AEHIS asks OIG to exempt cybersecurity donations between healthcare providers from fraud enforcement

CHIME's sister organization wants HHS OIG to carve out fraud enforcement exemptions for providers that donate cybersecurity technology. (Sarah Stierch/CC BY 4.0)

A healthcare information security group is asking the Office of Inspector General (OIG) to issue an enforcement safe harbor that would allow providers to donate and receive cybersecurity training and technology.

In response to the Department of Health and Human Services (HHS) OIG’s annual solicitation for new safe harbors, the Association for Executives in Healthcare Information Security (AEHIS) requested the agency allow providers to exchange cybersecurity donations in the same way the agency previously carved out exemptions for certain EHR donations.

AEHIS is the sister organization of the College of Healthcare Information Management Executives (CHIME).


“We strongly believe an exemption to the antikickback statute that permits for donations of services that further an entity’s cyber posture is warranted,” AEHIS Board Chair Erik Decker, who serves as chief information security officer at the University of Chicago Medicine, wrote in the request (PDF). “We recognize there may be limitations around how such an exemption is crafted; however, if it followed many of the requirements that the OIG laid out around the exceptions permitted for donating an electronic health record (EHR), this would be helpful.”


The idea of a cybersecurity exemption to the Stark Law and the Anti-Kickback Statute was previously raised in a landmark report issued last year by the HHS Cybersecurity Task Force. The regulatory shift would help support smaller physician practices and hospitals that are severely under-resourced when it comes to cybersecurity.

Last year, Jackie Monson, the chief privacy and information security officer at Sutter Health, highlighted the two fraud and abuse laws as a critical barrier to providing support for the 5,000 physicians within the health system’s network.

“If we want to provide technology around cybersecurity today to make sure they are secure, we would essentially violate Stark and the Anti-Kickback Statute,” she said.

In its request to OIG, AEHIS highlighted portions of the HHS report that underscored the need to share cybersecurity expertise across a broad spectrum of providers. The group recommended OIG tailor an exemption to include training and education, software and technology that has the greatest impact on improving cyber hygiene.
