A healthcare information security group is asking the Office of Inspector General (OIG) to issue an enforcement safe harbor that would allow providers to donate and receive cybersecurity training and technology.
In response to the Department of Health and Human Services (HHS) OIG’s annual solicitation for new safe harbors, the Association for Executives in Healthcare Information Security (AEHIS) requested the agency allow providers to exchange cybersecurity donations in the same way the agency previously carved out exemptions for certain EHR donations.
AEHIS is the sister organization of the College of Healthcare Information Management Executives (CHIME).
“We strongly believe an exemption to the antikickback statute that permits for donations of services that further an entity’s cyber posture is warranted,” AEHIS Board Chair Erik Decker, who serves as chief information security officer at the University of Chicago Medicine, wrote in the request (PDF). “We recognize there may be limitations around how such an exemption is crafted; however, if it followed many of the requirements that the OIG laid out around the exceptions permitted for donating an electronic health record (EHR), this would be helpful.”
The idea of a cybersecurity exemption to the Stark Law and Anti-Kickback Statute was previously raised in a landmark report issued last year by the HHS Cybersecurity Task Force. The regulatory shift would help support smaller physician practices and hospitals that are severely under-resourced when it comes to cybersecurity.
Last year, Jackie Monson, the chief privacy and information security officer at Sutter Health, highlighted the two fraud and abuse laws as a critical barrier to providing support for the 5,000 physicians within the health system’s network.
“If we want to provide technology around cybersecurity today to make sure they are secure, we would essentially violate Stark and the Anti-Kickback Statute,” she said.
In its request to OIG, AEHIS highlighted portions of the HHS report that underscored the need to share cybersecurity expertise across a broad spectrum of providers. The group recommended that OIG tailor an exemption to include the training and education, software, and technology that have the greatest impact on improving cyber hygiene.