AEHIS asks OIG to exempt cybersecurity donations between healthcare providers from fraud enforcement

CHIME's sister organization wants HHS OIG to carve out fraud enforcement exemptions for providers that donate cybersecurity technology. (Sarah Stierch/CC BY 4.0)

A healthcare information security group is asking the Office of Inspector General (OIG) to issue an enforcement safe harbor that would allow providers to donate and receive cybersecurity training and technology.

In response to the Department of Health and Human Services (HHS) OIG’s annual solicitation for new safe harbors, the Association for Executives in Healthcare Information Security (AEHIS) requested the agency allow providers to exchange cybersecurity donations in the same way the agency previously carved out exemptions for certain EHR donations.

AEHIS is the sister organization of the College of Healthcare Information Management Executives (CHIME).



“We strongly believe an exemption to the antikickback statute that permits for donations of services that further an entity’s cyber posture is warranted,” AEHIS Board Chair Erik Decker, who serves as chief information security officer at the University of Chicago Medicine, wrote in the request (PDF). “We recognize there may be limitations around how such an exemption is crafted; however, if it followed many of the requirements that the OIG laid out around the exceptions permitted for donating an electronic health record (EHR), this would be helpful.”


The idea of a cybersecurity exemption to the Stark Law and Anti-Kickback Statute was previously raised in a landmark report issued last year by the HHS Cybersecurity Task Force. The regulatory shift would help support smaller physician practices and hospitals that are severely under-resourced when it comes to cybersecurity.

Last year, Jackie Monson, the chief privacy and information security officer at Sutter Health, highlighted the two fraud and abuse laws as a critical barrier to providing support for the 5,000 physicians within the health system’s network.

“If we want to provide technology around cybersecurity today to make sure they are secure, we would essentially violate Stark and the Anti-Kickback Statute,” she said.

In its request to OIG, AEHIS highlighted portions of the HHS report that underscored the need to share cybersecurity expertise across a broad spectrum of providers. The group recommended OIG tailor an exemption to include training and education, software and technology that has the greatest impact on improving cyber hygiene.
