clinical outcomes and increased health care spending. Commenters also asserted that the fraud and abuse risks of manufacturers providing medication adherence services is low because manufacturers have financial, regulatory, reputational, ethical, and legal incentives to ensure their products are used only to the extent that they continue to be safe and effective for patients. Commenters further noted that, when medication adherence programs are included in outcomes-based contracts, manufacturers are rewarded for their product working as intended to promote patients’ health and safety and penalized for their product not working well for patients, which improves the alignment between manufacturer incentives and patient health and safety.

Although most commenters on the topic did not support restrictions on the manner in which sellers could provide warrantied medication adherence services, a few commenters expressed support for a possible safeguard discussed in the OIG Proposed Rule. In particular, a commenter expressed support for OIG’s proposal to require sellers’ use of independent intermediaries for direct patient adherence activities, while another commenter supported a prohibition on any direct patient outreach by a seller offering a warranty. A commenter who shared the concerns expressed in the OIG Proposed Rule regarding patient outreach services being provided by manufacturers and suppliers recommended a safeguard requiring that warrantied patient outreach services be approved by a licensed medical professional. In doing so, the commenter expressed concern that drug manufacturers may abuse any safeguard requiring sellers to use independent intermediaries to perform direct patient outreach services.

Response: OIG agrees that medication adherence services can have a significant beneficial impact on patient health and health care costs. Although we also recognize the potential for greater alignment of manufacturers’ incentives and patient health outcomes in value-based arrangements, at this time most arrangements for the sale of a drug reimbursed by a Federal health care program are not outcome-driven, and we continue to have concerns regarding the direct provision of medication adherence services by sellers of warrantied items because their financial incentive to sell their products could result in medication adherence services that increase fraud and abuse risks, such as patient harm and overutilization.

Despite these risks, we are not imposing any restriction in this final rule on the manner in which warrantied medication adherence services may be provided when offered as part of a bundled warranty. A limitation on the manner in which sellers of one or more warrantied items provide such services as part of a bundled warranty may not materially reduce any fraud and abuse risks, particularly because a limitation on warranties would not affect the provision of medication adherence services in contexts other than bundled warranties. For the same reason, we are declining to impose a requirement that warrantied medication adherence services must either be provided via an independent intermediary or subject to the approval of a licensed medical professional. We emphasize that the warranties safe harbor would not protect the provision of free or reduced-cost medication adherence services furnished by a seller.

Comment: A few commenters asserted that, consistent with existing OIG guidance, medication adherence services do not constitute remuneration because they do not have independent value to a buyer but rather are integrally related to the underlying product. A commenter noted that, although OIG has expressed concern that manufacturer-sponsored adherence supports could replace actions that a health care provider might otherwise take to support medication adherence, the likelihood of manufacturer adherence supports leading providers to reduce their own efforts to improve their patients’ medication adherence is very small.

Response: We disagree with the assertion that medication adherence services never constitute remuneration and thus never implicate the anti-kickback statute. For example, in Advisory Opinion No. 11-07, we noted that the vaccine reminder program offered by a manufacturer could have independent value to health insurers and health care entities and could confer an additional financial benefit on physicians because the vaccine reminders were intended to encourage the recipients to schedule an appointment with their children’s health care practitioners, who likely would be reimbursed for administering the vaccine and possibly for an associated office visit. As highlighted in this example, medication adherence services could result in a provider’s opportunity to earn income. We also recognize that medication adherence services provided to beneficiaries as part of warranty arrangements could have independent value to the beneficiary, depending on how those arrangements are structured.

Although the OIG Proposed Rule stated that the provision of free or below fair market value medication adherence services “would implicate the anti-kickback statute,” ^[134] we clarify in this final rule our position that such services could implicate the statute but would not necessarily implicate the statute in all circumstances, and that such analysis would be dependent upon the facts and circumstances of a specific offering.

Comment: A commenter urged OIG to ensure that pharmacies can continue to provide adherence and medication therapy management services, including when such activities are compensated at fair market value by payors, manufacturers, and others within the supply and payment chain.

Response: The modifications to the warranties safe harbor set forth in this final rule do not change pharmacies’ ability to provide adherence and medication therapy management services. Any financial arrangement between pharmacies and payors, manufacturers, and others within the supply and payment chain could implicate the anti-kickback statute and should be analyzed on a case-by-case basis for compliance with the statute. Depending on the facts, other safe harbors may be available, including the personal services and management contracts and outcomes-based payments safe harbor.

Comment: A commenter expressed support for a standalone safe harbor protecting manufacturer-supported patient adherence programs, and other commenters asked OIG to promulgate an additional rule that expressly defines how value-based arrangements for drugs can include all relevant health care entities (including manufacturers, payors, providers, and patients) and medication adherence programs without running afoul of the Federal anti-kickback statute.

Response: We appreciate the commenters’ requests for further rulemaking. However, they are outside the scope of this rulemaking.

Comment: A commenter expressed concern regarding the statement in the OIG Proposed Rule regarding the provision of free or reduced-price laboratory testing as part of a warranty arrangement. The commenter asserted that the inclusion of confirmatory laboratory testing under a warranty arrangement could fit within the revised warranties safe harbor where a seller engages an independent laboratory under a fair market value arrangement to perform testing solely to determine whether the terms of a clinical outcome or other value-based warranty have been met.

Response: Regardless of whether items and services used to determine the efficacy of a warranty have independent value to the buyer, the warranties safe harbor provides protection only for sellers’ offer and provision of warranty remedies, not the offer or sale of the items and services being warrantied or any items or services used to determine whether a clinical outcome or other value-based outcome has been achieved. We recognize that warranty arrangements in some circumstances may require laboratory testing or other data to determine, for example, whether clinical or other outcomes have been met or whether the buyer or patient has adhered to the terms of the warranty.

We did not intend to suggest in the OIG Proposed Rule that, in all instances, confirmatory laboratory testing for purposes of determining whether warrantied outcomes have been achieved would implicate the anti-kickback statute. Where a seller provides free items and services ancillary to a warranty arrangement that could have independent value to the buyer, sellers should analyze such arrangements on a case-by-case basis to determine whether they implicate the anti-kickback statute and may look to other safe harbors, such as the safe harbor for personal services and management contracts and outcomes-based payments, for protection. In the case of confirmatory laboratory testing relating to a warranty arrangement, such testing could have independent value to the buyer if, for example, it alleviates administrative or financial burdens the buyer otherwise would incur to obtain laboratory testing for purposes other than the warranty.

b. Requirement for Federally Reimbursable Items and Services Subject to Bundled Warranty Arrangements To Be Reimbursed by the Same Federal Health Care Program and in the Same Payment

We recognize the possibility that bundling of one or more items and related services that are reimbursed under different methodologies or different payments could create incentives for overutilization or the potential for cost-shifting. The final rule protects warranties that apply to one or more items and related services only if the federally reimbursable items and services subject to the warranty arrangement are reimbursed by the same Federal health care program and in the same Federal health care program payment. The same program/same payment requirement provides important protection against these risks.

Comment: A number of commenters objected to the condition that federally reimbursable items and services in a bundled warranty arrangement must be reimbursed by the same Federal health care program and in the same Federal health care program payment in order to qualify for protection under the safe harbor. Commenters expressed concern that this condition would constrain innovation by limiting what items may or may not be included in a bundle based on reimbursement status, rather than focusing on clinical efficacy. A trade association representing providers noted that care coordination arrangements often require payments from different reimbursement methodologies. For example, a joint replacement can occur in a hospital or ambulatory surgical center and then a patient may be discharged to a skilled nursing facility or to home health care. The commenter expressed concern that a warranty covering this episode of care would not be eligible for safe harbor protection because of the different payment methodologies. The commenter recommended OIG implement alternative safeguards in lieu of the same program/same payment requirement, such as limiting application of the safe harbor to medically necessary items and services, prohibiting stinting, and requiring the warranty to be part of a written care plan by a licensed medical professional.

Other health care providers commented that the proposed same program/same payment requirement is outdated and unworkable in light of value-based arrangements that utilize a combination of items, services, or both, and that it is impracticable to determine that the same program/same payment requirement will be satisfied for every patient. Commenters also noted that warranties allow manufacturers to help providers manage risk when testing out new combinations of devices and supports, even if they are reimbursed under separate prospective or composite rate systems.

Response: Although the warranties safe harbor could be used to protect a wide range of innovative arrangements, it is not designed to protect warranties involving items purchased by multiple buyers across different care settings or reimbursed by different payment systems. As explained further in this final rule, we believe a bundle of products paid for separately and potentially across different payment systems poses an increased risk of inappropriate utilization and overutilization. Such arrangements may qualify for protection under the value-based safe harbors described in this final rule, such as the safe harbors for care coordination arrangements (paragraph 1001.952(ee)), value-based arrangements with substantial downside financial risk (paragraph 1001.952(ff)), and value-based arrangements with full financial risk (paragraph 1001.952(gg)). We do not believe that the proposed alternative safeguards would be as effective—or as straightforward to apply and interpret—as the same program/same payment requirement we are finalizing.

Comment: A commenter noted that a manufacturer or supplier seldom knows all of the ways in which providers might be reimbursed for items and services included in a bundled warranty arrangement.

Response: As noted above, the warranties safe harbor is not designed to protect warranty arrangements that span different care settings or that involve multiple payment systems. Sellers should be able to craft warranty offerings that meet the terms of the safe harbor, even if a particular bundle of items or items and services could potentially be reimbursed in different ways. For example, a seller’s written warranty could specify that warranty remuneration is available only in circumstances in which the bundle is reimbursed under the same Federal health care program and in the same payment.

Comment: Commenters noted that the bundled warranty arrangement approved under Advisory Opinion No. 18-10 would not meet the revised safe harbor because some of the items in the bundle were separately reimbursable under certain States’ Medicaid programs. Commenters also observed that various State Medicaid programs employ different reimbursement methodologies and that even within a single State, reimbursement methodologies can differ depending on whether beneficiaries are covered by the State’s fee-for-service program or a Medicaid managed care plan.

Response: We acknowledge that Medicaid programs reimburse items and services with a variety of payment methodologies, which can include separate, unbundled reimbursement for some items. We remain concerned, however, that providing safe harbor protection to warranties containing separately reimbursable items would introduce a higher risk of fraud and abuse in the form of potential overutilization, inappropriate steering, or inappropriate utilization. For example, a buyer may have an incentive to purchase separately reimbursable items in order to receive the benefit of a warranty on those items because the buyer will be reimbursed for each item separately, and if even one item does not meet the specified level of performance, the buyer could receive the cost of all items in the bundle. By comparison, if a buyer receives one warranty payment for all items covered by a bundled warranty, the buyer has a greater incentive to contain its costs and not purchase unnecessary items (or services).

The arrangement described in Advisory Opinion No. 18-10 included the possibility that bundled devices could be separately reimbursed by State Medicaid programs, although the opinion specified that these instances would be infrequent and that Medicaid-reimbursed cases represented a very small part of the requestor’s business. Although warranty remuneration paid resulting from the failure of a separately reimbursable item or service would not be covered by the warranties safe harbor, the advisory opinion process remains available for a legal opinion regarding facts and circumstances that may not be protected by the safe harbor.

Although we solicited comments on instances when an exception may be necessary to the provision requiring reimbursement by the same Federal health care program payment, upon further consideration we do not believe an exception is necessary. The modified safe harbor requires that federally reimbursable items and services covered by a bundled warranty must be reimbursed by the same Federal health care program payment—not that the items and services be only reimbursable by one Federal health care program payment. In other words, the possibility that an item or service is reimbursable under a different program or by a different payment does not foreclose a manufacturer or supplier from offering a bundled warranty covering the item or service as long as the item or service is in fact reimbursed by the same Federal health care program payment as the other item(s) and service(s) comprising the warranty bundle.

Although we recognize that it may be difficult for a seller to know under which reimbursement methodology a particular item or service will be reimbursed, we believe parties entering into bundled warranty arrangements could specify in the warranty’s written terms that only items and services reimbursed by the same Federal health care program payment will be eligible for the warranty. Because warranty remedies are by their nature furnished after the use of items and services, a buyer likely knows before making a warranty claim whether the items and services are or will be reimbursed by the same Federal health care program payment. Consequently, a warranty undertaking could explicitly state that warranty remedies are available only for patients or procedures in which the bundled items and services are reimbursed by the same program and same payment even where alternative reimbursement methodologies for those items and services exist.

Comment: A commenter noted that in many cases items or services included in a bundle are not reimbursed specifically but might be deemed reimbursed indirectly as part of a payment for another item or service. In such cases, there might be numerous potential payments or reimbursement methodologies which could be viewed as providing such indirect reimbursement.

Response: The warranties safe harbor does not attempt to address every possible variation in reimbursement methodologies. We continue to believe that limiting safe harbor protection to warranties involving bundled items and services reimbursed under the same program and same payment is an important safeguard to protect against inappropriate steering, inappropriate utilization, or overutilization of federally reimbursable health care items and services. We believe that, in most circumstances, health care providers can identify the reimbursement source for a particular item and can also determine whether items and services subject to a bundled warranty are reimbursed by the same payment.

Comment: A commenter urged OIG to abandon the same program/same payment requirement and instead extend protection for bundled warranties involving items and services reimbursed under multiple prospective payment or composite rate systems, which the commenter asserted would protect a broader range of warranties but pose a low risk of fraud and abuse due to cost-shifting because no warrantied items would be separately reimbursable. Another commenter suggested that the safe harbor should protect bundled warranties involving items and services that are not specifically reimbursed under bundled or fee-for-service payments but that could be reflected in some manner in a provider’s Medicare cost report.

Response: Although we recognize that warrantying only bundled items and services reimbursed under prospective payment bundles or composite rate systems could reduce the risk of cost-shifting between Federal health care programs, we remain concerned that protecting bundled warranties across such methodologies could complicate both the administration of warranties and reporting obligations, and we decline to expand the safe harbor provision according to the commenter’s suggestion.

Comment: A commenter stated that the same program/same payment requirement would not protect a warranty bundle consisting of a particular federally reimbursed drug product when used in conjunction with a companion diagnostic. According to the commenter, the drug would be reimbursed under Medicare at the negotiated price (for a Part D drug) or at ASP plus 6 percent (for a Part B drug), while the companion diagnostic would be reimbursed under the clinical laboratory fee schedule.

Response: We appreciate the commenter’s concern and acknowledge that the safe harbor would not protect the type of arrangement described in this comment. However, the safe harbor could protect a warranty covering a drug product, and where the seller wants to provide a companion diagnostic to determine if a warrantied outcome has been achieved, the seller could look to other safe harbors to protect the provision of the companion diagnostic to the extent the provision of the companion diagnostic implicates the anti-kickback statute.

Comment: A commenter asserted that the same program/same payment requirement could foreclose protection for even one-drug warranties because drugs are virtually always reimbursed by Medicare, Medicaid (and usually additional Federal health care programs), with each program having different payment methodologies for outpatient drugs.

Response: As noted in proposed paragraph 1001.952(g)(5), the same program/same payment requirement would only apply when a manufacturer or supplier offers a warranty for more than one item or one or more items and related services. This requirement would not apply to single-item warranties.

Comment: A number of commenters expressed concern that the requirement that federally reimbursable bundled items and services be reimbursed by the same Federal health care program payment could inhibit innovative warranties based on the performance of warrantied items and related services across a patient population (population-based warranties). A commenter argued that the safe harbor should accommodate value-based arrangements that study a representative sample of a patient population and use the results observed from the sample to determine the price or price concession that is appropriate for product utilization more broadly. Another commenter asserted that warranties offered across a patient population have a low risk of fraud and abuse where none of the items or services is separately reimbursable.

Response: As discussed in the preamble to the OIG Proposed Rule, we believe the expanded warranties safe harbor will facilitate beneficial and innovative arrangements between buyers and sellers, such as bundled warranties. While population-based warranties would not necessarily pose the same fraud and abuse risk of problematic cost-shifting between Federal health care programs as warranties covering a bundle of items and services that are reimbursable under different Federal health care programs, population-based warranties could pose different fraud and abuse risks. Specifically, population-based warranties may result in steering to particular products in a manner that inappropriately limits patient choice and providers’ clinical decision-making and could result in overutilization or inappropriate utilization of items or services where a buyer feels compelled to use a certain quantity of a seller’s product in order to be eligible for a warranty remedy. We appreciate the commenter’s request for the warranties safe harbor to protect value-based arrangements that could inform the price of a product, and while the modified safe harbor does not specifically protect population-based warranties, we emphasize our statement in the OIG Proposed Rule that we may consider specifically tailored safe harbor protection for value-based contracting and outcomes-based contracting for the purchase of pharmaceutical products (and potentially other types of products) in future rulemaking.

c. Capped Amount of Warranty Remedies

The existing safe harbor for warranties contains the limitation that a manufacturer or supplier must not pay remuneration to any individual (other than a beneficiary) or entity for any medical, surgical, or hospital expense incurred by a beneficiary other than for the cost of the item itself. In the OIG Proposed Rule, at proposed paragraph 1001.952(g)5), we proposed to adapt this limitation to accommodate the safe harbor’s expanded protection of bundled warranties. In the modifications to the safe harbor we are finalizing here, warranty remuneration for any medical, surgical, or hospital expense incurred by a beneficiary is capped at the cost of the items and services subject to the warranty.

This cap plays an important role in safeguarding against sellers providing excess remuneration to providers to induce referrals. The revised safe harbor offers sellers more flexibility by protecting both a broader scope of warranties and a potentially higher amount of warranty remuneration reflecting the cost of the entire bundle of items or bundle of items and services. This adaptation allows sellers to offer a valuable remedy to their customers if a product fails to meet a specified level of performance.

Comment: Although some commenters expressed support for OIG’s proposal to limit the remuneration a manufacturer or supplier may pay to any individual (other than a beneficiary) or entity for any medical, surgical, or hospital expense incurred by a beneficiary other than for the cost of items and services subject to the warranty, several commenters objected to this proposed safeguard. For example, a commenter argued that warranty remedies that exceed the aggregate value of the warrantied items and related services are likely to be the key drivers in realizing the potential of value-based care. Another commenter stated that capping the warranty remedy based on the collective cost of the warrantied items and services is insufficient because providers expect vendors offering warranties addressing long-term population health issues to be financially accountable for costs greater than the cost of the items and services subject to the warranty.

Response: As proposed, the revised safe harbor would protect warranties in which vendors offer to reimburse any medical, surgical, or hospital expense incurred, up to the cost of the warrantied items and services incurred by the buyer to acquire those items and services. The safe harbor could be used to protect reimbursement for hospital expenses incurred as a result of, for example, a bundle of items that failed to meet the clinical outcomes guaranteed by a warranty arrangement. The total warranty remuneration provided, however—including the cost of any replacement items—would be limited to the original cost of the items and services incurred by the buyer. We believe the proposed expansion of this safe harbor provides a significant and sufficient opportunity for vendors to offer a meaningful and valuable remedy to their customers to account for the failure of an item, a bundle of items, or a bundle of items and services to meet warrantied standards.

Comment: Commenters stated that capping the amount of warranty remuneration will negatively impact patient care and unnecessarily stifle innovative value-based arrangements because vendors will not be able to offer appropriate remedies if warrantied outcomes are not achieved, such as the provision or payment for medical, surgical, hospital, or other services and related items in connection with the replacement or supplementation of a warrantied item, or as an alternative or supplemental treatment.

Response: We continue to believe that the proposed cap strikes an appropriate balance between protecting remuneration for warrantied products and safeguarding against excessive remuneration paid by vendors to induce referrals. Furthermore, as we explained in the preamble to the OIG Proposed Rule, the safe harbor, as finalized, already is broad enough to protect certain value-based arrangements, such as warranties that offer a clinical outcomes guarantee, as long as the safe harbor’s other requirements are met.

Comment: A commenter stated that there is negligible risk that manufacturers and suppliers would use warranties to provide excess remuneration because vendors entering into warranty arrangements face steep exposure and will take all possible precautions to avoid future payments under such warranties.

Response: We continue to believe that without limiting the amount of protected warranty remuneration there is a risk of vendors paying excessive remuneration to induce further Federal health care business. For example, without a cap on warranty remuneration, a vendor could pay for a wide range of consequential expenses resulting from the failure of a device including, for example, hospitalization expenses, revision surgery, and other downstream expenses, in addition to providing a replacement for the faulty device. We believe that would provide too great an opportunity for sellers to offer generous remuneration to buyers.

d. Prohibition on Exclusivity and Minimum-Purchase Requirements

We proposed a new safeguard at proposed paragraph 1001.952(g)(6) that would preclude warranty arrangements from being conditioned on the exclusive use or minimum purchase of one or more items or services. We are finalizing this safeguard because we believe it provides important protection against patient steering that could interfere with clinical decision-making and against potential anticompetitive effects.

Comment: Some commenters expressed support for the proposed prohibition on warranties conditioned on a buyer’s exclusive use of any of the manufacturer’s or supplier’s items or services. Other commenters argued that these safeguards are unnecessary and possibly contravene the intent of the proposal. For example, a commenter noted that warranties constitute a means by which sellers compete against one another by providing assurances of performance. In addition, commenters noted that providers can standardize their use of any one of a number of similar, competitive products, and that such standardization through exclusivity and minimum-purchase requirements can promote competition and lower costs without triggering any concerns regarding patient access to medically necessary items.

Response: We are finalizing the prohibition against sellers conditioning a warranty on a buyer’s exclusive use or minimum purchase of any of the seller’s items or services. Although exclusivity and minimum-purchase requirements may allow for certain efficiencies, we view exclusivity and minimum-purchase requirements tied to the offer of a warranty as potentially abusive steering practices that could result in, among other things, interference with clinical decision-making, overutilization or inappropriate utilization, or anticompetitive effects. Because warranty arrangements can be valuable tools for buyers to defray the costs associated with an item (and under the modified safe harbor, multiple items or items and services) that does not function as expected, the potential for sellers to require exclusivity and minimum-purchase requirements in exchange for a warranty may lock buyers into a particular item (and under the modified safe harbor, multiple items or items and services) and thereby could result in, for example, a buyer using a particular item in a given case that is not in the patient’s best interest.

Comment: A commenter asserted that exclusivity and minimum-purchase requirements are features that can promote competition and lower costs, as in the case of purchase discounts conditioned on the volume of products purchased. The commenter observed that a warranty might be conditioned on a minimum- or exclusive-purchase requirement, and that such requirement would not preclude a buyer from purchasing competitive products in violation of the requirement; the provider would simply lose the benefit of the warranty by doing so.

Response: Because warranties can be valuable tools for buyers to defray the costs associated with an item (or items and services) that do not function as expected, we reiterate our concerns that conditioning warranties on exclusivity or minimum-purchase requirements increases certain fraud and abuse risks, as described above, and thus we are finalizing the modifications to the safe harbor with the prohibition on conditioning warranties on such requirements.

Comment: A number of commenters urged OIG to omit or revise the prohibition against conditioning warranties on minimum-purchase or exclusivity requirements. In particular, commenters asserted that population-based warranties typically require that there be some minimum level of use of the product (and any related services) so as to make the outcomes measure statistically meaningful. For example, a manufacturer might state in a warranty, consistent with clinical studies, that use of its device will produce the warrantied outcome a given percentage of the time, but that the warranty is only available if the device has been used on a large enough number of patients (typically determined through a minimum-purchase requirement) to produce a statistically relevant outcomes measure.

Response: We agree that population-based warranties could require a certain amount of use of a product and any related services to make the outcomes measure(s) set forth in a warranty undertaking statistically meaningful. However, for the reasons set forth in this preamble, we are finalizing the same program/same payment requirement, which means that protection under the safe harbor as modified does not extend to warranties for items used across a patient population. Particularly given this limitation in the safe harbor, we do not believe conditioning warranties on exclusivity or minimum-purchase requirements is necessary for sellers to engage in beneficial warranty arrangements that promote the value of the items and services being warrantied.

Comment: A commenter urged OIG to adopt a permissive approach, which would protect warranties conditioned upon exclusive-use arrangements under the safe harbor as long as manufacturers or suppliers: (i) Have good-faith reasons for adopting exclusive-use requirements; (ii) take and document reasonable precautions to avoid stinting on care, cherry-picking, lemon-dropping, or inappropriate utilization; and (iii) otherwise ensure that neither clinical decision-making nor patient care choices are adversely impacted.

Response: We appreciate the commenter’s recommended safeguards and the commenter’s focus on reducing the fraud and abuse risks associated with exclusivity requirements. However, for the reasons articulated above, we view certain risks as an inherent part of warranties conditioned on the exclusive use of any of a seller’s products or services, and thus we are finalizing a safe harbor provision restricting warranties conditioned on exclusivity requirements.

Comment: Commenters noted that sellers of items reimbursed under Federal health care programs are not subject to any general prohibitions on imposing exclusivity or minimum-purchase requirements as a condition of making discounts available or otherwise.

Response: To the extent that the commenter refers to the discount safe harbor and the warranties safe harbor, those safe harbors were designed to protect remuneration paid under different circumstances, and therefore it is appropriate to include different safeguards in the safe harbors.

Comment: A number of commenters asserted that many of the innovative, risk-based warranty arrangements proposed by manufacturers may include equipment and consumables that must be used together, resulting in a requirement to exclusively utilize a manufacturer’s goods in order to obtain warranty protection. The proposed limitation on exclusive use could hinder these manufacturers from creating and proposing such warranty-based risk-sharing arrangements.

Response: The revised warranties safe harbor, consistent with the description in the OIG Proposed Rule, would expand the safe harbor to explicitly protect warranties in which a bundle of items or a bundle of items and services must be used together to obtain warranty protection. The exclusive-use and minimum-purchase prohibitions provide meaningful protections against inappropriate steering practices and anticompetitive effects without impacting the ability of manufacturers and suppliers to offer bundled warranties.

Comment: A commenter requested clarification on how OIG will interpret the exclusive-use limitation if, for example, a provider enters into an arrangement to purchase an “exclusive” or “preferred” product independent of any potential unrelated bundled warranty offered by the product’s manufacturer.

Response: OIG is aware that arrangements exist in which providers agree to the exclusive purchase of a particular item or designate an item as “preferred” in exchange for favorable commercial terms. The revised safe harbor is not intended to impact those arrangements. Rather, the exclusive-use and minimum-purchase provisions in the revised safe harbor prevent a manufacturer or supplier from receiving safe harbor protection for a warranty that is conditioned on the buyer’s exclusive use or minimum purchase of items or services offered by the manufacturer or supplier. We interpret the “conditioned on” standard to mean that a causal connection exists between receiving a warranty (or continuing eligibility for warranty coverage) and maintaining exclusivity or minimum-purchase levels. The safe harbor does not prohibit exclusive-use or minimum-purchase provisions that are conditioned upon commercial terms unrelated to the offer of a warranty.

e. Reporting Requirements

As discussed in the OIG Proposed Rule, industry stakeholders have expressed concern that the safe harbor’s existing reporting requirement could limit the ability of sellers to offer innovative warranty arrangements, including warranties that span multiple years. Stakeholders also have noted that the reporting requirement could make safe harbor protection unavailable for providers that lack specific reporting obligations under Federal health care programs or providers that do not file cost reports.

We are addressing these concerns in this final rule by: (i) Clarifying in the preamble discussion below that the safe harbor can be used to protect warranty arrangements that span multiple years; (ii) changing references in the safe harbor from “the price reduction” to “any price reduction” to make clear that more than one price reduction may occur pursuant to a warranty arrangement; and (iii) clarifying in this preamble that buyers are obligated to report price reductions in a manner compatible with the reimbursement methodology for the warrantied items or services, including circumstances in which a provider does not submit cost reports or a formal “claim for payment” unless the payor does not provide a reporting mechanism. Lastly, we are making a technical, non-substantive correction to paragraph 1001.952(g)(3) to remove a comma after “and” and before “when any price reduction becomes known.”

Comment: A commenter noted that many items and services are reimbursed by Medicare Advantage plans or Medicaid managed care organizations, and therefore buyers have no obligations to report price reductions in a “cost reporting mechanism” or “claim for payment,” as referenced in the warranties safe harbor. The commenter asked OIG to clarify that a buyer should only be required to report a price reduction or replacement product obtained as part of a warranty if it has an obligation to do so under applicable requirements of the Federal health care program payor making payment for the warrantied item or service to which the price reduction relates.

Response: In the preamble to the OIG Proposed Rule, we solicited comments on the burden of current reporting requirements and the need for more flexible reporting requirements for warranties tied to clinical outcomes. We emphasize that buyers, other than beneficiaries, are obligated under the safe harbor to report price reductions in a manner compatible with the reimbursement methodology for the item(s) or service(s) which, as a commenter pointed out, may not in all circumstances be reported in a “cost reporting mechanism” or a “claim for payment.” We affirm that this requirement applies to buyers even when buyers do not have an express obligation to report a price reduction or replacement product under applicable requirements of the Federal health care program payor making payment for the warrantied item or service to which the price reduction relates. In the event that a payor does not provide any mechanism for reporting of costs, such reporting is not required in order for a buyer to obtain safe harbor protection.^[135]

Comment: In light of our preamble discussion regarding the timing of reporting requirements, including the protection for outcomes-based warranty arrangements in which buyers could receive return payments from manufacturers over several years, commenters requested additional clarification with respect to reporting requirements. In particular, commenters requested clarification that multiple warranty payments related to the same item or bundle of items and services could be reported at various points throughout a warranty arrangement, and that buyers are obligated to report such payments at the time they are received. A commenter suggested that OIG revise the manufacturer reporting requirements such that price reductions must appear either on an invoice or a statement, or on a series of invoices or statements. The commenter also suggested revising paragraph 1001.952(g)(3)(ii) such that the manufacturer is obligated to provide the buyer with documentation of the price reduction calculation in the same fiscal year as the purchase or the following fiscal year.

Response: We agree with the commenters that, under the warranties safe harbor, buyers can report multiple warranty payments related to the same item or bundle of items and services at various points throughout a warranty arrangement. Paragraph 1001.952(g)(1) already requires buyers to report “any price reduction” obtained as part of the warranty. We are finalizing corresponding revisions to paragraph 1001.952(g)(3) to change all references to “the price reduction” to “any price reduction” to make clear that more than one price reduction may occur pursuant to a warranty arrangement. With respect to the commenter’s suggestion to allow sellers to report price reductions on a series of invoices or statements, we believe this expansion of the safe harbor is unnecessary because sellers must either: (i) Report price reductions on the initial invoice or statement the manufacturer sends to the buyer; or (ii) when the amount of any price reduction is not known at the time of sale, report the existence of the warranty on the invoice or statement, and later provide the buyer with documentation of the calculation of any price reduction resulting from the warranty. Therefore, sellers must provide information regarding all price reductions to the buyer regardless of whether sellers report them on an invoice or statement or otherwise. Lastly, the modifications to the warranties safe harbor set forth in this final rule do not include a requirement for the seller to provide the buyer with documentation of the price reduction calculation in the same or following fiscal year of the buyer. We expect buyers and sellers to fulfill their reporting obligations under paragraphs 1001.952(g)(1) and 1001.952(g)(3) in a timely manner but are not otherwise prescribing a timeline for doing so.

Comment: A commenter requested clarification that buyers are entitled to use any reasonable methodology for purposes of allocating a rebate that does not relate to a specific item or service across all bundled items and services to which the warranty rebate relates.

Response: We understand that, in some circumstances, remuneration paid pursuant to a bundled warranty will be related to more than one item or service that fails to meet the specifications set forth in the warranty undertaking. The safe harbor does not set forth a specific methodology to allocate reporting across multiple items or a combination of items and services. OIG believes that in most cases a warranty remedy paid pursuant to a bundled warranty should be reported proportionately to the cost of each bundled item or service, but we wish to provide flexibility for buyers to adopt different but reasonable allocation methodologies in circumstances in which, for example, the failure of the bundle to meet the agreed specifications results disproportionately from the failure of a particular item or service.

Comment: A commenter supported the proposal to expressly exclude beneficiaries from the reporting requirements applicable to other buyers.

Response: We appreciate the commenter’s support, and we are finalizing revisions to the warranties safe harbor to exempt beneficiaries from the reporting requirement for buyers.

Comment: A commenter noted that a cost reduction under a warranty might be received long after the warrantied item has been purchased by a provider, particularly when the clinical outcome from the use of the item may be measured several years after the initial purchase of the item. Accordingly, the commenter recommended that OIG specifically provide for safe harbor purposes that such a rebate must be reported only after it is received.

Response: We agree that the reporting requirement is not triggered until remuneration is received under the warranty arrangement. We also recognize that the failure of an item or service to meet specifications might not occur until a period of years after purchase.

f. Definition of “Warranty”

We proposed and are finalizing at paragraph 1001.952(g)(7) to define “warranty” directly and not by reference to 15 U.S.C. 2301(6). By defining “warranty” directly, we clarify that the warranties safe harbor is available for drugs and devices regulated under the Federal Food, Drug, and Cosmetic Act, whereas the definition set forth in 15 U.S.C. 2301(6) potentially excludes FDA-regulated drugs and devices. The safe harbor protects not only warranties covering a “product” but warranties covering an item or bundle of items, or services in combination with one or more related items. Finally, the new definition parallels the prior definition’s language requiring a written promise that an item, bundle of items, or bundle of items and services is defect-free or will meet a specified level of performance over a specified period of time.

As we explained in the OIG Proposed Rule, we interpret the definition of “warranty” to apply to warranty arrangements conditioned on clinical outcomes guarantees, provided other safe harbor requirements are met.

Comment: Commenters expressed support for the proposed revisions to the warranties safe harbor, including adopting a new definition of the term “warranty.” Several commenters offered proposed revisions to the types of remuneration articulated in proposed paragraph 1001.952(g)(7)(ii). In particular, commenters urged OIG to confirm that a partial refund or retrospective rebate resulting in a price adjustment would constitute a “refund” or “other remedial action,” as those terms are used in paragraph 1001.952(g)(7)(ii).

Response: As explained in the preamble to the OIG Proposed Rule, OIG’s proposed definition is largely modeled after the definition of “warranty” in the Magnuson-Moss Act, codified at 15 U.S.C. 2301(6), which defines “refund” as refunding the actual purchase price (less reasonable depreciation based on actual use where permitted by rules of the Commission). Although we have not explicitly adopted this definition, it provides persuasive guidance as to how we would interpret the term “refund.”

Regardless of how “refund” is defined, our proposed safe harbor contemplates that manufacturers or suppliers may “take other remedial action” if an item fails to meet the specifications set forth in the written arrangement. It is conceivable that a partial refund or retrospective rebate resulting in a price adjustment would constitute “other remedial action” as long as all other conditions of the safe harbor were met.

Comment: Several commenters recommended that OIG expand the list of permissible types of remuneration in paragraph 1001.952(g)(7)(ii) to allow for “reperformance of services.”

Response: Our definition of “warranty” includes an arrangement “to refund, repair, replace, or take other remedial action. . . .” If a warranty arrangement is connected to the sale of a bundle of items and services, “reperformance of services” likely would be an “other remedial action” under the safe harbor as long as all other safe harbor conditions were satisfied, including that the total remuneration provided (in whatever form) cannot exceed the cost of the items and services subject to the bundled warranty arrangement.

Comment: A commenter recommended that in addition to protecting warranty arrangements that provide remuneration in the event of product failure, the safe harbor should allow vendors to receive success payments in the event legitimate value-based objectives are achieved.

Response: The warranties safe harbor is designed to protect warranty arrangements in which vendors offer remuneration to their customers in the event one or more items, or a bundle of one or more items and related services, fails to meet a specified level of performance. The safe harbor does not by its terms protect arrangements in which customers pay success fees to vendors contingent upon achieving certain outcomes. Depending on how such an arrangement is structured, remuneration paid by a customer to a vendor might not implicate the anti-kickback statute, or it might fall within a different safe harbor, such as the revised safe harbor for personal services and management contracts and outcomes-based payment arrangements. Any such arrangements should be reviewed and analyzed under the anti-kickback statute on a case-by-case basis.

Comment: A commenter urged OIG to provide examples of the types of clinical outcomes guarantees that could be protected under the warranties safe harbor. Another commenter expressed concern regarding whether outcomes can properly be guaranteed by suppliers or manufacturers of warrantied items.

Response: As noted above, we believe the expanded warranties safe harbor could be used to protect a wide range of warranty arrangements including, as we discussed in the preamble to the OIG Proposed Rule, warranty arrangements conditioned on clinical outcomes guarantees. In this final rule, we decline to provide specific examples of the types of clinical outcomes guarantees that might be protected because we do not wish to narrow the scope of innovative arrangements that might seek coverage under the safe harbor.

Comment: A commenter asked OIG to clarify that the warranties safe harbor would protect an arrangement in which a warranty payment could vary depending on the product’s performance on one or more dimensions specified in the warranty arrangement, as opposed to the warranty payment being a fixed amount.

Response: The warranties safe harbor—both in its existing form and as modified by this final rule—is silent on whether a warranty arrangement protected under the safe harbor can have a single triggering condition or multiple triggering conditions in order to qualify for safe harbor protection. We believe, however, that a warranty arrangement could have multiple triggering conditions based on specifications set forth in the warranty undertaking. In such an arrangement, the seller must still comply with paragraph 1001.952(g)(4) in determining the maximum amount of remuneration it could offer for any given item, bundle of items, or bundle of items or services.

Comment: Some commenters encouraged OIG to make clear that a “buyer” as referenced in the safe harbor includes an indirect buyer such as a payor or pharmacy benefit manager. Another commenter asked OIG to coordinate with CMS to recognize that reimbursement for or replenishment of items and services, pursuant to a warranty arrangement, is excludable from price reporting under CMS’s government pricing regulations and guidance, including determining how warranty arrangements involving pharmaceutical products and manufacturer-supported adherence programs impact CMS’s determination of best price.

Response: The warranties safe harbor does not contain a definition of the term “buyer,” and the modifications to the safe harbor that we are finalizing do not affect the scope of individuals and entities that may receive protection under the safe harbor as buyers. Consistent with our approach elsewhere in this final rule, we decline to label certain individuals or entities as “buyers” in order to encourage innovation. The commenter’s request regarding price reporting under CMS pricing regulations and guidance is outside the scope of this rulemaking.

Comment: A commenter expressed concern that the safe harbor’s definition of warranty is not sufficiently broad to protect warranties that guarantee achievement of value-based outcomes.

Response: As modified, the safe harbor protects arrangements that guarantee “a specified level of performance” of an item, a bundle of items, or a bundle of items and services. We clarified in the preamble to the OIG Proposed Rule that the warranties safe harbor’s protection could extend to arrangements conditioned on clinical outcomes guarantees, which could include warranties conditioned upon “value-based” outcomes that meet the safe harbor’s other requirements. We believe this offers buyers and sellers significant flexibility to structure arrangements that guarantee achievement of value-based objectives in the context of a warranty. The advisory opinion process remains available for parties seeking OIG’s legal opinion on a specific arrangement.

12. Local Transportation (42 CFR 1001.952(bb))

Summary of OIG Proposed Rule: We proposed to modify the existing safe harbor for local transportation at paragraph 1001.952(bb) to: (i) Expand the distance limitations applicable to residents of rural areas from 50 to 75 miles (including for shuttle services); and (ii) remove any mileage limitation for a patient transported from an inpatient facility from which the patient has been discharged after admission as an inpatient to the patient’s residence or another residence of the patient’s choice. We indicated that we were considering and solicited comments on whether to eliminate the mileage limitation for patients discharged from certain settings and to extend the safe harbor to protect transportation for nonmedical purposes that may improve or maintain patient health. We provided preamble guidance to clarify that we believe nothing in the language of the safe harbor precludes protection for transportation offered through ride-sharing services and invited commenters to share any basis for disagreement. We also proposed a technical change to move undesignated definitions set forth in the note to paragraph 1001.952(bb) to a new paragraph 1001.952(bb)(3).

Summary of Final Rule: We are finalizing the proposed modifications to the safe harbor at paragraph 1001.952(bb), with modifications. With respect to transportation following an inpatient admission, we clarify that the mileage limits do not apply when the patient is discharged from an inpatient facility following inpatient admission or released from a hospital after being placed in observation status for at least 24 hours. We retain our guidance regarding rideshare programs and do not extend protection under the safe harbor to transportation for non-medical purposes. We finalize the technical reorganization.

a. Expansion of Mileage Limit for Patients Residing in Rural Areas

Comment: Many commenters supported our proposal to increase the mileage limit for safe harbor protection of transportation of residents of rural areas to 75 miles. One such commenter explained that an expansion to 75 miles would meaningfully “capture” the communities and patients it serves and enable those patients who live farther away to access specialty services such as cancer care, neurology, transplant, and other specialties that are typically concentrated in larger hospitals located in urban areas. Another commenter stated that because many rural residents must travel more than 50 miles to obtain medically necessary services, increasing the limit to 75 miles likely would improve access to health care for many rural residents.

However, not all commenters agreed. A commenter explained that rural areas are increasingly reporting shutdowns of local health care providers, which increases the distance traveled to receive necessary care. The commenter pointed to examples of closings of nursing homes resulting in patients being moved farther away. The commenter explained that a mileage limitation of 75 miles in rural areas would be insufficient because it is not uncommon for skilled nursing facilities and assisted living facilities to be located 150 miles or more from hospitals, physician’s offices, outpatient facilities, and other clinical locations. The commenter advocated for OIG to expand the mileage limitation to 150 miles in rural areas; alternatively, the commenter suggested that OIG expand to 75 miles for all patients and 150 miles for transports originating in a rural area as defined under the U.S. Census Bureau’s classification guidelines.

Response: We are finalizing the proposed expansion to 75 miles for residents of rural areas. In the OIG Proposed Rule, we explained that commenters to the OIG RFI stated that the existing local transportation safe harbor’s 50-mile limit for rural areas was insufficient because many residents of rural areas needed to travel more than 50 miles to obtain medically necessary services. We proposed to increase the mileage limit for rural areas to 75 miles and solicited comments on whether this increase would be sufficient. We further solicited data and evidence about appropriate distances, as well as information about patients needing transportation and how longer distance transportation would be provided. We indicated that we would use the information to assist us in determining whether an increased distance limit is necessary and practical and whether it is likely to be subject to abuse.

For the following reasons, we have determined that an increase to 75 miles is necessary and practical, and we are finalizing the 75-mile limit. In combination with all of the conditions of the safe harbor, we conclude that the increased mileage limit is not likely to be subject to abuse. Commenters on this topic universally supported an expanded mileage limit for rural areas, and many supported our specific proposal of 75 miles. The final safe harbor will expand safe harbor protection and facilitate access to health care for residents of rural areas, including those seeking types of specialty care often concentrated in urban areas. The expanded mileage limit facilitates access to care for rural area patients whose travel distances have increased due to provider closings.

The existing safe harbor contains a single, uniform mileage limit for rural areas, offering a bright line standard that is practical and clear to administer from a compliance perspective. Our final rule preserves this structure. Accordingly, we are not adopting the suggestion to create a longer distance standard applicable only to transports originating in rural areas. Nor are we adopting the suggestion to extend the mileage limit for rural areas to 150 miles. The safe harbor is intended for local transportation and this limit to local transportation is rooted in the legislative history in connection with the Beneficiary Inducements CMP. In enacting the CMP provision prohibiting inducements to Federal and state health care program beneficiaries, Congress intended that the statute not preclude the provision of complimentary local transportation of nominal value.^[136] We are concerned that 150 miles would be neither local nor appropriately address risks of abuse, such as inducing beneficiaries to travel long distances for care when they might prefer and be able to obtain comparable care more locally.

We are mindful of the disruptions and burdens on patients in rural areas when local providers close and patients are transferred or must seek care at more distant locations. The news reports cited by the commenter describe some patients being transferred from closed nursing facilities between 50 and 75 miles away and others moving longer distances. We believe the expanded limit we are finalizing should help many patients facing longer travel distances. We recognize that the safe harbor will not protect every instance of needed transportation. This does not mean that programs offering transportation for rural area patients at greater distances are unlawful. To the contrary, such programs may be lawful depending on their facts and circumstances and would need to be evaluated on a case-by-case basis under the statute, including with respect to the intent of the parties. We remind stakeholders that the OIG advisory opinion process remains available for parties seeking to determine whether a particular arrangement complies with the law. We note that our further modification of the safe harbor to eliminate any distance limit for beneficiaries needing transportation from hospital inpatient or observation stay services to their residences, which can include nursing facilities, will also assist residents in rural areas facing longer travel distances to obtain health care.

Comment: While some commenters found the increase of the limit for transportation of residents of rural communities to 75 miles to be sufficient to address patient needs, many commenters advocated for OIG to expand the mileage limit further for certain categories of patients, such as those patients who live in areas without public transportation, those who have no health care facilities within 75 miles of their home, or those who lack access to specialty health care services due to the closures of nearby rural hospitals. For example, a transportation company shared OIG’s desire to expand transportation access in rural areas and explained that 20 percent of Americans live in rural areas but that rural hospital closures have increased significantly in recent years. The commenter suggested that OIG remove the distance limit so that it could provide transportation for rural patients who now have to travel longer distances to receive care. According to the commenter, rural communities face limited transportation options, and reliable transportation could effectively close gaps in access to care.

Commenters suggested various options that generally would tie protection for transportation beyond 75 miles to a patient’s medical need. For example, a commenter recommended that we protect transportation that is greater than 75 miles if the eligible entity determines that a patient requires a medical procedure and the nearest provider of such procedure is more than 75 miles from the patient’s residence. At least one commenter suggested that we impose additional monitoring requirements when transportation in excess of the proposed mileage limit is necessary.

Another commenter suggested protection for transportation exceeding 75 miles when the provider certifies in writing that there is no alternative provider available within 75 miles of the patient’s home and that the transportation is furnished based on patient need using a good faith, individualized determination that the transport is necessary to facilitate the patient’s access to medically necessary items or services. However, some commenters expressed concern that requiring a demonstration of need for transportation exceeding 75 miles would unnecessarily complicate the provision of transportation services, could lead to administrative burden, and would not further the objectives of the safe harbor. At least one of these commenters suggested that, if it does impose such a condition, OIG should recognize a range of need assessment tools.

Another commenter suggested that OIG should expand the mileage limitation beyond 75 miles for “frontier areas” (which the commenter recommended that we define using selected levels from either commuting codes or frontier and remote codes), but it recommended that we include safeguards to prohibit bypassing locally available health care. At least one commenter asserted that no demonstration of financial, medical, or transportation need should be required for transportation above the current limits because the requirement for transportation to be for medically necessary items or services serves as sufficient protection.

Response: For the reasons in the prior response, we are finalizing our proposal to increase the rural area mileage limit from 50 miles to 75 miles but are not extending it farther. For the reasons that follow, we are not adopting the suggestions to expand safe harbor protection for distances beyond 75 miles in the specific circumstances suggested by commenters (e.g., instances where eligible entities determine or certify that there is a medical need, areas lacking public transportation or access to specialty health care services, or areas where rural hospitals have closed).

We are maintaining the current safe harbor design of a single, uniform mileage limit for rural areas, which offers bright-line guidance and reduces administrative burden, including the administrative burden associated with the need to obtain certifications and/or other evidence of need determinations. We acknowledge and agree with commenters’ concerns that imposing a patient need standard for exceptions to the general mileage limitations in the safe harbor could be administratively burdensome, and we are not adopting a patient need standard as a condition of the safe harbor. In the 2016 rule finalizing the local transportation safe harbor, we stated that while we understand that a set mileage limit is not a one-size-fits-all solution, we believe that a bright-line rule is easier for all parties to apply.^[137] This remains true. Specifically, the expansion of the mileage limitation combined with the bright-line rule should benefit many patients in rural and underserved areas and should be easy for eligible entities to apply in practice.

Furthermore, if we were to expand the mileage limit for specific types of patient need, we are concerned that providers could develop arbitrary criteria that do not reflect legitimate need and are subject to abuse. We are also concerned that, in many instances, exceptions could swallow the mileage-limitation rule, which we view as a fundamental safeguard and consistent with the safe harbor’s intended focus on local transportation.^[138] On balance, including additional monitoring or certification conditions would not mitigate these concerns sufficiently to warrant the extra administrative burden.

In finalizing this proposal, we aim to balance the needs of rural patients to have access to quality health care with our concerns that patients could be transported for unnecessary care or be swayed to use a more distant provider even when they may prefer to receive items or services from a local provider. Transportation arrangements in rural areas or to address specific fact patterns such as hospital closures, lack of public transportation, or access to specialty health care services are not necessarily unlawful and would be evaluated for compliance with the statute on a case-by-case basis, including with respect to the intent of the parties. Individuals and entities that participate in value-based enterprises as VBE participants may look to the patient engagement and support safe harbor paragraph 1001.952(hh) as an additional or alternative avenue of protection for certain transportation services. Parties may also use OIG’s advisory opinion process for specific facts and circumstances that may fall outside safe harbor protection.

Comment: Some commenters requested wholesale exemption from any mileage limitations under the safe harbor. Several commenters representing Indian health care providers asked that the safe harbor not include any mileage limitations for transportation provided by Indian health care providers; in addition, some of these commenters advocated removing any restrictions regarding the use of Federal funds by Indian health care providers for the cost of transportation furnished to their beneficiaries. Some of these commenters recommended that OIG expand the safe harbor to protect free emergency transportation and air transportation for patients of Indian health care providers.

A commenter that represents community health centers recommended that OIG exempt certain health centers from the mileage limits because Federal regulations issued by the Health Resources and Services Administration require certain health centers to provide transportation services as needed for adequate patient care.^[139]

Another commenter suggested that OIG expand the safe harbor for transportation for homeless individuals in a manner that aligns with California Health and Safety Code section 1265.2(o), which requires documentation that a hospital prior to discharge of a homeless patient has offered the homeless patient transportation to a specified destination if that destination is within a maximum travel time of 30 minutes or a maximum travel distance of 30 miles of the hospital. Numerous commenters suggested that OIG expand the mileage limit for “special patient populations,” such as patients undergoing cancer or behavioral health treatment or receiving dialysis services, regardless of whether such patients reside in a rural or urban area. According to these commenters, these special patient populations often need transportation services to care facilities over much greater distances than 25 or 75 miles in order to access quality care to treat their medical conditions. At least one such commenter recommended that OIG require providers to use “reasonable measures” (e.g., a shortage of appropriate medical facilities or health care professionals in a geographic area) that would be evaluated based on the totality of the circumstances for each individual.

Response: In developing this final rule, we considered the comments offered by entities that provide services for communities with unique health care needs. The commenters raise important considerations about access to care for Tribal, rural, and underserved communities, an area of ongoing interest for OIG in our work to look at the effectiveness of HHS programs. Here, however, we have concerns regarding the fairness of eliminating the mileage limitation for populations of patients with specific health conditions while imposing mileage restrictions on patients with other health conditions. It would also be difficult to craft a fair and sufficiently bright-line rule allowing for exceptions to the mileage limitation based on “reasonable measures” evaluated on a case-by-case basis. Furthermore, any such exception would be difficult to administer.

We note that lack of access to care in a particular geographic area could be a relevant factor in determining on a case-by-case basis whether a particular local transportation arrangement involves an improper inducement to a beneficiary under the Federal anti-kickback statute or Beneficiary Inducements CMP. Depending on the specific facts and circumstances of the arrangement, arrangements could comply with the statutes even if they do not fit in the safe harbor. OIG’s advisory opinion process is better suited than the local transportation safe harbor to evaluate arrangements on a case-by-case basis.^[140] Moreover, depending on the specific facts of the arrangement, transportation furnished by a VBE participant to patient populations including those identified by the comments summarized above could be structured to qualify for protection under the patient engagement and support safe harbor paragraph 1001.952(hh) that we are finalizing in this rule.

In response to commenters that requested OIG remove any restrictions regarding the use of Federal funds for the cost of transportation furnished to their patients, we did not propose to modify the existing prohibitions on shifting the cost of protected transportation to any Federal health care program, other payors, or individuals, and we are not finalizing any such changes here. The existing prohibition serves important program integrity purposes, as described in the 2016 final rule.^[141] In addition, we recognize that other statutes or regulations may govern an entity’s provision of transportation to patients and may impact the ability of an entity to structure an arrangement that squarely satisfies the conditions of the local transportation safe harbor.

Where parties are required by Federal or State law to provide transportation services to certain patients or to provide transportation services as part of a service covered by a Federal health care program or other Department program, those arrangements might not implicate the Federal anti-kickback statute. If the patient is entitled to receive services under their Federal health care program coverage, the parties should assess whether there is any remuneration passing to the patient; providing a covered item or service paid for by a Federal health care program alone would not result in an exchange of any remuneration under the Federal anti-kickback statute. However, there could be circumstances under which a provider or supplier, when furnishing a covered item or service, does give a Federal health care program beneficiary something of value, or remuneration, thereby implicating the Federal anti-kickback statute. For example, the Federal anti-kickback statute would be implicated by a provider waiving or reducing any required cost-sharing obligations for the covered item or service incurred by a Federal health care program beneficiary or providing “extra” items and services for free that are not part of the covered item or service. Furthermore, we remind stakeholders that an arrangement that does not satisfy all conditions of the local transportation safe harbor does not necessarily violate the Federal anti-kickback statute. The advisory opinion process remains available to stakeholders seeking prospective protection for transportation arrangements that do not fit within the four corners of the safe harbor.

As an initial matter, we note that this safe harbor, as finalized, does not modify existing Federal law regarding IHS appropriations for transportation services furnished to its beneficiaries. While some commenters sought safe harbor protection for air transportation furnished to certain populations, we note that we exclude protection for free or discounted air transportation under the existing local transportation safe harbor and we did not propose changes to this provision. Although we are not adopting this suggestion, we are promulgating clear mileage limits to provide additional flexibilities to stakeholders to benefit all patients, including patients served by Indian health care providers and community health centers. With respect to the comment requesting protection for free emergency transportation, we did not propose changing the safe harbor’s restriction on ambulance-level transportation and are not making this change. To the extent free emergency transportation means waiving beneficiary cost-sharing—cost-sharing waivers based on good faith—individualized determinations of the beneficiary’s financial need have long been acceptable under OIG guidance.

Comment: A commenter asked OIG to consider protecting transportation to an alternative health care provider without a mileage limitation in the event that one of a provider’s locations must divert scheduled patients with urgent needs due to a disaster or similar emergency circumstances.

Response: We are not adopting this recommendation to remove the mileage limitation for the reasons noted above with respect to other commenter suggestions for specific exceptions to the mileage limit based on various types of need. OIG is mindful of the need to protect patients whose availability of care is impacted by natural disasters, public health emergencies, and other exigent circumstances. For example, in response to the COVID-19 public health emergency, OIG has publicly answered inquiries from the health care community regarding the application of OIG’s administrative enforcement authorities under the Federal anti-kickback statute and the Beneficiary Inducements CMP, including to transportation arrangements.^[142] It is important to note that the presence of exigent circumstances can be a relevant factor in determining whether the Federal anti-kickback statute would be implicated or violated by a particular transportation arrangement.

Comment: Numerous commenters encouraged OIG to expand the mileage limitation for transportation furnished to patients that reside in urban areas, as defined by the existing safe harbor. A commenter asserted that many Metropolitan Statistical Areas extend beyond 25 miles, and some health care providers in those communities have developed evidenced-based clinical quality intervention strategies for high-risk patients that rely on free patient transportation. At least one commenter suggested that providing urban patients with safe, reliable transportation over a distance greater than 25 miles is a low-cost, high-value way to ensure access to care, and advocated for OIG to expand the mileage limit for urban areas from 25 miles to at least 50 miles. Another commenter urged OIG to add flexibility in instances when the nonrural patient demonstrates a financial, medical, or transportation need.

Response: We did not propose to expand the mileage limits for protected transportation furnished to patients residing in urban areas and, therefore, we are not finalizing any such expansion here.

b. Elimination of Distance Limitations on Transportation of Discharged Patients to Their Residence

Comment: Many commenters strongly supported OIG’s proposal to eliminate any distance limit on transportation furnished to a patient who has been discharged from a facility after admission as an inpatient, regardless of whether the patient resides in an urban or rural area, if the transportation is to the patient’s residence or another residence of the patient’s choice. Numerous commenters recommended that OIG clarify in the final rule that a “residence” includes custodial care facilities, including but not limited to nursing facilities, which can serve as a patient’s residence on a permanent basis. Another commenter asked OIG to confirm that a patient’s residence may include a homeless shelter.

Response: We confirm that we intend for the term “residence” as used in paragraph 1001.952(bb)(1)(iv)(B) to include custodial care facilities that may serve as a patient’s permanent or long-term residence provided that the patient established the custodial care facility as a residence before receiving treatment by the facility from where the patient is being transported. In addition, we intend the term “residence” to include a homeless shelter when a patient is homeless or established the homeless shelter as a residence prior to hospital admission. While not raised by commenters, we also affirm our statement in the OIG Proposed Rule that a residence of the patient’s choice can include the residence of a friend or relative who is caring for the patient post-discharge.^[143] As long as the other requirements of this safe harbor are met, transportation to these locations would be protected. We also confirm our intention, as noted in the OIG Proposed Rule’s preamble and raised in the comment above, that this post-discharge analysis is not dependent on whether the patient resides in a rural or urban setting.^[144]

c. Transportation to Locations Other Than a Patient’s Residence or a Residence of the Patient’s Choice

Comment: Many commenters, including multiple associations representing health care providers, advocated for OIG to modify the safe harbor to protect transportation to any location of the patient’s choice, including to another health care facility when there is a medical need for the transfer. Commenters provided various examples of instances when they believe hospitals, other providers, and patients could benefit when patients are transferred to other facilities. For example, some commenters explained that individuals seen in the emergency room may require transportation to another health care facility, while a trade association representing hospitals stated that a patient’s medical needs may require being discharged from an inpatient facility directly to post-acute care.

Another commenter expressed concern that, without the ability to provide transportation to another health care facility, skilled nursing facilities may be limited in their ability to transport discharged patients to a hospital, to a hospice, or to other long-term care facilities. Another commenter added that SNF patients often require transportation services following discharge to accommodate any mobility limitations.

Response: After considering the comments, we are not extending safe harbor protection to transportation of patients to any location of their choice or another provider or facility. In developing this final rule, we reviewed and weighed the examples provided by commenters of situations when they believed it would be beneficial for a patient to be transported to another provider following discharge as an inpatient from a facility. We agree that the examples described by the commenters could benefit patients in many circumstances. However, we believe that protecting transportation between health care providers in a position to refer to each other is not sufficiently low risk to warrant safe harbor protection because of the risk that such transportation arrangements could be used to steer patients to health care facilities that may not be in the patients’ best interests; for instance, the entity sponsoring the transportation might limit transportation improperly to affiliated facilities to generate system revenue and as a result may interfere with patient choice. Arrangements that do not fit in the safe harbor are not necessarily prohibited under the anti-kickback statute. Under the final rule, patients discharged from inpatient facilities may be offered transportation to a nursing facility if it is their residence.

In this final rule, OIG is finalizing a new safe harbor at paragraph 1001.952(hh) that may protect certain patient engagement tools and supports including transportation when the offeror of the transportation is a VBE participant. As long as all of the safe harbor’s conditions are satisfied, the safe harbor at paragraph 1001.952(hh) could protect transportation of patients from an inpatient hospital to another health care facility for post-acute care treatment.

In addition, we emphasize that safe harbors are voluntary and that any assessment of liability under the Federal anti-kickback statute requires an analysis of the facts and circumstances specific to the arrangement, including the intent of the parties. For arrangements that do not meet all requirements of the safe harbor, the party could seek an advisory opinion.

d. Elimination of Distance Limitations for Patients Other Than Those Discharged After an Inpatient Admission

Comment: Numerous commenters requested that OIG expand the proposed exemption from distance limitations beyond discharged hospital inpatients to include patients treated in a hospital outpatient department, ambulatory surgery center, or hospital emergency room, as well as patients held in observation status at the hospital for a substantial period of time but who are not admitted. For example, a trade association representing hospitals asserted that patients may travel a significant distance to obtain treatment that does not require an admission, and the commenter believed that transportation home for these patients without a limitation on distance would be appropriate. The commenter suggested that OIG could provide parameters for protected transportation so that it is not used as a workaround to the mileage limitations that otherwise serve as a condition of the safe harbor. To this point, a commenter suggested that an appropriate safeguard to limit potential fraud concerns would be to require a medical justification to receive transportation home for reasons other than an inpatient discharge (e.g., after a colonoscopy or after receiving stitches, a licensed medical professional could determine that a patient is unable to travel home safely).

Response: As finalized in this rule, the mileage limitation of this safe harbor does not apply in two circumstances. First, we confirm our intention, as noted in the OIG Proposed Rule’s preamble, that the elimination of the mileage limitation applies after admission as an inpatient. Second, we are persuaded by commenters that we should expand the safe harbor by removing the mileage limitation when a patient is discharged after spending 24 hours in observation status. We indicated in the OIG Proposed Rule that we were considering including transportation for patients who have been under observation status for a timeframe of at least 24 hours. We are including this provision in the final rule because we believe that transportation home following an extended stay in observation status at a hospital is sufficiently similar to transportation home following an inpatient discharge and to prevent any safe harbor compliance challenges resulting from a patient’s status as an inpatient or outpatient in the hospital.

We also solicited comments regarding transportation home for patients seen in the emergency department or following a procedure at an ambulatory surgery center. We are mindful that available transportation home for these patients could help address a legitimate need. However, we are not removing the mileage limitation for other patients categorized as outpatients, including patients who are seen in the emergency room but not under observation for at least 24 hours, or patients discharged from an ambulatory surgical center. It is not clear that we could define acceptable medical justifications or make distinctions about categories in this safe harbor. Moreover, creating an exception to the mileage limitations in the safe harbor for local transportation for these categories of patients would make the exception so expansive and overly broad so as to limit the utility of the mileage limitations as safeguards against potentially abusive arrangements. The OIG advisory opinion process remains available for particular transportation programs not covered by this safe harbor.

In promulgating this safe harbor, we observed that Congress did not intend to preclude the provision of local transportation of nominal value in the context of beneficiary inducements. Although the Federal anti-kickback statute has no such exception for remuneration of nominal value, we stated that protection of complimentary local transportation that met certain requirements that limit the risk of fraud and abuse was warranted.^[145] We believe that transportation home following inpatient discharge or a stay in observation status at a hospital for at least 24 hours poses a sufficiently low risk of inducing patient referrals to the hospital, provided all safe harbor conditions are met.

e. Local Transportation for Health-Related, Nonmedical Purpose

Comment: Commenters generally supported extending protection under this safe harbor to transportation furnished for nonmedical purposes. For example, some commenters, including trade associations whose members are hospitals or nurse practitioners, encouraged OIG to protect transportation to obtain services that address social determinants of health (e.g., nutrition counseling, chronic disease counseling services, housing services), even if those services do not constitute medical care. The commenters posited that these services have a direct effect on a patient’s health outcomes and well-being and are critical to achieving effective care transitions and improved outcomes, including reduced readmissions. One such commenter asked OIG to support hospitals’ efforts to connect patients to nonmedical care and foster innovative community collaboration.

Another commenter advocated for protection of transportation to access nutritious foods, suggesting that patients living in a “food desert” may have difficulties obtaining such foods, which the commenter asserted could potentially lead to increased health care costs later if the patients develop nutritional issues that require medical attention. A commenter also suggested that transportation to food stores, food banks, other non-health care social services (e.g., housing assistance), or agencies that offer employment or vocational training would be appropriate for safe harbor protection. A commenter asked OIG to clarify the types of non-medical purposes that OIG believes should not be protected by any expansion of the safe harbor.

Some commenters suggested potential safeguards for expanded safe harbor protection for transportation for non-medical purposes. Recognizing the need to minimize the risk of fraud and abuse that may arise in conjunction with non-medical transportation, such as inducing beneficiaries to receive unnecessary health care items and services, these commenters suggested a variety of safeguards such as: (i) Imposing restrictions on an entity’s ability to condition receipt of non-medical transportation support on continued receipt of health care services from a particular provider; (ii) requiring the entity to utilize an independent transportation vendor to arrange for transportation; (iii) requiring the entity to tie any transportation service to a specific quality improvement, social determinant of health, or public health initiative; (iv) requiring that the transportation is unlikely to interfere with, or skew, clinical decision-making; and (v) requiring providers to document the patient’s need for such non-medical transportation (e.g., patient’s income, medical condition).

Another commenter suggested the existing conditions of the safe harbor, combined with an appropriately tailored scope of nonmedical transportation purposes (e.g., a direct connection to the coordination and management of care), would be a sufficient safeguard against abusive transportation initiatives.

Response: We are not expanding the local transportation safe harbor to protect patient transportation for nonmedical purposes. In response to the OIG RFI, we received comments suggesting that transportation for nonmedical purposes may improve patient health, and we solicited comments on whether the safe harbor could be expanded to protect transportation for these purposes without creating an unacceptable risk of fraud and abuse, such as inducing beneficiaries to receive unnecessary health care items and services. Some commenters suggested potential safeguards (e.g., requiring the entity to tie any transportation service to a specific quality improvement, social determinant of health, or public health initiative). While we do not doubt that properly structured transportation for non-medical needs can help patients maintain or improve their health, we believe that protecting transportation for non-medical purposes under paragraph 1001.952(hh), which limits protection of transportation to tools and supports furnished by VBE participants, rather than under the safe harbor for local transportation, presents the lowest risk approach to protecting patients and Federal health care programs from fraudulent and abusive transportation schemes.

We continue to believe that the risk of beneficiaries being improperly induced to obtain items or services is too high for safe harbor protection when the transportation is for non-medical purposes. As we explained in the 2016 final rule establishing the local transportation safe harbor, a transportation program offered by a provider or supplier inherently poses a risk both of inducing patients to get items or services that they might otherwise not have obtained and to get services from that provider or supplier. In the case of transportation for medically necessary items and services, we think that risk is acceptable. However, we believe the risk is too high when the transportation is for non-health-related purposes.^[146] We noted that it would be difficult to determine whether non-medical transportation is related to the patient’s health care (e.g., transportation to a shopping center that includes both a grocery store and a movie theater). We went on to say that transportation for nonmedical purposes very well might be more frequent than transportation for medical appointments, which would give larger providers a significant competitive advantage over smaller entities or individual suppliers.^[147] We explained that transportation for nonmedical purposes would not violate the statute if it is not for the purpose of inducing individuals to obtain federally reimbursable items and services.

Notwithstanding the foregoing, we are mindful of the importance of addressing social determinants of health, and for this reason among others we are finalizing a new safe harbor at paragraph 1001.952(hh) that protects nonmedical transportation offered by VBE participants if such transportation has a direct connection to the coordination and management of care of the target patient population and meets the other conditions of the safe harbor. In promulgating paragraph 1001.952(hh), we recognize that transportation to address social determinants of health could improve patients’ overall health and reduce health care costs. However, without the safeguards embedded within the VBE framework, including accountability for advancing value-based purposes, we are concerned that transportation for non-medical purposes could be used improperly to recruit patients or incentivize overutilization of items or services; therefore, OIG is not extending the local transportation safe harbor to include transportation for nonmedical purposes.

f. Use of Ride-Sharing Services

Comment: Commenters supported OIG’s clarification in the OIG Proposed Rule that transportation furnished through ride-sharing services could be protected by the safe harbor and that, for purposes of this safe harbor, there is no difference between taxis and ride-sharing services. A commenter emphasized the importance of these services with respect to patients with driving restrictions, cognitive impairments, and mobility limitations. While some commenters did not believe a change to the regulatory text was needed, at least one commenter recommended that we amend the safe harbor to protect transportation via ride-sharing services explicitly; according to this commenter, the safe harbor is ambiguous with respect to ride-sharing services, which discourages some providers from entering into arrangements with ride-sharing services.

A commenter recommended that OIG clarify whether a ride-share service can advertise a partnership with a hospital or health system to promote patient awareness and utilization of such services. Another commenter urged OIG not to make providers responsible for knowing or controlling the advertising practices of taxi companies, ride-sharing services, or other transportation providers.

Response: We support the use of ride-sharing services or other patient transportation services similar to a taxi service by eligible entities to make local transportation available for their patients. The safe harbor protects certain free or discounted local transportation made available by an eligible entity, and we confirm that an eligible entity may make such transportation available through ride-sharing arrangements or through other means of local transportation that may exist in the future (e.g., self-driving cars). We do not believe an amendment to the regulatory text is necessary. Indeed, nothing in the language of the safe harbor prevents the use of ride-sharing services by eligible entities as long as all other conditions of the safe harbor are met. As we explained in the OIG Proposed Rule, although we do not explicitly refer to ride-sharing services within the safe harbor, we see no meaningful differences between these services and taxis, or other similar technology that serve as a taxi service should they become available in the future.^[148] We are not explicitly including specific transportation methods within the regulatory text to avoid being overly proscriptive and to allow eligible entities sufficient flexibility to outsource these services appropriately while satisfying every condition of the safe harbor.

We note that eligible entities that make transportation services available to patients by using ride-sharing or other similar transportation service providers must meet all requirements of the safe harbor and ensure such service providers also meet all requirements of the safe harbor to receive protection, including for example the prohibitions against luxury transportation and publicly marketing or advertising the free or discounted local transportation services.

In the OIG Proposed Rule, we explained that a taxi company, ride-sharing service, or other provider of transportation could advertise that it provides transportation to medical appointments and suggest to patients that they contact their medical providers to determine whether free or discounted transportation is available to their facilities. We stated, however, that it cannot advertise that it provides free or discounted transportation to a particular health care provider or group of providers because such customer-specific advertising is within the control of the customer (i.e., the eligible entity paying for the transportation) to prohibit, and therefore would be imputed to the customer and would disqualify transportation furnished by the customer from safe harbor protection.^[149] Accordingly, we strongly suggest that eligible entities that furnish local transportation to patients and choose to rely on this safe harbor have mechanisms in place to ensure this condition of the safe harbor is satisfied.

13. Accountable Care Organization (ACO) Beneficiary Incentive Program (42 CFR 1001.952(kk))

Summary of OIG Proposed Rule: We proposed at proposed paragraph 1001.952(kk) to codify the statutory exception to the definition of “remuneration” at section 1128B(b)(3)(K) of the Act, as added under section 50341 of the Budget Act of 2018, for ACOs operating a CMS-approved beneficiary incentive program under the Medicare Shared Savings Program, as defined under section 1899(m) of the Act. We proposed to clarify that an ACO may furnish incentive payments only to assigned beneficiaries and to interpret the statutory language in the Budget Act of 2018 stating, “if the payment is made in accordance with the requirements of such subsection [section 1899(m) of the Act],” to mean “if the incentive payment is made in accordance with the requirements found in such subsection.” We did not propose any additional safe harbor conditions that incentive payments made by an ACO to an assigned beneficiary under an ACO Beneficiary Incentive Program established under section 1899(m) of the Act would have to satisfy, and we solicited comments on the proposed lack of additional conditions.

Summary of Final Rule: We are finalizing the safe harbor without modifications.

Comment: Several commenters expressed support for the ACO Beneficiary Incentive Program safe harbor. For example, a commenter posited that incentivizing patients to attend primary care appointments may improve patient outcomes and reduce downstream medical expenses. Another commenter agreed with OIG’s proposal not to establish additional safe harbor conditions to protect incentives under an ACO Beneficiary Incentive Program that satisfies the statutory exception and regulatory requirements.

Response: We are finalizing the regulation text as proposed. We note that we do not interpret the statutory exception found at section 1128B(b)(3)(K) of the Act, nor the safe harbor finalized at paragraph 1001.952(kk), to require satisfaction of any requirements found outside section 1899(m) of the Act (e.g., the regulatory requirements established by CMS implementing the ACO Beneficiary Incentive Program found at 42 CFR 425.304(c)).

Comment: A commenter supported the codification of the ACO Beneficiary Incentive Program exception in a safe harbor but recommended that OIG broaden the exception to protect any future beneficiary incentives covered under CMS-sponsored payment models and beneficiary incentive options that may be available in the future. According to the commenter, the ACO Beneficiary Incentive Program is too limited and the commenter has advised CMS that ACOs, and alternative payment models (APM) more broadly, should be able to provide beneficiary incentives to subsets of their population. Another commenter requested that OIG expand the safe harbor to protect ACOs participating in any Innovation Center demonstration, noting that several ACO demonstrations have risk-bearing standards that exceed those in the Medicare Shared Savings Program.

Response: This safe harbor codifies a statutory safe harbor that is specific to ACO Beneficiary Incentive Programs; the commenters’ suggestions are beyond the scope of the statute and our proposal. To the extent the commenters are requesting safe harbor protection for beneficiary incentives provided through existing CMS-sponsored models developed pursuant to section 1115A(d)(1) of the Act, any fraud and abuse waiver applicable to beneficiary incentives under the relevant model would potentially provide protection as long as the beneficiary incentive arrangement squarely satisfies the conditions of the applicable waiver. Moreover, we are finalizing a new safe harbor for CMS-sponsored models at paragraph 1001.952(ii) that protects certain CMS-sponsored model patient incentives under models for which CMS has determined that paragraph 1001.952(ii)(2) should apply. This new safe harbor is described more fully in section III.B.7 of this preamble.

Comment: A trade association representing community pharmacists recommended that pharmacists be included in the definition of an “ACO professional” and that pharmacy services should constitute qualifying services for purposes of the ACO Beneficiary Incentive Program safe harbor. According to the commenter, including pharmacy services as qualifying services would give pharmacists more resources to provide medication adherence services more efficiently to further enhance care coordination.

Response: The commenter’s suggestion is beyond the scope of the ACO Beneficiary Incentive Program statutory exception found at section 1128B(b)(3)(K) of the Act that OIG proposed to codify at paragraph 1001.952(kk). Section 1899(h) of the Act defines an ACO professional for purposes of the Medicare Shared Savings Program, and section 1899(m) of the Act sets forth the scope of qualifying services. CMS administers the Medicare Shared Savings Program on behalf of the Secretary, which includes promulgating regulations interpreting the statutory definition of ACO professional and the scope of qualifying services; for this reason, any requests to expand these terms should be directed to CMS.

Comment: A commenter supported the proposed safe harbor but recommended that OIG consider the administrative burden associated with the ACO Beneficiary Incentive Program. In particular, the commenter noted that several requirements of the ACO Beneficiary Incentive Program (e.g., recordkeeping requirements) are burdensome.

Response: The commenter’s suggestion is beyond the scope of this rulemaking. Section 1899(m) of the Act contains certain programmatic reporting and documentation requirements for beneficiary incentives under the Medicare Shared Savings Program, and CMS has promulgated additional regulations implementing the ACO Beneficiary Incentive Program.^[150] The new safe harbor at paragraph 1001.952(kk) does not alter existing documentation requirements or impose any additional documentation requirements. Furthermore, section 50341(b) of the Budget Act of 2018 does not give OIG authority to waive programmatic documentation requirements set forth in section 1899(m) of the Act or in CMS regulations.

Comment: A commenter requested additional guidance on the specifics of the protected remuneration under this safe harbor.

Response: The new safe harbor at paragraph 1001.952(kk) protects incentive payments made by an ACO to an assigned beneficiary under a beneficiary incentive program established under section 1899(m) of the Act if the incentive payment is made in accordance with the requirements found in section 1899(m) of the Act. We interpret the statutory language in the Budget Act of 2018 stating, “if the payment is made in accordance with the requirements of such subsection [section 1899(m) of the Act]” to mean “if the incentive payment is made in accordance with the requirements found in such subsection.”

We read this provision broadly to incorporate all the requirements found in section 1899(m) of the Act as requirements of the ACO Beneficiary Incentive Program statutory exception to the definition of “remuneration” under the Federal anti-kickback statute. In other words, as we stated in the preamble to the OIG Proposed Rule, we interpret this statutory requirement to mean that for an incentive payment to satisfy the ACO Beneficiary Incentive Program statutory exception, and the corresponding safe harbor interpreting the statutory exception, all of the requirements enumerated at section 1899(m) of the Act—related both to ACO Beneficiary Incentive Programs and incentive payments made pursuant to such programs—must be satisfied. We do not interpret the statutory exception at section 1128B(b)(3)(K) of the Act to require satisfaction of any requirements found outside of section 1899(m) of the Act. For instance, CMS, which administers the Medicare Shared Savings Program, has promulgated programmatic regulations setting forth more detailed requirements for implementing an ACO Beneficiary Incentive Program in accordance with section 1899(m) of the Act. While compliance with these regulations is not a condition of satisfying the safe harbor, it would be prudent for ACOs to review these regulations to ensure that their ACO Beneficiary Incentive Programs meet all applicable programmatic requirements.

C. Civil Monetary Penalty Authorities: Beneficiary Inducements CMP

1. Exception for Telehealth Technologies for In-Home Dialysis (42 CFR 1003.110)

Summary of OIG Proposed Rule: We proposed to amend the definition of “remuneration” under the Beneficiary Inducements CMP by codifying the statutory exception enacted as part of the Budget Act of 2018. Specifically, we proposed to add an exception to the definition of “remuneration” in paragraph 1003.110 at proposed paragraph 1001.110(10) for the provision of certain telehealth technologies related to in-home dialysis services. The proposed exception would protect the provision of telehealth technologies by a provider of services or renal dialysis facility to an individual with end-stage renal disease (ESRD) who is receiving home dialysis paid for by Medicare Part B, provided the donation meets conditions proposed in the OIG Proposed Rule. We proposed a condition that would require uniform provision of technology. In addition, we proposed to define “telehealth technologies” as multimedia communications equipment that includes at a minimum audio and video equipment permitting two-way, real-time interactive communication between the patient and distant site physician or practitioner used in the diagnosis, intervention, or ongoing care management—paid for by Medicare Part B—between a patient and the remote healthcare provider.

Summary of Final Rule: We are finalizing this provision with several modifications at paragraph 1003.110(10) to align with the statutory exception in 1128A(i)(6)(J). As explained in more detail below, we are removing most of the additional proposed conditions and proposed regulatory text language that were not in the statutory exception. Additionally, the final rule modifies the definition of “telehealth technologies” and includes physicians as a type of practitioner that can donate telehealth technologies to a patient. We are not finalizing the other proposed conditions on which we solicited comments.

a. General Comments

Comment: Commenters on this topic overwhelmingly supported our proposed exception, in many cases as proposed. For example, a commenter stated that the exception would enhance access to telehealth services for vulnerable patients, including those who are immobile or located in rural areas, and would encourage patients to appropriately address their chronic condition. Commenters observed that telehealth technologies will provide an important tool for dialysis facilities and other providers to ease patients’ adoption of home dialysis as their treatment modality of choice and that increased use of telehealth services benefit patients, including through reduced travel to and from physician visits. A commenter expressed that broad protection under the Beneficiary Inducements CMP would be consistent with policy priorities of Congress and the Department, as well as under the Executive Order entitled “Advancing American Kidney Health.” Another commenter noted the Administration’s policy goal of increased rates of uptake and retention of in-home dialysis and urged OIG to consider the impact technologies have outside of an isolated clinical visit, such as dialysis modality education and support group access.

Some commenters raised concerns about the need for safeguards against risks such as inappropriate steering, lemon-dropping, and cherry-picking of patients by providers and the use of free at-home technologies to entice patients to use a particular provider, especially when the technology could also be used for other purposes beyond the provision of telehealth services. Some commenters urged us to adopt the statutory exception without any additional conditions that could create barriers to patients accessing telehealth services, more administrative burden, or additional duties on staff. A commenter stated that the additional conditions and other potential safeguards in the OIG Proposed Rule preamble are unnecessary.

Response: We have made several modifications to the final exception that address the commenters’ general concerns. Consistent with the statutory exception at section 1128A(i)(6)(J) of the Act and the OIG Proposed Rule, these modifications finalize a broader definition of “telehealth technologies,” reduce the number of conditions from the OIG Proposed Rule, and modify the proposed conditions to more closely align to the statute. The final exception incorporates the statutory text from section 1128A(i)(6)(J) and the two statutory conditions at 1128A(i)(6)(J)(i) and (ii). We describe the specific rationale for each of these modifications in greater detail below.

These modifications reflect our understanding as stated in the OIG Proposed Rule that this is a narrow exception to the CMP beneficiary inducement statute. Primarily, the exception is limited to a subset of patients receiving in-home dialysis and certain, enumerated providers in the statutory exception.^[151] Because the exception finalized here is only available to established patients who are receiving specific services paid for by Medicare Part B, the potential for fraud and abuse is reduced. Similar to our rationale related to the definition and use of target patient population in the patient engagement and support safe harbor at paragraph 1001.952(hh), we believe that remuneration connected to an objectively defined set of patients decreases the risk that valuable remuneration will be offered to patients as an inducement to seek care or as a reward for receiving care. For the purposes of this exception, Congress established the patient population as those receiving in-home dialysis paid for by Medicare Part B.

Additionally, the two statutory conditions address common risks of fraud and abuse associated with remuneration furnished to beneficiaries. The first, which bars telehealth technologies from being offered as part of any advertisement or solicitation, protects against improper marketing schemes that entice beneficiaries to receive unnecessary services or select providers or services based on promises of valuable gifts rather than medical best interests. The second statutory condition requires that the telehealth technologies are provided for the purpose of furnishing telehealth services related to the recipient’s ESRD; this condition tailors the statutory protection to arrangements that assist beneficiaries in managing their ESRD, reducing risk that the provision of telehealth technologies induce orders or purchases of other, unrelated items and services. These statutory limitations reduce the risks of fraud and abuse associated with providing certain beneficiaries with free telehealth technologies.

We share commenters’ concerns that offering valuable technology for free to patients has the potential to impact a patient’s selection of a provider, and we agree that this exception should not be used to effectuate inappropriate steering, lemon-dropping, or cherry-picking of patients. The risk of fraud and abuse associated with selectively deciding which patients receive telehealth technologies is mitigated by conditions finalized in this rule (e.g., telehealth technologies are protected if provided to a beneficiary already receiving in-home dialysis paid for by Medicare Part B and if that patient initiated contact or scheduled an appointment with the donor (paragraphs (10)(i) and (ii) in 42 CFR 1003.110)).

This final rule strives to foster the policy goal of: (i) Ensuring that beneficiaries can choose and benefit from medically appropriate in-home dialysis care, as determined by the beneficiary and their provider, physician, or renal dialysis facility; (ii) protecting beneficiaries against coercive marketing schemes that do not serve their best interests; and (iii) ensuring that providers, physicians, and renal dialysis facilities are seeking the protection of the exception use telehealth technologies for purposes related to beneficiaries’ ESRD as contemplated in the statutory exception. We have endeavored to reduce administrative and staff burden wherever possible, consistent with these goals.

b. Definition of “Telehealth Technologies”

Summary of OIG Proposed Rule: Using the definition of “interactive telecommunications system” pursuant to 42 CFR 410.78(a)(3) as a basis,^[152] we proposed to define “telehealth technologies” as multimedia communications equipment that includes, at a minimum, audio and video equipment permitting two-way, real-time interactive communication between the patient and distant site physician or practitioner used in the diagnosis, intervention, or ongoing care management—paid for by Medicare Part B—between a patient and the remote healthcare provider. We proposed to exclude telephones, facsimile machines, and electronic mail systems from the definition. However, we proposed that smartphones with two-way, real-time interactive communication through secure video conferencing applications would not be considered “telephones.” We sought comments on this definition and whether “telehealth technologies” should include technologies such as software, a webcam, data plan, or broadband internet access that facilitates the telehealth encounter.

Summary of Final Rule: We are finalizing, with modifications, the regulatory text defining “telehealth technologies” in response to comments and in a way that is technology agnostic, as described further below.

Comment: Several commenters agreed with our proposed definition of “telehealth technologies” based on 42 CFR 410.78(a)(3), including our proposal to exclude smartphones from our interpretation of what consists of a “telephone” for the purposes of our proposed “telehealth technologies” definition because it would help expand access to medically necessary care. A commenter suggested OIG finalize a technology-neutral definition of “telehealth technologies” and urged us not to detail specific technologies or services, which are likely to change over time to facilitate the development of more efficient means of delivering the same services. While a commenter agreed with excluding telephones, facsimile machines, and electronic mail systems from the definition of “telehealth technologies” because the commenter did not view them as providing the required services, other commenters asserted that these technologies should not be included. For example, a commenter explained that these technologies do not constitute “telehealth technologies” as standalone items but can be used to supplement a telehealth encounter.

Several commenters were supportive of including the broader range of technologies considered in the OIG Proposed Rule (e.g., software and data plans). Commenters suggested that these technologies, which alone will not facilitate a telehealth encounter, may be required by some patients to access telehealth services. A commenter asserted that the exception should protect any type of technology as long as it contributes to accomplishing the telehealth service. The commenter also urged OIG to consider that software protected under the exception must be easily downloadable, be easy to use for patients, and meet HIPAA standards.

Another commenter supported narrowly defining “telehealth technologies” as the “interactive communications system” necessary for the telehealth service. According to the commenter, a broader definition could inappropriately induce a beneficiary to consider in-home dialysis because of the availability of technology benefits rather than the clinical appropriateness of the treatment approach. A commenter also suggested that if necessary we include a list of items ineligible for protection under this exception.

Response: We agree with those commenters that recommended a broader definition that includes items and services that facilitate telehealth services because the goal of this exception, as explained in the OIG Proposed Rule, is to protect a wide range of technologies to better support in-home dialysis. Specifically, this final rule modifies the definition of “telehealth technologies” by removing references to specific types of technology, limits on the type of communication, and a requirement that telehealth services be paid for by Medicare Part B. We are revising language to clarify that the definition means technology used to support communication between providers and patients in instances when the communication is distant or remote, and when the communication is for diagnosis, intervention, or ongoing care management. For purposes of the telehealth technologies exception to the definition of “remuneration” authorized under section 1128A(i)(6)(J) of the Act, this final rule defines “telehealth technologies” to mean hardware, software, and services that support distant or remote communication between the patient and provider, physician, or renal dialysis facility for the diagnosis, intervention, or ongoing care management. We note that the revised definition includes all of the technologies that we proposed would constitute telehealth technologies and be protected if all conditions of the exception were met: that is, multimedia communications equipment, including audio and video equipment permitting two-way, real-time interactive communication with the patient.

The revised definition also now includes technologies that we proposed to specifically exclude from the definition: Telephones, facsimile machines, and electronic mail systems. The final definition is technology agnostic. We emphasize that the revised definition retains the element that the technology supports provider and patient communication for diagnosis, intervention, or ongoing care management. Additionally, for a donation of technology to be protected it must meet all conditions of this exception, not just satisfy the revised definition of “telehealth technologies.” This includes the condition at paragraph (10)(i) in 42 CFR 1003.110 that requires the telehealth technology be provided for the purpose of furnishing telehealth services related to the recipient’s end-stage renal disease. If a provider, physician, or facility determines that a fax machine meets this condition and the revised definition (and the donation meets all other conditions) then it would be protected by this exception.

This modification is consistent with the statutory exception and our solicitation of comments in the proposed rule. In the OIG Proposed Rule, we proposed to define “telehealth technologies” to encompass “multimedia communications equipment” that included at a minimum audio and video equipment with distant site, interactive communications functionality between patients and physicians or practitioners. We considered whether to broaden the definition to include technology such as software, webcams, data plans, and broadband internet access that facilitate a telehealth encounter and solicited specific comments on the treatment of telephones, facsimile machines, and electronic mail systems.

We are modifying the definition to focus on the functionality of the technology to support telehealth rather than specific types. The revised definition is technology neutral to provide flexibility to providers, physicians, and renal dialysis facilities to determine what telehealth technology is needed for the purpose of furnishing telehealth services related to an individual’s ERSD. By “technology agnostic,” we mean that the technology is not limited to specific technologies or services, which are likely to change over time. For telehealth and virtual care specifically, we believe a technology-agnostic approach is especially important given, for example, the widespread and rapid changes to telehealth during the response to the COVID-19 public health emergency. This approach will also allow the exception to continue to be available to support telehealth services for ESRD beneficiaries as technology evolves. We recognize that the revised definition will allow for a wider range of technology to be provided to beneficiaries than the proposed regulatory text. We also recognize the potential for “telehealth technologies” as defined more broadly in this final rule to inappropriately induce patients to pursue in-home dialysis over a dialysis facility or select a particular provider or physician. However, we believe the risk is mitigated because the exception is available for a defined set of patients already receiving in-home dialysis, marketing is not allowed, and other conditions provide safeguards against fraud and abuse.

The revised definition is supported by the statutory exception in section 1128A(i)(6)(J) of the Act. The statute gives the Secretary authority to define “telehealth technologies” and protects technologies provided for the purpose of furnishing telehealth services related to the individual’s ESRD. The statute did not limit the telehealth technology or technology services under the exception to any related Medicare definitions. In contrast, section 1128A(i)(6)(J) of the Act states that a provider of services or a renal dialysis facility are defined as those terms are used in title XVIII (Medicare). “Telehealth technologies” in section 1128A(i)(6)(J) and the term “telehealth services” in 1128A(i)(6)(J)(ii) do not include a reference to specific statutory or regulatory definitions. Therefore, the statute provides the Secretary additional flexibility to interpret these terms differently than any related Medicare definitions. We similarly interpret the term “telehealth services” differently than the scope of telehealth services paid for by Medicare Part B. For a more detailed discussion of the term “telehealth services” used in paragraph (10)(ii) in 42 CFR 1003.110, see section III.C.1.e below.

Based on the statutory exception and flexibility afforded by the statutory exception and the response to our solicitation on the appropriate scope of technology covered by this exception, we are modifying the definition in the regulatory text of “telehealth technologies” to focus on core functionality to support telehealth services and be technology agnostic. As several commenters noted, telehealth technologies are ineffective without the ability to connect any device facilitating telehealth services, and the purpose of this exception would not be advanced without those capabilities. We agree and have expanded the definition of telehealth technologies to include services that support distant or remote communication between the patient, provider, or renal dialysis facility for diagnosis, intervention, or ongoing care management. For example, the finalized definition would include internet service or data plans.

We emphasize that although this definition would encompass various technologies, to receive protection under the exception arrangements for providing telehealth technologies to beneficiaries must squarely satisfy the other conditions in the exception, including that the technologies are provided for the purpose of furnishing telehealth services related to the recipient’s ESRD.

In this preamble we offer examples of technology we view as within the scope of the final definition of “telehealth technologies.” We are not providing an exhaustive list in regulatory text or preamble to avoid inadvertently limiting telehealth technologies that donors determine are best suited to facilitate telehealth services to beneficiaries with ESRD and to allow for the evolution of technology. We are not including a condition related to ease of use for telehealth technologies furnished to patients, which we believe is a consideration for the patient and the clinician and is not needed as a fraud and abuse safeguard. Parties would need to comply with any other applicable government regulations that address ease of use or functioning of telehealth technology. Similarly, HIPAA and other Federal and State privacy and security laws apply notwithstanding this exception; therefore, we do not believe an additional condition within this exception is necessary.

Comment: Several commenters asserted that limiting “telehealth technologies” to two-way, real-time interactive communications equipment is overly narrow and could bar protection of many beneficial technologies that pose no greater risk than technologies included in the proposed definition. As an example, some commenters suggested that equipment used to monitor and report data to physicians and dialysis facilities (e.g., Bluetooth-enabled stethoscopes and thermometers) would not qualify under the proposed definition but could provide valuable clinical benefits. A commenter suggested that OIG follow the example provided in the current Kidney Care Choices Model operated by the Innovation Center that allows the use of asynchronous store-and-forward technologies and the forwarding of health history to a clinician for review outside of a real-time interaction. Several commenters recommended including real-time (synchronous) and store-and-forward (asynchronous) audio and video platforms. A commenter stated that an audio-only platform may be appropriate to assess whether the patient’s condition necessitates an office visit.

Response: We agree with commenters who suggest revising the definition to include broader forms of technology, including technologies that enable asynchronous communications between the patient and a distant site physician or practitioner. We have revised the definition of “telehealth technologies” to cover a more expansive range of technology than the proposed definition. This modification to the definition would cover technology based on its function, rather than specific types of technology. This would include equipment that could be used to monitor and report data to physicians and dialysis facilities (e.g., Bluetooth-enabled stethoscopes and thermometers) where appropriate, provided such technologies satisfy the other conditions of the exception. We believe the donor of any protected telehealth technologies—who per the terms of the exception must be currently providing the in-home dialysis, telehealth services, or other ESRD care to the patient—is in the best position to determine whether real-time or asynchronous information is appropriate and whether such technologies serve the purpose of furnishing telehealth services related to the recipient’s ESRD. We do not believe the distinction between two-way, real-time technology and asynchronous technology materially changes the fraud and abuse analysis associated with providing patients valuable technology. Relatedly, we agree that some audio-only technology may be appropriate to assess whether the patient’s condition necessitates an office visit and could contribute substantially to the provision of telehealth services to a patient.

As explained above, the definition of “telehealth technologies” set forth in this final rule is technology agnostic and is not limited, for example, to technologies used for two-way, real-time interactive communication. We believe this final definition will extend protection to many of the specific technologies identified by commenters as long as other conditions of the exception are met.

Comment: A commenter encouraged OIG to define the minimum set of capabilities required for a telehealth physician visit to include at least real-time bidirectional video interaction with audio. The commenter recommended the definition for “telehealth technologies” include tools such as peripheral devices or applications that the physician deems necessary to complete a proper assessment of the patient during a telehealth service, including remote monitoring and asynchronous messaging.

Another commenter recommended OIG adopt the full definition of “interactive telehealth system” at 42 CFR 410.78 in lieu of the proposed “telehealth technologies” definition but expand the definition to protect the use of asynchronous technologies in certain geographic areas (e.g., areas that are medically underserved). The same commenter also recommended including peripheral or supporting technology in the definition, which could support the use of remote patient monitoring.

Response: As described above, we have modified the definition of “telehealth technologies” to clarify the scope of technologies with telehealth capabilities protected by this exception. With respect to real-time bidirectional video interaction with audio, we view such technology as within the scope of the proposed definition as well as the definition finalized here. We also agree with the commenter that the definition should include tools such as peripheral devices or applications that the physician deems necessary to complete a proper assessment of the patient during a telehealth service. The definition of “telehealth technologies” encompasses the peripheral or supporting technologies for remote patient monitoring noted by the commenter. Asynchronous technologies would also meet the definition of telehealth technologies and could be protected if all conditions of the exception are met. For example, many types of remote patient monitoring technology are asynchronous and used to support remote communication between a patient and their physician for diagnosis, intervention, and ongoing care management. We did not propose and are not adopting any geographic limitation. Such restrictions are not necessary due to the other safeguards in the safe harbor, and further narrowing the limited statutory exception is not consistent with the statutory text (e.g., section 1128A(i)(6)(J) of the Act is not connected to telehealth services paid for by Medicare Part B, which are historically subject to geographic limitations).

We note that policies regarding what constitutes a physician telehealth service are outside the scope of this rulemaking because it is limited to requirements for an exception to the Beneficiary Inducements CMP.

Comment: Another commenter recommended aligning the exception with the list of services payable under the Medicare Physician Fee Schedule when furnished via telehealth by expanding the definition of “telehealth technologies” to include communications-based technologies in addition to telehealth technologies.

Response: We believe the commenter is referring to the telehealth technologies used to furnish “communications technology-based services” such as virtual check-in and remote assessment services that are separately billable under Medicare Part B. As discussed above, we have revised the definition of “telehealth technologies,” and it would include technologies that facilitate communications for these services including, by way of example, virtual check-in services. This exception protects a wide range of telehealth technologies that are provided for the purposes of furnishing remote or distant services through various modalities, including telehealth services, virtual check-in services, e-visits, monthly remote care management, and monthly remote patient monitoring.

Consistent with this approach, as explained more fully above, we have modified the telehealth technologies definition so that it is not dependent on Medicare Part B payment for telehealth services. Relatedly, as explained more fully below, we are also modifying paragraph 10(iii) under the definition of “remuneration” in 42 CFR 1003.110 so that protection of telehealth technologies is not conditioned on their being provided for the purpose of furnishing “telehealth services” paid for by Medicare Part B.

c. Furnished by Specified Individuals and Entities Currently Providing Care to the Patient

Summary of OIG Proposed Rule: Section 1128A(i)(6)(J) of the Act limits the exception to technologies provided “by a provider of services or a renal dialysis facility (as such terms are defined for purposes of title XVIII) to an individual with end-stage renal disease who is receiving home dialysis for which payment is being made under part B of such title . . . .” We proposed to implement this statutory provision in two ways. First, we proposed to use the precise statutory text in the introductory text in paragraph (10) under the definition of “remuneration” in 42 CFR 1003.110. Second, we proposed a condition at paragraph (10)(i) that interprets the statutory language so that the exception would be available only to the provider of services or the renal dialysis facility that is currently providing in-home dialysis, telehealth services, or other ESRD care to the patient. We explained that the intent of this condition was to ensure that the exception only protected the provision of telehealth technologies to patients with whom the provider or renal dialysis facility had a prior clinical relationship. A beneficiary has a prior clinical relationship with the donor if the patient is receiving home dialysis, telehealth services, or other ESRD care from the donor. We also specifically solicited comment on this interpretation recognizing that this limitation may pose challenges.

We also sought comment on but did not propose specific regulatory text for whether we should interpret the statutory exception to apply not only to the “provider of services or the renal dialysis facility (as those terms are defined in title XVIII of the Act)” but also “suppliers,” as defined in title XVIII of the Act, so that the exception would be consistent with the broader goals to expand patient access to in-home dialysis care furnished by their physician in section 50302(b) of the Budget Act of 2018.

Summary of Final Rule: We are finalizing, with modifications, the proposed condition at paragraph (10)(i) that interprets the statutory language so that the exception would be available only to the provider of services or the renal dialysis facility that is currently providing in-home dialysis, telehealth services, or other ESRD care to the patient. The final rule limits the exception to telehealth technologies furnished by a provider of services, physicians, or a renal dialysis facility currently providing in-home dialysis, telehealth services, or other ESRD care to the patients or has been selected or contacted by the patient to schedule an appointment or provide services.

Comment: Several commenters supported both of our proposals implementing section 1128A(i)(6)(J) of the Act, including the interpretation that the provision of telehealth technologies is limited to patients with whom the donors have a prior clinical relationship. Several commenters shared OIG’s concern that expanding the exception to protect the provision of telehealth technologies to new patients or to patients who are not currently receiving ESRD services or care from the individual or provider of services or the facility may result in inappropriate steering.

However, another commenter expressed concern that this interpretation would be operationally difficult to implement and could reduce the benefits of the otherwise permissible telehealth technologies. According to the commenter, once patients have selected a provider, they should not have to wait for telehealth services furnished through protected arrangements until they are already receiving in-home dialysis. The commenter asserted that delaying telehealth technologies in this context may disrupt normal care delivery methods.

Response: Consistent with section 1128A(i)(6)(J) of the Act and our proposed interpretation, limiting the exception to telehealth technologies furnished by a provider of services, physicians, or a renal dialysis facility currently providing in-home dialysis, telehealth services, or other ESRD care to the patients is consistent with the statutory language and an appropriate safeguard against inappropriate steering and patient recruitment. As such, we are finalizing the introductory language of paragraph (10) under the definition of remuneration in 42 CFR 1003.110 as proposed.

We also are finalizing the condition at paragraph (10)(i) under the definition for “remuneration” in 42 CFR 1003.110 with modifications. Specifically, we have modified this condition by adding the following clause: “or has been selected or contacted by the individual to schedule an appointment or provide services.”

We agree with the commenter who suggested that once a patient has selected a provider, physician, or facility, the patient should be eligible to receive telehealth technologies. The purpose of the proposed condition was to limit the risk of the technologies being used as a recruiting tool or to facilitate the provision of unnecessary services. However, because protected telehealth technologies may not be offered as part of any advertisement or solicitation, we believe that making telehealth technologies available to patients who contact the provider, physician, or facility on their own initiative is sufficiently low risk to warrant protection by this exception. Thus a provider, physician, or facility may offer or furnish telehealth technologies to a patient with ESRD who is receiving home dialysis paid for by Medicare Part B after the patient selects and initiates contact with a provider, facility, or physician to schedule an appointment or other services.^[153] This approach is consistent with our intent in the OIG Proposed Rule to prevent arrangements from being protected by the exception where the donor does not have a preexisting clinical relationship with the patient and to reduce the risk of inappropriate patient recruitment or marketing schemes.

We view a patient reaching out to schedule an appointment or other services and asking whether assistance in facilitating telehealth services might be available as low risk in light of the other conditions in the exception, such as the limitation on advertisement and solicitation discussed further below. Patient-initiated contact is also distinguishable from a provider, facility, or physician initiating contact with a new patient (or to the patient’s case manager) and soliciting the patient to elect in-home dialysis or to switch providers, coupled with an offer of telehealth technologies. The former would be protected (if all other conditions of the exception are met) and the latter would not.

Comment: Several commenters opposed extending the exception to apply to suppliers as defined in title XVIII of the Act because it could result in telehealth technologies being offered to patients without any provider reviewing whether the technology is an appropriate offering for the particular patient’s clinical condition and, more generally, increases the risk for inappropriate use or offering of technologies. A commenter also asserted that expanding protected donors to include protection for suppliers is not consistent with congressional intent. A commenter asserted that protection under the exception should be limited only to nephrologists and dialysis providers who are directly responsible for the provision of care to home dialysis patients.

Response: This final exception, consistent with our solicitation in the OIG Proposed Rule, protects telehealth technologies provided by physicians as defined in title XVIII of the Act who are providing in-home dialysis, telehealth services, or other ESRD care to the recipient. This modification will be included in the introductory language of paragraph (10) and in paragraph (10)(i) under the definition to remuneration in 42 CFR 1003.110. As explained in the OIG Proposed Rule and further below, this modification is consistent with section 50302 of the Budget Act of 2018. In particular, physicians—notably but not exclusively nephrologists—are central to the provision of telehealth services related to ESRD care that would be furnished using the telehealth technologies, as described in the statute. For example, without the inclusion of physicians, telehealth technologies furnished by a patient’s nephrologist could not receive protection under this exception.

As part of the Creating High-Quality Results and Outcomes Necessary to Improve Chronic Care Act of 2018,^[154] section 50302 of the Budget Act of 2018 amends section 1881(b)(3) of the Social Security Act to permit an individual with ESRD receiving home dialysis to elect to receive their monthly ESRD-related clinical assessments via telehealth, if certain other conditions are met. CMS implemented these statutory changes through amendments to 42 CFR 410.78 and 414.65.^[155] Under those CMS rules, the newly covered monthly ESRD-related clinical assessments furnished via telehealth would be provided by a physician at the distant site who is licensed under State law to furnish the covered monthly ESRD-related clinical assessments.^[156] It is consistent with the OIG Proposed Rule and section 50302 of the Budget Act of 2018 that this exception protect the provision of telehealth technologies offered by physicians (e.g., nephrologists) furnishing monthly ESRD-related clinical assessments via telehealth for patients receiving home dialysis. Under the new CMS rules, the physicians performing these clinical assessments are well positioned to understand what telehealth technologies should be provided to the ESRD patient for the purpose of furnishing telehealth services.

We agree with commenters that expanding the exception to a broad range of practitioner types by using “suppliers” poses risk and, upon further review, we see no support in the statute for doing so. Section 1128J(i)(6)(J) of the Act conditions protection on the connection between the provider of services or renal dialysis facility and caring for an individual with ESRD. The definition of “suppliers” in title XVIII includes a physician or other practitioner, a facility, or other entity (other than a provider of services) that furnishes items or services under this title. That definition covers numerous practitioner and entity types, many of which are not providing ESRD services. We are concerned that including these practitioners and entities would not further the ESRD-related purposes of the exception, were not contemplated by Congress, and could pose risk that these parties would offer telehealth technologies to steer beneficiaries to select them as a supplier or to their products and services. In light of that risk and consistent with the section 1128J(i)(6)(J) of the Act, we are finalizing the exception by including “physicians” but not “suppliers” (as that term is defined in title XVIII).

Section 1861(r) of the Act defines the term “physician.” That definition includes a limited set of practitioners including doctors of medicine or osteopathy, doctors of dental surgery, doctors of podiatric medicine, doctors of optometry, and chiropractors. Under this final exception, a physician must meet this definition in 1861(r) of the Act and, consistent with paragraph 10(i) in 42 CFR 1003.110, be providing in-home dialysis, telehealth services, or other ESRD care to the patient. Consequently, it is unlikely that all practitioner types under 1861(r) would be eligible for protection for providing telehealth technologies under this exception. For example, it is unlikely that dental surgeons, doctors of podiatric medicine, or chiropractors would be providing telehealth services to ERSD patients.

d. Prohibition on Advertisement or Solicitation

Summary of OIG Proposed Rule: We proposed to incorporate the statutory requirement in section 1128A(i)(6)(J)(i) of the Act that the telehealth technologies are not offered as part of any advertisement or solicitation. We proposed to interpret the terms “advertisement” and “solicitation” consistent with their common usage in the health care industry.

Summary of Final Rule: We are finalizing this condition as proposed.

Comment: A commenter expressed support for the proposal precluding the protection of telehealth technologies offered as part of an advertisement or solicitation.

Response: We are including this protection in the final rule, consistent with the statute. As stated in the OIG Proposed Rule, we interpret the terms “advertising” and “solicitation” consistent with prior rulemakings. We emphasize that whether a particular means of communication constitutes an advertisement or solicitation will depend on the facts and circumstances.^[157]

Additionally, consistent with our interpretation in the OIG Proposed Rule, we note that it is important for patients to receive information about their health care options, and that not all information provided to beneficiaries is advertising or solicitation. Stakeholders should interpret the terms “advertisement” and “solicitation” consistent with their common usage in the health care industry.

e. Provided for the Purpose of Furnishing Telehealth Services Related to an Individual’s End Stage Renal Disease

Summary of OIG Proposed Rule: We proposed to interpret the condition at section 1128A(i)(6)(J)(ii) of the Act that the telehealth technologies are provided “for the purpose of furnishing telehealth services related to the individual’s [ESRD]” to mean that the technologies: (i) Contribute substantially to the provision of telehealth services related to the individual’s ESRD; (ii) are not of excessive value; and (iii) are not duplicative of technology that the beneficiary already owns if that technology is adequate for telehealth purposes. We proposed to interpret “telehealth services related to the individual’s ESRD” to mean only those telehealth services paid for by Medicare Part B. We stated that we would consider technology to be of excessive value if the retail value of the technology were substantially more than required for the telehealth purpose.

We sought comment on but did not propose regulatory text on the following issues: (i) Whether we should require that the person furnishing the telehealth technologies make a good faith determination that the individual to whom the technology is furnished does not already have the necessary technology and that such technology is necessary for the telehealth services provided; (ii) whether we should adopt a more restrictive exception that would protect technologies that provide the beneficiary with no more than a de minimis benefit for any purpose other than furnishing telehealth services related to the individual’s ESRD; (iii) whether we should adopt a different standard that would protect telehealth technologies only when furnished predominantly for the purpose of furnishing telehealth services related to the individual’s ESRD; and (iv) whether the exception should require the provider or facility to retain ownership of any hardware and make reasonable efforts to retrieve the hardware once a beneficiary no longer needs it for the permitted telehealth purposes.

Summary of Final Rule: We finalizing this condition, with modification, to use the statutory language in section 1128J(i)(6)(J)(ii) of the Act. We are finalizing this condition consistent with the statutory exception to read: The telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.

Comment: Several commenters supported our interpretation of section 1128A(i)(6)(J)(ii) of the Act as proposed. Commenters appreciated what they believed to be meaningful guardrails to ensure that the provision of telehealth technology does not serve as an inducement to select a particular provider and shared our concerns regarding the potential for providers to offer such remuneration to steer patients with whom they do not have a prior clinical relationship to themselves.

Some commenters argued that our proposed interpretation of “for the purpose of furnishing telehealth services related to the individual’s [ESRD]” was more restrictive than the statutory language required. For example, a commenter supported removing the word “substantially” from the phrase “contributes substantially to the provision of telehealth services,” observing it adds a restriction that does not appear expressly in the statute.

A commenter noted that certain telehealth technologies may have some benefit to a patient beyond facilitating telehealth services related to the individual’s ESRD, but most uses can be limited from a technical standpoint. For those services for which it would not be feasible to limit use, such as data services, the commenter believed that such services could be provided based on a patient’s clinical need, geographic need, or both, and removed when the patient no longer has a clinical or geographic need for the services (e.g., the patient is no longer treated in the home).

Response: We are not finalizing our proposed language. Instead, we are modifying this condition to use the statutory language in section 1128J(i)(6)(J)(ii) of the Act. We agree with commenters that the proposed condition added additional requirements not included in the statute. To the extent that the exception needed additional safeguards, the Secretary has the authority to implement those under section 1128J(i)(6)(iii) of the Act. Therefore, we are finalizing this condition consistent with the statutory exception to read: The telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.

As explained in the OIG Proposed Rule, we have concerns about the provision of valuable technology improperly inducing a beneficiary to choose a particular provider, physician, or facility. The limited nature of the exception and the conditions finalized in this rule provide reasonable and necessary safeguards against fraud and abuse. For example, the conditions at paragraphs 10(i) and (ii) work together to prevent protection under the exception if the provider, physician, or renal dialysis facility is marketing or using the potential provision of technology to induce and obtain new patients.

Based on the statutory language and matching condition finalized here, we believe a wide range of technologies could be protected. However, we emphasize that a determination regarding whether the provision of telehealth technologies meets the condition at paragraph 10(ii) in the definition of “remuneration” at 42 CFR 1003.110 requires a case-by-case assessment of the functionality of the technologies to be provided and telehealth services being furnished to the ESRD patient.

We are not including a condition as suggested by the commenter that would require a donor to technically limit the telehealth technologies provided. Under this condition and the definition of “telehealth technologies” as finalized, technologies that are multifunctional and have purposes in addition to furnishing telehealth services related to the individual’s ESRD are not precluded and may be protected. For example, this condition could protect a tablet that a patient would use to access telehealth services for their ESRD care, even though the tablet has other purposes or functionalities (e.g., ability to download any mobile application) as long as such provision meets all conditions of the exception.

Comment: Several commenters opposed OIG’s considered interpretation of this statutory condition—“the telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s [ESRD]”—that would restrict telehealth technologies to those that do not provide the beneficiary with more than a de minimis benefit outside of the telehealth services related to the individual’s ESRD. Commenters suggested that such a condition would limit access to needed technology, add unnecessary burden and uncertainty, or impede the objective of expanding in-home dialysis patients’ use of telehealth services. A commenter recognized that allowing devices with non-health care functions could be considered an inducement but highlighted that patients who receive such devices also must accept the obligations and responsibilities of home dialysis, which the commenter believes serves as an appropriate safeguard.

Another commenter expressed concerns that the de minimis benefit standard might create complications for patients with multiple health needs that could be fulfilled by the same device, and the commenter asserted that it would not be a good use of resources for a patient to be prescribed two separate digital health tools when one would meet all of the patient’s clinical needs.

Response: We agree with commenters and are not finalizing a de minimis benefit standard in this exception.

Comment: Several commenters supported prohibiting providers from giving patients telehealth technologies for home dialysis that are of excessive value or duplicative of technology that the beneficiary already owns. A commenter found these guardrails particularly important given the limited number of vendors currently offering home dialysis equipment and supplies. The commenter asserted that the limited competition in the home dialysis market would make acquisition costs of telehealth technologies particularly significant for small and independent providers who lack market share advantages used in negotiations with vendors. Another commenter requested further clarification on what donations would be considered of “excessive value.”

Response: For the reasons noted above, we are finalizing paragraph (10)(iii) in 42 CFR 1003.110 to mirror the statutory language at section 1128J(i)(6)(J)(ii) of the Act, without a requirement that the telehealth technologies not be of excessive value. Additionally, we are not finalizing a condition elsewhere that requires the telehealth technologies not be of excessive value. The limited nature of the exception and the other conditions provide appropriate safeguards.

The value of the telehealth technologies provided to a patient may be a fact or circumstance used to assess whether the provision of such technology meets the finalized condition at paragraph 10(iii) in the definition of “remuneration” at 42 CFR 1001.130. In other words, depending on the facts and circumstances, technology of excessive value could indicate that the technology is not being provided for the purpose of furnishing telehealth services related to the individual’s ESRD. Excessively valuable technology beyond what is reasonable for furnishing telehealth services related to ESRD could also indicate that the technology is part of a prohibited advertisement or solicitation under paragraph (10)(ii).

As stated in the OIG Proposed Rule, providing telehealth technology with substantial independent value might serve to inappropriately induce the beneficiary. In the context of this exception, that risk materializes because excessive value of the telehealth technology may make the purpose of the donation suspect and call into question whether it is related to furnishing telehealth services. For example, if a $50 per month data plan would facilitate the connection needed for the patient to access telehealth services, the provision of a $100 per month data plan might raise concerns that the data plan is being offered for a purpose other than access to telehealth services. Similarly, if the donor knows that the patient already has a data or internet service plan that would facilitate the furnishing of telehealth services and furnishes such a plan anyway, a question could arise about the purpose of the remuneration to the patient.

Comment: A commenter stated that if telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease, and if the donated telehealth technologies meet the other elements of the exception, no dollar value limit should be necessary because the purpose cannot be to induce beneficiaries to select particular providers. Two other commenters recommended including a condition requiring the recipient’s payment of at least 15 percent of the offeror’s cost for the in-kind remuneration. Another commenter recommended a $500 annual cap to ensure the technology did not act as an inducement for referrals.

Response: We did not propose a contribution requirement or an annual monetary cap. We believe the combination of safeguards we are finalizing implement the statutory conditions in section 1128A(i)(6)(J) of the Act and safeguard against risks of fraud and abuse.

Comment: Related to the proposed requirement that the telehealth technologies be necessary and nonduplicative of technology the patient already has, a commenter stated that a patient’s existing personal use technology may have some of the necessary capabilities but also may lack all components necessary to be reliable and fully functional for accessing telehealth services. The commenter further asserted it would not be efficient or practical to require that the provider furnish additional necessary components to the patient’s existing technology—and any associated installation and support services—to make it fully capable of accessing telehealth services. For example, the commenter referenced a patient who has a personal computer without video capabilities. The commenter surmised that it is more logical and cost-effective to provide a ready-to-use integrated device focused solely on their ESRD clinical assessments and related ESRD care support to the patient instead of trying to retrofit the computer, which could involve identifying and installing missing components and providing technological support for this personal-use equipment. The commenter recommended that if the patient’s personal technology does not have all the necessary components for telehealth, provision of fully integrated telehealth technology should be protected under the exception.

Response: We are not finalizing a requirement that the telehealth technologies not be duplicative of technology that the beneficiary already owns in paragraph 10(iii) in the definition of “remuneration” at 42 CFR 1001.130. This condition is being finalized consistent with the statutory condition at section 1128J(i)(6)(J)(ii) of the Act. Additionally, we are not finalizing a condition elsewhere that requires the telehealth technologies not be duplicative of technology that the beneficiary already owns. The limited nature of the exception and the other conditions provide appropriate safeguards.

Assessing whether telehealth technologies would be duplicative of technology that the beneficiary already has may be a fact or circumstance used to determine whether the provision of such technology meets the finalized condition at paragraph 10(iii) in the definition of “remuneration” at 42 CFR 1001.130. For example, if a patient has existing telehealth technology and is already able to receive telehealth services, providing the patient with additional telehealth technology may not have the purpose of furnishing telehealth services. A true determination would have to be based on the specific facts and circumstances of the additional provision of telehealth technologies, including the telehealth services provided to the patient and the patient’s condition.

We highlight that if a patient’s existing technology does not have all the necessary components or capabilities to support the telehealth services, then those facts are favorable in determining that the provision of telehealth technology to that patient meets the condition at paragraph (10)(iii). With respect to the decision between “retrofitting” a patient’s existing technology or providing fully integrated telehealth technology, meeting this exception is not specifically conditioned on whether the technology is fully integrated or retrofitted. In making a determination about the technology to provide and potential protection under this exception, providers, physicians, and renal dialysis facility will have to assess the particular facts and circumstances for that patient and the potential technology. To be clear, we do not intend for this exception to result in providers, physicians, and renal dialysis facilities that provide telehealth technologies attempting to retrofit a patient’s existing technology. To the extent that technology already owned or used by a patient with ESRD would not be adequate for the telehealth services, that fact weighs favorably in determining that providing new telehealth technology meets the condition at 10(iii) under the definition of “remuneration” in 42 CFR 1003.110.

Comment: Many commenters objected to the proposed additional requirement that the party furnishing the technology make a good faith determination that the individual to whom the technology is furnished does not already have the necessary telehealth technology. Some commenters stated that the primary proposal—that the technology is not of excessive value and is not duplicative of technology that the beneficiary already owns if that technology is adequate for the telehealth purposes—provides adequate protection against technologies being used as inducements for duplicative or unnecessary telehealth services. Other commenters supported the proposed “good faith determination” requirement. Another commenter asked us to clarify what a “good faith” effort to determine that the patient does not have the necessary technology means, because the commenter is concerned that this provision could lead to increased physician burden. A commenter stated that requiring facilities or providers to make a good faith determination regarding whether the recipient already has access to telehealth technologies places a potentially ongoing burden to investigate a home dialysis patient’s personal life to ensure that they do or do not possess such technology. The commenter asked whether a facility or provider must consistently audit patient technology access to ensure that the loaned or donated technology does not become duplicative over time. The commenter suggested that patients should be able to opt out of telehealth technologies furnished by a provider or facility, even if specified in their plan of care, because they already have access to such technology. In this way, the responsibility falls to the patient to report access to technology, not on the facility or provider to ensure that the patient does or does not possess such a device. Some commenters supported the proposed additional “good faith determination” requirement.

Response: We are not including a condition in this final exception that requires a good faith determination that the individual to whom the technology is furnished does not already have the necessary telehealth technology. Consistent with the discussion related to the condition on duplicative technology, we note that assessing whether providing telehealth technologies would be duplicative of technology that the beneficiary already has may be a fact or circumstance used to determine if the provision of such technology meets the finalized condition at paragraph 10(iii) in the definition of remuneration at 42 CFR 1003.110.

In response to the commenters’ questions regarding what constitutes a good faith effort, we want to clarify that this exception does not condition protection on investigating the patient’s personal life or auditing the technology that a patient may already have available. When determining whether the provision of telehealth technology meets this condition, specific facts and circumstances about the patient will need to be considered. This would include the patient’s health condition, telehealth services provided to the patient, and how the telehealth technologies support furnishing telehealth services relating to the patient’s condition. Most of the information about the patient is likely gathered as part of the clinical and monthly assessments that patients receiving in-home dialysis receive or is gathered through the normal course of patient and provider interaction about the patient’s condition and treatment.

That said, nothing in this exception prevents physicians, providers, and facilities from asking patients about their existing technology needs and capabilities; nothing requires patients to answer such inquiries. We would expect that conversations about patients’ existing technology would inform donors’ decision-making with respect to furnishing telehealth technologies consistent with this exception. We do not prescribe how providers, physicians, and facilities make the determination whether providing telehealth technologies meets the condition that the technology be for the purpose of furnishing telehealth services related to the patient’s ESRD.

As modified, we do not believe this final exception will increase provider, physician, or renal dialysis facility burden, nor expose patients to unwarranted intrusions. Conditions of this exception implement the statutory exception in section 1128A(i)(6)(J) of the Act. The statutory exception gives providers, physicians, and renal dialysis facilities the flexibility to provide telehealth technologies for the purpose of furnishing telehealth services related to patients’ ESRD. This may help increase options for ESRD patients to manage their care by making telehealth more widely available. We also note that use of this exception is voluntary.

Comment: A commenter recommended that as a condition for protection, the telehealth technology provided to the patient should be necessary for the provision of the telehealth services and, where possible, restricted to the functions that facilitate the provision of care (e.g., a tablet that can only be used for telehealth services), and ensure a secure, safe, and satisfactory user experience. However, the commenter explained that some telehealth technologies may be duplicative or overlap with technology the patient may already have access to and that the condition may result in an overly burdensome patient intake process, to include an accounting of all of the patient’s technology (e.g., items in a patient’s possession as well as the operating systems and compatibility with the telehealth offering). The commenter suggested that instead of protecting only nonduplicative telehealth technologies, OIG limit protected telehealth technologies to what is reasonably necessary for the furnishing of telehealth services and require that providers, suppliers, and facilities provide the patient with disclosure language that the telehealth equipment is provided for their ESRD-related treatment and care, and that it is the responsibility of the patient to use the device for these specific purposes only.

Response: We did not propose a condition that the telehealth technology be necessary for the provision of telehealth services and are not finalizing such a condition. As explained above, we are also not finalizing a condition that requires a good faith determination that the individual to whom the technology is furnished does not already have the necessary telehealth technology. We emphasize telehealth technology is not protected unless the technology is provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.

We are not finalizing the condition that would require the person who furnishes the telehealth technologies to take reasonable steps to limit the use of the telehealth technologies by the individual to the telehealth services described on the Medicare telehealth list. We agree with the commenter that there may be practical and operational challenges with such a requirement. Additionally, the combinations of safeguards finalized in this rule appropriately protect against potential fraud and abuse and this condition, which we considered in the OIG Proposed Rule, is not necessary.

Comment: A commenter expressed support for our proposal to interpret “telehealth services related to the individual’s [ESRD]” to mean telehealth services paid for by Medicare Part B because the proposal ensures that all Part B telehealth services are treated consistently by defaulting to the statutory definition for telehealth services. Another commenter suggested that we clarify that, in order to qualify for protection under the exception, the telehealth technologies must be used for the Part B clinical assessment and also may be used for additional clinical support and patient monitoring directly related to the ongoing ESRD care.

Many other commenters urged us not to adopt this interpretation, asserting that it was too narrow. Commenters noted that patients with ESRD could benefit from telehealth services that might not be covered by Part B—including patient education, dietary counseling, and monitoring vital signs—that may assist with managing comorbidities (which may or may not be related to the patient’s ESRD) and preventing further progression of kidney disease. A commenter stated that while the care provided via telehealth technologies should be primarily related to the management of ESRD, dialysis providers are well-suited to treat the “whole person” with the assistance of telehealth technologies. The commenter sought to provide telehealth technologies that might support virtual ESRD management (e.g., nurse assessment, social worker support, dietician care), as well as telehealth technologies that may address ESRD-related issues and comorbidities possibly included in value-based care models (e.g., fistula evaluation and specialty visits for comorbidity management). Commenters also asserted that protecting a broader range of telehealth services would further the Department’s goal of encouraging care coordination and Congress’ intent in enabling in-home dialysis. Some commenters asserted that the statute does not require limiting the telehealth services to those paid for by Medicare Part B. A commenter also noted that payment for ESRD services under Medicare Part B is through a bundled payment and it is therefore impossible to have the technology tied to any particular reimbursed service.

Response: We are not finalizing our proposed interpretation of “telehealth services related to the individual’s [ESRD]” to mean telehealth services paid for by Medicare Part B. We did not propose regulatory text to implement this interpretation, and therefore, are not making corollary modifications to the regulatory text. We explain in more detail below that we broadly interpret the term “telehealth services” to apply a wide range of services that are provided with telehealth technologies. However, we are not adopting a specific definition of “telehealth services” for this exception. We provide additional explanation about our interpretation of the term “telehealth services” below.

We agree with commenters that section 1128A(i)(J)(6) of the Act does not limit telehealth services to those paid for by Medicare Part B. The definition of “telehealth technologies” in section 1128A(i)(6)(J) and the term “telehealth services” in 1128A(i)(6)(J)(ii) are not limited to related definitions in Medicare. The statute provided the Secretary flexibility to interpret these terms differently than the Medicare definitions in Title XVIII of the Act.

Consistent with the statutory exception and for the purpose of this exception, we are not limiting the term “telehealth services” to those that would be paid for by Medicare Part B. We recognize that this means providers, physicians, and renal dialysis facilities will have flexibility to determine whether telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s ERSD. The limited nature of the exception and the other safeguards appropriately limit the risk of fraud and abuse. For example, one risk of inappropriate beneficiary inducements is that they will lead to a practitioner providing medically unnecessary services to the patient. The limited nature of this exception mitigates that risk (e.g., this exception is limited to Medicare Part B beneficiaries receiving in-home dialysis). It is unlikely that a beneficiary could be induced to receive medically unnecessary in-home dialysis to receive free telehealth technologies. In-home dialysis is invasive treatment and requires significant up-front training.

Additionally, under the same sections the beneficiary must be receiving in-home dialysis paid for by Medicare Part B. That mitigates and provides additional protection against providers, physicians, and renal dialysis facilities that seek to use telehealth technologies to induce and bill for medically unnecessary telehealth services related to the patient’s ESRD condition. If the provider is seeking to bill Medicare for telehealth services that use telehealth technologies protected by this exception, those services must meet all Medicare requirements, including medical necessity. This exception does not affect Medicare requirements for ESRD services or telehealth services. Furthermore, billing for medically unnecessary telehealth services is not protected by this exception and such conduct would implicate criminal and civil health care fraud statutes. Therefore, this exception does not need to link the term “telehealth services” to those paid for by Part B as an additional safeguard for the purposes of this exception. To the contrary, we agree with commenters that limiting telehealth services to services currently paid for by Medicare Part B would unnecessarily limit the utility of the exception to support patients’ ESRD care and use of home dialysis. To the extent that the telehealth services are not billable to Medicare, there is reduced risk that free telehealth technology is being offered as an inducement for billable services.

We are not finalizing a definition of “telehealth services” specific for this exception. Instead, we are providing an interpretation of the term in the preamble of this rule. The exception protects the provision of a broad range of telehealth technologies, as we explained above in the discussion of that definition. If we were to limit the term to telehealth services paid for by Medicare Part B, then the types of technology would be limited to those identified in section 1834(m) of the Act and 42 CFR 410.78 (i.e., audio and video equipment permitting two-way, real-time interactive communication). Similarly, if we were to define “telehealth services,” we might inadvertently limit the scope of the telehealth technologies definition that is intended to be broad.

As stated previously, we intend for this exception to apply to all types of telehealth technology that are provided for the purposes of furnishing distant or remote services through various modalities. At a minimum, such services include the following types covered by Medicare: Telehealth services, virtual check-in services, e-visits, remote care management, and remote patient monitoring. To receive protection, telehealth technologies do not need to be provided for the purpose of furnishing a payable Medicare service related to the individual’s end-stage renal disease.

To provide additional examples, this exception would protect telehealth technology provided for the purpose of furnishing the following types of telehealth services raised by commenters as long as the arrangement meets all conditions of the exception: Virtual ESRD management (e.g., nurse assessment, social worker support, dietician care), patient education, dietary counseling, and monitoring vital signs. Other services not listed here may also be considered telehealth services for the purposes of this exception based on the facts and circumstances of the care being provided. Accepted clinical and care practices for use of telehealth, physician judgment, and patient and caregiver needs and preferences with respect to modalities would be relevant considerations in assessing the telehealth services under this specific condition. This exception provides significant flexibility to providers, physicians, and renal dialysis facilities to assess how telehealth technologies can be provided to support a wide range of telehealth services related to an individual’s ESRD.

Again, this exception does not change the coverage or payment requirements related to the provision of these services or submitting claims for reimbursement. Even though this exception may protect a physician, provider, or renal dialysis facility from CMP liability for providing a patient telehealth technology for the purpose of furnishing telehealth services, that does not mean the physician, provider, facility, or any other individual or entity can bill for those services.

The other limitation in this condition is that the telehealth technologies be provided for the purposes of furnishing telehealth services related to the individual’s ESRD. In response to commenters who recommended that this include telehealth services that address ESRD-related issues and comorbidities, we agree that this language is not specifically limited to ESRD. We recognize that patients with ESRD are likely receiving care for comorbidities that affect their ESRD. It would be difficult to define in this Beneficiary Inducement CMP exception criteria that a provider, physician, or renal dialysis facility could apply to assess whether a telehealth service is or is not related to an individual’s ESRD. We believe the appropriate approach is to give health care providers flexibility to make this determination reasonably based on the specific facts and circumstances of the patient’s condition and telehealth services furnished to care for such condition. Although not required, we believe it would be a best practice for the donor to document contemporaneously how the telehealth services relate to the individual’s ESRD care, such as to management of care, monitoring of health, or treatment, potentially including reference to appropriate clinical or other relevant health or patient-reported indicators.

Furthermore, we note that several other exceptions and safe harbors may apply to certain items and services for which commenters sought protection under this exception, depending on the facts and circumstances, such as the patient engagement and support safe harbor finalized in this rule at 42 CFR 1001.952(hh) and the exception to the definition of “remuneration” under the Beneficiary Inducements CMP for certain remuneration that poses a low risk of harm and promotes access to care, 42 CFR 1003.110.

f. Ownership and Retrieval of Technology

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we considered and sought comment on a condition that would require the provider or facility to retain ownership of any hardware and make reasonable efforts to retrieve the hardware once the beneficiary no longer needs it for the permitted telehealth purposes.

Summary of Final Rule: After a consideration of relevant comments, we are not finalizing this condition.

Comment: Many commenters on this topic expressed support for the overall concept of requiring the provider or facility to retain ownership and make reasonable efforts to retrieve the hardware once the beneficiary no longer needs it. Some commenters did not support a requirement that the provider or facility retain ownership. Some of these commenters noted that the concept of ownership in this context may be rendered moot because the useful life of the device may expire during the period of use by the patient. Some commenters also questioned the utility of requiring retrieval of items that are no longer state-of-the-art or otherwise have minimal value. Many commenters also expressed concern regarding the administrative burden associated with tracking and monitoring compliance with a retrieval requirement.

Many commenters on this topic described potential scenarios in which technology may be provided to a patient who then ceases to need it (e.g., the patient receives a transplant). In these circumstances, commenters were generally supportive of requiring the provider or facility to retrieve the technology. Several commenters supported requiring “reasonable efforts” to retrieve the hardware in circumstances when it will not harm the patient, with exceptions for circumstances when retrieval is impractical, the hardware has greatly reduced utility or value, or the patient has died. A commenter also asserted that if the hardware is provided in such a way that the use is limited to telehealth services, it will not provide substantial independent value to the beneficiary, and thus the failure to retrieve after reasonable recovery efforts does not create meaningful inducement risks.

Response: We are not finalizing a requirement that a provider, physician, or facility retain ownership of the technology. We also are not finalizing a retrieval requirement. We note that the condition that the telehealth technologies be provided to an individual with ESRD and who is receiving home dialysis for which payment is being made under Medicare Part B would necessitate termination of technology services (e.g., recurring monthly data plan fees or applications that require ongoing subscription fees) if the individual is no longer receiving home dialysis payable by Medicare Part B. Likewise, technology services would need to be terminated if the patient is no longer using them for ESRD-related telehealth services. Further, the exception does not protect sham donations of technology given to individuals to keep indefinitely.

g. Prohibition on Cost-Shifting

Summary of OIG Proposed Rule: We proposed to require as a condition of protection under the exception that the provider of services or a renal dialysis facility not separately bill Federal health care programs, other payors, or individuals for the telehealth technologies, claim the costs of the telehealth technologies as a bad debt for payment purposes, or otherwise shift the burden of the costs of the telehealth technologies to a Federal health care program, other payors, or individuals.

Summary of Final Rule: We are not finalizing this condition.

Comment: Commenters expressed support for the proposed prohibition on cost-shifting. No commenters expressed opposition.

Response: Upon consideration of the combination of safe harbor conditions implemented by this final rule, we are not finalizing the proposed cost-shifting prohibition. We have concluded that the combination of final conditions and the limited-nature of this statutory exception will adequately protect against fraud and abuse risks, and an additional safeguard related to cost-shifting is not necessary.

We proposed the cost-shifting condition to protect against the telehealth technologies resulting in inappropriately increased costs to Federal health care programs, other payors, and patients. However, we do not want to exclude arrangements from this exception that involve furnishing telehealth or other service to the ESRD patient receiving in-home dialysis and that are also billable to Medicare. We recognize that those services, as long as applicable Medicare rules are met, may appropriately result in Medicare paying for costs of certain telehealth technologies or an appropriate increase in certain Medicare costs.

We did not intend to suggest any limit on appropriate billing of Federal health care programs or other payors for medically necessary items and services furnished in connection with telehealth technologies provided to ERSD patients receiving in-home dialysis. If a provider furnishes items or services that are covered as part of a Federal health care program, the provision of those items or services alone would not implicate the Federal anti-kickback statute at all. However, there could be circumstances under which a provider, when furnishing covered items or services, does give a Federal health care program beneficiary something of value, or remuneration, thereby implicating the Federal anti-kickback statute. For example, the Federal anti-kickback statute would be implicated by a provider waiving or reducing any required cost-sharing obligations for the covered items and services incurred by a Federal health care program beneficiary or providing “extra” items and services—that is, that are not part of the covered item or service—for free. Furthermore, nothing in this rule exempts parties from responsibility for compliance with all applicable coverage and billing rules.

Additionally, this final exception covers a wider range of telehealth technologies used to support the furnishing of telehealth services than types of technology used to provide Medicare Part B covered “telehealth services.” There may be other Medicare covered services that would cover the costs of telehealth technologies, as defined in this exception, as part of a service provided to a beneficiary receiving in-home dialysis. For example, the remote patient monitoring services described by the chronic care remote physiologic monitoring family of codes are covered by Medicare Part B but are not “telehealth services” within the meaning of the Medicare statute. However, remote patient monitoring technologies would meet the definition of “telehealth technologies” in this final exception.

h. Other Potential Safeguards

i. Consistent Provision of Telehealth Technologies

Summary of OIG Proposed Rule: The OIG Proposed Rule considered several other potential conditions for this exception, including prohibiting providers and renal dialysis facilities from discriminating in the offering of telehealth technologies. We solicited comments on this potential safeguard and whether it would limit the ability of providers and facilities to offer technologies due to the potential cost of furnishing the technology to all qualifying patients rather than a small subset. We also solicited comments on why offering technology to a smaller subset of qualifying patients might be appropriate and not increase the risk of fraud and abuse.

Summary of Final Rule: We are not finalizing this condition.

Comment: A few commenters supported some form of a nondiscrimination standard as appropriate. On the other hand, several commenters raised concerns regarding a possible condition to the exception requiring that a provider or facility provide the same telehealth technologies to any Medicare Part B patient receiving in-home dialysis, or to otherwise consistently offer telehealth technologies to all patients, including that the uniform provision of telehealth technologies would be cost-prohibitive for many providers and facilities and could result in their decision not to offer any telehealth technologies. Several commenters encouraged us to adopt more flexible standards that would allow the provider or facility to exercise discretion in offering telehealth technologies to ensure that the patients to whom they offer the technologies are most likely to benefit from them.

At least one of these commenters suggested that providers and facilities be permitted to provide telehealth technologies differentially to patients based on clinical risk assessments, clinical appropriateness determinations from the patient’s physician, or other clinical or means-based criteria, with another commenter noting that it is common for providers and payors to focus interventions on higher risk or higher cost patients. A dialysis provider specified that they would like the exception to protect the deployment of certain technologies, such as remote monitoring or wearable devices, to specific patient populations that may have higher assessed clinical risk, such as patients that have experienced a recent hospitalization event.

Other commenters supported the approach of requiring providers or facilities to consistently offer telehealth technologies to all patients satisfying specified, uniform criteria, and a commenter requested that we make clear that a provider or facility would have flexibility to establish criteria under which only a subset of patients would be offered telehealth technologies. A commenter noted that legitimate criteria may include for example patient mobility, access to transportation options, financial status, and health condition. A commenter suggested that we identify and carve out criteria that would not be appropriate, such as the patient’s payor or provider.

A dialysis provider encouraged OIG to ensure flexibility to provide and customize certain telehealth technology offerings to patients based on for example means-based or rural location needs, and to allow for changes resulting in the development of new technology. The commenter noted that the availability and cost of data plans and devices with wireless cellular service may vary from location to location, and thus a requirement to furnish the same telehealth technologies to all patients may not be feasible.

Response: We appreciate the comments that explain why providing the same telehealth technologies to any Medicare Part B eligible patient receiving in-home dialysis may be impractical or impossible, and we are not finalizing that condition. We also are not finalizing a condition that would require providers, physicians, and facilities to consistently offer telehealth technologies to all patients satisfying specified, uniform criteria. As stated in section III.C.1.a above, this is a narrow statutory exception to the Beneficiary Inducement CMP. Because the exception finalized here is only available to established patients who are receiving specific services paid for by Medicare Part B, the potential for fraud and abuse is reduced.

We recognize that patient need for technology may vary based on location, availability of transportation, financial status, diagnosis and treatment plan, or other legitimate and appropriate factors. We believe the donor is in the best position to identify whether provision of the technology is appropriate only to a subset of patients receiving in-home dialysis paid for by Medicare Part B. We are providing additional flexibilities to donors to determine which beneficiaries receive telehealth technologies by not finalizing this condition. The risk of fraud and abuse associated with selectively deciding which patients receive telehealth technologies is mitigated by other conditions finalized in this rule (e.g., telehealth technologies are protected only if provided to beneficiary already receiving in-home dialysis). Additionally, providers, physicians, and facilities must still meet Medicare requirements for services provided to the beneficiary; they cannot bill for medically unnecessary services. Schemes to submit false claims would implicate other criminal and civil fraud statutes and would not be protected by this exception to the Beneficiary Inducement CMP.

Comment: Several commenters encouraged us to adopt a standard that allows for providing technology on an as-needed basis, recognizing that some patients may choose not to have telehealth services and some patients may prefer to use their own technology. Other commenters encouraged us to ensure patients retain the right to choose whether to participate in telehealth services or utilize telehealth technology.

Response: The design of the final rule allows providers to take into account patient choice and preferences. We are not finalizing a condition that would have required physicians, providers, and facilities to provide telehealth technologies in accordance with specified criteria applied uniformly. We agree with commenters that patient choice is paramount, and the decision to select a home dialysis modality or telehealth services related to the patient’s ESRD rests with the patient. Patients are under no obligation to dialyze in the home or to receive telehealth services, notwithstanding the availability of telehealth technologies. We emphasize that protected telehealth technologies cannot be offered as part of an advertisement or solicitation, nor should offers of free telehealth technology be made for the purpose of persuading patients to make clinical decisions about treatment modalities. In such cases, the telehealth technologies are not being provided for the purpose of furnishing telehealth services as required by the statute and this exception.

ii. Notice to Patients

Summary of OIG Proposed Rule: In the OIG Proposed Rule, we stated that we were considering adding a condition that would require providers or facilities to provide a written explanation of the reason for the technology and any potential “hidden” costs associated with the telehealth services to any patient who elects to receive telehealth technology. We considered this condition in response to concerns raised in comments submitted in response to the OIG RFI ^[158] that patients may be confused by the technology or the reason they are receiving a piece of technology and may be unaware of costs associated with telehealth services. We sought comment on these perceived risks to patients, whether to include a written notice requirement in the final rule and, if so, what that notice should state.

Summary of Final Rule: For the reasons stated below, we are not finalizing this requirement.

Comment: Most commenters on this topic supported the principle of providing information to patients, but commenters disagreed as to whether we should adopt a formal notice requirement as a standard for meeting the exception. Some commenters asserted that there was no need for a formal notice requirement as a condition of the exception because this type of communication should be a part of the normal physician-patient relationship. Others stated that conveying this type of information is the current standard of medical practice for home dialysis patients. Other commenters supported having a formal notice requirement as a condition of the exception, emphasizing the need to ensure patients have a clear and transparent understanding of the care they are receiving and the costs of such care. A commenter requested that OIG provide a sample of any required notice.

Response: We agree that patients need to have a clear understanding of the care they are receiving and the costs of such care. However, we also agree with commenters that this information should be conveyed through the physician-patient relationship or in the normal facility-patient communications for patients dialyzing at home. We are not finalizing any notice requirement as part of the exception. Parties are free to provide written notice explaining the reason for the technology and any potential costs associated with the telehealth services if they so choose.

iii. Patient Freedom of Choice

Summary of OIG Proposed Rule: The OIG Proposed Rule considered a condition to the telehealth technologies exception designed to preserve patient freedom of choice among health care providers and the manner in which a patient receives dialysis services (i.e., in-home or in a facility). Specifically, we considered adding a condition to the exception that would require offerors of telehealth technologies to advise patients when they receive such technology that they retain the freedom to choose any provider or supplier of dialysis services and receive dialysis in any appropriate setting.

Summary of Final Rule: As explained below, we are not finalizing this requirement.

Comment: Several commenters, while supportive of patient autonomy and ensuring that patients are aware of the right to choose practitioners, providers, suppliers, and dialysis modalities, disagreed with additional documentation requirements related to informing patients of these rights for a number of reasons. For example, one commenter suggested that patients may not wish to receive this information. The commenter advocated instead for broader protections for freedom of choice, such as a prohibition on restricting referrals. Other commenters highlighted the administrative burden of additional documentation. Commenters stated that notice already is part of the provider and patient relationship, noting that for certain facilities any additional documentation requirement would be duplicative of the notice requirements found in the ESRD Conditions for Coverage (CFCs). A commenter requested a carve-out for facilities that meet the requirement under the CFCs. A commenter asserted that it would not add sufficient value that outweighs the burden of providing a written explanation of the reason for the technology and any potential “hidden” costs associated with the telehealth services to any patient who elects to receive telehealth technology.

Other commenters supported the proposed requirement and asserted that patients should be informed that they have the choice whether to use technologies and that their choice will not in any way influence the care to which they are entitled. Another commenter suggested that this should be standard information given to patients receiving ESRD-related care, regardless of the treatment modality they use. The commenter shared a concern raised that some patients may be persuaded to opt for telehealth services due to generous telehealth technologies and services being offered rather than clinical appropriateness, and believes this step could prevent any such inappropriate care from occurring. One commenter proposed to further clarify that the patient notice or patient consent for use of telehealth technologies include that the patient is not required to utilize or accept the provision of such technologies.

Response: We are not finalizing this condition because we believe in part that existing laws are better suited to protecting patient freedom of choice and the patient’s best interest than a statutory-based exception to the Beneficiary Inducement CMP, including those discussed by the commenters. Furthermore, discussion of clinical appropriateness of in-home dialysis and telehealth services related to a patient’s ESRD is inherent in the physician-patient relationship or facility-patient relationship, which serves first-and-foremost to protect the patient’s best interest and preserve patient choice. The condition finalized at paragraph (10)(i) in 1003.110 limits the offer or furnishing of telehealth technologies to a patient that initiates contact with the provider, facility, or physician to schedule an appointment or other service also supports patient autonomy, and marketing is not allowed by the condition at paragraph (10)(ii) in 1003.110. These conditions will help preserve a patient’s choice to select any provider, physician, or facility without inappropriate influence from such entities.

Comment: A commenter supported informing recipients of their freedom to choose any provider or supplier of dialysis services but requested clarification regarding whether telehealth technologies furnished to certain in-home dialysis patients would also be covered under the exception to the definition of “remuneration” for items or services that promote access to care and pose a low risk of harm to Federal health care programs at 1128A(i)(6)(F) of the Act.

Response: As stated above, we believe existing laws are better suited to protecting patient freedom of choice and nothing in this rule limits patient’s freedom of choice. As we stated in the OIG Proposed Rule, the provision of telehealth technologies might qualify for protection under other existing exceptions or safe harbors. Whether a particular arrangement for the provision of telehealth technologies meets the requirements of, for example, the exception for arrangements that promote access to care and poses low risk of harm at 1128A(i)(6)(F) of the Act (and the corresponding regulatory exception at 42 CFR 1003.110) is a fact-specific analysis beyond the scope of this rulemaking. We note that parties are also free to request an OIG advisory opinion.

iv. Materials and Records Requirement

Summary of OIG Proposed Rule: We did not propose a condition related to the development or retention of materials and records or another documentation requirement but solicited comments on the fraud and abuse risks presented by not including such a condition in this exception.

Summary of Final Rule: We are not finalizing a materials and records retention requirement.

Comment: Commenters agreed with our approach to omit a materials and records or other documentation requirement. A commenter noted that this approach reduces unnecessary administrative burden. Another commenter pointed to other documentation requirements required by law, highlighting that these obviate the need for a documentation requirement in this exception.

Response: We agree that omitting a documentation requirement for this exception may reduce administrative burden for donors of telehealth technologies. We believe that in the case of telehealth technologies provided to individuals with ESRD under this exception, the absence of a documentation requirement does not materially impact the attendant fraud and abuse risks. We note, however, that while this exception is voluntary, parties that rely on it have the burden of demonstrating that all the conditions are met. Maintaining documentation that the provision of telehealth technologies satisfies the exception’s conditions may be prudent for compliance purposes.

a. Other Offerors

Comment: Several commenters stated that free and charitable clinics and charitable pharmacies, especially in rural areas, rely on the use of telehealth technologies to provide access to specialty care to uninsured and medically underserved patients. The commenters posited that eliminating barriers to allow free and charitable clinics and charitable pharmacies to furnish telehealth technologies to patients without implicating the physician self-referral law or the Federal anti-kickback statute would enhance their ability to serve the target population of uninsured and medically underserved. The commenters suggest that expanded access to telehealth technologies would enhance health equity and care coordination, specifically for those who are uninsured and in rural areas. Another commenter was supportive of the exception and suggested expansion to allow for the provision of telehealth technologies by behavioral health providers.

Response: We appreciate the commenters’ suggestion that telehealth technologies may benefit a broader range of patients. Charitable clinics or charitable pharmacies that meet the conditions in paragraphs (10)(i) and (ii) (e.g., a provider, physician, or renal dialysis facility that is currently providing the in-home dialysis, telehealth services, or other end-stage renal disease care to the patient or has been selected or contacted by the individual to schedule an appointment or provide services) may be eligible to protect the provision of telehealth technologies under this exception. Such a determination must be based on the facts and circumstance of the specific clinic or pharmacy, and whether the provision of the telehealth technology meets all conditions of the exception.

We note that several other exceptions and safe harbors may apply to the provision of telehealth technologies to patients, depending on the facts and circumstances, such as the patient engagement and support safe harbor, finalized in this rule at 42 CFR 1001.952(hh), and the exception to the definition of “remuneration” under the Beneficiary Inducements CMP for certain remuneration that poses a low risk of harm and promotes access to care, found at 42 CFR 1003.110.

j. Recipient

Comment: A commenter stated that it is critical to ensure that the provision without charge of these same technologies to nephrologists and other treating physicians of home dialysis patients is permissible under anti-kickback statute. The commenter highlighted that every dialysis patient is required to have an attending nephrologist, and the nephrologist is the only individual who is part of the required care team who is not otherwise employed by the dialysis provider. Accordingly, the commenter urged us to clarify that the dialysis provider can also provide members of the care team who are not employed by the dialysis provider with the technology and software necessary to accommodate telehealth for dialysis patients.

Response: We appreciate the commenter’s concerns, but the commenter’s recommendations are outside the scope of the statutory exception we codify here, which is an exception to the definition of “remuneration” under the Beneficiary Inducements CMP. Specifically, the regulatory exception we finalize here implements the corresponding statutory exception in section 50302 of the Budget Act of 2018, which protects the provision of telehealth technologies “to an individual with end-stage renal disease. . . .” This exception does not protect remuneration between a dialysis provider and other members of a patient’s care team. As the commenter notes, remuneration among and between providers and practitioners may implicate the Federal anti-kickback statute. Parties seeking to protect such arrangements may seek protection under a safe harbor, such as the care coordination arrangements safe harbor finalized in this rule at 1001.952(ee). Parties are also free to request an advisory opinion pursuant to 42 CFR 1008 et seq. related to the facts and circumstances described in this comment.

Comment: A commenter requested clarity regarding situations in which technologies provided to beneficiaries could also result in potential indirect benefits to other providers who may be in a referral source relationship with the donor of the telehealth technologies, including in the context of an integrated care delivery system.

Response: We appreciate the commenter’s concern. The Federal anti-kickback statute is a criminal statute that serves as an important sanction against fraud when parties intentionally offer or pay kickbacks to influence referrals. Any indirect benefit to a provider who may be a referral source for a donor would need to be analyzed under the Federal anti-kickback statute which, as explained above, is outside the scope of the statutory exception to the Beneficiary Inducements CMP that we codify here. As a matter of law, arrangements that fit in an exception to the Beneficiary Inducements CMP are not automatically protected from liability under the Federal anti-kickback statute. Parties seeking to protect remuneration implicating the Federal anti-kickback statute should assess arrangements to determine if the arrangement qualifies for protection under a safe harbor.

IV. Provisions of the Final Regulation

This final rule incorporates the regulations and amendments we proposed in the OIG Proposed Rule, but with changes to the regulatory text. In this final rule, we modify existing as well as add new safe harbors pursuant to our authority under section 14 of the Medicare and Medicaid Patient and Program Protection Act of 1987 by specifying certain payment practices that will not be subject to prosecution under the Federal anti-kickback statute. We also codify into our regulations a statutory safe harbor for patient incentives offered by ACOs to assigned beneficiaries under ACO Beneficiary Incentive Programs and a statutory exception to the definition of “remuneration” in 42 CFR 1003.110 for certain telehealth technologies furnished to in-home dialysis patients.

The following is a list of the safe harbors and the exception that we are finalizing: Modifications to the existing safe harbor for personal services and management contracts at 42 CFR 1001.952(d); modifications to the existing safe harbor for warranties at 42 CFR 1001.952(g); modifications to the existing safe harbor for electronic health records items and services at 42 CFR 1001.952(y); modifications to the existing safe harbor for local transportation at 42 CFR 1001.952(bb); a new safe harbor for care coordination arrangements to improve quality, health outcomes, and efficiency at 42 CFR 1001.952(ee); a new safe harbor for value-based arrangements with substantial downside financial risk at 42 CFR 1001.952(ff); a new safe harbor for value-based arrangements with full financial risk at 42 CFR 1001.952(gg); a new safe harbor for arrangements for patient engagement and support to improve quality, health outcomes, and efficiency at 42 CFR 1001.952(hh); a new safe harbor for CMS-sponsored model arrangements and CMS-sponsored model patient incentives at 42 CFR 1001.952(ii); a new safe harbor for cybersecurity technology and related services at 42 CFR 1001.952(jj); a new safe harbor for accountable care organization (ACO) beneficiary incentive program at 42 CFR 1001.952(kk); and an exception for telehealth technologies for in-home dialysis at 42 CFR 1003.110.

V. Regulatory Impact Statement

As set forth below, we have examined the impact of this final rule as required by Executive Order 12866, the Regulatory Flexibility Act (RFA) of 1980, the Unfunded Mandates Reform Act of 1995, Executive Order 13132, and Executive Order 13771. In section A, we provide an overview of our analysis of the impact of this final rule. We also provide additional supporting analysis in section F.

Summary of OIG Proposed Rule: We determined that the aggregate economic impact of the proposals would be minimal and would have no effect on the economy or on Federal or State expenditures. We also determined that the proposals would not significantly affect small providers. Further, we determined that the rule was neither regulatory nor deregulatory under Executive Order 13771.

Summary of Final Rule: We are finalizing the determinations set forth in the OIG Proposed Rule except for the determination under Executive Order 13771. Here we explain that this final rule is a deregulatory action under Executive Order 13771. In addition, we provide additional explanation about our determinations here.

A. Overview of Analysis

By making available the new protections established in this final rule, we expect health care industry stakeholders will realize increased flexibility and legal certainty when entering into value-based, care coordination, and other arrangements that have the potential to reduce Federal health care program expenditures and improve the quality of care without sacrificing program integrity. However, we are unable to quantify—with certainty—the overall aggregate impact or effect on small providers related to changes in industry behavior that we can reasonably expect following the effective date of this final rule. Even so, we believe that our final policies are reasonably likely to permit, if not encourage, behavior that will reduce waste in the U.S. health care system, including Medicare and other Federal health programs, and that these changes will result in lower costs for both patients and payors, and generate other benefits, such as improved quality of patient care and lower compliance costs for providers and suppliers. Below we describe: (1) The need for new and modified safe harbors and exceptions; (2) an overview of the estimated impact of the final rule; (3) anticipated outcomes of the final rule; (4) expanded protections under the final rule and examples of anticipated arrangements; (5) anticipated beneficial impact of value-based, care coordination, and patient engagement and support arrangements; (6) anticipated beneficial impact of the new safe harbor for cybersecurity technology and services; and (7) anticipated costs.

1. Need for New and Modified Safe Harbors and Exceptions

The Federal anti-kickback statute provides for criminal penalties for whoever knowingly and willfully offers, pays, solicits, or receives remuneration to induce or reward, among other things, the referral of business reimbursable under any of the Federal health care programs, including Medicare and Medicaid. Health care providers and others may voluntarily seek to comply with safe harbors so that they have the assurance that their business practices will not be subject to any Federal anti-kickback enforcement action. Compliance with an applicable safe harbor insulates an individual or entity from liability under the Federal anti-kickback statute. Parties may use any applicable safe harbor into which they can squarely fit.^[159] However, failure to fit in a safe harbor does not mean that an arrangement violates the law.

The Beneficiary Inducements CMP provides for the imposition of civil monetary penalties against any person who offers or transfers remuneration to a Medicare or State health care program (including Medicaid) beneficiary that the benefactor knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program (including Medicaid). Compliance with an applicable exception to the definition of “remuneration” under the Beneficiary Inducements CMP or compliance with an exception or safe harbor to the Federal anti-kickback statute protects such practice from liability under the Beneficiary Inducements CMP.

In many cases, emerging coordinated care and value-based delivery and payment arrangements, which encourage functional integration and coordination between and among providers and other industry stakeholders, often using financial incentives, may not fit easily or at all under current safe harbors to the Federal anti-kickback statute, exceptions to the Beneficiary Inducements CMP, or both. Many value-based and care coordination arrangements also rely on improving patient engagement in care through tools or supports (e.g., free or reduced-cost technology, free local transportation services), potentially implicating both the Federal anti-kickback statute and the Beneficiary Inducements CMP. Such tools or supports may not fit easily (or at all) under existing safe harbors to the Federal anti-kickback statute or exceptions to the definition of “remuneration” under the Beneficiary Inducements CMP.

Public stakeholders have asserted—through comments to both the OIG RFI and OIG Proposed Rule, as well as other public forums—that this lack of clear legal protection has a chilling effect on the development of effective care coordination arrangements, value-based arrangements, and arrangements engaging or supporting patients. As a consequence, this final rule provides greater certainty and protection for care coordination arrangements, value-based arrangements, patient engagement tools and supports, and other beneficial arrangements from potential liability under the Federal anti-kickback statute and Beneficiary Inducements CMP (as applicable), if the arrangements are properly structured to satisfy an applicable safe harbor’s or exception’s conditions (as applicable).

2. Overview of Estimated Impact of the Final Rule

There is not enough available information to estimate this final rule’s effect on the economy, Federal or State expenditures, or small providers. In other words, we are not able to provide quantitative estimates of savings to or expenditures for the Federal health care programs, providers, and others that will result from this final rule. More specifically, we lack a basis for determining the scope and magnitude of financial arrangements for which parties may seek safe harbor protection.

We lack a basis for making any quantitative estimates for the following reasons. First, we cannot estimate how many providers and other industry stakeholders will enter in value-based and care coordination arrangements or other arrangements protected by these final safe harbors and exception. This is in part because using and complying with the safe harbors and exception to the definition of “remuneration” under the Beneficiary Inducements CMP finalized here are voluntary. Indeed, providing remuneration in the context of a care coordination arrangement and engaging Federal health care program beneficiaries through the provision of tools and supports are voluntary as well. Stated otherwise, parties are not required either to enter into financial relationships that implicate the Federal anti-kickback statute and Beneficiary Inducements CMP, or to structure any financial relationships that implicate these statutes to satisfy a safe harbor or exception, as applicable. Failure to satisfy a safe harbor or exception, as applicable, does not mean that an arrangement is illegal under the Federal anti-kickback statute or Beneficiary Inducements CMP. Parties are free to conduct financial arrangements that do not fit within the protections set forth in these final regulations provided that they otherwise comply with the law. Further, while parties often use safe harbors and exceptions as tools to structure compliant arrangements, parties may also wait to assert compliance with a safe harbor as a defense should the Government bring an enforcement action. For this reason, it is further difficult to estimate usage of these regulations.

Second, while we can provide examples—as noted below—of arrangements we believe health care industry stakeholders may enter into under the protection of these final safe harbors and exception, we cannot predict the form of all of the arrangements, nor which industry stakeholders will enter into what form of arrangements. More specifically, based on comments submitted by stakeholders, our understanding of currently existing value-based and care coordination arrangements, and our assumption that there will be continued innovation, we expect significant heterogeneity in value-based and care coordination arrangements that seek protection under these safe harbors and exception. Applying a “conceptual framework” developed by RAND Corporation in an assessment of value-based programs illuminates how the attributes of value-based care and care coordination arrangements could vary across the industry, making any basis for quantitative estimates regarding the impact of the regulatory flexibilities set forth in this final rule highly speculative.^[160]

In particular, the RAND conceptual framework highlights how various aspects of the arrangements for which parties may seek safe harbor and exception protection could differ, including: (1) Overarching program design features with respect to the value-based arrangement (e.g., measures, incentive structure, targets for incentives, and quality improvement support and resources); (2) the characteristics of the providers and the settings in which they practice, including whether or not the providers are employees, as well as the characteristics of other parties to the arrangement; and (3) external factors (e.g., other payment policies, other quality initiatives, consumer behavior, market characteristics, and regulatory changes) that can enable or hinder any response to the incentive. In addition, we expect wide variation in the patient populations served and their particular needs with respect to care coordination and tools and supports. To provide an example related to external factors, whether a provider might need to use the patient engagement and support safe harbor (paragraph 1001.952(hh)) may depend on whether the beneficiary’s Federal health care program covered the desired tool and support. An arrangement for the provision of digital technology that is a covered item or service, when provided in accordance with coverage and payment rules, does not likely require safe harbor protection and additional regulatory flexibility in this final rule. On the other hand, an arrangement for the provision of noncovered tools and supports for free to a Federal health care program beneficiary likely implicates the Federal anti-kickback statute and may implicate the Beneficiary Inducements CMP, may need safe harbor protection, and would benefit from such flexibility. Variation in coverage and payment rules and changes in such rules over time impact the analysis of the application of the statutes to arrangements and whether parties would seek to use the final regulations.

In sum, any estimation of behavioral change—and any resulting increases or decreases in costs to Federal or State health care programs, providers and other stakeholders, or patients—would be highly speculative and too uncertain to be appropriately quantifiable. While we cannot gauge with certainty savings or costs that may result from this final rule, the rule reflects our effort to remove barriers impeding wider adoption of beneficial care coordination and value-based arrangements identified by stakeholders, while prohibiting arrangements that would improperly increase utilization, promote anti-competitive behavior, or result in fraud or abuse. Below we elaborate on the intended and anticipated beneficial outcomes related to the final rule as well as some potential costs.

3. Anticipated Outcomes of the Final Rule

We can reasonably predict, however, that the final rule likely will result in changes to stakeholder behavior. The rule may increase providers’ or others’ participation in beneficial value-based, care coordination, patient engagement and support, and other arrangements to the extent that providers or others have been concerned that such arrangements would otherwise implicate the Federal anti-kickback statute and Beneficiary Inducements CMP. In this regard, and with respect to the intended outcomes and benefits related to this final rule, we anticipate that the policies in this final rule may: (1) Remove barriers to robust participation in beneficial value-based health care delivery and payment systems, including those administered by CMS and non-Federal payors; (2) facilitate arrangements for beneficial patient care coordination among affiliated and unaffiliated health care providers, practitioners, suppliers, and others; (3) remove barriers to providing tools and supports to patients to better engage them in their care and improve health outcomes; (4) provide certainty for participants in the Medicare Shared Savings Program and Innovation Center models; (5) facilitate the continued adoption and use of electronic health records by making permanent the safe harbor for the donation of such items and services; and (6) promote more robust cybersecurity throughout the health care system. Some of the benefits that we anticipate will arise from these intended outcomes are: (1) Improved care coordination for patients, including Federal health care program beneficiaries; (2) improved quality of care and outcomes for patients, including Federal health care program beneficiaries; (3) potential reduction in compliance costs to individuals and entities to which the Federal anti-kickback statute’s and Beneficiary Inducements CMP’s prohibitions apply; (4) reduction in administrative complexity and related waste from continued progress toward interoperability of data and electronic health records; (5) protection against the corruption of or access to health records and other information essential to the safe and effective delivery of health care; and (6) reduction in impacts of cybersecurity attacks, including the improper disclosure of protected health information (PHI), and reduction in costs associated with cybersecurity attacks, including ransom payments, costs to patients whose PHI is improperly disclosed, and costs to providers, suppliers, and others to reestablish cybersecurity.

With respect to the final rule’s impact on parties currently participating in the Medicare Shared Savings Program and Innovation Center models, we have determined that this Final Rule would not significantly alter the conditions upon which such providers and suppliers operate. Such parties currently must comply with the fraud and abuse statutes and receive fraud and abuse waivers as needed for CMS to operate the Medicare Shared Savings Program and test models, as authorized by statute. Finalizing safe harbors protecting value-based arrangements, care coordination, and certain patient engagement tools and supports would not significantly alter these conditions. This is particularly true in light of the new final safe harbor for CMS-sponsored models, which is designed to streamline the current fraud and abuse waiver process and make model participation more uniform with respect to compliance with fraud and abuse laws.

4. Expanded Protections Under Final Rule and Examples of Anticipated Arrangements

As explained in greater detail in the preamble above, this final rule expands safe harbor protection under the Federal anti-kickback statute to protect the following types of arrangements that, in most cases, would not fit squarely or with certainty in existing safe harbors:

• Certain remuneration exchanged between or among eligible participants in a value-based arrangement that fosters better coordinated and managed patient care.
• Certain tools and supports furnished to patients to improve quality, health outcomes, and efficiency.
• Certain remuneration provided in connection with a CMS-sponsored model.
• Certain donations of cybersecurity technology and services.
• Certain donations of electronic health records items and services.
• Certain outcomes-based payments and remuneration in connection with part-time personal services and management contracts arrangements.
• Certain remuneration in connection with bundled warranties for one or more items and related services.
• Certain free or discounted local transportation given to Federal health care program beneficiaries.

In addition, this final rule extends protection under the Beneficiary Inducements CMP to protect certain “telehealth technologies” furnished to certain in-home dialysis patients.

Based on the Department’s experience with the Medicare Shared Savings Program and Innovation Center models, information provided by commenters on the OIG RFI and the OIG Proposed Rule, and information shared publicly by providers, suppliers, practitioners, health plans, and others, following the issuance of this final rule we reasonably expect parties may seek protection under the final safe harbors and exception such as the following:

• A hospital—in recognition that new reimbursement models may extend hospital accountability for a patient’s health beyond inpatient or outpatient care—may wish to provide recently discharged patients with free health coaching, technology that facilitates remote monitoring, a non-reimbursable home visit, or nutritional supplements to promote the best health outcomes after discharge.
• A hospital, recognizing that clinical collaboration and care coordination may improve patient transitions from one care delivery point to the next, may wish to provide care coordinators that furnish individually tailored case management services for patients requiring post-acute care.
• A medical device manufacturer may wish to offer a physician practice or hospital a data analysis service to track clinical practices, clinical outcomes, and patient impact as they relate to hospital- or health-care-acquired pressure injuries.
• A hospital may wish to provide support and to reward institutional post-acute providers for achieving outcome measures that effectively and efficiently coordinate care across care settings and reduce hospital readmissions. Such measures would be aligned with a patient’s successful recovery and return to living in the community.
• A physician may wish to offer—for free— a prescription pickup service to retrieve filled prescriptions from the pharmacy and get them to the patient to expedite the patient’s adherence to the physician’s ordered treatment.
• A primary care physician, dialysis facility, or other provider could furnish a smart tablet that is capable of two-way, real-time interactive communication between the patient and his or her physician. In turn, the Federal health care program beneficiary’s access to a smart tablet could facilitate communication through telehealth and the provision of in-home dialysis services.

5. Anticipated Beneficial Impact of Value-Based, Care Coordination, and Patient Engagement and Support Arrangements

As explained further below, to the extent that providers and others elect to use these safe harbors and exception to the definition of “remuneration” under the Beneficiary Inducements CMP to protect care coordination, value-based, and other arrangements, there could be significant beneficial impacts should the intended effect of the regulatory flexibilities afforded by this final rule—promoting the adoption of beneficial value-based arrangements and improved care coordination—come to fruition.

As noted above, we are unable to quantify with certainty any impact related to the changes in industry behavior that we can reasonably expect following the effective date of this final rule. Despite the inability to quantify impact, we believe that the value-based arrangements, care coordination arrangements, and patient engagement and support arrangements protected by this final rule ultimately will reduce waste in the U.S. health care system.

In particular, a recent review of literature from January 2012 to May 2019 focusing on unnecessary spending, or waste, in the U.S. health care system (the 2019 study) indicates that waste related to the failure of care coordination alone results in annual costs of $27 billion to $78 billion.^[161] Much of the research on waste and improvement reviewed in the 2019 study was conducted in Medicare populations. The 2019 study noted empirical evidence that interventions, such as aligning payment models with value or supporting delivery reform to enhance care coordination, safety, and value, can produce meaningful savings and reduce waste by as much as half. The 2019 study also identified waste from administrative complexity (resulting from fragmentation in the health care system) as the greatest contributor to waste in the U.S. health care system at an estimated $266 billion annually, and highlighted the opportunity to reduce waste in this category from enhanced payor collaboration with health care providers and clinicians in the form of value-based payment models. According to the 2019 study, as value-based care continues to evolve, there is reason to believe that such interventions can be coordinated and scaled to produce better care at lower cost for all U.S. residents. Moreover, in value-based and care coordination arrangements, improvements could reduce waste related to overtreatment and low-value care, a separate category of waste in the U.S. health care system.

OIG studies regarding the Medicare Shared Savings Program and participating ACOs have found beneficial impacts through improved quality of care and reduced spending. A June 2019 evaluation found that Medicare Shared Savings Program ACOs have developed a number of strategies that the ACOs found successful in reducing Medicare spending and improving quality of care.^[162] These strategies include, among others, engaging beneficiaries to improve their own health, reducing avoidable hospitalizations and improving hospital care through better care coordination, and using technology for information sharing. For example, one ACO in the study used tablets to issue medication reminders and digital scales to transmit information directly to care coordinators to help manage the health of beneficiaries with end-stage congestive heart failure. The ACO reported that hospitalizations for this group declined, on average, from four times a year to one time. The evaluation observes that the successful strategies can apply not only to ACOs but also to other providers committed to transforming the health care system toward value.

An August 2017 OIG report analyzed spending and quality data from the first 3 years of the Medicare Shared Savings Program to determine the extent to which ACOs reduced Medicare spending and improved quality.^[163] During the period studied, most of the 428 participating ACOs (serving 9.7 million beneficiaries) reduced Medicare spending compared to their benchmarks, achieving a net spending reduction of nearly $1 billion. At the same time, ACOs generally improved their performance on most of the individual quality measures. ACOs also outperformed fee-for-service providers on most of the quality measures. A small subset of ACOs showed substantial reductions in Medicare spending while providing high-quality care. These high-performing ACOs reduced spending by an average of $673 per beneficiary for key Medicare services during the review period. This included significant spending reductions for high‐cost services such as inpatient hospital care and skilled nursing facility care. These ACOs also maintained high use of primary care services, which can lower utilization and costs for other care, and reduced the use of costly services such as emergency department visits. In contrast, other Medicare Shared Savings Program ACOs and the national average for fee-for-service providers showed an increase in per beneficiary spending for key Medicare services.

In addition, we are aware that certain other innovative value-based and care coordination arrangements exist that have resulted in cost savings for third-party payors, quality of care improvements, or both.^[164] While we cannot extrapolate these results to the possible impact of this final rule, we believe the reported success of some of these programs suggests the promising nature of value-based care and improved care coordination. In describing the results below, we do not mean to suggest that this rule prescribes or endorses the interventions inherent to these results. Further, we emphasize that this final rule simply removes certain regulatory barriers to implementing value-based and care coordination arrangements that may be similar to those described below.

For example, a case study targeted at determining the specific factors that reduce Medicare payments and lead to hospital savings in bundled payment models for lower extremity joint replacement surgeries (which provide a lump sum payment to be shared among providers for an episode of care instead of payment for every service performed) in one Texas health system found that, between July 2008 and June 2015, the system’s five hospitals were able to reduce total Medicare spending per episode of care by $5,577, or 20.8 percent, in cases without complications, and by $5,321, or 13.8 percent, in cases with complications.^[165] The hospitals also recognized $6.1 million in internal cost savings, along with slight decreases in emergency room visits and readmission rates, and a decrease in cases with a prolonged length-of-stay admission. Over half of the internal cost savings were attributable to reduced implant costs.^[166] We note that the product standardization incentive programs that contribute to such internal cost savings involve compensation arrangements between hospitals and physicians which, depending on their structure, may not satisfy the requirements of any current safe harbors to the Federal anti-kickback statute, but to which the new and modified safe harbors may apply. Relatedly, in 2018, a large health plan announced that it was expanding a bundled payment program for spinal surgeries and hip/knee replacements to new markets, after finding savings of $18,000 per procedure,^[167] and a health network reported over $10 million in savings in 2017 with more anticipated savings in 2018.^[168]

As another example of the potential for cost savings associated with value-based arrangements, a recent survey of more than 100 commercial payors showed that, in 2018, “pure FFS” payment—where each medical service is billed and paid for separately—accounts for only 37.2 percent of reimbursement and is expected to drop to 26 percent by 2021.^[169] According to the payors surveyed, payors that adopted value-based health care delivery and payment models reduced health care costs by an average of 5.6 percent, improved provider collaboration, and created more impactful member engagement.

Further, there are studies that suggest that improved care coordination may decrease costs and enhance health outcomes. One randomized, controlled trial evaluated the cost‐effectiveness of a home‐based care coordination program that targeted older adults with problems self‐managing their chronic illnesses.^[170] Study participants in the test group received care coordination services from a nurse and a pill organizer. The results of this study showed that, for those beneficiaries who participated in the study for more than 3 months, total Medicare costs were $491 lower per month than in the control group. Another study conducted by the Centers for Disease Control and Prevention demonstrated that certain interventions, such as team-based or coordinated care, increase patient medication adherence rates.^[171] Specifically, in a 2015 study, patients assigned to team-based care—including pharmacist-led medication reconciliation and tailoring, pharmacist-led patient education, collaborative care between pharmacist and primary care provider or cardiologist, and two types of voice messaging—were significantly more adherent with their medication regimen 12 months after hospital discharge (89 percent) compared with patients not receiving team-based care (74 percent).

In addition, there are reported examples of value-based health care delivery and payment programs developed and implemented by commercial health plans that report success. For example, one health plan recently reported that it saved $1 billion through avoided costs in 3 years of its recent primary care pay-for-value program that offers primary care practices rewards for their performance on quality, cost, and utilization measures, while also improving outcomes for the plan’s members.^[172] According to this plan, members treated by a primary care provider in the program had 11 percent fewer emergency room visits in 2017 than members treated by a primary care physician not in the program. The plan also stated that members with a primary care physician in the program experienced 16 percent fewer inpatient admissions in 2017 compared to members seeing a primary care physician not in the program, potentially saving the plan $224 million in inpatient care costs.^[173]

A collaboration between a physician-led ACO and a health plan in North Carolina similarly reportedly reduced costs while improving quality of care.^[174] Specifically, an analysis conducted by the plan concluded that the 47 primary care practices that participated in the collaboration: (1) Reduced the total cost of care by 4.7 percent for commercial patients; (2) reduced the total cost of care by 6.1 percent for Medicare Advantage patients; and (3) improved their Medicare star ratings, on average, from 3 to 4.5 stars. Another analysis by a different health plan determined that primary care physicians paid under global capitation improved certain patient outcomes related to preventive care and chronic conditions, such as higher screening rates for colorectal and breast cancer, higher rates of medication review, and higher controlled blood sugar levels.^[175]

6. Anticipated Beneficial Impact of New Safe Harbor for Cybersecurity Technology and Services

The health care sector is among the most targeted industries for cyberattacks and is also under-resourced to prevent such attacks and data breaches. As a result, the cost of cybersecurity attacks and breaches within the health care industry is significant. A study estimated that data breaches may have cost U.S hospitals $6.2 billion between 2015 and 2016.^[176] Additionally, other estimates indicate that a health care organization that is breached faces $8 million dollars in costs on average as a result of the breach, or $400 per patient record involved.^[177] The impact of cyberattacks extends beyond increased and unnecessary recovery and ransom costs. It may limit patient access to a provider or directly affect patient care. For example, a September 2020 cyberattack on a large health care system in the United States reportedly affected nearly 400 facilities, causing hospitals to divert ambulances during the initial stages of the attack. In addition, staff reported that some lab test results were delayed. The system responded by suspending user access to its information technology applications related to operations across the United States, requiring the use of backup processes, including paper medical record charting and labeling medications by hand, for nearly 3 weeks.^[178]

According to the Health Sector Cybersecurity Coordination Center (HC3), health care organizations should consider implementing strong risk management practices to help prevent data breaches and minimize any disruptions or loss if a breach occurs.^[179] HC3 highlights that adequate prevention and preparation for data breaches will protect patients, minimize direct and indirect costs, and allow for more efficient operations of a health care organization.^[180] Separately, the HCIC Task Force’s June 2017 report, among other things, highlighted its review of many concerns related to potential constraints imposed by the physician self-referral law and the Federal anti-kickback statute. The report encouraged Congress to evaluate an amendment to these laws specifically for cybersecurity software that would allow health care organizations the ability to assist physicians in the acquisition of this technology, through either donation or subsidy.^[181] The HCIC Task Force noted that the existing regulatory exception to the physician self-referral law (42 CFR 411.357(w)) and the safe harbor to the Federal anti-kickback statute (42 CFR 1001.952(y)) applicable to certain donations of EHR items and services could serve as an ideal template for an analogous cybersecurity provision.^[182]

Further substantiating the need for increased flexibility related to the donation of cybersecurity technology and services, in 2018, the American Medical Association surveyed over 1,300 physicians in a cybersecurity-related survey. Approximately 83 percent of the participants reported having experienced some sort of cybersecurity attack.^[183] The study also highlighted that 50 percent of the surveyed physicians wished they could receive donations of security-related hardware and software from other providers, and recommended that OIG develop a safe harbor to permit it.

As described in section III.B.8 of this final rule, we received overwhelming support from across the health care industry in response to our proposal to establish the new safe harbor for cybersecurity items and services, and we anticipate significant expansion of cybersecurity efforts through donations following the effective date of this final rule, similar to the expanded adoption of EHR items and services reported by stakeholders following the establishment of the EHR safe harbor in 2006. Support for the new cybersecurity safe harbor came from many well-resourced organizations that are potential future donors of cybersecurity technology, such as health plans and large health systems, as well as from likely recipients of donations and trade groups representing practitioners.

Because of the cost of cybersecurity attacks to organizations that wish to donate or receive cybersecurity technology and services, and the general support among donors and recipients for the new cybersecurity exception, we anticipate significant investment in improvements to the cybersecurity hygiene of the health care industry. An organization’s cybersecurity posture is only as strong as its weakest link, including weaknesses of downstream providers, suppliers, and practitioners that wish to receive donations; thus, donors are incented to protect themselves by donating cybersecurity technology and services that improves their cybersecurity.

There are a variety of factors integral to determining the impact of this final safe harbor’s effect on the cybersecurity hygiene of the health care industry that remain too speculative to make a quantitative estimate of the impact of this final rule. We cannot predict with sufficient certainty various elements that will determine the impact of this safe harbor. For example, we cannot predict: (1) How many health care industry stakeholders will donate cybersecurity technology or services for which parties may seek safe harbor protection; (2) the specific combinations of items and services that will be donated or how such donations will improve the cybersecurity hygiene of recipients, donors, and the health care industry as a whole; and (3) external factors (e.g., other policies promoting cybersecurity within the health care industry, how cyber criminals will proliferate and develop new strategies, how cyberattack recovery costs and ransom costs will change) that can enable or hinder improved cybersecurity hygiene and potentially result in increased or decreased costs associated with cyberattacks. Despite this, we expect that the flexibility to donate cybersecurity technology and services will benefit the ecosystem as a whole, improve cybersecurity across the industry, and reduce costs associated with cyberattacks (by improving prevention and detection of cybersecurity weaknesses and reducing successful cyberattacks, and consequently, ransom fees and recovery costs). However, we cannot predict the specific impacts of the flexibility afforded by the cybersecurity technology and services safe harbor on the costs or benefits to Federal health care programs, beneficiaries, or the health care industry as a whole.

7. Anticipated Costs

We also acknowledge that there could be some costs associated with this final rule. For example, providers and other stakeholders voluntarily complying with the safe harbors and exception finalized here may incur legal and administrative costs to appropriately structure an arrangement to satisfy an applicable safe harbor or exception. In addition, it is possible providers and others may misuse the protection afforded by the safe harbors and exception which could result in increased costs to Federal health care programs or beneficiaries. It also is possible that providers and other stakeholders will appropriately use the safe harbors, but a care coordination or value-based arrangement developed in good faith might not result in savings to the Federal health care programs or beneficiaries or improvements in quality of care.

Designing safe harbors with sufficient safeguards against potential abuses and harms by those who might misuse the safe harbors is not without challenges. In this final rule, we have tried to strike the right balance between flexibility for beneficial innovation and safeguards to protect patients and Federal health care programs. However, we cannot quantify whether we have struck the appropriate balance; in particular, we cannot quantify whether achievement of the intended outcomes (e.g., improved coordination of patient care, improved quality of patient care, reduced costs to payers) will outweigh any potential costs.

B. Executive Order 12866

Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and if regulations are necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). A regulatory impact analysis must be prepared for major rules with economically significant effects (i.e., $100 million or more in any given year). This final rule codifies a new exception to the definition of “remuneration” under the Beneficiary Inducements CMP and implements new or revised anti-kickback statute safe harbors. As explained more fully above, we believe the changes in the final rule to the safe harbors and the new exception to the Beneficiary Inducements CMP will provide flexibility for providers and others to enter into certain beneficial arrangements. In doing so, this final rule imposes no requirements on any party. Providers and others will be allowed to voluntarily seek to comply with these provisions so that they have assurance that participating in certain arrangements will not subject them to liability under the Federal anti-kickback statute and the Beneficiary Inducements CMP. These safe harbors and exception facilitate providers’ and others’ ability to provide important health care and related services to communities in need. We estimated that this rule would be “economically significant” as measured by the $100 million threshold, and hence also a major rule under the Congressional Review Act. Accordingly, we prepared an RIA that presented our estimates of the costs and benefits of this rulemaking. Thus, this rule has been reviewed by the Office of Management and Budget.

C. Regulatory Flexibility Act

The RFA and the Small Business Regulatory Enforcement and Fairness Act of 1996, which amended the RFA, require agencies to analyze options for regulatory relief of small businesses. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and Government agencies. Most providers are considered small entities by having revenues of $7 million to $35.5 million or less in any one year. For purposes of the RFA, most physicians and suppliers are considered small entities.

Comment: We received comments from two associations representing small and rural providers or Indian health care providers regarding the level of administrative burden and potential costs associated with implementing the requirements in certain proposed safe harbors (e.g., requiring a writing signed by the parties under certain proposed safe harbors and requiring a financial contribution by a recipient of remuneration under the care coordination arrangements safe harbor and EHR safe harbor), particularly for small and rural providers and Indian health care providers. For example, a commenter suggested that if OIG reduced administrative burden on physicians under its final rule, it would allow physicians to focus on the patient-physician relationship and the patient’s welfare. In addition, a commenter representing Indian health care providers expressed concern that its stakeholders would need to make changes to current practices and operations in response to this rulemaking in order to comply with the Federal anti-kickback statute and to avoid severe criminal, civil, and administrative penalties. The commenter also raised concerns regarding potential administrative burden that may occur if Indian health care providers revise or amend existing agreements with the Health Resources and Services Administration to participate in arrangements protected under new safe harbors. The commenter also asked OIG to exempt Indian health programs from certain proposed safe harbor contribution requirements.

Response: We reiterate that this final rule does not impose any obligations on any entity, including Indian health care providers, nor does this final rule require any entity to make changes to current practices and operations to comply with the Federal anti-kickback statute or Beneficiary Inducements CMP. This final rule provides additional flexibilities for providers and others to enter into care coordination arrangements with potentially reduced legal risk. As explained above, structuring financial arrangements to satisfy a safe harbor or exception is voluntary; indeed, even entering into such financial arrangements is voluntary. We believe the changes to the safe harbors and the addition of a new exception to the definition of “remuneration” under the Beneficiary Inducements CMP provide industry stakeholders with additional flexibility if they desire to enter into certain beneficial arrangements.

We understand the commenter’s concern regarding potential costs associated with contribution requirements included within certain safe harbors that we are finalizing. However, after careful consideration, we continue to believe that the contribution requirement is an important safeguard against fraud and abuse in light of the specific risks of inappropriate generation of referrals presented by donations of EHR items and services that could be protected by the EHR safe harbor(paragraph 1001.952(y)) and care coordination arrangements safe harbor (paragraph 1001.952(ee)). As we explain in our discussion of these safe harbors in sections III.B.3.g and III.B.9.e above, when recipients of valuable remuneration have some responsibility to contribute to the cost of the items or services, they are more likely to make economically prudent decisions and accept only what they need or will use. The final rule reflects our efforts to balance additional flexibility for beneficial arrangements that have potential to reduce costs and improve care with safeguards to protect against potential abuses, including inappropriate increases in costs to Federal health care programs and beneficiaries.

We recognize that small or rural entities or Indian health care providers may incur costs to avail themselves of the safe harbor and exception protections under the final rule. However, we expect the costs to be no greater than parties currently incur to comply with the Federal anti-kickback statute and the Beneficiary Inducements CMP. We do not expect this final rule to have a significant impact on a substantial number of small entities or Indian health care providers because the rules are completely voluntary (i.e., providers are not required to comply with the conditions of any safe harbor in order to avoid violating the Federal anti-kickback statute). Furthermore, we believe the net impact on small businesses that choose to take advantage of the new flexibilities will be low because we anticipate that the potential burden associated with certain provisions may be mitigated by other provisions offering greater flexibility to providers.

We estimate the changes to the exception to the Beneficiary Inducements CMP and the Federal anti-kickback statute safe harbors will impose no incremental burden on covered entities. We are providing covered entities with the option to adjust their business practices to better serve patients without adversely affecting their profitability. As a result, we have concluded that this final rule likely will not have a significant impact on a substantial number of small providers and that a regulatory flexibility analysis is not required for this rulemaking. In addition, section 1102(b) of the Act requires that we prepare a regulatory impact analysis if a rule under titles XVIII or XIX or section B of title XI of the Act may have a significant impact on the operations of a substantial number of small rural hospitals. For the reasons stated above, we do not believe that any provisions or changes finalized here will have a significant impact on the operations of rural hospitals. Thus, an analysis under section 1102(b) of the Act is not required for this rulemaking.

D. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4, also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in expenditures in any one year by State Governments, Tribal Governments, or local governments, in the aggregate, or by the private sector, of $100 million, adjusted for inflation. We believe that no significant costs will be associated with this final rule that would impose any mandates on State Governments, Tribal Governments, local governments, or the private sector that would result in an expenditure of $154 million (after adjustment for inflation) in any given year.

D. Executive Order 13132

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirements for costs on State and local governments, preempts State law, or otherwise has Federalism implications. In reviewing this rule under the threshold criteria of Executive Order 13132, we have determined that this final rule will not significantly affect the rights, roles, and responsibilities of State or local governments.

E. Executive Order 13771

Executive Order 13771 (January 30, 2017) requires that the costs associated with significant new regulations “to the extent permitted by law, be offset by the elimination of existing costs associated with at least two prior regulations.” This final rule has been designated a significant regulatory action as defined by Executive Order 12866 but imposes no more than de minimis costs and is a deregulatory action under Executive Order 13771. This designation has been informed by public comments.

F. Statement of Need

The Department has identified the broad reach of the Federal anti-kickback statute and Beneficiary Inducements CMP as potentially inhibiting beneficial arrangements that would advance the ability of providers, suppliers, and others to transition more effectively and efficiently to value-based care and to better coordinate care among providers, suppliers, and others in both the Federal health care programs and commercial sectors. Industry stakeholders have informed us that, because the consequences of potential noncompliance with the Federal anti-kickback statute and Beneficiary Inducements CMP could be significant, providers, suppliers, and others may be discouraged from entering into innovative arrangements that could improve quality outcomes, produce health system efficiencies, and lower health care costs (or slow their rate of growth). To the extent providers are discouraged from entering into these innovative arrangements, patient care may not be provided as efficiently as possible. In addition, the potential consequences of noncompliance with these statutes may impede the ability of providers, suppliers, and others, including small providers and suppliers or those serving rural or medically underserved populations, to raise capital to invest in the transition to value-based care or to obtain infrastructure necessary to coordinate patient care, including technology. This unnecessarily slows the transition toward more efficient patient care. This final rule attempts to address these concerns by removing unnecessary impediments to the transformation of the health care system into one that better pays for and delivers value.

To remove regulatory barriers to care coordination and support value-based arrangements, we faced the challenge of designing safe harbor protections for emerging health care arrangements, the optimal form, design, and efficacy of which remain unknown or unproven. These arrangements will be driven by the determinations and experiences of a wide range of providers, suppliers, and others as they innovate in delivering value-based care. This challenge is further complicated by the substantial variation in care coordination and value-based arrangements contemplated by the health care industry and others (meaning that one-size-fits-all safe harbor designs may not be optimal), variation among patient populations and provider characteristics, emerging health technologies and data capabilities, the still-developing science of quality and performance measurement, and our desire not to have a chilling effect on beneficial innovations.

As described above, it is difficult to gauge the effects of this regulatory action in a rapidly evolving and diverse health care ecosystem of substantial innovation, experimentation, and deployment of technology and digital data. For example, as explained above, while a recent article projected potential savings of $29.6 billion to $38.2 billion across the U.S. health care system for reducing waste from failure of care coordination,^[184] it is difficult, if not impossible to gauge reductions in wasteful health care spending and improved health outcomes as a result of new arrangements made possible by this final rule. It is also difficult, if not impossible, to quantify savings or losses that could occur as a result of new fraudulent or abusive conduct that could increase costs or lead to poor outcomes as a result of new arrangements. In some cases, innovations may enhance program integrity and protect against fraud and abuse, reducing costs and increasing benefits. There is a compelling concern that uncertainty and regulatory barriers under current regulations could prevent the best and most efficacious innovations from emerging and being tested in the marketplace. Our goal in finalizing safe harbors is to protect arrangements that foster beneficial arrangements and facilitate value, while also protecting programs and beneficiaries against harms cause by fraud and abuse.

VI. Paperwork Reduction Act

The provisions of this final rule will not impose any new information collection and recordkeeping requirements. Consequently, it need not be reviewed by the Office of Management and Budget under the authority of the Paperwork Reduction Act of 1995.

List of Subjects

42 CFR Part 1001

• Administrative practice and procedure
• Fraud
• Grant programs—health
• Health facilities
• Health professions
• Maternal and child health
• Medicaid
• Medicare
• Social Security

42 CFR Part 1003

• Fraud
• Grant programs—health
• Health facilities
• Health professions
• Medicaid
• Reporting, and recordkeeping

For the reasons set forth in the preamble, the Office of Inspector General, Department of Health and Human Services, amends 42 CFR parts 1001 and 1003 as follows:

PART 1001—PROGRAM INTEGRITY—MEDICARE AND STATE HEATH PROGRAMS

1. The authority citation for part 1001 continues to read as follows:

Authority: 42 U.S.C. 1302, 1320a-7, 1320a-7a, 1320a-7b, 1320a-7d, 1395u(j), 1395u(k), 1395w-104(e)(6), 1395y(d), 1395y(e), 1395cc(b)(2)(D), (E) and (F), and 1395hh; and sec. 2455, Pub. L. 103-355, 108 Stat. 3327 (31 U.S.C. 6101 note).

2. Section 1001.952 is amended by:

a. Revising paragraphs (d), (g) introductory text, (g)(1), (3), and (4);

b. Adding paragraphs (g)(5) and (g)(6) before the undesignated text at the end of paragraph (g);

c. Designating the undesignated text at the end of paragraph (g) as paragraph (g)(7) and revising newly redesignated (g)(7);

d. Revising paragraph (y) introductory text, paragraph (y)(1), the second sentence of paragraph (y)(2);

e. Removing and reserving paragraphs (y)(3) and (7);

f. Revising paragraph (y)(11);

g. Removing and reserving paragraph (y)(13);

h. Redesignating the note to paragraph (y) as paragraph (y)(14) and revising newly redesignated (y)(14);

i. Revising paragraphs (bb)(1)(iv)(B) and (bb)(2)(iii);

j. Redesignating the note to paragraph (bb) as paragraph (bb)(3) and revising newly redesignated (bb)(3);

k. Adding and reserving paragraphs (cc) and (dd); and

l. Adding paragraphs (ee) through (kk).

The revisions and additions read as follows:

§ 1001.952

Exceptions.

* * * * *

(d) Personal services and management contracts and outcomes-based payment arrangements. (1) As used in section 1128B of the Act, “remuneration” does not include any payment made by a principal to an agent as compensation for the services of the agent, as long as all of the following standards are met:

(i) The agency agreement is set out in writing and signed by the parties.

(ii) The agency agreement covers all of the services the agent provides to the principal for the term of the agreement and specifies the services to be provided by the agent.

(iii) The term of the agreement is not less than 1 year.

(iv) The methodology for determining the compensation paid to the agent over the term of the agreement is set in advance, is consistent with fair market value in arm’s-length transactions, and is not determined in a manner that takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part under Medicare, Medicaid, or other Federal health care programs.

(v) The services performed under the agreement do not involve the counseling or promotion of a business arrangement or other activity that violates any State or Federal law.

(vi) The aggregate services contracted for do not exceed those which are reasonably necessary to accomplish the commercially reasonable business purpose of the services.

(2) As used in section 1128B of the Act, “remuneration” does not include any outcomes-based payment as long as all of the standards in paragraphs (d)(2)(i) through (viii) of this section are met:

(i) To receive an outcomes-based payment, the agent achieves one or more legitimate outcome measures that:

(A) Are selected based on clinical evidence or credible medical support; and

(B) Have benchmarks that are used to quantify:

(1) Improvements in, or the maintenance of improvements in, the quality of patient care;

(2) A material reduction in costs to or growth in expenditures of payors while maintaining or improving quality of care for patients; or

(3) Both.

(ii) The methodology for determining the aggregate compensation (including any outcomes-based payments) paid between or among the parties over the term of the agreement is: Set in advance; commercially reasonable; consistent with fair market value; and not determined in a manner that directly takes into account the volume or value of any referrals or business otherwise generated between the parties for which payment may be made in whole or in part by a Federal health care program.

(iii) The agreement between the parties is set out in writing and signed by the parties in advance of, or contemporaneous with, the commencement of the terms of the outcomes-based payment arrangement. The writing states at a minimum: A general description of the services to be performed by the parties for the term of the agreement; the outcome measure(s) the agent must achieve to receive an outcomes-based payment; the clinical evidence or credible medical support relied upon by the parties to select the outcome measure(s); and the schedule for the parties to regularly monitor and assess the outcome measure(s).

(iv) The agreement neither limits any party’s ability to make decisions in their patients’ best interest nor induces any party to reduce or limit medically necessary items or services.

(v) The term of the agreement is not less than 1 year.

(vi) The services performed under the agreement do not involve the counseling or promotion of a business arrangement or other activity that violates any State or Federal law.

(vii) For each outcome measure under the agreement, the parties:

(A) Regularly monitor and assess the agent’s performance, including the impact of the outcomes-based payment arrangement on patient quality of care; and

(B) Periodically assess, and as necessary revise, benchmarks and remuneration under the arrangement to ensure that the remuneration is consistent with fair market value in an arm’s length transaction as required by paragraph (d)(2)(ii) of this section during the term of the agreement.

(viii) The principal has policies and procedures to promptly address and correct identified material performance failures or material deficiencies in quality of care resulting from the outcomes-based payment arrangement.

(3) For purposes of this paragraph (d):

(i) An agent of a principal is any person other than a bona fide employee of the principal who has an agreement to perform services for or on behalf of the principal.

(ii) Outcomes-based payments are limited to payments between or among a principal and an agent that:

(A) Reward the agent for successfully achieving an outcome measure described in paragraph (d)(2)(i) of this section; or

(B) Recoup from or reduce payment to an agent for failure to achieve an outcome measure described in paragraph (d)(2)(i) of this section.

(iii) Outcomes-based payments exclude any payments:

(A) Made directly or indirectly by the following entities:

(1) A pharmaceutical manufacturer, distributor, or wholesaler;

(2) A pharmacy benefit manager;

(3) A laboratory company;

(4) A pharmacy that primarily compounds drugs or primarily dispenses compounded drugs;

(5) A manufacturer of a device or medical supply as defined in paragraph (ee)(14)(iv) of this section;

(6) A medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supply, as defined in paragraph (ee)(14)(iv) of this section; or

(7) An entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); or

(B) Related solely to the achievement of internal cost savings for the principal; or

(C) Based solely on patient satisfaction or patient convenience measures.

* * * * *

(g) Warranties. As used in section 1128B of the Act, “remuneration” does not include any payment or exchange of anything of value under a warranty provided by a manufacturer or supplier of one or more items and services (provided the warranty covers at least one item) to the buyer (such as a health care provider or beneficiary) of the items and services, as long as the buyer complies with all of the following standards in paragraphs (g)(1) and (2) of this section and the manufacturer or supplier complies with all of the following standards in paragraphs (g)(3) through (6) of this section:

(1) The buyer (unless the buyer is a Federal health care program beneficiary) must fully and accurately report any price reduction of an item or service (including a free item or service) that was obtained as part of the warranty in the applicable cost reporting mechanism or claim for payment filed with the Department or a State agency.

* * * * *

(3) The manufacturer or supplier must comply with either of the following standards:

(i) The manufacturer or supplier must fully and accurately report any price reduction of an item or service (including free items and services) that the buyer obtained as part of the warranty on the invoice or statement submitted to the buyer and inform the buyer of its obligations under paragraphs (g)(1) and (2) of this section.

(ii) When the amount of any price reduction is not known at the time of sale, the manufacturer or supplier must fully and accurately report the existence of a warranty on the invoice or statement, inform the buyer of its obligations under paragraphs (g)(1) and (g)(2) of this section, and when any price reduction becomes known, provide the buyer with documentation of the calculation of the price reduction resulting from the warranty.

(4) The manufacturer or supplier must not pay any remuneration to any individual (other than a beneficiary) or entity for any medical, surgical, or hospital expense incurred by a beneficiary other than for the cost of the items and services subject to the warranty.

(5) If a manufacturer or supplier offers a warranty for more than one item or one or more items and related services, the federally reimbursable items and services subject to the warranty must be reimbursed by the same Federal health care program and in the same Federal health care program payment.

(6) The manufacturer or supplier must not condition a warranty on a buyer’s exclusive use of, or a minimum purchase of, any of the manufacturer’s or supplier’s items or services.

(7) For purposes of this paragraph (g), the term warranty means:

(i) Any written affirmation of fact or written promise made in connection with the sale of an item or bundle of items, or services in combination with one or more related items, by a manufacturer or supplier to a buyer, which affirmation of fact or written promise relates to the nature of the quality of workmanship and affirms or promises that such quality or workmanship is defect free or will meet a specified level of performance over a specified period of time;

(ii) Any undertaking in writing in connection with the sale by a manufacturer or supplier of an item or bundle of items, or services in combination with one or more related items, to refund, repair, replace, or take other remedial action with respect to such item or bundle of items in the event that such item or bundle of items, or services in combination with one or more related items, fails to meet the specifications set forth in the undertaking which written affirmation, promise, or undertaking becomes part of the basis of the bargain between a seller and a buyer for purposes other than resell of such item or bundle of items; or

(iii) A manufacturer’s or supplier’s agreement to replace another manufacturer’s or supplier’s defective item or bundle of items (which is covered by an agreement made in accordance with this paragraph (g)), on terms equal to the agreement that it replaces.

* * * * *

(y) Electronic health records items and services. As used in section 1128B of the Act, “remuneration” does not include nonmonetary remuneration (consisting of items and services in the form of software or information technology and training services, including cybersecurity software and services) necessary and used predominantly to create, maintain, transmit, receive, or protect electronic health records, if all of the conditions in paragraphs (y)(1) through (13) of this section are met:

(1) The items and services are provided to an individual or entity engaged in the delivery of health care by:

(i) An individual or entity, other than a laboratory company, that:

(A) Provides services covered by a Federal health care program and submits claims or requests for payment, either directly or through reassignment, to the Federal health care program; or

(B) Is comprised of the types of individuals or entities in paragraph (y)(1)(i)(A) of this section; or

(ii) A health plan.

(2) * * * For purposes of this paragraph (y)(2) of this section, software is deemed to be interoperable if, on the date it is provided to the recipient, it is certified by a certifying body authorized by the National Coordinator for Health Information Technology to certification criteria identified in the then-applicable version of 45 CFR part 170.

* * * * *

(11) The recipient pays 15 percent of the donor’s cost for the items and services. The following conditions apply to such contribution:

(i) If the donation is the initial donation of EHR items and services, or the replacement of part or all of an existing system of EHR items and services, the recipient must pay 15 percent of the donor’s cost before receiving the items and services. The contribution for updates to previously donated EHR items and services need not be paid in advance of receiving the update; and

(ii) The donor (or any affiliated individual or entity) does not finance the recipient’s payment or loan funds to be used by the recipient to pay for the items and services.

* * * * *

(14) For purposes of this paragraph (y), the following definitions apply:

(i) Cybersecurity means the process of protecting information by preventing, detecting, and responding to cyberattacks.

(ii) Health plan shall have the meaning set forth at § 1001.952(l)(2).

(iii) Interoperable shall mean able to:

(A) Securely exchange data with and use data from other health information technology; and

(B) Allow for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law.

(iv) Electronic health record shall mean a repository of consumer health status information in computer processable form used for clinical diagnosis and treatment for a broad array of clinical conditions.

* * * * *

(bb) * * *

(1) * * *

(iv) * * *

(B) Within 25 miles of the health care provider or supplier to or from which the patient would be transported, or within 75 miles if the patient resides in a rural area, as defined in this paragraph (bb) except that, if the patient is discharged from an inpatient facility following inpatient admission or released from a hospital after being placed in observation status for at least 24 hours and transported to the patient’s residence, or another residence of the patient’s choice, the mileage limits in this paragraph (bb)(1)(iv)(B) shall not apply; and

* * * * *

(2) * * *

(iii) The eligible entity makes the shuttle service available only within the eligible entity’s local area, meaning there are no more than 25 miles from any stop on the route to any stop at a location where health care items or services are provided, except that if a stop on the route is in a rural area, the distance may be up to 75 miles between that stop and any providers or suppliers on the route;

* * * * *

(3) For purposes of this paragraph (bb), the following definitions apply:

(i) An eligible entity is any individual or entity, except for individuals or entities (or family members or others acting on their behalf) that primarily supply health care items.

(ii) An established patient is a person who has selected and initiated contact to schedule an appointment with a provider or supplier, or who previously has attended an appointment with the provider or supplier.

(iii) A shuttle service is a vehicle that runs on a set route, on a set schedule.

(iv) A rural area is an area that is not an urban area, as defined in paragraph (bb)(3)(v) of this section.

(v) An urban area is:

(A) A Metropolitan Statistical Area (MSA) or New England County Metropolitan Area (NECMA), as defined by the Executive Office of Management and Budget; or

(B) The following New England counties, which are deemed to be parts of urban areas under section 601(g) of the Social Security Amendments of 1983 (Pub. L. 98-21, 42 U.S.C. 1395ww (note)): Litchfield County, Connecticut; York County, Maine; Sagadahoc County, Maine; Merrimack County, New Hampshire; and Newport County, Rhode Island.

(cc)-(dd) [Reserved]

(ee) Care coordination arrangements to improve quality, health outcomes, and efficiency. As used in section 1128B of the Act, “remuneration” does not include the exchange of anything of value between a VBE and VBE participant or between VBE participants pursuant to a value-based arrangement if all of the standards in paragraphs (ee)(1) through (13) of this section are met:

(1) The remuneration exchanged:

(i) Is in-kind;

(ii) Is used predominantly to engage in value-based activities that are directly connected to the coordination and management of care for the target patient population and does not result in more than incidental benefits to persons outside of the target patient population; and

(iii) Is not exchanged or used:

(A) More than incidentally for the recipient’s billing or financial management services; or

(B) For the purpose of marketing items or services furnished by the VBE or a VBE participant to patients or for patient recruitment activities.

(2) The value-based arrangement is commercially reasonable, considering both the arrangement itself and all value-based arrangements within the VBE.

(3) The terms of the value-based arrangement are set forth in writing and signed by the parties in advance of, or contemporaneous with, the commencement of the value-based arrangement and any material change to the value-based arrangement. The writing states at a minimum:

(i) The value-based purpose(s) of the value-based activities provided for in the value-based arrangement;

(ii) The value-based activities to be undertaken by the parties to the value-based arrangement;

(iii) The term of the value-based arrangement;

(iv) The target patient population;

(v) A description of the remuneration;

(vi) Either the offeror’s cost for the remuneration and the reasonable accounting methodology used by the offeror to determine its cost, or the fair market value of the remuneration;

(vii) The percentage and amount contributed by the recipient;

(viii) If applicable, the frequency of the recipient’s contribution payments for ongoing costs; and

(ix) The outcome or process measure(s) against which the recipient will be measured.

(4) The parties to the value-based arrangement establish one or more legitimate outcome or process measures that:

(i) The parties reasonably anticipate will advance the coordination and management of care for the target patient population based on clinical evidence or credible medical or health sciences support;

(ii) Include one or more benchmarks that are related to improving or maintaining improvements in the coordination and management of care for the target patient population;

(iii) Are monitored, periodically assessed, and prospectively revised as necessary to ensure that the measure and its benchmark continue to advance the coordination and management of care of the target patient population;

(iv) Relate to the remuneration exchanged under the value-based arrangement; and

(v) Are not based solely on patient satisfaction or patient convenience.

(5) The offeror of the remuneration does not take into account the volume or value of, or condition the remuneration on:

(i) Referrals of patients who are not part of the target patient population; or

(ii) Business not covered under the value-based arrangement.

(6) The recipient pays at least 15 percent of the offeror’s cost for the remuneration, using any reasonable accounting methodology, or the fair market value of the in-kind remuneration. If it is a one-time cost, the recipient makes such contribution in advance of receiving the in-kind remuneration. If it is an ongoing cost, the recipient makes such contribution at reasonable, regular intervals.

(7) The value-based arrangement does not:

(i) Limit the VBE participant’s ability to make decisions in the best interests of its patients;

(ii) Direct or restrict referrals to a particular provider, practitioner, or supplier if:

(A) A patient expresses a preference for a different practitioner, provider, or supplier;

(B) The patient’s payor determines the provider, practitioner, or supplier; or

(C) Such direction or restriction is contrary to applicable law under titles XVIII and XIX of the Act; or

(iii) Induce parties to furnish medically unnecessary items or services, or reduce or limit medically necessary items or services furnished to any patient.

(8) The exchange of remuneration by a limited technology participant and another VBE participant or the VBE must not be conditioned on any recipient’s exclusive use or minimum purchase of any item or service manufactured, distributed, or sold by the limited technology participant.

(9) The VBE, a VBE participant in the value-based arrangement acting on the VBE’s behalf, or the VBE’s accountable body or responsible person reasonably monitors and assesses the following and reports the monitoring and assessment of the following to the VBE’s accountable body or responsible person, as applicable, no less frequently than annually or at least once during the term of the value-based arrangement for arrangements with terms of less than 1 year:

(i) The coordination and management of care for the target patient population in the value-based arrangement;

(ii) Any deficiencies in the delivery of quality care under the value-based arrangement; and

(iii) Progress toward achieving the legitimate outcome or process measure(s) in the value-based arrangement.

(10) If the VBE’s accountable body or responsible person determines, based on the monitoring and assessment conducted pursuant to paragraph (ee)(9) of this section, that the value-based arrangement has resulted in material deficiencies in quality of care or is unlikely to further the coordination and management of care for the target patient population, the parties must within 60 days either:

(i) Terminate the arrangement; or

(ii) Develop and implement a corrective action plan designed to remedy the deficiencies within 120 days, and if the corrective action plan fails to remedy the deficiencies within 120 days, terminate the value-based arrangement.

(11) The offeror does not and should not know that the remuneration is likely to be diverted, resold, or used by the recipient for an unlawful purpose.

(12) For a period of at least 6 years, the VBE or VBE participant makes available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this paragraph (ee).

(13) The remuneration is not exchanged by:

(i) A pharmaceutical manufacturer, distributor, or wholesaler;

(ii) A pharmacy benefit manager;

(iii) A laboratory company;

(iv) A pharmacy that primarily compounds drugs or primarily dispenses compounded drugs;

(v) Except to the extent the entity is a limited technology participant, a manufacturer of a device or medical supply;

(vi) Except to the extent the entity or individual is a limited technology participant, an entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); or

(vii) A medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supplies.

(14) For purposes of this paragraph (ee), the following definitions apply:

(i) Coordination and management of care (or coordinating and managing care) means the deliberate organization of patient care activities and sharing of information between two or more VBE participants, one or more VBE participants and the VBE, or one or more VBE participants and patients, that is designed to achieve safer, more effective, or more efficient care to improve the health outcomes of the target patient population.

(ii) Digital health technology means hardware, software, or services that electronically capture, transmit, aggregate, or analyze data and that are used for the purpose of coordinating and managing care; such term includes any internet or other connectivity service that is necessary and used to enable the operation of the item or service for that purpose.

(iii) Limited technology participant means a VBE participant that exchanges digital health technology with another VBE participant or a VBE and that is:

(A) A manufacturer of a device or medical supply, but not including a manufacturer of a device or medical supply that was obligated under 42 CFR 403.906 to report one or more ownership or investment interests held by a physician or an immediate family member during the preceding calendar year, or that reasonably anticipates that it will be obligated to report one or more ownership or investment interests held by a physician or an immediate family member during the present calendar year (for purposes of this paragraph, the terms “ownership or investment interest,” “physician,” and “immediate family member” have the same meaning as set forth in 42 CFR 403.902); or

(B) An entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services).

(iv) Manufacturer of a device or medical supply means an entity that meets the definition of applicable manufacturer in 42 CFR 403.902 because it is engaged in the production, preparation, propagation, compounding, or conversion of a device or medical supply that meets the definition of covered drug, device, biological, or medical supply in 42 CFR 403.902, but not including entities under common ownership with such entity.

(v) Target patient population means an identified patient population selected by the VBE or its VBE participants using legitimate and verifiable criteria that:

(A) Are set out in writing in advance of the commencement of the value-based arrangement; and

(B) Further the value-based enterprise’s value-based purpose(s).

(vi) Value-based activity. (A) Means any of the following activities, provided that the activity is reasonably designed to achieve at least one value-based purpose of the value-based enterprise:

(1) The provision of an item or service;

(2) The taking of an action; or

(3) The refraining from taking an action; and

(B) Does not include the making of a referral.

(vii) Value-based arrangement means an arrangement for the provision of at least one value-based activity for a target patient population to which the only parties are:

(A) The value-based enterprise and one or more of its VBE participants; or

(B) VBE participants in the same value-based enterprise.

(viii) Value-based enterprise or VBE means two or more VBE participants:

(A) Collaborating to achieve at least one value-based purpose;

(B) Each of which is a party to a value-based arrangement with the other or at least one other VBE participant in the value-based enterprise;

(C) That have an accountable body or person responsible for financial and operational oversight of the value-based enterprise; and

(D) That have a governing document that describes the value-based enterprise and how the VBE participants intend to achieve its value-based purpose(s).

(ix) Value-based enterprise participant or VBE participant means an individual or entity that engages in at least one value-based activity as part of a value-based enterprise, other than a patient acting in their capacity as a patient.

(x) Value-based purpose means:

(A) Coordinating and managing the care of a target patient population;

(B) Improving the quality of care for a target patient population;

(C) Appropriately reducing the costs to or growth in expenditures of payors without reducing the quality of care for a target patient population; or

(D) Transitioning from health care delivery and payment mechanisms based on the volume of items and services provided to mechanisms based on the quality of care and control of costs of care for a target patient population.

(ff) Value-based arrangements with substantial downside financial risk. As used in section 1128B of the Act, “remuneration” does not include the exchange of payments or anything of value between a VBE and a VBE participant pursuant to a value-based arrangement if all of the following standards in paragraphs (ff)(1) through (8) of this section are met:

(1) The remuneration is not exchanged by:

(i) A pharmaceutical manufacturer, distributor, or wholesaler;

(ii) A pharmacy benefit manager;

(iii) A laboratory company;

(iv) A pharmacy that primarily compounds drugs or primarily dispenses compounded drugs;

(v) A manufacturer of a device or medical supply;

(vi) An entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); or

(vii) A medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supplies.

(2) The VBE (directly or through a VBE participant, other than a payor, acting on the VBE’s behalf) has assumed through a written contract or a value-based arrangement (or has entered into a written contract or a value-based arrangement to assume in the next 6 months) substantial downside financial risk from a payor for a period of at least 1 year.

(3) The VBE participant (unless the VBE participant is the payor from which the VBE is assuming risk) is at risk for a meaningful share of the VBE’s substantial downside financial risk for providing or arranging for the provision of items and services for the target patient population.

(4) The remuneration provided by, or shared among, the VBE and VBE participant:

(i) Is directly connected to one or more of the VBE’s value-based purposes, at least one of which must be a value-based purpose defined in § 1001.952(ee)(14)(x)(A), (B), or (C);

(ii) Unless exchanged pursuant to risk methodologies defined in paragraph (ff)(9)(i) or (ii) of this section, is used predominantly to engage in value-based activities that are directly connected to the items and services for which the VBE has assumed (or has entered into a written contract or value-based arrangement to assume in the next 6 months) substantial downside financial risk;

(iii) Does not include the offer or receipt of an ownership or investment interest in an entity or any distributions related to such ownership or investment interest; and

(iv) Is not exchanged or used for the purpose of marketing items or services furnished by the VBE or a VBE participant to patients or for patient recruitment activities.

(5) The value-based arrangement is set forth in writing, is signed by the parties in advance of, or contemporaneous with, the commencement of the value-based arrangement and any material change to the value-based arrangement, and specifies all material terms including:

(i) Terms evidencing that the VBE is at substantial downside financial risk or will assume such risk in the next 6 months for the target patient population;

(ii) A description of the manner in which the VBE participant (unless the VBE participant is the payor from which the VBE is assuming risk) has a meaningful share of the VBE’s substantial downside financial risk; and

(iii) The value-based activities, the target patient population, and the type of remuneration exchanged.

(6) The VBE or VBE participant offering the remuneration does not take into account the volume or value of, or condition the remuneration on:

(i) Referrals of patients who are not part of the target patient population; or

(ii) Business not covered under the value-based arrangement.

(7) The value-based arrangement does not:

(i) Limit the VBE participant’s ability to make decisions in the best interests of its patients;

(ii) Direct or restrict referrals to a particular provider, practitioner, or supplier if:

(A) A patient expresses a preference for a different practitioner, provider, or supplier;

(B) The patient’s payor determines the provider, practitioner, or supplier; or

(C) Such direction or restriction is contrary to applicable law under titles XVIII and XIX of the Act; or

(iii) Induce parties to reduce or limit medically necessary items or services furnished to any patient.

(8) For a period of at least 6 years, the VBE or VBE participant makes available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this paragraph (ff).

(9) For purposes of this paragraph (ff), the following definitions apply:

(i) Substantial downside financial risk means:

(A) Financial risk equal to at least 30 percent of any loss, where losses and savings are calculated by comparing current expenditures for all items and services that are covered by the applicable payor and furnished to the target patient population to a bona fide benchmark designed to approximate the expected total cost of such care;

(B) Financial risk equal to at least 20 percent of any loss, where:

(1) Losses and savings are calculated by comparing current expenditures for all items and services furnished to the target patient population pursuant to a defined clinical episode of care that are covered by the applicable payor to a bona fide benchmark designed to approximate the expected total cost of such care for the defined clinical episode of care; and

(2) The parties design the clinical episode of care to cover items and services collectively furnished in more than one care setting; or

(C) The VBE receives from the payor a prospective, per-patient payment that is:

(1) Designed to produce material savings; and

(2) Paid on a monthly, quarterly, or annual basis for a predefined set of items and services furnished to the target patient population, designed to approximate the expected total cost of expenditures for the predefined set of items and services.

(ii) Meaningful share means the VBE participant:

(A) Assumes two-sided risk for at least 5 percent of the losses and savings, as applicable, realized by the VBE pursuant to its assumption of substantial downside financial risk; or

(B) Receives from the VBE a prospective, per-patient payment on a monthly, quarterly, or annual basis for a predefined set of items and services furnished to the target patient population, designed to approximate the expected total cost of expenditures for the predefined set of items and services, and does not claim payment in any form from the payor for the predefined items and services.

(iii) Manufacturer of a device or medical supply, target patient population, value-based activity, value-based arrangement, value-based enterprise, value-based purpose, and VBE participant shall have the meaning set forth in paragraph (ee) of this section.

(gg) Value-based arrangements with full financial risk. As used in section 1128B of the Act, “remuneration” does not include the exchange of payments or anything of value between the VBE and a VBE participant pursuant to a value-based arrangement if all of the standards in paragraphs (gg)(1) through (9) of this section are met:

(1) The remuneration is not exchanged by:

(i) A pharmaceutical manufacturer, distributor, or wholesaler;

(ii) A pharmacy benefit manager;

(iii) A laboratory company;

(iv) A pharmacy that primarily compounds drugs or primarily dispenses compounded drugs;

(v) A manufacturer of a device or medical supply;

(vi) An entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy or a physician, provider, or other entity that primarily furnishes services); or

(vii) A medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supplies.

(2) The VBE (directly or through a VBE participant, other than a payor, acting on behalf of the VBE) has assumed through a written contract or a value-based arrangement (or has entered into a written contract or a value-based arrangement to assume in the next 1 year) full financial risk from a payor.

(3) The value-based arrangement is set forth in writing, is signed by the parties, and specifies all material terms, including the value-based activities and the term.

(4) The VBE participant (unless the VBE participant is a payor) does not claim payment in any form from the payor for items or services covered under the contract or value-based arrangement between the VBE and the payor described in paragraph (2).

(5) The remuneration provided by, or shared among, the VBE and VBE participant:

(i) Is directly connected to one or more of the VBE’s value-based purposes;

(ii) Does not include the offer or receipt of an ownership or investment interest in an entity or any distributions related to such ownership or investment interest; and

(iii) Is not exchanged or used for the purpose of marketing items or services furnished by the VBE or a VBE participant to patients or for patient recruitment activities.

(6) The value-based arrangement does not induce parties to reduce or limit medically necessary items or services furnished to any patient.

(7) The VBE or VBE participant offering the remuneration does not take into account the volume or value of, or condition the remuneration on:

(i) Referrals of patients who are not part of the target patient population; or

(ii) Business not covered under the value-based arrangement.

(8) The VBE provides or arranges for a quality assurance program for services furnished to the target patient population that:

(i) Protects against underutilization; and

(ii) Assesses the quality of care furnished to the target patient population.

(9) For a period of at least 6 years, the VBE or VBE participant makes available to the Secretary, upon request, all materials and records sufficient to establish compliance with the conditions of this paragraph (gg).

(10) For purposes of this paragraph (gg), the following definitions apply:

(i) Full financial risk means the VBE is financially responsible on a prospective basis for the cost of all items and services covered by the applicable payor for each patient in the target patient population for a term of at least 1 year.

(ii) Prospective basis means that the VBE has assumed financial responsibility for the cost of all items and services covered by the applicable payor prior to the provision of items and services to patients in the target patient population.

(iii) Items and services means health care items, devices, supplies, and services.

(iv) Manufacturer of a device or medical supply, target patient population, value-based activity, value-based arrangement, value-based enterprise, value-based purpose, and VBE participant shall have the meaning set forth in paragraph (ee) of this section.

(hh) Arrangements for patient engagement and support to improve quality, health outcomes, and efficiency. As used in section 1128B of the Act, “remuneration” does not include a patient engagement tool or support furnished by a VBE participant to a patient in the target patient population of a value-based arrangement to which the VBE participant is a party if all of the conditions in paragraphs (hh)(1) through (9) of this section are met:

(1) The VBE participant is not:

(i) A pharmaceutical manufacturer, distributor, or wholesaler;

(ii) A pharmacy benefit manager;

(iii) A laboratory company;

(iv) A pharmacy that primarily compounds drugs or primarily dispenses compounded drugs;

(v) A manufacturer of a device or medical supply, unless the patient engagement tool or support is digital health technology;

(vi) An entity or individual that sells or rents durable medical equipment, prosthetics, orthotics, or supplies covered by a Federal health care program (other than a pharmacy, a manufacturer of a device or medical supply, or a physician, provider, or other entity that primarily furnishes services);

(vii) A medical device distributor or wholesaler that is not otherwise a manufacturer of a device or medical supply; or

(viii) A manufacturer of a device or medical supply that was obligated under 42 CFR 403.906 to report one or more ownership or investment interests held by a physician or an immediate family member during the preceding calendar year, or that reasonably anticipates that it will be obligated to report one or more ownership or investment interests held by a physician or an immediate family member during the present calendar year, even if the patient engagement tool or support is digital health technology (for purposes of this paragraph, the terms “ownership or investment interest,” “physician,” and “immediate family member” have the same meaning as set forth in 42 CFR 403.902).

(2) The patient engagement tool or support is furnished directly to the patient (or the patient’s caregiver, family member, or other individual acting on the patient’s behalf) by a VBE participant that is a party to the value-based arrangement or its eligible agent.

(3) The patient engagement tool or support:

(i) Is an in-kind item, good, or service;

(ii) That has a direct connection to the coordination and management of care of the target patient population;

(iii) Does not include any cash or cash equivalent;

(iv) Does not result in medically unnecessary or inappropriate items or services reimbursed in whole or in part by a Federal health care program;

(v) Is recommended by the patient’s licensed health care professional; and

(vi) Advances one or more of the following goals:

(A) Adherence to a treatment regimen determined by the patient’s licensed health care professional.

(B) Adherence to a drug regimen determined by the patient’s licensed health care professional.

(C) Adherence to a followup care plan established by the patient’s licensed health care professional.

(D) Prevention or management of a disease or condition as directed by the patient’s licensed health care professional.

(E) Ensure patient safety.

(4) The patient engagement tool or support is not funded or contributed by:

(i) A VBE participant that is not a party to the applicable value-based arrangement; or

(ii) An entity listed in paragraph (hh)(1) of this section.

(5) The aggregate retail value of patient engagement tools and supports furnished to a patient by a VBE participant on an annual basis does not exceed $500. The monetary cap set forth in this paragraph (hh)(5) is adjusted each calendar year to the nearest whole dollar by the increase in the Consumer Price Index—Urban All Items (CPI-U) for the 12-month period ending the preceding September 30. OIG will publish guidance after September 30 of each year reflecting the increase in the CPI-U for the 12-month period ending September 30 and the new monetary cap applicable for the following calendar year.

(6) The VBE participant or any eligible agent does not exchange or use the patient engagement tools or supports to market other reimbursable items or services or for patient recruitment purposes.

(7) For a period of at least 6 years, the VBE participant makes available to the Secretary, upon request, all materials and records sufficient to establish that the patient engagement tool or support was distributed in a manner that meets the conditions of this paragraph (hh).

(8) The availability of a tool or support is not determined in a manner that takes into account the type of insurance coverage of the patient.

(9) For purposes of this paragraph (hh), the following definitions apply:

(i) Eligible agent means any person or entity that is not identified in paragraphs (hh)(1)(i) through (viii) of this section as ineligible to furnish protected tools and supports under this paragraph.

(ii) Coordination and management of care, target patient population, value-based arrangement, VBE, VBE participant, manufacturer of a device or medical supply, and digital health technology shall have the meaning set forth in paragraph (ee) of this section.

(ii) CMS-sponsored model arrangements and CMS-sponsored model patient incentives.

(1) As used in section 1128B of the Act, “remuneration” does not include an exchange of anything of value between or among CMS-sponsored model parties under a CMS-sponsored model arrangement for which CMS has determined that this safe harbor is available if all of the following conditions are met:

(i) The CMS-sponsored model parties reasonably determine that the CMS-sponsored model arrangement will advance one or more goals of the CMS-sponsored model;

(ii) The exchange of value does not induce CMS-sponsored model parties or other providers or suppliers to furnish medically unnecessary items or services, or reduce or limit medically necessary items or services furnished to any patient;

(iii) The CMS-sponsored model parties do not offer, pay, solicit, or receive remuneration in return for, or to induce or reward, any Federal health care program referrals or other Federal health care program business generated outside of the CMS-sponsored model;

(iv) The CMS-sponsored model parties in advance of or contemporaneous with the commencement of the CMS-sponsored model arrangement set forth the terms of the CMS-sponsored model arrangement in a signed writing. The writing must specify at a minimum the activities to be undertaken by the CMS-sponsored model parties and the nature of the remuneration to be exchanged under the CMS-sponsored model arrangement;

(v) The parties to the CMS-sponsored model arrangement make available to the Secretary, upon request, all materials and records sufficient to establish whether the remuneration was exchanged in a manner that meets the conditions of this safe harbor; and

(vi) The CMS-sponsored model parties satisfy such programmatic requirements as may be imposed by CMS in connection with the use of this safe harbor.

(2) As used in section 1128B of the Act, “remuneration” does not include a CMS-sponsored model patient incentive for which CMS has determined that this safe harbor is available if all of the following conditions are met:

(i) The CMS-sponsored model participant reasonably determines that the CMS-sponsored model patient incentive will advance one or more goals of the CMS-sponsored model;

(ii) The CMS-sponsored model patient incentive has a direct connection to the patient’s health care unless the participation documentation expressly specifies a different standard;

(iii) The CMS-sponsored model patient incentive is furnished by a CMS-sponsored model participant (or by an agent of the CMS-sponsored model participant under the CMS-sponsored model participant’s direction and control), unless otherwise specified by the participation documentation;

(iv) The CMS-sponsored model participant makes available to the Secretary, upon request, all materials and records sufficient to establish whether the CMS-sponsored model patient incentive was distributed in a manner that meets the conditions of this safe harbor; and

(v) The CMS-sponsored model patient incentive is furnished consistent with the CMS-sponsored model and satisfies such programmatic requirements as may be imposed by CMS in connection with the use of this safe harbor.

(3) For purposes of this paragraph (ii), the following definitions apply:

(i) CMS-sponsored model means:

(A) A model being tested under section 1115A(b) of the Act or a model expanded under section 1115A(c) of the Act; or

(B) The Medicare shared savings program under section 1899 of the Act.

(ii) CMS-sponsored model arrangement means a financial arrangement between or among CMS-sponsored model parties to engage in activities under the CMS-sponsored model that is consistent with, and is not a type of arrangement prohibited by, the participation documentation.

(iii) CMS-sponsored model participant means an individual or entity that is subject to and is operating under participation documentation with CMS to participate in a CMS-sponsored model.

(iv) CMS-sponsored model party means:

(A) A CMS-sponsored model participant; or

(B) Another individual or entity whom the participation documentation specifies may enter into a CMS-sponsored model arrangement.

(v) CMS-sponsored model patient incentive means remuneration not of a type prohibited by the participation documentation that is furnished to a patient under the terms of a CMS-sponsored model.

(vi) Participation documentation means the participation agreement, legal instrument setting forth the terms and conditions of a grant or cooperative agreement, regulations, or model-specific addendum to an existing contract with CMS that specifies the terms of a CMS-sponsored model.

(4) For purposes of remuneration that satisfies this paragraph (ii), the safe harbor protects:

(i) For a CMS-sponsored model governed by participation documentation other than the legal instrument setting forth the terms and conditions of a grant or a cooperative agreement, the exchange of remuneration between CMS-sponsored model parties that occurs on or after the first day on which services under the CMS-sponsored model begin and no later than 6 months after the final payment determination made by CMS under the model;

(ii) For a CMS-sponsored model governed by the legal instrument setting forth the terms and conditions of a grant or cooperative agreement, the exchange of remuneration between CMS-sponsored model parties that occurs on or after the first day of the period of performance (as defined at 45 CFR 75.2) or such other date specified in the participation documentation and no later than 6 months after closeout occurs pursuant to 45 CFR 75.381; and

(iii) For a CMS-sponsored model patient incentive, an incentive given on or after the first day on which patient care services may be furnished under the CMS-sponsored model as specified by CMS in the participation documentation and no later than the last day on which patient care services may be furnished under the CMS-sponsored model, unless a different timeframe is established in the participation documentation. A patient may retain any incentives furnished in compliance with paragraph (ii)(2) of this section.

(jj) Cybersecurity technology and related services. As used in section 1128B of the Act, “remuneration” does not include nonmonetary remuneration (consisting of cybersecurity technology and services) that is necessary and used predominantly to implement, maintain, or reestablish effective cybersecurity if all of the conditions in paragraphs (jj)(1) through (4) of this section are met.

(1) The donor does not:

(i) Directly take into account the volume or value of referrals or other business generated between the parties when determining the eligibility of a potential recipient for the technology or services, or the amount or nature of the technology or services to be donated; or

(ii) Condition the donation of technology or services, or the amount or nature of the technology or services to be donated, on future referrals.

(2) Neither the recipient nor the recipient’s practice (or any affiliated individual or entity) makes the receipt of technology or services, or the amount or nature of the technology or services, a condition of doing business with the donor.

(3) A general description of the technology and services being provided and the amount of the recipient’s contribution, if any, are set forth in writing and signed by the parties.

(4) The donor does not shift the costs of the technology or services to any Federal health care program.

(5) For purposes of this paragraph (jj) the following definitions apply:

(i) Cybersecurity means the process of protecting information by preventing, detecting, and responding to cyberattacks.

(ii) Technology means any software or other types of information technology.

(kk) ACO Beneficiary Incentive Program. As used in section 1128B of the Act, “remuneration” does not include an incentive payment made by an ACO to an assigned beneficiary under a beneficiary incentive program established under section 1899(m) of the Act, as amended by Congress from time to time, if the incentive payment is made in accordance with the requirements found in such subsection.

PART 1003—CIVIL MONEY PENALTIES, ASSESSMENTS AND EXCLUSIONS

3. The authority citation for part 1003 continues to read as follows:

Authority: 42 U.S.C. 262a, 1302, 1320-7, 1320a-7a, 1320b-10, 1395u(j), 1395u(k), 1395cc(j), 1395w-141(i)(3), 1395dd(d)(1), 1395mm, 1395nn(g), 1395ss(d), 1396b(m), 11131(c), and 11137(b)(2).

4. Section 1003.110 is amended—

a. In the definition of “Remuneration” by adding paragraph (10); and

b. By adding in alphabetical order a definition for “Telehealth technologies.”

The additions read as follows:

§ 1003.110

Definitions.

* * * * *

Remuneration * * *

* * * * *

(10) The provision of telehealth technologies by a provider of services, physician, or a renal dialysis facility (as such terms are defined for purposes of title XVIII of the Act) to an individual with end-stage renal disease who is receiving home dialysis for which payment is being made under part B of such title, if:

(i) The telehealth technologies are furnished to the individual by the provider of services, physician, or the renal dialysis facility that is currently providing the in-home dialysis, telehealth services, or other end-stage renal disease care to the individual, or has been selected or contacted by the individual to schedule an appointment or provide services;

(ii) The telehealth technologies are not offered as part of any advertisement or solicitation; and

(iii) The telehealth technologies are provided for the purpose of furnishing telehealth services related to the individual’s end-stage renal disease.

* * * * *

Telehealth technologies, for purposes of paragraph (10) of the definition of the term “remuneration” as set forth in this section, means hardware, software, and services that support distant or remote communication between the patient and provider, physician, or renal dialysis facility for diagnosis, intervention, or ongoing care management.

* * * * *

Christi A. Grimm,

Principal Deputy, Inspector General.

Alex M. Azar II,

Secretary.

Footnotes

1.  The Federal anti-kickback statute is codified at 42 U.S.C. 1320a-7b(b); the Beneficiary Inducements CMP is codified at 42 U.S.C. 1320a-7a(a)(5). Additionally, the Regulatory Sprint includes the physician self-referral law, 42 U.S.C. 1395nn, 42 CFR part 2, and provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Back to Citation

2.  84 FR 55694 (Oct. 17, 2019). In connection with the Regulatory Sprint, and to help develop the proposals in the OIG Proposed Rule, OIG published a Request for Information (OIG RFI) seeking input on new or modified safe harbors to promote care coordination and value-based care and protect patients and taxpayer dollars from harms cause by fraud and abuse. 83 FR 43607 (Aug. 27, 2018). Back to Citation

3.  84 FR 55766 (Oct. 17, 2019). Back to Citation

4.  Public Law 104-191, 110 Stat. 1936. Back to Citation

5.  42 U.S.C. 1320a-7b(b). Back to Citation

6.  42 U.S.C. 1320a-7a(a)(5). Back to Citation

7.  H.R. Rep. No. 100-85, Pt. 2, at 27 (1987). Back to Citation

8.  Medicare and State Health Care Programs: Fraud and Abuse; OIG Anti-Kickback Provisions, 56 FR 35952 (July 29, 1991); Medicare and State Health Care Programs: Fraud and Abuse; Safe Harbors for Protecting Health Plans, 61 FR 2122 (Jan. 25, 1996); Federal Health Care Programs: Fraud and Abuse; Statutory Exception to the Anti-Kickback Statute for Shared Risk Arrangements, 64 FR 63504 (Nov. 19, 1999); Medicare and State Health Care Programs: Fraud and Abuse; Clarification of the Initial OIG Safe Harbor Provisions and Establishment of Additional Safe Harbor Provisions Under the Anti-Kickback Statute, 64 FR 63518 (Nov. 19, 1999); 64 FR 63504 (Nov. 19, 1999); Medicare and State Health Care Programs: Fraud and Abuse; Ambulance Replenishing Safe Harbor Under the Anti-Kickback Statute, 66 FR 62979 (Dec. 4, 2001); Medicare and State Health Care Programs: Fraud and Abuse; Safe Harbors for Certain Electronic Prescribing and Electronic Health Records Arrangements Under the Anti-Kickback Statute, 71 FR 45109 (Aug. 8, 2006); Medicare and State Health Care Programs: Fraud and Abuse; Safe Harbor for Federally Qualified Health Centers Arrangements Under the Anti-Kickback Statute, 72 FR 56632 (Oct. 4, 2007); Medicare and State Health Care Programs: Fraud and Abuse; Electronic Health Records Safe Harbor Under the Anti-Kickback Statute, 78 FR 79202 (Dec. 27, 2013); and Medicare and State Health Care Programs: Fraud and Abuse; Revisions to the Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 81 FR 88368 (Dec. 7, 2016). Back to Citation

9.  Medicare and State Health Care Programs: Fraud and Abuse; OIG Anti-Kickback Provisions, 56 FR at 35958 (July 21, 1991). Back to Citation

10.  42 U.S.C. 1320a-7d(a)(2). Back to Citation

11.  The CMS Final Rule is being published elsewhere in this version of the Federal Register. Back to Citation

12.  84 FR 55699 (Oct. 17, 2019). Back to Citation

13.  84 FR 55702 (Oct. 17, 2019). Back to Citation

14.  84 FR 55702 (Oct. 17, 2019). Back to Citation

15.  See 84 FR 55702 (Oct. 17, 2019). Back to Citation

16.  84 FR 55703-06 (Oct. 17, 2019). Back to Citation

17.  Public Law 111-148, 124 Stat. 119, as amended by the Health Care and Education Reconciliation Act of 2010 (Pub. L. 111-152, 124 Stat. 1029). Back to Citation

18.  42 CFR 424.57(a). Back to Citation

19.  84 FR 55706 (Oct. 17, 2019). Back to Citation

20.  See, e.g., FDA, Compounding and the FDA: Questions and Answers, available at https://www.fda.gov/​drugs/​human-drug-compounding/​compounding-and-fda-questions-and-answers (addressing what is compounding and why some patients need compounded drugs). Back to Citation

21.  84 FR 55704 (Oct. 17, 2019). Back to Citation

22.  See, e.g., Press Release, U.S. Department of Justice, Compounding Pharmacy, Two of Its Executives, and Private Equity Firm Agree to Pay $21.36 Million to Resolve False Claims Act Allegations (Sept. 18, 2019), https://www.justice.gov/​opa/​pr/​compounding-pharmacy-two-its-executives-and-private-equity-firm-agree-pay-2136-million;​; Press Release, U.S. Department of Justice, Four Florida Men Charged for Their Roles in a $54 Million Compound Pharmacy Kickback Scheme (June 5, 2020), https://www.justice.gov/​opa/​pr/​four-florida-men-charged-their-roles-54-million-compound-pharmacy-kickback-scheme;​; OIG, Civil Monetary Penalties and Affirmative Exclusions, Texas Company and Owner Agree to Voluntary Exclusion (July 20, 2020). Back to Citation

23.  OIG, Questionable Billing for Compounded Topical Drugs in Medicare Part D (Aug. 2018), available at https://oig.hhs.gov/​oei/​reports/​oei-02-16-00440.asp. Back to Citation

24.  FDA, Compounding and the FDA: Questions and Answers, available at http://www.fda.gov/​Drugs/​GuidanceComplianceRegulatoryInformation/​PharmacyCompounding/​ucm339764.htm. Back to Citation

25.  OIG, Questionable Billing for Compounded Topical Drugs in Medicare Part D (Aug. 2018), available at https://oig.hhs.gov/​oei/​reports/​oei-02-16-00440.asp. Back to Citation

26.  See OIG, Special Fraud Alert: Physician-Owned Entities (Mar. 26, 2013), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​2013/​POD_​Special_​Fraud_​Alert.pdf. Back to Citation

27.  84 FR 55707 (Oct. 17, 2019). For example, the Agency for Healthcare Research and Quality explains that “[c]are coordination is identified by the Institute of Medicine as a key strategy that has the potential to improve the effectiveness, safety, and efficiency of the American health care system. Well-designed, targeted care coordination that is delivered to the right people can improve outcomes for everyone: patients, providers, and payers.” https://www.ahrq.gov/​ncepcr/​care/​coordination.html. Back to Citation

28.  See, e.g., NEJM Catalyst, What is Care Coordination? (Jan. 1, 2018), https://catalyst.nejm,org/​what-is-care-coordination/​ (providing examples and noting that “[c]are coordination synchronizes the delivery of a patient’s health care from multiple providers and specialists. The goals of coordinated care are to improve health outcomes by ensuring that care from disparate providers is not delivered in silos, and to help reduce health care costs by eliminating redundant tests and procedures.”). Back to Citation

29.  84 FR 55707 (Oct. 17, 2019). Back to Citation

30.  84 FR 55696 (Oct. 17, 2019). Back to Citation

31.  See, e.g., 42 U.S.C. 1320a-7b(b)(3)(D), (G); 42 CFR 1001.952(k); OIG, Special Fraud Alert: Routine Wavier of Copayments or Deductible Under Medicare Part B, 59 FR 65372, 65377 (Dec. 19, 1994), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​121994.html. Back to Citation

32.  84 FR 55708 (Oct. 17, 2019). Back to Citation

33.  84 FR 55708 (Oct. 17, 2020). Back to Citation

35.  84 FR 55709. In the OIG Proposed Rule, we noted in connection with this example that nothing would prevent the donation of technology with enhanced functionality when a value-based arrangement requires that capability or when technology without that functionality is not practicable. Back to Citation

36.  84 FR 55709. Back to Citation

37.  See, e.g., Medicare and State Health Care Programs: Fraud and Abuse; Clarification of the Initial OIG Safe Harbor Provisions and Establishment of Additional Safe Harbor Provisions Under the Anti-Kickback Statute; Final Rule, 64 FR 63518, 63425 (Nov. 19, 1999) available at https://oig.hhs.gov/​fraud/​docs/​safeharborregulations/​getdoc1.pdf. Back to Citation

38.  Section 1128A(b) of the Act. Back to Citation

39.  See, e.g., OIG, Special Fraud Alert, 59 FR 65372, 65377 (Dec. 19, 1994), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​121994.html;​; OIG, Medicare and State Health Care Programs: Fraud and Abuse; OIG Anti-Kickback Provisions, 56 FR 35952, 35978 (July 29, 1991), available at https://oig.hhs.gov/​fraud/​docs/​safeharborregulations/​freecomputers.htm. See also OIG advisory opinions generally, e.g., OIG Adv. Op. No. 20-02, where OIG states, “For purposes of the anti-kickback statute, `remuneration’ includes the transfer of anything of value, directly or indirectly, overtly or covertly, in cash or in kind.” Back to Citation

40.  See, e.g., Federal Communication Commission, Rural Health Care Pilot Program FAQs, available at https://www.fcc.gov/​general/​rural-health-care-pilot-program#faqs (requiring eligible recipients to fund 15 percent of the cost of infrastructure design and construction of broadband networks for health care purposes, in recognition that a contribution requirement will “incentiviz[e] participants to choose the most cost-effective services and equipment and refrain from purchasing a higher level of service or equipment than needed”) (as cited to by the Federal Communication Commission, Promoting Telehealth for Low-Income Consumers, 84 FR 36865, 36869 (July 30, 2019)). Back to Citation

41.  See, e.g., 42 CFR 411.354(d)(4)(iv). Back to Citation

42.  See, e.g., 42 CFR 425.305(b). Back to Citation

43.  OIG, OIG Adv. Op. No. 08-20 (Nov. 19, 2008), available at https://oig.hhs.gov/​fraud/​docs/​advisoryopinions/​2008/​AdvOpn08-20.pdf. Back to Citation

44.  84 FR 55712 (Oct. 17, 2019). Back to Citation

45.  84 FR 77712 (Oct. 17, 2019). Back to Citation

46.  42 CFR 483.42(c). Back to Citation

47.  84 FR 55713 (Oct. 17, 2019). Back to Citation

48.  84 FR 55714 (Oct. 17, 2019). Back to Citation

49.  84 FR 55715-16 (Oct. 17, 2019). Back to Citation

50.  Section 1128D(a) of the Act (42 U.S.C. 1320a-7d(a)). Back to Citation

51.  We are not requiring that parties compare current expenditures to a bona fide benchmark designed to approximate the expected total cost of care for the VBE Capitation Payment Methodology because of its prospective nature and per-patient, per-month, per-quarter, or per-year payment structure. Instead, for this methodology, parties must establish a capitated payment for a predefined set of items and services furnished to the target patient population, designed to approximate the expected total cost of expenditures for the predefined set of items and services. The capitated payment must also (among other criteria) be intended to result in material savings. Back to Citation

52.  See Center for Health Care Strategies, Inc., Value-Based Payments in Medicaid Managed Care: An Overview of State Approaches (Feb. 2016), available at https://www.chcs.org/​media/​VBP-Brief_​022216_​FINAL.pdf. Back to Citation

53.  84 FR 55694, 55718 (Oct. 17, 2019). Back to Citation

54.  Mark W. Friedberg, Peggy C. Chen, Chapin White et al., Effects of Health Care Payment Models on Physician Practice in the United States, RAND Corporation (2015); K. John McConnell, Stephanie Renfro, Richard C. Lindrooth et al., Oregon’s Medicaid Reform And Transition To Global Budgets Were Associated With Reductions In Expenditures, Health Affairs (Mar. 2017); James C. Robinson, Stephen M. Shortnell et al., Quality-Based Payment for Medical Groups and Individual Physicians, INQUIRY: The Journal of Health Care Organization, Provision, and Financing (May 2009). Back to Citation

55.  84 FR 55703-06, 55722 (Oct. 17, 2019). Back to Citation

56.  84 FR 55722 (Oct. 17, 2019). Back to Citation

57.  84 FR 55723 (Oct. 17, 2019). Back to Citation

58.  84 FR 55728 (Oct. 17, 2019). Back to Citation

59.  81 FR 88393 (Dec. 7, 2016). Back to Citation

60.  81 FR 88393 n. 19 (Dec. 7, 2016). Back to Citation

61.  See Joint Explanatory Statement of the Committee of Conference, section 231 of HIPAA, Public Law 104-191. Back to Citation

62.  OIG, Office of Inspector General Policy Statement Regarding Gifts of Nominal Value To Medicare and Medicaid Beneficiaries (Dec. 7, 2016), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf. Back to Citation

63.  See, e.g., OIG, OIG Adv. Op. No. 08-14 (Oct. 2, 2008), available at https://oig.hhs.gov/​fraud/​docs/​advisoryopinions/​2008/​AdvOpn08-14.pdf (regarding a substance abuse treatment center’s use of motivational incentives to reward a patient’s achievement of certain treatment-related goals; in this advisory opinion, Requestor’s program was developed and refined in connection with National Institute on Drug Abuse’s government-sponsored research into implementation of motivational incentives as a treatment option, a fact that OIG viewed favorably). Back to Citation

64.  84 FR 55275 (Oct. 17, 2019). Back to Citation

65.  See, e.g., Press Release, U.S. Department of Justice, National Health Care Fraud and Opioid Takedown Results in Charges Against 345 Defendants Responsible for More than $6 Billion in Alleged Fraud Losses (Sept. 30, 2020), https://www.justice.gov/​criminal-fraud/​hcf-2020-takedown/​press-release. Back to Citation

66.  See OIG, Office of Inspector General Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries (Dec. 7, 2016), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf. Back to Citation

67.  Section 1128B(b)(3)(G) of the Act; 42 CFR 1001.952(k)(3). Back to Citation

68.  84 FR 55723 (Oct. 17, 2019). Back to Citation

69.  84 FR 55723 (Oct. 17, 2019). Back to Citation

70.  84 FR 55724 (Oct. 17, 2019). Back to Citation

71.  We remind readers that exceptions to the definition of “remuneration” under the Beneficiary Inducements CMP apply only for the purposes of the definition of “remuneration” applicable to section 1128A of the Act (the Beneficiary Inducements CMP); they do not apply for purposes of section 1128B(b) of the Act (the Federal anti-kickback statute). Back to Citation

72.  We acknowledge that Federal health care program coverage of telehealth services and other care provided remotely has expanded and the regulatory framework applicable to telehealth services and other virtual care has shifted, at least temporarily, since the publication of the OIG Proposed Rule. In particular, in response to the unique circumstances resulting from the outbreak of COVID-19, the Secretary determined, pursuant to section 319 of the Public Health Service Act, that a public health emergency (PHE) exists and has existed since January 27, 2020 (COVID-19 Declaration). See Department of Health and Human Services, Determination that a Public Health Emergency Exists (Jan. 31, 2020), available at https://www.phe.gov/​emergency/​news/​healthactions/​phe/​Pages/​2019-nCoV.aspx. As a result of the PHE, various agencies have adopted temporary rules and guidance designed to ease access to telehealth services and other virtual care during the PHE. See for example CMS, Interim Final Rule with Comment Period, Medicare and Medicaid Programs; Policy and Regulatory Revisions in Response to the COVID-19 Public Health Emergency, 85 FR 19230 (Apr. 6, 2020). Back to Citation

73.  84 FR 55727 (Oct. 17, 2019). Back to Citation

74.  We note, however, that such items may be excluded from the definition of remuneration under the Beneficiary Inducements CMP if they are of nominal value. See for example 65 FR 24411 (Apr. 26, 2000), available at https://oig.hhs.gov/​authorities/​docs/​cmpfinal.pdf,, and Special Advisory Bulletin: Offering Gifts and Other Inducements to Beneficiaries, August 2002, available at http://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​SABGiftsandInducements.pdf (Special Advisory Bulletin); Office of Inspector General Policy Statement Regarding Gifts of Nominal Value to Medicare and Medicaid Beneficiaries (Dec. 7, 2016), available at https://oig.hhs.gov/​fraud/​docs/​alertsandbulletins/​OIG-Policy-Statement-Gifts-of-Nominal-Value.pdf. Back to Citation

75.  We recognize the possibility that a hospital or other entity that bills Federal health care programs could provide funding to an entity that does not bill Federal health care programs in order to support the provision of tools and supports to Federal health care program beneficiaries. Such funding could constitute an indirect financial relationship between the funding source and the beneficiary that could implicate the Federal anti-kickback statute and, if so, that relationship would need to be assessed separately. Back to Citation

76.  This illustrative list of health care professionals includes professionals eligible as of 2020 to participate in the Merit-based Incentive Payment System (MIPS), available at https://qpp.cms.gov/​mips/​how-eligibility-is-determined. Back to Citation

77.  84 FR 55729 (Oct. 17, 2019). Back to Citation

78.  We remind readers that exceptions to the definition of “remuneration” under the Beneficiary Inducements CMP apply only for the purposes of the definition of “remuneration” applicable to section 1128A of the Act (the Beneficiary Inducements CMP); they do not apply for purposes of section 1128B(b) of the Act (the Federal anti-kickback statute). Back to Citation

79.  See, e.g., OIG, OIG Adv. Op. No. 17-01, available at https://oig.hhs.gov/​fraud/​docs/​advisoryopinions/​2017/​AdvOpn17-01.pdf (Mar. 10, 2017) (regarding a hospital system’s proposal to provide free or reduced-cost lodging and meals to certain financially needy patients); OIG, OIG Adv. Op. No. 19-03 (Mar. 6, 2019), available at https://oig.hhs.gov/​fraud/​docs/​advisoryopinions/​2019/​AdvOpn19-03.pdf (regarding a program offered by a medical center that provides free, in-home followup care to eligible individuals with congestive heart failure and the proposed expansion of this program to include certain individuals with chronic obstructive pulmonary disease). Back to Citation

80.  Section 1128A(i)(6)(F) of the Act; 42 CFR 1003.110. Back to Citation

81.  A practice permissible under the Federal anti-kickback statute, whether through statutory exception or regulations issued by the Secretary, is also excepted from the Beneficiary Inducements CMP. Section 1128A(i)(6)(B) of the Act. Back to Citation

82.  84 FR 55731 (Oct. 17, 2019). Back to Citation

83.  84 FR 55732 (Oct. 17, 2019). Back to Citation

84.  Id. Back to Citation

85.  84 FR 55731 (Oct. 17, 2019). Back to Citation

86.  Id. Back to Citation

87.  Specifically, the OIG Proposed Rule stated that the “safe harbor would protect the last payment or exchange of value made by or received by a CMS-sponsored model party following the final performance period that the CMS-sponsored model participant that is a party to the arrangement participates in the CMS-sponsored model.” 84 FR 55733 (Oct. 17, 2019). Back to Citation

88.  See Notice of Amended Waivers of Certain Fraud and Abuse Laws in Connection With the Bundled Payments for Care Improvement Advanced Model (Jan. 1, 2020), available at https://www.cms.gov/​files/​document/​notice-amended-waivers-certain-fraud-and-abuse-laws-connection-bundled-payments-care-improvement.pdf. Back to Citation

89.  In contrast, some CMS-sponsored models may require various administrative or analytical services that can occur only after a model terminates or expires (e.g., data or financial analysis, including services related to the reconciliation process). Remuneration related to those required activities, which would be described in the participation documentation, would be protected by this safe harbor, if all conditions are met. Back to Citation

90.  See Healthcare and Public Health Sector Coordinating Councils, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/​Preparedness/​planning/​405d/​Documents/​HICP-Main-508.pdf. Back to Citation

91.  See for example Health Care Industry Cybersecurity Task Force, Report on Improving Cybersecurity in the Health Care Industry, June 2017 (HCIC Task Force Report), available at https://www.phe.gov/​preparedness/​planning/​cybertf/​documents/​report2017.pdf (recommending safe harbor protection for cybersecurity donations). Back to Citation

92.  These examples included any services associated with developing, installing, and updating cybersecurity software; any kind of cybersecurity training services, such as training recipients how to use cybersecurity technology, how to prevent, detect, and respond to cyber threats, and how to troubleshoot problems with the cybersecurity technology (e.g., “help desk” services specific to cybersecurity); and any kind of cybersecurity services for business continuity and data recovery services to ensure the recipient’s operations can continue during and after a cyberattack. 84 FR 55735-55736 (Oct. 17, 2019). Additional examples are in this final rule. Back to Citation

93.  See NIST CSF, Version 1.1 (Apr. 2018), available at https://nvlpubs.nist.gov/​nistpubs/​CSWP/​NIST.CSWP.04162018.pdf. Back to Citation

94.  Id. at 45. Back to Citation

95.  Id. at 6. Back to Citation

96.  84 FR 55734 (Oct. 17, 2019). Back to Citation

97.  See NIST CSF, Version 1.1, pg. 32 (Apr. 16, 2018) available at https://nvlpubs.nist.gov/​nistpubs/​CSWP/​NIST.CSWP.04162018.pdf. Back to Citation

98.  84 FR 55735-6 (Oct. 17, 2019). Back to Citation

99.  85 FR 25642 (May 1, 2020). Back to Citation

100.  21st Century Cures Act, Public Law 114-255, 130 Stat. 1033. Back to Citation

101.  84 FR 55737 (Oct. 17, 2019). Back to Citation

102.  84 FR 7424 (Mar. 4, 2019). Back to Citation

103.  78 FR 79202 (Dec. 27, 2013). Back to Citation

104.  21st Century Cures Act, Public Law 114-255, 130 Stat. 1033. Back to Citation

105.  85 FR 25642 (May 1, 2020). Back to Citation

106.  71 FR 45110 (Aug. 8, 2006). Back to Citation

107.  71 FR 45127. Back to Citation

108.  78 FR 79214 (Dec. 27, 2013). Back to Citation

109.  Sec. 4002 and 4004 of the Cures Act. Back to Citation

110.  See 81 FR 77008, 77028 (Nov. 4, 2016). Back to Citation

111.  85 FR 22979 (Apr. 24, 2020). Back to Citation

112.  Id. Back to Citation

113.  42 CFR 414.1305. Back to Citation

114.  71 FR 45133 (Aug. 8, 2006). Back to Citation

115.  71 FR 45133 (Aug. 6, 2006). Back to Citation

116.  Specifically, we stated in the 2006 EHR Final Rule that we interpret “ `software, information technology and training services necessary and used predominantly’ for electronic health records purposes to include the following, by way of example: Interface and translation software; rights, licenses, and intellectual property related to electronic health records software; connectivity services, including broadband and wireless internet services; clinical support and information services related to patient care (but not separate research or marketing support services); maintenance services; secure messaging (e.g., permitting physicians to communicate with patients through electronic messaging); and training and support services (such as access to help desk services). We interpret the scope of covered electronic health records technology to exclude: Hardware (and operating software that makes the hardware function); storage devices; software with core functionality other than electronic health records (e.g., human resources or payroll software, or software packages focused primarily on practice management or billing); or items or services used by a recipient primarily to conduct personal business or business unrelated to the recipient’s clinical practice or clinical operations. Furthermore, the safe harbor does not protect the provision of staff to recipients or their offices. For example, the provision of staff to transfer paper records to the electronic format would not be protected.” 71 FR 45125. Back to Citation

117.  71 FR 45128 (“We have not included as protected donors pharmaceutical . . . manufacturers. . . . These entities do not provide health care items or services to patients or submit claims for those services. Our enforcement experience demonstrates that unscrupulous manufacturers have offered remuneration in the form of free goods and services to induce referrals of their products. Given this enforcement history, and the lack of a direct and central patient care role that justifies safe harbor protection for the provision of electronic health records technology, we are not including manufacturers as protected donors. We believe there is a substantial risk that, in many cases, manufacturers’ primary interest in offering technology to potential referral sources would be to market their products.”) Back to Citation

118.  See 84 FR 55742 (Oct. 17, 2019). Back to Citation

119.  Section 4003(a)(2), Public Law 114-255, 130 Stat. 1033. Back to Citation

120.  Id. Back to Citation

121.  78 FR at 79210 (“The donation of free access to an interface used only to transmit orders for the donor’s services to the donor and to receive the results of those services from the donor would be integrally related to the donor’s services. As such, the free access would have no independent value to the recipient apart from the services the donor provides and, therefore, would not implicate the anti-kickback statute.”). Back to Citation

122.  84 FR 55766 (Oct. 17, 2019). Back to Citation

123.  84 FR 55744-45 (Oct. 17, 2019). Back to Citation

124.  84 FR 55745 (Oct. 17, 2019). Back to Citation

125.  84 FR 55746 (Oct. 17, 2019). Back to Citation

126.  84 FR 55708 (Oct. 17, 2019). Back to Citation

127.  We recognize that the Federal anti-kickback statute applies both to the offer and the receipt of remuneration, and parties may not know at the time of the offer of an outcomes-based payment (i.e., when the parties develop and initiate the arrangement) whether the outcome measure(s) will be achieved. Assuming all other safe harbor conditions are met when the remuneration is offered under an outcomes-based payment arrangement, the offer would be protected, even if the agent fails to achieve the outcome measure. However, any payment made for an outcome measure not successfully achieved would not meet the safe harbor conditions under paragraph 1001.952(d)(i) and would not be protected. Back to Citation

128.  84 FR 55745 (Oct. 17, 2019). Back to Citation

129.  84 FR 55747 (Oct. 17, 2019). Back to Citation

130.  84 FR 55747 (Oct. 17, 2019). Back to Citation

131.  84 FR 55746 (Oct. 17, 2019). Back to Citation

132.  84 FR 55705 (Oct. 17, 2019). Back to Citation

133.  Id. Back to Citation

134.  84 FR 55748 n.83 (Oct. 17, 2019). Back to Citation

135.  We remind parties to warranty arrangements that they must comply with all legal obligations associated with Medicare cost reporting and other applicable requirements of any Federal health care program payor, including those related to billing and payment for replaced devices offered without cost or with a credit. For example, we note that under the Medicare inpatient prospective payment system if a provider received full credit for the cost of a device, CMS requires that the credit be reported to the Medicare program and the cost of the device is subtracted from the DRG payment. See 42 CFR 412.89; 42 CFR 412.2(g) and Medicare Claims Processing Manual, CMS Pub. 100-04, Ch. 3, § 100.8. Back to Citation

136.  H.R. Conf. Rep. No. 104-736 at 255. See also 79 FR 59717, 59722-23 (Oct. 3, 2014); 81 FR 88368, 88379 (Dec. 7, 2016). Back to Citation

137.  81 FR 88388 (Dec. 7, 2016). Back to Citation

138.  81 FR 88387-89 (Dec. 7, 2016). Back to Citation

139.  42 U.S.C. 254b(b)(1)(A)(iv). Back to Citation

140.  OIG, OIG Adv. Op. Nos. 00-07, 09-01, 15-13, and 16-02. (OIG has issued several favorable advisory opinions in this area.) Back to Citation

141.  81 FR 88389 (Dec. 7, 2016). Back to Citation

142.  See FAQs-Application of OIG’s Administrative Enforcement Authorities to Arrangements Directly Connected to the Coronavirus Disease 2019 (COVID-19) Public Health Emergency, available at https://oig.hhs.gov/​coronavirus/​authorities-faq.asp (describing that, under the unique and exigent circumstances resulting from the COVID-19 outbreak, certain modest transportation assistance would present a low risk of fraud and abuse under the Federal anti-kickback statute and the Beneficiary Inducements CMP). Back to Citation

143.  84 FR 55751 (Oct. 17, 2019). Back to Citation

144.  84 FR 55751 (Oct. 17, 2019). Back to Citation

145.  81 FR 88379 (Dec. 7, 2016). Back to Citation

146.  81 FR 88384 (Dec. 7, 2016). Back to Citation

147.  81 FR 88384 (Dec. 7, 2016). Back to Citation

148.  84 FR 55752 (Oct. 17, 2019). Back to Citation

149.  84 FR 55752 (Oct. 17, 2019). Back to Citation

150.  42 CFR 425.304(c)(4)(i). Back to Citation

151.  84 FR 55754 (Oct. 17, 2019). Back to Citation

152.  In response to the COVID-19, HHS and CMS have exercised emergency authorities and regulatory flexibilities to help health care providers respond to the COVID-19 public health emergency. Specific to telehealth covered by Medicare Part B, CMS has expanded the types of technology that can be used to provide telehealth services, the types of services that can be provided via telehealth, certain coverage requirements related to originating and distant sites, and other flexibilities. Most of these flexibilities will remain in place until the Secretary ends the declaration of a public health emergency for COVID-19. See for example 85 FR 19230 (Apr. 6, 2020), COVID-19 Emergency Declaration Blanket Waivers for Health Care Providers, available at https://www.cms.gov/​files/​document/​summary-covid-19-emergency-declaration-waivers.pdf; 85 FR 27550 (May 8, 2020), Additional Policy and Regulatory Revisions in Response to the COVID-19 Public Health Emergency and Delay of Certain Reporting Requirements for the Skilled Nursing Facility Quality Reporting Program, available at https://www.govinfo.gov/​content/​pkg/​FR-2020-05-08/​pdf/​2020-09608.pdf. Back to Citation

153.  If a patient is unable to call a provider or physician himself or herself, or has otherwise given consent for a person (e.g., a family member, a case manager, or a provider or supplier when the patient is attending an appointment or receiving services) to schedule appointments or upcoming services for him or her, then a request for an appointment or upcoming services made on behalf of the patient is sufficient to meet the patient-initiated contact requirement. Back to Citation

154.  S. 870, 115th Congress (Sept. 26, 2017). Back to Citation

155.  83 FR 59495 (Nov. 23, 2018). Back to Citation

156.  42 CFR 410.78(b) specifies in part that “Medicare Part B pays for covered telehealth services included on the telehealth list when furnished by an interactive telecommunications system if the following conditions (are met, such as) . . . [t]he physician or practitioner at the distant site must be licensed to furnish the service under State law. The physician or practitioner at the distant site who is licensed under State law to furnish a covered telehealth service described in this section may bill, and receive payment for, the service when it is delivered via a telecommunications system.” Back to Citation

157.  81 FR 88373 (Dec. 7, 2016). Back to Citation

158.  83 FR 43607 (Aug. 27, 2018). Back to Citation

159.  Existing safe harbors that may apply to some care coordination and value-based arrangements include the employee safe harbor (42 CFR 1001.952(i)), the personal services and management contracts safe harbor (42 CFR 1001.952(d)), the various managed care safe harbors (e.g., 42 CFR 1001.952(t)), and the local transportation safe harbor (42 CFR 1001.952(bb)). However, stakeholders have informed us that many arrangements they would like to enter into cannot fit in the existing safe harbors as currently structured. Back to Citation

160.  Cheryl L. Damberg et al., RAND Corp., Measuring Success in Health Care Value-Based Purchasing Programs (2014), available at https://www.rand.org/​content/​dam/​rand/​pubs/​research_​reports/​RR300/​RR306/​RAND_​RR306.pdf. Back to Citation

161.  William H. Shrank et al., Waste in the US Health Care System, Estimated Costs and Potential for Savings, 322 JAMA 1501 (2019), available at https://jamanetwork.com/​journals/​jama/​fullarticle/​2752664. Back to Citation

162.  OIG, ACOs’ Strategies for Transitioning to Value-Based Care: Lessons From the Medicare Shared Savings Program (OEI-02-15-00451), July 19, 2019. Available at https://oig.hhs.gov/​oei/​reports/​oei-02-15-00451.asp. Back to Citation

163.  OIG, Medicare Shared Savings Program Accountable Care Organizations Have Shown Potential for Reducing Spending and Improving Quality (OEI-02-15-00450), Aug. 28, 2017. Available at https://oig.hhs.gov/​oei/​reports/​oei-02-15-00450.asp. Back to Citation

164.  See e.g., Brian W. Powers et al., Impact of Complex Care Management on Spending and Utilization for High-Need, High-Cost Medicaid Patients, 26 Am. J. Managed Care e57 (2020), available at https://doi.org/​10.37765/​ajmc.2020.42402 (finding, in a study of a complex care management program implemented in Tennessee for high-need, high-cost Medicaid patients, that the program reduced total medical expenditures by 37 percent and inpatient utilization by 59 percent); Shreya Kangovi et al., Evidence-Based Community Health Worker Program Addresses Unmet Social Needs and Generates Positive Return on Investment, 39 Health Aff. 207 (2020), available at https://www.healthaffairs.org/​doi/​full/​10.1377/​hlthaff.2019.00981 (finding that every dollar invested in the Individualized Management for Patient-Centered Targets (IMPaCT) intervention, which is “a standardized community health worker intervention that addresses socioeconomic and behavioral barriers to health in low-income populations,” yielded a return of $2.47 within a single fiscal year from the perspective of a Medicaid payer). Back to Citation

165.  Amol S. Navathe, et al., Cost of Joint Replacement Using Bundled Payment Models, 177(2) JAMA Internal Med. 214-222 (Feb. 2017), available at https://jamanetwork.com/​journals/​jamainternalmedicine/​article-abstract/​2594805. Back to Citation

166.  Vera Gruessner, 3 Ways Bundled Payment Models Brought Hospital Cost Savings, Health Payer Intelligence (Jan. 16, 2017), https://healthpayerintelligence.com/​news/​3-ways-bundled-payment-models-brought-hospital-cost-savings. Back to Citation

167.  David Muhlestein et al., Recent Progress In The Value Journey: Growth Of ACOs And Value-Based Payment Models In 2018, Health Affairs Blog (Aug. 14, 2018), https://www.healthaffairs.org/​do/​10.1377/​hblog20180810.481968/​full/​. Back to Citation

168.  Shane Wolverton, Providers partner with payers for bundled payments, Becker’s Payer Issues (May 10, 2018) https://www.beckershospitalreview.com/​payer-issues/​providers-partner-with-payers-for-bundled-payments.html. Back to Citation

169.  Thomas Beaton, Value-Based Payment Adoption Drives 5.6% Reduction in Care Costs, Health Payer Intelligence (June 18, 2018), https://healthpayerintelligence.com/​news/​value-based-payment-adoption-drives-5.6-reduction-in-care-costs. Back to Citation

170.  Karen Dorman Marek et al., Cost analysis of a home-based nurse care coordination program, 62 J. Am. Geriatrics Soc’y 2369 (2014). Back to Citation

171.  Andrea B. Neiman et al., CDC Grand Rounds: Improving Medication Adherence for Chronic Disease Management—Innovations and Opportunities, 66 Morbidity & Mortality Wkly. Rep. 1248 (2017), available at https://www.cdc.gov/​mmwr/​volumes/​66/​wr/​mm6645a2.htm. Back to Citation

172.  Press Release, Highmark, Inc., Highmark saves more than $1 billion in avoided cost with True Performance program (Oct. 5, 2020), available at https://www.highmark.com/​newsroom/​press-releases.html#!release/​highmark-saves-more-than-1-billion-in-avoided-cost-with-true-performance-program. Back to Citation

173.  Press Release, Highmark, Inc., Highmark’s True Performance Program Avoided Health Care Costs by More Than $260 Million in 2017 (June 26, 2018), available at https://www.highmark.com/​newsroom/​press-releases.html#!release/​highmarks-true-performance-program-avoided-health-care-costs-by-more-than-260-million-in-2017. Back to Citation

174.  Press Release, Blue Cross and Blue Shield of North Carolina, Primary Care ACOs from Blue Cross NC and Aledade Show Significant Savings and Quality Improvements (July 20, 2020), available at https://mediacenter.bcbsnc.com/​news/​primary-care-acos-from-blue-cross-nc-and-aledade-show-significant-savings-and-quality-improvements. Back to Citation

175.  UnitedHealth Group, Physicians Provide Higher Quality Care Under Set Monthly Payments Instead of Being Paid Per Service, UnitedHealth Group Study Shows (Aug. 11, 2020), available at https://www.unitedhealthgroup.com/​newsroom/​2020/​uhg-study-shows-higher-quality-care-under-set-monthly-payments-403552.html. Back to Citation

176.  Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (May 2016), available at https://www.ponemon.org/​local/​upload/​file/​Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf. Back to Citation

177.  Health Sector Cybersecurity Coordination Center, A Cost Analysis of Healthcare Sector Data Breaches (Apr. 4, 2019), available at https://www.hhs.gov/​sites/​default/​files/​cost-analysis-of-healthcare-sector-data-breaches.pdf. Back to Citation

178.  Jeff Lagasse, Universal Health Services hit with cyberattack that shuts down IT systems, Healthcare Finance (Sept. 29, 2020), https://www.healthcarefinancenews.com/​news/​universal-health-services-hit-cyberattack-shuts-down-it-systems-1; Jessica Davis, UPDATE: UHS Health System Confirms All US Sites Affected by Ransomware Attack, Health IT Security (Oct. 5, 2020) https://healthitsecurity.com/​news/​uhs-health-system-confirms-all-us-sites-affected-by-ransomware-attack; Jessica Davis, 3 Weeks After Ransomware Attack, All 400 UHS Systems Back Online, Health IT Security (Oct. 13, 2020), https://healthitsecurity.com/​news/​3-weeks-after-ransomware-attack-all-400-uhs-systems-back-online; and Press Release, Universal Health Services (Oct. 29. 2020), https://www.uhsinc.com/​statement-from-universal-health-services/​. Back to Citation

179.  Health Sector Cybersecurity Coordination Center, A Cost Analysis of Healthcare Sector Data Breaches (Apr. 4, 2019), https://www.hhs.gov/​sites/​default/​files/​cost-analysis-of-healthcare-sector-data-breaches.pdf. Back to Citation

180.  Id. Back to Citation

181.  HCIC Task Force Report, https://www.phe.gov/​Preparedness/​planning/​CyberTF/​Documents/​report2017.pdf. Back to Citation

182.  Id. Back to Citation

183.  American Medical Association, Tackling Cyber Threats in Healthcare, https://www.ama-assn.org/​sites/​ama-assn.org/​files/​corp/​media-browser/​public/​government/​advocacy/​medical-cybersecurity-findings.pdf and https://www.ama-assn.org/​sites/​ama-assn.org/​files/​corp/​media-browser/​public/​government/​advocacy/​infographic-medical-cybersecurity.pdf. Back to Citation

184.  William H. Shrank et al., Waste in the US Health Care System, Estimated Costs and Potential for Savings, 322 JAMA 1501 (2019), available at https://jamanetwork.com/​journals/​jama/​article-abstract/​2752664. Back to Citation

[FR Doc. 2020-26072 Filed 11-20-20; 4:30 pm]

BILLING CODE 4152-01-P